July 21, 2008 11:38 AM PDT

Column: Will you be ditching your antivirus app anytime soon?

by Robert Vamosi

For the last few months, I've been hearing some well-regarded security people tell me they are considering ditching their antivirus protection all together. They haven't done it, but these individuals feel the days of having a special application scan to remove malware on your desktop are numbered. Malware has changed, but the applications to ferret them out have not.

Antivirus programs, as we know them today, are based on 20-year-old technology of pattern matching. Pattern matching may have worked in the days of the Michelangelo virus and even as recently as Netsky, but methodically matching each and every file on a computer against a list of known malware is getting tedious, if not archaic. In 2007, Symantec detected more than 1 million viruses, with two-thirds created within the calendar year. Loading 1 million signatures, or even a percentage of that if generic signatures are used, is a pretty serious undertaking.

That's why vendors are talking to me about newer strategies for 2009 (and beyond). Among these is the exact opposite of signature file databases--something called whitelisting. If pattern matching is just another way of saying certain bad files have been blacklisted, whitelisting goes to the other extreme: it only allows certain trusted files to run on your machine.

That's more or less what Symantec CEO John Thompson called for at this year's RSA: "If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting--where we identify and allow only the good stuff to come in--will become critical." He actually didn't say much more about whitelisting, yet everyone talks about this speech as though Thompson had declared this the year of whitelisting.

So how viable is whitelisting? Turns out we've been using it to defend against spam for years.

To see how whitelisting works on an enterprise level, I spoke with Tom Murphy, chief strategy officer for Bit9, a Massachusetts-based company that has been quietly leading the way in whitelist technology.

For several years Bit9 has been building what it calls a Global Software Registry or GSR (formerly called Bit9 Knowledgebase), cataloging "known good" and "known bad" applications and files. Murphy said Bit9 uses three methods--MD5, SHA1 and OMAC--to create a unique hash of the file and ensure that the file is what it says it is. For the moment, the catalog is used for Bit9's enterprise products. But they've entered into an agreement with Kaspersky, who will be using the registry for its 2009 desktop security products.

Bit9 is not alone. SecureWave's Sanctuary, Savant Protection, and DriveSentry have also been creating whitelisting technology for the enterprise. What's interesting is that the big guys Google (Green Border Technologies), Microsoft (Winternals Software's Protection Manager), and now Symantec have started paying attention to whitelisting.

Which gets us back to antivirus software.

If hosting a million antivirus signature files is daunting, how many "clean" files might there be? Think about all the versions of software that exist, not to mention the files those products create.

The downside of whitelisting, indeed the main argument, is that all those clean files outnumber the bad guys by a considerable margin. Right now, maintaining a whitelist file is impractical for the desktop.

Trend Micro (if it wants to get into the whitelist space) thinks it has the answer. For the last few years, Trend Micro has been building servers around the world to provide continuous service to its Software-as-a-service enterprise systems. Last month, Trend Micro CEO Eva Chen told me it's time to bring that SaaS service down to the desktop. Instead of having all the signature files on the desktop, the desktop app would instead ping "the cloud" and get results from the much larger database of known malware stored there.

Make no mistake, Trend Micro is still using antivirus signature databases. Chen said even after 20 years, there are still advantages to pattern-matching antivirus signature files. For one thing, she says it's faster than firing up a heuristic sandbox and testing each individual piece of malware. True, although we're talking about shaving nanoseconds between the two processes. Still, with several thousand files, those saved nanoseconds do add up. So instead of running the operation on the PC, the PC sends all its unknowns to a server in the cloud and gets the results back lickety-split. An added benefit, says Chen, is that new samples are submitted in real time and evaluated quickly. In her estimate, Trend Micro can have a new signature file for an unknown threat ready within 15 minutes.

Fifteen minutes is also the new mantra over at Symantec. For its 2009 Norton products, Tom Powledge, vice president of consumer product management at Symantec, told me the new products are lighter and faster in part because they've jettisoned the multiple copies of the signature database found in previous versions. They're also not scanning each and every file. Instead, the 2009 products will build a trust index--that is, the app will declare certain files (say photos or MP3s) clean and then not scan them again unless the files change. He showed me a graphic where roughly 70 percent of a given machine is trusted, and only that last 30 percent is actively scanned.

Like Trend, Norton is experimenting with faster new malware turnaround. Powledge says Norton should be updating not every 15 minutes, but every couple of minutes. This is a vast improvement from hourly or even daily updates by some antivirus vendors.
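The two mechanisms described above, a registry of file hashes that decides whether a file is known good or known bad, and a trust index that skips files already judged clean until they change, fit together in a few dozen lines. The following is an added example written for this column, not code from Bit9, Symantec or Trend Micro. It assumes SHA-256 as the registry hash (the column names MD5 and SHA1, which both have known collision attacks, so SHA-256 is the choice made here), and the file names and registry entries are constructed for the demonstration. Files that match nothing in the registry come back as "unknown", which is the case the cloud-lookup approach exists to handle.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class TrustIndex:
    """Per-path cache of ((size, mtime_ns), digest).

    A file whose size and modification time are unchanged is not re-read, which is the
    'trust index' behaviour: hash once, then leave the file alone until it changes.
    Caveat: mtime is attacker-controllable, so a scheduled full re-hash should still run.
    """

    def __init__(self) -> None:
        self._cache = {}
        self.rehashes = 0  # how many times a file was actually read and hashed

    def digest(self, path: Path) -> str:
        st = path.stat()
        key = (st.st_size, st.st_mtime_ns)
        hit = self._cache.get(path)
        if hit is not None and hit[0] == key:
            return hit[1]
        d = file_digest(path)
        self.rehashes += 1
        self._cache[path] = (key, d)
        return d


def classify(path: Path, index: TrustIndex, known_good: dict, known_bad: dict) -> str:
    """Registry lookup: 'block' beats 'allow'; anything unregistered is 'unknown'."""
    d = index.digest(path)
    if d in known_bad:
        return "block"
    if d in known_good:
        return "allow"
    return "unknown"  # candidate for a cloud lookup or a gray-list, never silently allowed


def demo() -> dict:
    """Constructed end-to-end run on three temporary files; returns the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        editor = root / "editor.exe"
        toolbar = root / "toolbar.exe"
        photo = root / "photo.jpg"
        editor.write_bytes(b"MZ constructed legitimate editor build 1\n")
        toolbar.write_bytes(b"MZ constructed adware toolbar\n")
        photo.write_bytes(b"\xff\xd8 constructed holiday photo\n")

        # Constructed stand-in for a registry of known-good and known-bad digests.
        known_good = {file_digest(editor): "Editor 1.0 (constructed entry)"}
        known_bad = {file_digest(toolbar): "Adware.Toolbar (constructed entry)"}

        index = TrustIndex()
        files = (editor, toolbar, photo)
        first = {p.name: classify(p, index, known_good, known_bad) for p in files}
        reads_after_first = index.rehashes      # 3: every file hashed once
        second = {p.name: classify(p, index, known_good, known_bad) for p in files}
        reads_after_second = index.rehashes     # still 3: nothing changed, nothing re-read

        # Tamper with the trusted binary: its size changes, so the cache entry is invalid.
        with open(editor, "ab") as f:
            f.write(b"appended bytes that were not in the registered build")
        after_tamper = classify(editor, index, known_good, known_bad)
        reads_after_tamper = index.rehashes     # 4: only the changed file was re-hashed

        return {
            "first": first,
            "second": second,
            "reads_after_first": reads_after_first,
            "reads_after_second": reads_after_second,
            "after_tamper": after_tamper,
            "reads_after_tamper": reads_after_tamper,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The order of checks in `classify` matters: a known-bad match must win over a known-good one, otherwise a registry error in the good list would override a confirmed detection. The tampered editor does not become "block"; it becomes "unknown", which is exactly the category a cloud lookup or gray-list is meant to resolve rather than let through.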

Given the improvements to the traditional antivirus programs proposed by Trend Micro and Symantec, are the days of antivirus applications numbered?

Yes.

I asked Murphy if white lists worked well enough to replace traditional antivirus protection at some companies. He answered, very diplomatically, "if (a customer) feel(s) that they have a control over the environment, some customers have removed antivirus off their machines."

I'm still not convinced that white listing is the way to go, but I do know that security solutions in the enterprise space have a way of trickling down to the desktop.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by drfrost July 21, 2008 11:54 AM PDT
The first time I was aware of this technique being used was with Everquest. To combat cheaters, they actually recorded the checksum values of several DLLs on your system, and they better match a list of known good values for those files or your account could be banned. At one point they banned over 1000 players for what turned out to be a computer virus that these players had contracted. (Yeah.... SOE has never been known for treating customers with respect but that's another story.)
by Penguinisto July 21, 2008 3:59 PM PDT
Actually, checksumming has been an anti-bot/anti-cheat method since the days of Quake II and the Ratbot. It's also fairly easy to defeat (e.g. the checksum is done/compared before launch, but you slip in your bot/cheat/etc after it starts).
by The_Decider July 22, 2008 10:23 AM PDT
That is nothing. Remember when SOE put in a notice when you logged in if there were failed attempts between successful logins?

That part doesn't sound bad but if you logged in and got a message that there were failed attempts and you reported it, they banned your account!

I almost miss the idiocy of SOE.
by kklosson July 21, 2008 12:13 PM PDT
I stopped using any form of anti-virus about 5 years ago and never looked back. And I've never had virus. As far as I can remember, I've never had to avoid one either. But I'm a computer professional and I can understand the need in any environment where the vast unwashed are using computers.

But if you are your own system administrator with no other users, and you can resist the temptation to open an attachment from someone you don't know, then I believe you can safely lower your shields without fear of an imminent Klingon attack.

Your most critical defense is a firewall and there are several very good (and free) ones out there. And the current Windows Firewall should protect you well enough - if its on.

Spam filtering is your choice. Ideally your ISP or email provider offers some filtering at the server. Use it.

Lastly, ask yourself this... if aliens landed in your living room and zapped your whole computer into a puddle of black ooze, do you have the backups you need to get everything back? If your answer is no, you are taking a far bigger risk than not using anti-virus software. And shame on you.
by joetesta70 July 21, 2008 1:05 PM PDT
This is the best post I've read in a while.
by Penguinisto July 21, 2008 3:59 PM PDT
Me too - I just use Linux and OSX exclusively now. Not a single bit of malware ever since. ;)

/P
by The_Decider July 22, 2008 10:29 AM PDT
Reckless advice to those poor windows users.

A firewall doesn't stop most viruses because they ride in on legitimate data that is not stopped by a firewall.

Windows firewall is marginally decent, but once something gets through it does little to stop outbound traffic caused by that malware.

I guess you aren't aware of the fact that if you take a clean Windows system that has nothing more than the default setting, and that means Windows firewall is running, and connect to the internet and don't touch it, just let it run. Come back in 12 hours and run malware scanners on it. Then come back here and tell us how windows firewall will protect you by itself.

You don't sound very professional to me nor are you so l337 that you can tell if a file is infected on your own. Download a solid AV program and run it, you will be shocked at the results and find out how foolish you are for not running AV.
by shady28 July 21, 2008 12:33 PM PDT
Interesting article. This really sounds more like a distant death knell for Windows than anything else. OS X is not burdened by an architecture that allows one machine to infect another remotely. Yes, anyone can open a malicious executable on any machine, but only on Windows can someone take over your PC without you doing a thing.
by joetesta70 July 21, 2008 1:05 PM PDT
APPLE IS THE NEW EVIL EMPIRE. Ever wonder why Steve Jobs is not on Forbes' list of biggest philanthropists in the US? Greed. He'd only have to give away 1% to make the cut.

Bill Gates makes the list, Michael Dell, Sergey Brin, Larry Ellison and a host of other tech people.

Closed and proprietary system. That's Apple. That's Evil.
by pjhenry1216 July 21, 2008 1:14 PM PDT
Ugh. There is so much "no" in that sentence, I don't even know where to begin. Taking over a fully updated Windows PC is nigh impossible without participation from the user. Most security holes are remote and for the most part are directed at the lowest common denominator, which is normally on a Windows PC. Nowadays, Apple is so good at marketing (don't be fooled that it's due to quality products) that the lowest common denominator is going over to Macs. Soon, Macs will start to have issues if they ever really do see the market share they want to have.
by santuccie July 21, 2008 4:02 PM PDT
Actually, Vista users are enjoying the same advantage. Just so you know, security has nothing to do with architecture (both Windows and OS-X use Intel shell code); it has to do with how well the kernel is locked down. Before Vista, Windows desktop operating systems defaulted to creator/owner accounts with administrator privileges. This is no longer the case.

Now, we just have to wait for Windows 7, so we can enjoy security and performance at the same time. In the meantime, the holes in earlier Windows OSes are simple enough to cover up, if you know how. Bottom line: Migration is a preference, not a security solution.
by Penguinisto July 21, 2008 4:05 PM PDT
Dunno, pjhenry... It is still somewhat easy to hijack a website, have it redirect via IFRAME, and own a Windows user's machine without so much as their knowledge (you can thank ActiveX and its ilk for that one).

Sure, folks will try to hit a Mac more often as its marketshare grows, but honestly, it'll be a tougher road to travel. Right now, the incentive is there - 8% of all computers, no competition from other bot-herders and the like, and a fairly homogeneous software/hardware environment in which to spread around a bit. Given all of this, there have been nothing but half-attempted (and very lame) trojans for OSX, but that's it.

/P
by The_Decider July 22, 2008 10:32 AM PDT
pjhenry,

That is wrong. A default-configured windows box gets owned without any user participation.

It is not "nigh impossible" it is simple to remotely exploit a windows box even if it is "fully patched". MS updates are slow, attackers are agile. MS is always far behind the security curve.
by The_Decider July 22, 2008 10:35 AM PDT
Joe,

Gates is not a philanthropist.

1. Every penny he gives is followed by a press release and most of it is used to bolster MS's image. That is marketing not philanthropy.

2. He is history's biggest thief. Does it matter what he does or doesn't do with his stolen money?

It is going to take a lot more than empty gestures for him to make amends for the damage he caused.
by ferretboy88 September 19, 2008 8:03 PM PDT
The decider is so off with Bill Gates. The guy cares he doesn't do it for the press. Steve Jobs could even find his purse to give his daughter any support for many years. The guy is a fraud with a turtle neck.
by Kev Orng July 21, 2008 12:56 PM PDT
The best defense against virii and malware is what we learned in kindergarten:
Don't talk to, take candy from, or get into a car with strangers.
They can build walls around the school, but it is no substitute for making sure your kids are street smart.
This is why malware proliferates. Because too many computer users are not street smart.

Oh, and I agree with kklosson above: At any given time, you should be able to completely shred your hard drive, replace it, and restore from a backup, without losing more than, say a day at worst.
by demner July 21, 2008 1:21 PM PDT
I ditched desktop anti-virus years ago and couldn't be happier. As long as you don't do anything really stupid your chances of getting a virus are practically nil anyway. Just make sure you have a good firewall and good virus scanning on your e-mail accounts and you're totally good to go.
by MaLvaDo39 July 21, 2008 1:50 PM PDT
Antivirus? I dropped that 4 years ago when I dropped Windows.
Get a Mac. Zero viruses in the wild...
by catch23 July 21, 2008 2:02 PM PDT
And the first kicked over in the Pwn2Own contest.
If Apple ever gets its marketshare out of the dumpster, you'll be needing AV for a Mac. And with arrogance like that, I'm guessing not even that can save folks like you
by imacreal July 21, 2008 2:15 PM PDT
I wish you and Shady28 were right about macs and viruses, but my 19-year-old lost everything on his mini mac due to a virus so bad it crashed his computer. There was no tech wizardry that could save his hard drive. I know he broke the rules of safe surfing, and having a mac didn't keep him safe. So stop kidding yourselves, and leading others astray. I used to believe your lines too, until my son had to learn the hard way, to not go off safe chartered roads.
by Penguinisto July 21, 2008 4:08 PM PDT
catch23 - they had to open the thing up and allow the user to literally run a trojan to do it.

imacreal: name the virus. There have been none in the wild. Zero. I suspect your kid blew it up long before I'd suspect a "virus" that no one in the security community has seen hide nor hair of.
by santuccie July 21, 2008 4:19 PM PDT
http://news.cnet.co.uk/software/0,39029694,49254171,00.htm
http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html
http://forums.cnet.com/5208-6126_102-0.html?forumID=10&threadID=284174&messageID=2705874

Obscurity is hardly a viable security solution, as it means you are depending on the decisions of others. The way to protect yourself is to make darned sure you can ward off the attacks when they come. And as you can see from the above-linked articles, they're on their way.
by Penguinisto July 22, 2008 12:41 PM PDT
First one involves lab-based ones - none of which had ever been spotted in the wild. Second link describes a trojan (The Sophos flack's dissembling be damned - it requires specific and intentional user interaction to launch it), and the third link is a reference from the second.

Try again?
by Steve Summers July 21, 2008 2:12 PM PDT
"White listing" is effectively what biological immune systems do - they recognize cells that belong, and attack foreign ones. It would make a lot of sense if the system could prevent the execution of any file it doesn't recognize. Before adding new ones to the white list, it could send its CRC to the web service to see if it was recognized. If it's not, it could send the whole file for signature scanning (or do it locally, or both). If it's not found anywhere, the user can be given the chance to try it - and if they don't reply that it's benign within a short period of time, the checksum could be "gray-listed" until it can be cleared or proven malicious.

It all sounds good to me. As it is, I just had to re-install to get rid of a spyware infection that wasn't handled by any of three different anti-spyware programs. What we have now doesn't work- not well enough, anyway.
by July 21, 2008 2:17 PM PDT
You're missing the point when you talk about how many clean files there are vs the million viruses for which you're scanning. How many clean files are on YOUR computer and is that number going to double in a year?

Makes a lot more sense to check the few dozen or even hundreds of apps that I want running vs all the bad code out there.
by garrettbdotnet July 21, 2008 2:21 PM PDT
I've turned off my on-access scanning 6 months ago. I do a weekly manual scan at night just to be sure, but my copy of Vista has been virus free to date.
by ilkbnd007 July 21, 2008 2:30 PM PDT
Whatever happened to the computer science tech that doesn't use anti-virus software? I don't remember the details but, it seemed he had a wall of some sort to let in internet traffic; this is before firewalls.
by C++ Genius July 21, 2008 2:50 PM PDT
There are a lot of ways around a car alarm and new car thieves are born everyday, do we see people suddenly taking down their car alarms?

Firewall training works on the basis of whitelisting, have you ever witnessed a newbie training a firewall. Most inexperienced users blindly allow the application just to make it work, regardless of the consequences.

I agree, signature-based anti-virus applications are outdated in this dynamic world of malware, so the focus should be on developing dynamic anti-virus solutions, focussing on malware-like behaviour. That is in my eyes a much better solution than whitelisting. Many Bayesian spam filters are equipped with whitelisting capabilities, so the ideal solution would be behaviour based protection combined with whitelisting and blacklisting.
by TF_kj July 21, 2008 4:02 PM PDT
Coming from someone who collects data on the numbers of malware people run on their systems on a daily basis, and how the scanners perform in keeping up-to-date with the releases, I would say that AV will not die altogether. And some of the presentations from security groups claiming that users are safer without AV (because of the scanners' exposed attack surface) is simply misleading.
Standalone AV will become just another layer, a component of some newer technologies -- a lot like what happened to DOS. It just doesn't deserve the price that it's getting anymore.
by Doug Woodall July 21, 2008 4:39 PM PDT
I'm wondering if the "Server in the cloud" would become an attractive target. If you take the server down, you could infect a massive amount of computers if it were a co-ordinated targeted attack.
by santuccie July 21, 2008 4:48 PM PDT
Dear Mr. Vamosi,

While new variants of parasites continue to be pumped out in the hundred thousands pursuant to the continued success of Storm and various malware kits, it is yet my belief that their numbers may drastically plummet once the widest door to malware propagation is closed and deadbolted. And when this happens, we won't need databases comprising millions of signatures anymore.

While two of the three machines I own use policy sandboxing and advanced file security, and have no antivirus or antispyware, the third still has them for the sake of testing. And instead of the usual methodology of a collection of malware test samples launched locally, I choose the acid test of noxious browsing over extended periods of time, including autosurfs in up to 20 browser tabs.

Slowly but surely, antivirus vendors are noticing and embracing the anti-drive-by-download concept. While a lot of users will shoot themselves in the foot via P2P and opening e-mail attachments in chain letters and even spam from unrecognized senders, the average user isn't entirely oblivious to the nature of Internet threats these days.

Different vendors are looking to different methods of addressing the drive-by problem. IDS is the traditional solution (and traditionally unsuccessful), and a somewhat newer one is leveraging the user network. Still another is mergers, such as AVG's acquisition of LinkScanner. In the meantime, McAfee's enterprise products have employed an anti-drive-by technology called ScriptScan for some time. And since November, 2006, all of McAfee's consumer products have it too.

I have been using VirusScan Special edition from AOL for 20 consecutive months, and to this day my test unit remains 100% clean. This is my print server and dedicated autosurf system that is on 24/7. Some vendors really do know what they're doing. Coincidentally, the oldest security vendor of all happens to be one of the first to put their finger on the problem and address it.
by T543212345 July 21, 2008 5:22 PM PDT
Alright, I'm clearly not a security expert here, just an interested observer. But wouldn't the entire concept of whitelisting start us down a path where only software deemed "acceptable" by some big server in the sky is able to be run? And who determines what is acceptable? Does this eventually shut out the small-time developer? What would be the process of attaining a "whitelisted" status? Am I just being paranoid?
by Vegaman_Dan July 21, 2008 5:34 PM PDT
Boy oh boy...You can just about see the security experts out there cringing and rolling their eyes at the whole 'whitelisting' argument. It's worked great in email- except for those groups that couldn't get their names added or worse, got on the wrong list through no fault of their own. Sure, you could pay a group to get your name removed, or even added as a trusted source, but then that's just black/white mail at that point. And you know what- it works. Companies make money doing this sort of scam since it isn't illegal.

I'm sure this discussion will turn into the typical Windows/OSX/Linux flamefest that generates page views, which in the end is what I believe this article was really meant to do in the first place.
by magicmaster July 21, 2008 10:34 PM PDT
I have not deserted my anti-virus program just because it's not as effective as before. You know the door won't completely deter burglars, but at least you could deter SOME. Combined with good habits and firewall software, most users should be malware-free most of the time, unless you can't resist visiting strange sites like porn or warez stuff.
by Hoverbored July 22, 2008 9:16 AM PDT
Might some scheme be used that checks each file for validity ('cleanliness') when it is stored on disk [in a bit more traditional fashion?], then a combined key created from a vendor key and user key stored, related to the file. This combo key could be tested when the file was read for use. The keys could be tested for tampering on a regular basis, too.
by Mike Acker July 22, 2008 12:09 PM PDT
There is no reason the signature of every existing valid program has to be kept on every desktop workstation. You only need signatures for those programs you are actually going to run.

I would look at the registry as possibly the key to white listing.

First: the operating system must not run any program that is not registered.

Second: the operating system must not register any program that is not supplied with a valid signature, where the signatures would be checked using the already existing system of certificate authorities which has been created for SSL and HTTPS.

Security is like a balloon though: a pin-prick and you are done.

For that reason browsers need to be crippled so that the various scripts and players they run are limited to enhancing the video display, and the entire browser must run only in ring 3. Thus if it does get any buggy software the OS will simply abort it.

The days of on-the-fly grab-a-program update-your-system must end. This was a bad idea to begin with and now it's a bad habit we have to be rid of. For updates we need to learn to DOWNLOAD, VERIFY, and INSTALL.
by Penguinisto July 22, 2008 12:44 PM PDT
Ugh - you mean that same registry that is prone to corruption and bloat?

No thanks.