1

Can you have Anti Virus and Anti Malware layer sitting deep with the microservice layer and have the malicious file flow through all the services ? Argument being the file is in memory and not getting processed until the service we will put the Anti Virus and Anti Malware layer on.

Shouldn't this be stopped at the routing layer of the application?

SecureUs
  • 11
  • 1
  • 3
    I'll be honest with you: Anti-Virus and Anti-Malware are 99% of the time completely useless and just exist to tick a box on someone's checklist. –  Dec 02 '19 at 12:03
  • Given today's observations, I agree with MechMK1. – Overmind Dec 02 '19 at 12:05
  • 1
    You run anti-virus where the cost/benefit makes sense but before a binary gets executed. – schroeder Dec 02 '19 at 12:16
  • 1
    You want to detect such things as soon as possible in order to avoid it from getting deeper into your network. Having said that, I do agree with @MechMK1 that it's a checkbox on someone's list. However, from a legal standpoint this could be mandatory. – Jeroen Dec 02 '19 at 13:50

2 Answers2

2

An anti-virus or anti-malware that runs too early will not be able to prevent all threats. The reason why is that the software must be able to understand all possible ways that the data might be processed by the microservice. This means that the anti-virus itself must also simulate the microservice in order to determine if the result would be malicious code execution. It's far simpler to run the microservice in a sandboxed execution environment (such as how some anti-viruses operate) to detect the bad behavior during runtime, or otherwise provide real-time protection for the microservice at a lower level, such as behavioral heuristics. In order for either of these methods, the protection must run at a lower level than the microservice itself, usually as a kernel/OS process.

phyrfox
  • 5,724
  • 20
  • 24
0

Depends what your goal and problem is.

MIT showed that email had to be filtered at the users end to prevent errors of deleting valid emails. OTOH ISPs and their connectors would like to filter the bulk spam before it clogs up everything and costs too much while delaying other mail.

Now if email per se could attack the ISPs directly or their web links then it would be better to filter email first.

At the PC level the same consideration exists. If the scumware can cause damage just by getting in then you must filter it first. Better to prevent then to fix problems. And this will depend on the architecture of the device in use. Most current PCs and similar items are insecure from the gitgo even if you filter before and and address the issue after the stuff gets into the device.

Absolutely secure architecture is possible. I did it twice. Once in the 90s for DOS type devices, and could do it again for graphics oriented win type devices. But nobody will buy them and the establishment including the antivirus companies would fight it hard as would NSA and others who prefer to be able to get into our computer than to have us keep the other bad guys out of them.

fred
  • 1