
Are signature based antivirus or antimalware solutions effective? Has the battle been lost against the ever increasing amount of malware, particularly rootkits, that are in the wild?

Sim

8 Answers


A signature-based detection system can't be the only solution, but it can be part of the solution. Indeed you'll find that a lot of the AV products that have behavioural detection and heuristic detection also still employ signature-based detection. It's simple, it's fast, the chances for false positives are very low. But the chances for false negatives are high, and you certainly fail against novel attacks.

  • +1. Any degree of generative polymorphism or collision attack can thwart signature detections. The secret is to provide robust definitions of allowed and restricted access, which change at least as rapidly as the underlying technologies you're trying to protect. – MrGomez Jan 03 '12 at 22:05

I would contend that Anti-Virus/Anti-Malware and other black-list based security systems have long lost their effectiveness due to the following:

  1. They cannot possibly protect against new (yet unlisted) threats like zero-day vulnerabilities
  2. They provide a false sense of security
  3. Their signature files are unbounded in size and always keep growing
  4. Due to 3. they become more taxing on resources (memory, CPU, etc.) over time
  5. AV software runs with the highest privileges plus it is willingly installed by legitimate users. In essence, it is part of the OS kernel. As such AV has become a preferred exploit target in itself.

In contrast, white-list based security systems which allow what is known, routine and safe, while disallowing (with an option to ask the user whether to allow from now on) everything else, are more sustainable, effective, efficient and actually secure.

This is not just my opinion, it is a principle that many prominent security experts agree on. See for example: This WiReD article


[Update: 2014-07-29]

But it gets worse: imagine a big and complex, monolithic application which runs on your computer with the highest privileges. It intercepts many system-calls and sometimes changes their semantics, installs kernel drivers on updates, employs a packet filter which sniffs everything coming in, and effectively tries to control anything your computer can or cannot do. What I just described is the essence of AV software. This is exactly what most of them do. The result is that typical AV software dramatically increases your attack-vulnerability surface. In fact, modern malware often looks for AV software vulnerabilities to exploit (see this reference for example). This is the reason why many security experts consider AV programs to be among the riskiest viruses ever invented. AV is literally transforming into an extension of modern malware.


[Update: 2022-01-09]

It has been ~7-8 years. As feared, the AV landscape has become much more treacherous.

In recent news, users report that a well known and widely used AV software company now officially installs possibly-unwanted additional components (in this case, a crypto miner) by itself. Black-hat involvement of exploiting AV admin privileges is no longer even needed to infect your computer with unwanted software.

https://www.theregister.com/2022/01/05/norton_360_cryptominer_deletion/


What would I personally use instead?

A combination of white-list based protections, in many layers. When one fails, the others may succeed:

  1. Firewalls permitting only what's known and designed to be allowed
  2. Log scanners, trip-wire, file-signature (intrusion detection, based on anomalies) systems
  3. Sand-boxes, VMs around more vulnerable software like browsers
  4. A hardened operating system that's protecting against execution of data, supports random address loading, does runtime checks like system-call parameter checking, etc.
  5. Secure, encrypted connections like those provided by ssh
  6. An environment allowing one to look at the source code of the installed software and build from that source or at least download packages from a small number of reputable sources as opposed to a large number of random sites.
  7. Stronger/longer passwords & passphrases; a good, and open-source password manager; multi-factor authentication (MFA)
  8. For corporations: zero-trust networks and micro-segmentation.

There's no silver bullet. Security is a complex area affected by many factors. One can use the above (and more) principles to increase security but one can never be sure that they're 100% secure given the complexities of hardware, software and high number of potential infection vectors.

arielf

Please look at these videos at securitytube

which both demonstrate how easy it is to avoid antivirus detection. Signature-based antivirus needs to live on, but if vendors want to make a living it won't be sufficient to limit themselves only to signature-based detection.

There are automated tools which can be used to disguise malware, making it no hassle to distribute malware which the antivirus will not pick up.

You also have the challenges of polymorphic code, which makes signature-based checking even harder. The battle is by no means lost, but it is significantly harder to block by signature today than it was 10 years ago.

Chris Dale

It was lost when someone like your mom could lose her identity and payment cards to fraud.

I would say that, no, anti-virus and anti-malware have been very ineffective since the Windows buffer overflow in 1999. In 2010, they are adding fuel to the fire and making systems more insecure, and not just because they provide a false sense of security. They are actively being attacked themselves and used as rootkits or entry points.

atdre
  • Are you saying that because your mom can experience credit card fraud online, that signature-based AV is ineffective? Also, I think you need to compare the attack surface of a system with AV to the attack surface of a non-AV system before saying they decrease security. Are you more likely to be exploited by the millions of malware samples out there or the few that can attack AV? – Bradley Kreider Nov 19 '10 at 01:02
  • @rox0r: Better to make sure you are fully patched – atdre Nov 19 '10 at 15:46
  • @atdre: But it isn't exclusive. You can fully patch and run AV. Malware that uses zero-day exploits isn't going to be stopped by patches, but it can get caught by the cloud type detection the major AV vendors use. It's all part of defense in depth. – Bradley Kreider Nov 19 '10 at 15:57
  • @rox0r: Exploitation countermeasures also stop malware that anti-virus agents would in your scenario. However, exploitation countermeasures don't have an attack surface larger than the OS or any other app running on it besides browsers. AV has this problem – atdre Nov 19 '10 at 17:50
  • @rox0r: Also, I don't think you are using the defense-in-depth moniker correctly. The NSA intended DiD in computer security to refer to the combination and layering of people, process, and tools. AV definitely breaks that paradigm. The correct one would be file/memory/process integrity checkers, an audit trail, and incident handlers. – atdre Nov 19 '10 at 17:53
  • @atdre: I'm not up to date on DoD and NSA standards, but I don't see how AV breaks the paradigm of layered defense. Not that Wikipedia can't be wrong, but they mention AV for DiD: [Defense in depth (computing)](https://secure.wikimedia.org/wikipedia/en/wiki/Defense_in_Depth_%28computing%29) – Bradley Kreider Nov 19 '10 at 19:21
  • Wikipedia, and the world at large, may very well be deeply, insecurely wrong. – atdre Dec 09 '10 at 07:19

It depends what you mean by effective. This method would only notice known viruses. But if a virus is known, it is also certain what kind of vulnerability it exploits. In the past those vulnerabilities were either already fixed when the virus spread or were fixed directly after it became known.

So if the system is updated on a regular basis, a virus scanner would not have much benefit. On the downside, the virus scanner slows down the computer and often annoys people.

I often advise home users not to install any anti-virus software. Instead they should consider some general hints (regular updates, principle of least privilege etc.). Every half year or so I check those systems with some anti-virus CD. For ~10 years neither of those systems was affected by a virus.

I don't consider the battle to be lost. If the user pays some attention to the security of his computer he could stay safe.

qbi
  • Regarding your advice to home users, what about protection against vulnerabilities that don't have a patch but are being actively exploited, especially ones that require little or no user interaction? – Sim Dec 10 '10 at 01:32
  • Here the principle of least privilege comes into play. Usually a home user should work as some non-privileged user (not administrator). So maybe the system will download some worm/virus/whatever, but it doesn't get the rights it needs and therefore is "useless". – qbi Dec 10 '10 at 15:57
  • `So maybe the system will download some worm/virus/whatever, but it don't get the rights it needs and therefore is "useless".` Given the landscape of modern computing environment, that statement is [completely wrong](https://xkcd.com/1200/). A virus can still be quite harmful even without admin rights, in fact, most of the harm that a virus can bring to the user wouldn't even need admin rights to perform. – Lie Ryan Feb 09 '22 at 12:58

You could do the inverse, i.e. have checksums for valid executables; otherwise signatures are a bit out of place.

Hendrik Brummermann

AV is a blacklist control that tries to enumerate what is bad and block it, allowing everything else by default. This type of control is very convenient but not very effective, and in the case of AV it is more or less an admission of defeat.

From a security point of view it is usually better to enumerate what is allowed and deny everything else by default. This of course is much less convenient but also much more effective.

I'd much prefer to see systems that work by only allowing the handful of programs I've explicitly installed and permissioned to run, than by trying to stop the bazillions of programs I don't want to run. I think the current tendency towards 'app stores' is somewhat helpful in this respect.

frankodwyer
  • AV is much easier for "normal" people than keeping their OS up-to-date. If mom and dad's computer is infected every month "unprotected" without AV, but only every 4 months (on average) with AV, I don't see how it is so terrible. From an engineering perspective, I agree, it completely sucks. From the perspective of an average Joe getting a little more use between infections, I think it is cheap protection. – Bradley Kreider May 02 '11 at 20:20
  • Unfortunately, AV protection is not cheap. Most popular anti-virus systems I've seen slow down computers significantly. 2x, even 3x slower is pretty typical. People often buy new computers because the old ones are slow, not realizing that most of the slowness comes from their (self-inflicted) AV system having to go through thousands of signature scans every time a file is written to, a packet over the network is received, etc. In this sense an AV pretty much matches the definition of a virus: software that interferes with the normal operation of the computer and slows it down. – arielf Feb 20 '13 at 00:42
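The "inverse" approach Hendrik Brummermann describes (checksums for valid executables) and the allow-only-what-I-installed control frankodwyer argues for, as an added example that is not part of any answer on this page: a file-hash allowlist that records the known-good executables once and then reports anything unknown or changed, rather than matching files against a list of known-bad signatures. The `bin/` tree, its two scripts and the tampering step are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(directory):
    """Baseline: digest of every regular file under `directory`, keyed by relative POSIX path.
    In practice the result is kept where the host cannot silently rewrite it (signed, or on
    read-only media); otherwise whoever replaces a binary can also update the list."""
    base = Path(directory)
    return {p.relative_to(base).as_posix(): sha256_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}

def verify(directory, allowlist):
    """Default-deny check: anything absent from the allowlist is a finding, so a brand-new
    binary is reported without anyone first having to write a signature for it."""
    current = build_allowlist(directory)
    findings = {"unknown": [], "modified": [], "missing": []}
    for name, digest in current.items():
        if name not in allowlist:
            findings["unknown"].append(name)
        elif allowlist[name] != digest:
            findings["modified"].append(name)
    findings["missing"] = [n for n in allowlist if n not in current]
    return findings

def demo():
    """Constructed scenario (not real binaries): baseline two scripts, then add an unlisted
    file and alter an existing one, which is what the check is meant to surface."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "editor").write_bytes(b"#!/bin/sh\necho editor\n")
        (root / "bin" / "browser").write_bytes(b"#!/bin/sh\necho browser\n")
        allowlist = build_allowlist(root)
        (root / "bin" / "newcomer").write_bytes(b"#!/bin/sh\necho not on the list\n")
        (root / "bin" / "editor").write_bytes(b"#!/bin/sh\necho editor (changed)\n")
        return verify(root, allowlist)
```

Running `demo()` reports `bin/newcomer` as unknown and `bin/editor` as modified; a real deployment would re-baseline only after a deliberate install or update.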

I think you have to evaluate your situation to make that determination. The blacklisting AV programs out there are actually able to detect millions of different kinds of malware. If you are vulnerable to that malware and see a lot of malware, I think you would be hard pressed to say it isn't effective.

However, it is only one piece of security defense. Blacklisting is mostly reactive (some generic matching, but higher false positives). When updates are released, by definition they are already old. Any new malware won't be in the list.

A bunch of the large AV vendors are doing a sort of real-time detection and updates via "the cloud," but it just shortens the time between updates.

Bradley Kreider