Signature Based AntiVirus Technologies vs Malware Detection with a Coin Toss
by Fatih Comlekoglu, Chief Software Architect
We need a fresh start in endpoint security. Recently tested legacy AntiVirus products detected 30% of malware, which is less accurate than the 50% one might get from tossing a coin to decide if something is malware.
In its Online Financial Fraud and Identity Theft Report, Cyveillance reports results on how well legacy AntiVirus products detect malware. Some AntiVirus products could only detect 30% of malware tested, missing a whopping 70%. Statistically, tossing a coin to make a call about malware would have a success rate of 50%, which is better than the 30% reported by Cyveillance.
At DefCon16 this month, in The Race to Zero contest, three teams competed on the fastest way to modify known viruses, including the ancient Stone virus dating back to 1988, to evade today’s AntiVirus products. The teams succeeded in a few hours. They found it very easy to defeat the AntiVirus products that rely on virus signatures remaining unchanged.
AntiVirus vendors were not pleased by this event. “With antivirus vendors already processing some 30,000 samples each day, there’s no need for any more samples”, said Roger Thompson, chief research officer at AVG Technologies.
But reality demands action: today’s BotNets fill their ranks by infecting PCs with frequently modified malware. A recent report noted that one BotNet changes the signatures of its malware every 10 minutes.
These signature-based technologies are not effective in blocking such zero-day malware. Unfortunately, host intrusion prevention system (HIPS) technologies, designed in the late ’90s and bundled with major AntiVirus enterprise endpoint security suites, do not deliver the desired results at an acceptable level of effort. Instead, they
- Inundate administrators with false positives
- Confuse end-users with prompts to make a decision about malware
- Fail to deliver much-needed detection accuracy
The endpoint security field needs a fresh start and a new generation of techniques to detect and block unrecognized, unknown malware without asking end-users to make a decision or diverting administrators from other important work.
The Race to Zero (www.racetozero.net) contest was organized by security researcher Simon Howard.

