Part 3 of 15: Antivirus Software Using Heuristics and Reputation Ratings
What Is It?
Many of you may be laughing at this right now thinking that Anti-Virus is “old school” and for the dinosaurs. You may think that currently, the evolving tactics and sophisticated exploits of cyber criminals is too advanced to be worried about Anti-Virus. The reason Anti-Virus is still current is because viruses still pose a major threat to our information systems and that isn’t changing any time soon. Just because we’re focused on ransomware and other immediate dangers doesn’t mean the threats are gone; like a good vaccine, we’re just able to handle their presence.
You know why we still get those bogus emails from some far-flung despot reaching out to the average punter, desperate to move their fortune out of whichever nation they purport to be all-powerful in? Because they work. If I send out 100,000 emails and 100 people fall for the scam, even at less than a 1% success ratio, it’s still profitable. The same with viruses. They don’t must compromise ALL systems; they only need to compromise SOME systems to be effective. It’s a numbers game where minority success can far outweigh majority failure.
Beyond Anti-Virus, this type of endpoint protection (and when I say endpoint, I include servers as well and not just workstations, laptops, tablets, and mobile phones) also defends against other types of malware such as worms, Trojans, adware, spyware. The limitation, and the likely reason why this strategy is only “Very Good”, is because this method tends to deal with known quantities. In 2009, I suffered a near-fatal run in with a new strain of influenza and despite having the “flu shot” that year, it did little to protect me. The signatures and updates that you receive from your endpoint protection vendor are kind of like that. Even still, they’re imperfect at best but like a seat belt, I’d rather take my chances with it on than off.
Without getting into the nuts & bolts, the Anti-Virus scans inbound and outbound files against a “database” of known badness and either permits, denies, or alerts the user. In some cases, the system attempts to clean the file, may quarantine it, or delete it altogether. Some systems provide reporting and statistics to administrators to help them adjust their defences and policies accordingly. At one time, you needed to buy a separate Anti-Virus program but at least now many vendors are building basic Anti-Virus into their platforms. That said, a more powerful solution from one of the leading vendors may be in order and even their top of the line systems are affordable.
There are all kinds of other solutions out there from some new and emerging vendors, but I’ll save them for another day and instead focus on our “old school” technology dinosaurs like me have relied on for so long.
Where Do I Start?
You shouldn’t even must ask this; it should be a given, but you need to ask what your current endpoint protection is (i.e. Anti-Virus) solution. If this answer cannot be received without hesitation by those managing your information systems, worry. No matter how big & bad, rough & tough, or impenetrable of a fortress you think you have, you should have endpoint protection, full stop.
After figuring out what you have, you need to find out how often it is updated, if you have the current version, if all the endpoints are up to snuff, if you still have support or a valid subscription, and how it is managed, maintained, and how often scans are scheduled. It seems like a lot, but unless you stay on top of things, it can become quickly overlooked, taken for granted, or ignored altogether – until you need it.
If you have one of the more recent versions, it may be worthwhile looking at all the other features it includes besides anti-virus. Host-based intrusion prevention, host firewalling, application control (Read: Application Whitelisting) and several other features, even location-based policies for when mobile users are on or off the corporate network. If you’re paying for the whole suite, you probably should be using it.
While you’re at it, figures out how you manage the system. If you’re an independent end-user, it’s just a matter of opening the console occasionally to make sure everything is OK. In a corporate network, you likely have a central management console and probably even an administrator or two that looks after it. Also consider any extra information you can gain such as reports, alerts, logs, and if you can feed the information into a SIEM.
How do I make It Work?
Many organisations use vulnerability assessments, penetration testing, network health check, firewall assessments and so on. Have you ever considered an endpoint protection check? The endpoints are where “the rubber meets the road” and where the real action happens – user interaction. There are many great systems integrators and vendors with specialist teams that can help get you started.
Let’s just assume you already have your endpoint protection solution in place. If not, then let’s assume you’ll get it done. Go through all your settings on a regular basis…groups, policies, alerts…. everything. Document everything and keep it updated. Can people to over-ride settings or even turn it off altogether? Do your policies unnecessarily prevent tasks you users need? Is the client (if you use this type of system) installed on every system you can? Do you have enough licenses to cover everything including growth? What about mobile devices?
Once you know what you have and what you need to change, run it through change control and just get on with it. In a defence in depth strategy, endpoint protection isn’t the final layer, but it’s close enough to the centre to be taken seriously. As with all matters related to cyber security, if you need help, ask!
Pitfalls?
The biggest pitfall is probably thinking you don’t need anti-virus and that the other layers of defence, like web / email filtering, firewalls, IPS, and so on will stop the threats before they get to you. Storage media such as USB drives (next article in the series) can circumvent all the layers and it’s fair to say that most systems these days are probably laptops and mobile devices that are not always on the corporate network. Sometimes your endpoint protection IS the defence-in-depth, so Anti-virus should never go away because viruses, and other types of malware like Trojans, adware, and spyware are not going away any time soon.
Ghosts in the Machine?
The mentality that your endpoint protection is set-and-forget and that your signatures will just update, and everything will magically look after itself is dangerous. We humans tend to get distracted and forget about the core foundations of security, focusing on the big threats rather than the little ones that can quickly grow from simple nuisances. Never take your endpoint protection for granted and realise the ghosts may slip through the cracks and not be caught every time.
Anything Missing?
Aside from overlooking features included in your solution, sometimes the information we gain from our endpoint protection / anti-virus solutions is very valuable for tactical gains and strategic advantage. Don’t be afraid to pull the reports and use them for planning. There is no greater teacher for the future than the lessons of the past.
I know I mentioned a health check earlier… maybe also consider using endpoint protection tests in your DR/BCP scenarios and exercises.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock