Monday, January 7, 2013

The Demise of Desktop Antivirus

By Gunter Ollmann - @GOLLMANN

Are you old enough to remember the demise of the ubiquitous CompuServe and AOL CDs that used to be attached to every computer magazine you ever bought between the mid-80s and mid-90s? If you missed that annoying period of Internet history, maybe you'll be able to watch the death of desktop antivirus instead.

65,000 AOL CD's as art
Just as dial-up subscription portals and proprietary "web browsers" represent a yesteryear view of the Internet, desktop antivirus is similarly being confined to the annals of Internet history. It may still be flapping vigorously like a freshly landed fish, but we all know how those last gasps end.

To be perfectly honest, it's amazing that desktop antivirus has lasted this long. To be fair though, the product you may have installed on your computer (desktop or laptop) bears little resemblance to the antivirus products of just 3 years ago. Most vendors have even done away with the "antivirus" term – instead they've tried renaming their products "protection suites" and "prevention technology" and throwing in a bunch of additional threat detection engines for good measure.

I have a vision of a hunchbacked Igor working behind the scenes stitching on some new appendage or bolting on an iron plate for reinforcement to the Frankenstein corpse of each antivirus product as he tries to keep it alive for just a little bit longer…

That's not to say that a lot of effort doesn't go into maintaining an antivirus product. However, with the millions upon millions of new threats each month it's hardly surprising that the technology (and approach) falls further and further behind. Despite that, the researchers and engineers who maintain these products try their best to keep the technology as relevant as possible… and certainly don't like it when anyone points out the gap between the threat and the capability of desktop antivirus to deal with it.

For example, the New York Times ran a piece on the last day of 2012 titled "Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt" that managed to get many of the antivirus vendors riled up – interestingly enough not because of the claims of the antivirus industry falling behind, but because some of the statistics came from unfair and unscientific tests. In particular there was great annoyance that a security vendor (representing an alternative technology) used VirusTotal coverage as their basis for whether or not new malware could be detected – claiming that initial detection was only 5%.

I've discussed the topic of declining desktop antivirus detection rates (and evasion) many, many times in the past. From my own experience within corporate/enterprise networks, desktop antivirus detection typically hovers at 1-2% for the threats that make it through the various network defenses. For newly minted malware that is designed to target corporate victims, the rate is pretty much 0% and can remain that way for hundreds of days after the malware has been released into the wild.

You'll note that I typically differentiate between desktop and network antivirus. The reason is that I'm a firm advocate that the battle is already over if the malware makes it down to the host. If you're going to do anything on the malware prevention side of things, then you need to do it before it gets to the desktop – ideally filtering the threat at the network level, but gateway prevention (e.g. at the mail gateway or proxy server) will be good enough for the bulk of non-targeted Internet threats. Antivirus operations at the desktop are best confined to cleanup, and even then I wouldn't trust any of the products to be particularly good at that… all too often reimaging the computer isn't even enough in the face of malware threats such as TDL.

So, does an antivirus product still have what it takes to earn the real estate it takes up on your computer? As a standalone security technology – no, I don't believe so. If it's free, never ever bothers me with popups, and I never need to know it's there, then it's not worth the effort of uninstalling it and I guess it can stay… other than that, I'm inclined to look at other technologies that operate at the network layer or within the cloud; stop what you can before it gets to the desktop. Many of the bloated "improvements" to desktop antivirus products over recent years seem analogous to improving the hearing of a soldier so he can more clearly hear the 'click' of the mine he's just stood on as it arms itself.

I'm all in favor of retraining any hunchbacked Igor we may come across. Perhaps he can make artwork out of discarded antivirus DVDs, just as kids did in the 1990s with AOL CDs?

-- Gunter Ollmann, CTO -- IOActive, Inc.

4 comments:

  1. Virustotal.com/about

    Read the section about bad idea

  2. so let me get this straight - after network-level defenses (like say the very same network anti-virus you think is a good thing) have filtered out all the bad stuff it can find, the remaining bad stuff only gets detected on the desktop 1-2% of the time?

    in other words, your statistic is from the self-selected sample of things that can already bypass the network defenses and is thus seriously biased.

    never mind the fact that dumping desktop AV in favour of network AV completely ignores the malware that spreads over a different vector than the network, and eliminates entire classes of techniques for uncovering whatever badness might be present.

    Replies
    1. I think he's talking about an ideal world where all attacks are stopped at a network level. We're not there yet.
      If there were no more hacked servers
      If there were powerful updated filters on all servers passing information from one person to the next (be it e-mail or http or whatever)
      If no application had vulnerabilities that would allow hackers to run code on victim machines
      If all switches / routers / wireless APs had proper management to prevent arp hijacking
      And lastly, if all operating systems (though, mentioned earlier in the software bit) included all the _other_ (and the list is long) safeguards not mentioned here

      ...then yes, we wouldn't need desktop antivirus.

      I'd love to know what the author meant by fancying a cloud version. A thin local client powered by the cloud? Because that's a desktop antivirus with just a different engine.

    2. not only are we not in an ideal world where all attacks are stopped at the network level, we aren't even in a world where all attacks traverse the network in the first place.

      that is unless you count sneakernet as part of the network, but i'd like to see a network defense that covers sneakernet and doesn't run on the desktop.

      we had malware problems long before computers became the highly connected devices they are today. to rely on network level defenses is to forget history (and be doomed to repeat it).
