Re: AntiVirus
From: Anders Pettersson (anders.pettersson@avitec.se)
Date: 08/15/02
- Previous message: Cheryl Goh: "Re: AntiVirus"
- In reply to: Shaolin Tiger: "Re: AntiVirus"
- Next in thread: Cheryl Goh: "Re: AntiVirus"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Shaolin Tiger" <shaolin@shaolin-tiger.com>
From: Anders Pettersson <anders.pettersson@avitec.se>
Date: 15 Aug 2002 17:22:55 +0200
"Shaolin Tiger" <shaolin@shaolin-tiger.com> writes:
> Everyone is talking like you should only have one AV vendor's package
> on your machine, which is of course complete rubbish.
More is usually better security-wise, and also in this case.
> If you don't have a few then something is going to get through.
Something is almost guaranteed to get through anyway. Most of the big
anti-virus makers do co-operate when it comes to catching, analyzing and
implementing signatures for newly discovered viruses.
> "No single anti-virus product catches a comprehensive range of email
> viruses and malware within a variety of compressed and uncompressed
> file formats.
>
> That's the conclusion of a study analysing the results of research
> by five leading anti-virus testing laboratories from security firm
> GFI which reveals various (we'd say minor) shortcomings in popular
> AV products.
>
> GFI looked at results on tests on AV tools from Trend Micro,
> Symantec (Norton), McAfee, Norman, and Softwin by five impartial
> anti-virus testing laboratories (ICSA Labs, West Coast Labs, Virus
> Bulletin, AV-Test.org, and Virus TestCenter).
F-Secure implements a strategy where they use more than one scanning
engine in their product, which seems to me a good strategy.
> In GFI's analysis, particular attention was paid to overall virus
> detection rates, the ability of AV tools to scan through compressed
> and embedded files, and their coverage of non-virus malware.
I wish they would start detecting and removing spyware and the like as
well.
> Each product showed strengths in different areas, GFI concluded, so
> combining the capabilities of two or more products would let
> organisations make up for deficiencies in any single product.
>
> Of course, this reasoning applies only if the products lack similar
> shortcomings and fails to take into account that the most pressing
> problem for most companies is dealing with either newly-created
> fast-spreading worms (like Nimda) or the steady trickle of old
> favourites, like SirCam and Klez.
>
> In the case of the former, best practice is moving towards filtering
> out suspicious emails at the gateway and/or employing heuristic
> detection/blocking at the ISP level.
>
> For viruses like SirCam, all antivirus software detects such bugs
> anyway and it becomes a problem of ensuring AV software is up to
> date. The reason viruses like Klez continue to spread is largely due
> to a complete absence of protection by consumers (mainly) rather
> than deficiencies in AV software as such.
There are a lot of people at home who have bought their computer with
some kind of virus protection on it, but since they bought it they
have not updated their signature files. I also have examples at
companies where they have not updated their signature files for
several months, more than a year in one case.
> That's not to knock GFI's study completely - it does show up
> shortcomings in the ability of anti-virus tools to look within some
> uncommon file compression types for malware.
I also think they should have checked out F-Protect and F-Secure, both
of which employ multiple scanning engines for the same reason that it is
suggested to use more than one product.
The problem as I see it (and have experienced) with having multiple
virus scanners employed is one of network efficiency, especially on
networks where people sometimes copy a number of files from one
network location to another. On the Windows boxen a "gatekeeper" kind
of antivirus often means a rather great slowdown in the speed with
which a file can be sent over the network. A simple test I performed
with the gatekeeper function on and off showed about a 20% increase
in overhead time alone. This will of course increase with more such
functions installed, and it is also a question of keeping the virus
scanners up to date, the number of clients that have to be installed on
client machines and so on.
I usually use login scripts in Windows to deploy AV software on
desktops and laptops when the user authenticates with the domain
controller, and the sheer login time can be rather long if they decide
to update their signatures when you log on to the network.
As always it is a tradeoff between security and functionality, and a
middle way is probably what most people want.
Many viruses today rely more or less on a kind of social engineering
where they try to fool users into starting them by using different
techniques to fool the user. The best way IMHO is to constantly
educate your users to be aware of the problems with attachments,
and to try to stay away from the most heavily attacked software such
as Outlook (Express), Internet Explorer and so on. This is not always
easy though and sometimes even impossible, but I kind of look at the
virus scanner as the last line of defence, not the first.
> Using a battery of different scanning engines would be preferable
> but we question whether deploying products with single products with
> multiple scanning engines, such as GFI MailSecurity for
> Exchange/SMTP, is as important as the Maltese firm makes out. You
> can make up your own mind by reading GFI's White Paper."
> http://www.gfi.com/mailsecurity/wpmultiplevirusengines.htm
Thanks for the thoughts and link.
-- 
Anders Pettersson
AVITEC AB
http://www.avitec.se/