Schuyler Dorsey, Network Security Consultant
Back in May, Symantec declared antivirus was dead. In the same announcement, they declared their software was less than 50% effective against today’s malware. These revelations caused quite a stir and confusion in the IT community. Some outlets took this to mean antivirus was dead in the sense it was no longer needed. This is certainly not the case and after a recent surge in Game Over Zeus attacks, it is a good time to explore the problems with today’s malware strategies.
Many companies rely on traditional antivirus (AV) suites as their primary or sole form of protection against these threats. Once a new virus is created, traditional AV will provide little to no protection against the new virus until a signature is created. For a signature to be created, the AV vendor has to become aware of the new threat, obtain a copy of the virus, study and reverse engineer the virus, create a signature which blocks the virus and update their software with logic on how to remove the virus if it is found.
File-based malware protection is often based on a specific pattern of bytes in the file. Once AV has an updated signature to actively block the malware based on those bytes, evil-doers can use updated AV software to determine the exact string of bytes the AV is using as its signature. They can often alter as little as one byte in their virus and the AV will no longer detect it, as the pattern of bytes is different.
What Symantec was truly hinting at was that the use of antivirus as a primary/sole form of malware prevention is dead. We can no longer rely solely on antivirus and must take a layered approach. Two of the most common strategies are next-generation firewalls (NGFW) and advanced malware protection (AMP) solutions.
NGFWs give a company more visibility into their network. They no longer only control traffic based on IP/port but can control based on specific applications as well. The same devices often come with intrusion prevention and antivirus scanning subscriptions to add an additional layer of security to the perimeter.
Advanced malware protection (AMP) products were a direct reaction to the signature problem of AV solutions and targeted attacks. AMP solutions will monitor all files traversing the perimeter and run them in a sandboxed Windows virtual machine. If the behavior of the file is malicious, it will add the hash of the file to its block list and update all devices with the AMP subscription worldwide.
Once NGFWs and AMP devices are added to a company’s network in conjunction with active AV solutions, they have taken a more layered approach to malware defense and have a much better chance of preventing malware infection and more effectively removing an infection from the network.
The Next Step
Keller Schroeder partners with Cisco and Palo Alto Networks which can bring these enhanced layers of protection to networks. Cisco recently acquired Sourcefire to enhance their NGFW line and Palo Alto Networks recently acquired Cyvera to add endpoint security to their portfolio.
Contact your Account Manager at Keller Schroeder for more information about these products and how they might benefit your organization.