Times are a-changing. Once upon a time your security was all about a decent firewall and some anti-virus and you were good to go. Yeah, not so much any more. Signature-based anti-virus, as a tool to protect you from infection, is pretty much useless in this day and age. Why? Because hackers, and the techniques they use to infect you, have evolved.
Back in the day, if you spotted a new bit of malware you could create a signature, essentially a SHA1 hash of the file, that would allow you to detect the malware and block the infection. The challenge nowadays is that the hackers have a tool called a FUD crypter, which will encrypt the malware, changing its signature and making it "Fully Undetectable", or FUD.
What this means in practice is that there are more than 200,000 new malware samples detected every day. When I say new, I mean many different versions of the same malware, each with a different signature. The AV vendors detected more malware in 2014 than in the whole previous history of computing. Signature-based anti-virus just can't keep up.
It is not the end of the world, however. The AV vendors are responding by changing how they work, moving away from signatures towards detecting the behaviour of malware: what it does rather than what it looks like. Of course, "what it does" is limited only by the imagination of the hacker that created it, so this approach is not foolproof.
For commercial organisations there are extra options. New solutions are coming to the market that allow organisations to intercept new files entering the organisation, whether via email attachments, downloaded from the Internet or copied from USB storage. Once intercepted, these files are executed in a sandbox environment, which is basically an operating system that mimics your work environment, with the same applications, OS versions and patches applied. The execution is monitored to see exactly what the newly installed application is doing. Each behaviour is given a risk rating; for example, if the application starts to download other files from the Internet, or communicates with known bad IPs or domains, then it is assigned a high risk rating.
Administrators get to choose the risk ratings that they are happy to allow into the organisation, and therefore what can and can't be installed. The market leader in this space is the vendor that has made the most noise, FireEye.
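To make the two approaches concrete, here is a small added example (my own illustration, not code from any of the vendors mentioned) of a hash-based signature check next to a sandbox-style risk rating. The weights, the "bad domain" and the sample byte strings are constructed placeholders; nothing here is real malware.

```python
import hashlib

# Constructed stand-ins for two files: the original, and the same thing
# repacked with one extra byte. Behaviour identical, hash different.
KNOWN_BAD = b"constructed-sample-v1"
REPACKED = KNOWN_BAD + b"\x00"

# A signature database keyed by SHA1, as described in the post.
SIGNATURES = {hashlib.sha1(KNOWN_BAD).hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Hash-based detection: only an exact byte-for-byte match fires."""
    return hashlib.sha1(sample).hexdigest() in SIGNATURES

# Assumed threat-intel feed of known bad domains (placeholder value).
BAD_DOMAINS = {"bad.example"}

# Assumed per-behaviour weights; the post only says "high" for the first two.
RISK_WEIGHTS = {
    "download": 40,      # fetches additional files from the Internet
    "connect_bad": 60,   # talks to a known bad IP or domain
    "connect": 5,        # ordinary network connection
    "write_file": 5,     # writes a file to disk
}

def risk_rating(events) -> int:
    """Behaviour-based rating: score what the sample did in the sandbox, capped at 100."""
    score = 0
    for kind, detail in events:
        # Promote an ordinary connection to a high-risk one if the peer is known bad.
        if kind == "connect" and detail in BAD_DOMAINS:
            kind = "connect_bad"
        score += RISK_WEIGHTS.get(kind, 0)
    return min(score, 100)

def allowed(events, threshold: int) -> bool:
    """Admin-chosen threshold: anything rated at or above it is blocked."""
    return risk_rating(events) < threshold

if __name__ == "__main__":
    # Constructed sandbox observations for the repacked sample.
    observed = [("download", "http://bad.example/stage2"),
                ("connect", "bad.example"),
                ("write_file", "C:\\Temp\\stage2.exe")]
    print("signature match on repacked file:", signature_match(REPACKED))
    print("behaviour rating of repacked file:", risk_rating(observed))
```

The repacked file slips past the hash check entirely but scores the maximum on behaviour, which is exactly the gap the sandbox products are trying to close.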
But the technology that is considered the strongest solution within the malware analysis community is a product from Trend Micro called Deep Discovery. It has the advantage that it uses the Trend Micro AV database to scan all files first, filtering out the stuff that is already known to be bad, so you only have to sandbox the unknown stuff. While this does not seem like a big deal, when you are a large organisation receiving thousands of files an hour, being able to reduce the number of sandboxed files to a manageable number certainly helps with the ability to scale.
The other advantage of the Trend Micro solution is that once you have discovered a new threat via the sandbox you can bundle it into a new signature and push it out to your Trend AV install, giving you instant protection across the enterprise.
There are a few start-ups trying to do the same for consumers, but most of them are at early stages. Here's hoping they bring something decent to market soon, because I can't afford the many thousands it would cost to buy a FireEye or Trend Micro solution.