With ransomware attacks hitting the news on an almost daily basis, the question has to be asked – why isn’t antivirus working anymore?
The usual answer doesn’t feel like a satisfactory explanation – standard AV detection works on the decades-old approach of matching activity to a specific signature. When a new strain of malware attacks, there has to be a casualty to begin with – a victim who informs the AV company of what has hit them (if they even know they’ve been hit). Then follows a period between the AV company writing an updated signature to detect the new strain and the endpoints, such as laptops and desktop machines, actually downloading and using it.
And how well do these detections work anyway? Just in the last half of 2016, I’ve seen first-hand a well-known AV product unable to recognise that a malicious Word attachment was in any way nefarious, simply because I had renamed it. Even a manual forced scan of the file didn’t trigger an alert. So what hope does the average user have of not getting hit when they’re relying on such outdated protection?
Well there are new products arriving which take a fresh approach to the issue. Carbon Black, Cylance, and Bromium are all advertising themselves as true next-generation threat detection products. (Yes, the term “next-generation” is being applied to run of the mill AV upgrades from the major players, but these really don’t seem to be making much of a difference).
I’ve had a hands-on test with Bromium, following on from seeing their challenge at Infosec 2016, where they opened their product up to all attackers. The only compromise came from Google’s own super-researcher, Tavis Ormandy, who managed to bypass a slightly older version of the software. In fairness, Bromium openly acknowledged the issue, and paid the prize money to Tavis, who I believe passed it on to charity.
Bromium doesn’t rely on signatures, but on something which I see as being similar to sandboxing, although the company don’t seem to like this term, and usually call it micro-virtualisation. This is similar to standard virtualisation technology in that it creates a separate virtual machine on a Windows box. But these VMs are tiny, and consumed very little resource on the test machines I’ve worked with. Each time a URL is clicked within an email, or an attachment is opened from an untrusted source, a new micro-VM springs up and captures everything that the attachment or web page tries to do. If it asks for access to the registry, or some files on the hard disk, Bromium hands it a dummy version of each, and the malicious code runs as it expects to. However, it never gets hold of any real files, so damage cannot occur and data cannot be stolen.
Once the browsing session is complete, the VM is destroyed along with any downloaded code or hidden processes. Even running a nasty piece of ransomware in the VM has no effect on the actual host computer. The malware thinks it’s encrypting everything in sight, pops up the ransom message asking for x number of bitcoins, but with the click of the X at the top-right corner, it’s all gone.
The centralised reporting allows IT departments to understand which malware has come into the business, from where, and also allows specific actions to be enforced for each scenario. All of this occurs while allowing users to get on with their roles.
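As an added illustration of the per-document isolation and central reporting described above (this is a simplified copy-on-write model written for this page, not Bromium’s code, which uses hardware virtualisation; the host state and the payload are constructed):

```python
import hashlib
from dataclasses import dataclass, field

# Constructed host state standing in for the real disk and registry.
HOST_FILES = {"C:/Users/alice/report.docx": b"quarterly numbers",
              "C:/Users/alice/photo.jpg": b"\xff\xd8 jpeg bytes"}
RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"
HOST_REGISTRY = {RUN_KEY: {}}

@dataclass
class MicroVM:
    """Per-document isolation modelled as a copy-on-write overlay (assumption:
    a simplified stand-in for hardware micro-virtualisation). Reads fall
    through to host copies; writes only ever land in the overlay."""
    host_files: dict
    host_registry: dict
    overlay_files: dict = field(default_factory=dict)
    overlay_registry: dict = field(default_factory=dict)
    activity: list = field(default_factory=list)   # feeds the central report

    def list_files(self):
        return sorted(set(self.host_files) | set(self.overlay_files))

    def read_file(self, path):
        self.activity.append(("read", path))
        return self.overlay_files.get(path, self.host_files.get(path))

    def write_file(self, path, data):
        self.activity.append(("write", path))
        self.overlay_files[path] = data          # the host dict is never touched

    def set_registry_value(self, key, name, value):
        self.activity.append(("registry", f"{key}/{name}"))
        self.overlay_registry.setdefault(key, {})[name] = value

def simulated_payload(vm):
    """Constructed stand-in for a document that 'encrypts' what it sees and
    adds a Run key; sha256 replaces real encryption and the path is made up."""
    for path in vm.list_files():
        vm.write_file(path + ".locked", hashlib.sha256(vm.read_file(path)).digest())
        vm.write_file(path, b"")
    vm.set_registry_value(RUN_KEY, "updater", "C:/Temp/payload.exe")

def open_untrusted_document(host_files, host_registry, payload):
    """Spin up a micro-VM, run the document inside it, keep only the activity
    log for reporting, then discard the VM and everything the payload wrote."""
    vm = MicroVM(host_files, host_registry)
    payload(vm)
    report = list(vm.activity)
    del vm                                       # closing the window drops the overlay
    return report
```

The returned report is what a central console would show (which files were read and overwritten, which registry key was set), while the host dictionaries come back unchanged.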
This method of working is particularly useful for staff, such as members of the IT department itself, who may have less restrictions on their internet access due to their roles. They can “freely” browse the internet, while the security team can ensure that any links they click on, or whitepapers they download are much less likely to cause impact.
The only downside with the product is that it’s not available for companies with fewer than 250 endpoints, which means that the SME sector is still going to have to look somewhere else. As it’s not technically an antivirus product, your business may still need to run something such as Microsoft’s free Defender software alongside the Bromium client in order to achieve compliance with various standards.
Other products which are taking a newer approach include Comodo’s next-gen offering. The sandbox technology has the same ultimate goal – to restrict files from carrying out actions that could affect the integrity of the host machine. The sandboxing action can be seen in the following video.
While it doesn’t seem quite as slick as Bromium’s offering, it still has an advantage over the old-style antivirus that comes bundled as standard with many PCs. Configuring the whitelists on which the program bases its initial sandboxing decisions may be too time-consuming for many sys-admins to deal with.
So there’s light at the end of the tunnel. It won’t be long before the other major vendors have to catch up in the same way, and consign signature-based detection to the history books. In the meantime, it’s necessary to fully research any next-gen product you are considering, as there are big claims being made by some of the vendors without the real-world data to back them up. Make sure any comparisons you run against older AV technology are configured according to your own AV standards, and not just as the next-gen sales people configure them. There have been instances where this lack of an unbiased setup has allowed certain next-gen AV manufacturers to make their results appear better than real-world testing would prove.