Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software, or malware. Malware threats take many forms, including viruses that are carried via infected files, worms that spread autonomously over the network, and humans who use malicious software as agents to remotely control or monitor victims' systems. Many established vendors, such as Symantec, McAfee, Sophos, Trend Micro, and F-Secure, offer products that detect and, in many cases, eradicate malware from the system. This is accomplished by monitoring the local host's boot sector, memory, and file system for signatures of known instances of malware. Another detection mechanism that is often used in conjunction with the database of malware signatures monitors programs for behavior patterns frequently associated with malware. When properly deployed, antivirus software can be effective at helping to establish an in-depth security architecture.
Software for defending hosts against malicious software is called antivirus primarily for historical reasons, even though it protects the system against several categories of malware, including viruses, worms, Trojans, and malicious mobile code. Antivirus software can also detect some forms of spyware, particularly those that use traditional malware mechanisms.
Strengths of Antivirus Software
Antivirus software establishes a significant layer in a reinforced security perimeter. Just like all defense components, antivirus software has its strengths and weaknesses. Some of the core strengths of antivirus software are discussed next.
In addition to protecting individual hosts, antivirus software is effective when integrated with gateways that process network traffic for common application protocols such as SMTP, HTTP, and FTP. Most major antivirus vendors offer specific software products for these protocols that can be quite effective at removing known malware threats from network traffic before they reach individual hosts.
As you can see, malware protection can take place at several different locations on the network. You do not need to limit yourself to any one of these. In fact, it is generally advantageous to perform such scans on individual workstations, as well as on file servers and Internet gateways. If malware is a large concern for your business, consider deploying one vendor's antivirus product on your hosts and another vendor's product on the gateways. This configuration increases the likelihood that a malware specimen will be blocked. Such redundancy can be justified because antivirus software has many significant limitations that impact the design of the security perimeter.
Limitations of Antivirus Software
In most cases, the effectiveness of the antivirus product depends on the extensiveness of its malware signatures. When a major new worm emerges, it typically spreads so rapidly that most organizations are affected by it in a matter of hours, before antivirus vendors have time to analyze the worm and create, test, and distribute signatures. Even when a signature is available, not all companies are capable of automatically distributing the latest signatures to their hosts. As you might recall, we discussed some of the ways of preparing for such incidents at the end of Chapter 1, "Perimeter Security Fundamentals." As one of the measures, be sure to set up your systems to routinely poll the signature distribution server for updates. Most antivirus products allow you to configure the software to automatically download the latest signature database from the vendor's website or FTP site. Enterprise versions of such software allow you to distribute signature updates from your own server within the organization. This approach allows you to centrally monitor infection-related alerts across many systems and allows you to force remote hosts to retrieve the latest updates outside of the routine schedule, especially when you know about a worm outbreak.
Another limitation of current antivirus products focuses on their effectiveness at detecting mutations of known malware specimens. For instance, if you receive an email attachment with a known Trojan, your antivirus software is likely to detect it and display a warning. Unfortunately, it might be sufficient to modify a particular byte in the Trojan's executable using a plain text editor to prevent antivirus software from recognizing it as malicious. If you know what you are doing, this change would not affect the Trojan's core functionality. By modifying the executable in a relatively trivial manner, you might alter one of the characteristics that antivirus software uses for the Trojan's signature.
Another way of mutating a malware specimen is to use one of the many packers that compress and often encrypt the compiled executable. The encoded version of the executable is self-contained and contains a small decoding routine that is triggered during runtime to extract the original program into memory. For example, another way of mutating the Trojan without changing its functionality would be to use a freely available packer called UPX. When the Trojan's original executable is compressed, its size and content are altered. Antivirus software may no longer recognize the Trojan, and the compression may complicate the analysis of the Trojan's functionality.
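The two mutations described above (a one-byte edit in a hex editor, and repacking the executable) can be demonstrated against a byte-pattern scanner in a few dozen lines. The following Python is an added example, not code from the book or from any antivirus vendor. The "Trojan" is a constructed byte string, the signature is a constructed substring of its banner string, the detection name Trojan.Example.A is hypothetical, and the packer is a crude compress-then-XOR stand-in for a real packer such as UPX (which only compresses) combined with the encryption layer many packers add. The point it shows is the one in the text: a single byte changed outside any code path defeats the signature while the C2 string the Trojan actually uses is untouched, a packed copy offers nothing to match on at all, and only a scanner that recognises the packer and scans the unpacked image gets the detection back.

```python
import zlib

# ---- constructed sample ---------------------------------------------------
# A stand-in for a compiled Trojan. Nothing here is real malware: the
# "code" is a few repeated prologue bytes and the strings are made up.
TROJAN = (
    b"MZ\x90\x00" + bytes(60)                 # fake DOS header, never executed
    + b"\x55\x89\xe5" * 8                     # fake function prologues ("code")
    + b"connect 10.0.0.1:4444\x00"            # hypothetical C2 address the Trojan needs
    + b"Trojan.Example v1.0 by nobody\x00"    # banner string, not used at runtime
)

# ---- the scanner ----------------------------------------------------------
# A pure byte-pattern signature keyed on the banner. The name is hypothetical.
SIGNATURES = {
    "Trojan.Example.A": b"Example v1.0 by nobody",
}


def scan(data: bytes):
    """Return the name of the first signature found in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def c2_address(data: bytes) -> str:
    """Stand-in for 'does the Trojan still work': pull out its C2 string."""
    start = data.index(b"connect ") + len(b"connect ")
    end = data.index(b"\x00", start)
    return data[start:end].decode()


# ---- mutation 1: overwrite one byte, as with a hex editor ----------------
def mutate_one_byte(data: bytes, offset: int, value: int) -> bytes:
    out = bytearray(data)
    out[offset] = value
    return bytes(out)


# ---- mutation 2: a toy packer (zlib compress, then XOR) -------------------
STUB = b"STUB\x01"   # hypothetical marker standing in for the unpacking stub
KEY = 0x5A           # toy "encryption" key, as a packer's decoder would embed


def _xor(data: bytes) -> bytes:
    return bytes(b ^ KEY for b in data)


def pack(data: bytes) -> bytes:
    """Compress and obscure the original image behind the stub marker."""
    return STUB + _xor(zlib.compress(data, 9))


def unpack(packed: bytes) -> bytes:
    """What the stub does at runtime: restore the original image."""
    if not packed.startswith(STUB):
        raise ValueError("not packed with this stub")
    return zlib.decompress(_xor(packed[len(STUB):]))


def scan_with_unpacking(data: bytes):
    """A scanner that recognises the stub and scans the unpacked image."""
    if data.startswith(STUB):
        data = unpack(data)
    return scan(data)


def demo() -> dict:
    # Turn "v1.0" into "v1.1": one byte inside the signature but outside any
    # code path, so the Trojan still works while the signature no longer matches.
    patched = mutate_one_byte(TROJAN, TROJAN.index(b"v1.0") + 3, ord("1"))
    packed = pack(TROJAN)
    return {
        "original": scan(TROJAN),                          # Trojan.Example.A
        "patched": scan(patched),                          # None
        "patched_still_works": c2_address(patched) == c2_address(TROJAN),
        "packed": scan(packed),                            # None
        "packed_unpacked": scan_with_unpacking(packed),    # Trojan.Example.A
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22} {result}")
```

Real engines deal with the packing case the same way in principle: they recognise known packer stubs (or emulate the program until it has unpacked itself) and scan the memory image rather than the file on disk. The one-byte case is why vendors key signatures on code sequences the malware cannot change without breaking, rather than on banner strings, and why behavior-based detection is used alongside them.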
Of course, individuals who possess the source code for malicious software have the luxury of modifying it directly with the specific goal of bypassing signature-matching antivirus engines. Malware mutations are not as effective against behavior-based scanners, but behavior-based techniques are not as accurate at identifying known threats as signature matching.
Polymorphic malware, which changes itself on the fly, is another challenge that antivirus vendors have been working to overcome with a varying degree of success. One of the first mechanisms that facilitated the creation of polymorphic malicious code was created in 1993 under the name Dark Avenger's Mutation Engine (DAME).6 Although modern antivirus products easily uncover the polymorphic tricks DAME performs, other techniques can significantly complicate the detection of malware. The evolution of malicious software is running its course in parallel with advancements in antivirus technologies. Ways to bypass controls enforced by antivirus software will probably always exist.
Antivirus applications, just like any other software, can have vulnerabilities that expose their hosts to attack even as they help to combat malware. This matters more for antivirus than for most software because the scanner runs with high privileges and parses whatever untrusted file it is handed, so a flaw in one of its file-format parsers is reachable by anyone who can get a file scanned. For example, some versions of Norton AntiVirus allowed a remote attacker to perform denial of service (DoS) attacks against hosts (CAN-2004-0487, CAN-2004-0683) by supplying a file containing many compressed directories. There are dozens of CVE entries for antivirus software vulnerabilities, many of which are common flaws that have affected several products.
Despite the limitations, antivirus software remains one of the most effective ways to control the spread of common malware specimens across multiple systems. Many instances of malware are difficult to block using traffic-filtering devices alone because they can enter the network through legitimate network channels, such as email and web browsing, as well as non-network means such as CDs, floppy disks, and flash drives. After malware is inside the organization, it can be programmed to communicate with its author via outbound connections that are often allowed to pass through the firewall unchallenged, whether to announce its presence via SMTP or to retrieve additional instructions through an HTTP request. An attacker can use malware as an agent working inside the targeted network, facilitating further, more directed attacks on internal resources. Host-based firewalls, deployed on systems throughout the network, are another part of an in-depth security architecture that can mitigate some of the risks network-based and host-based antivirus software doesn't cover.