Antivirus software could make your company more vulnerable

Security researchers are worried that critical vulnerabilities in antivirus products are too easy to find and exploit

Page 2 of 2

For the most part antivirus vendors feel that process sandboxing is not applicable to antivirus products because it would hurt performance. Some claim that they are taking other steps, such as reducing privileges, performing routine security assessments, and developing other technologies that might have the same effect as sandboxing.

Symantec is working to reduce the attack surface of its products and services. Its approach, the company said, is to operate its security components at the lowest privilege level possible to reduce the likelihood of a successful attack.

Effectively addressing vulnerabilities is more complicated than using just one technology, according to Kaspersky Lab. The company implements the technologies it believes will provide the best level of protection to customers. For example, it's using machine learning algorithms to leverage the large amount of security intelligence and knowledge that it acquires.

"Despite the perceived simplicity of the 'sandbox' approach, it has a number of serious drawbacks, affecting performance, efficiency and compatibility," said Kaspersky's Zakorzhevsky.

Intel Security/McAfee said that when it learns of a potential issue, it immediately investigates to determine its validity, nature and severity and to develop a fix.

No one is arguing that antivirus vendors are not fixing flaws fast enough when they are found. In fact, some of them have impressive response times and their products are configured to automatically update themselves by default. The problem is the number and type of flaws that exist in such products in the first place.

Symantec and Intel Security declined to address more specific questions about sandboxing, the likelihood of attacks against antivirus products, the effectiveness of such products in detecting targeted attacks, or other criticism raised by security researchers.

Antivirus vendor Bitdefender said that a sandbox similar to the one provided by Google wouldn't be a viable engineering solution for a security product. "An antimalware solution would have to intercept and sandbox thousands of system events a second, which would bring a dramatic performance impact to the system and which might be greater than what the operating system vendor tolerates."

The company claims that most of its products' components such as the antimalware engine and the Active Threat Control subsystem already run with the privileges of the logged-in user, and that it's using brokering processes to limit the number of components running with system privileges, even in the consumer products.

On the business side, the company developed a solution called Gravity Zone that allows administrators to run the scanning service on a different machine on the network instead of on the endpoint. It also recently introduced HVMI (Hypervisor-based Memory Introspection) technology, which isolates the antimalware solution completely by deploying it in a Type 1 hypervisor outside of the operating system.

"This kind of isolation separates the antimalware engines from rootkits or exploits running in the user environment," the company said.

Avast did not respond to repeated requests for comment, while Malwarebytes, AVG and ESET declined to comment for this story or failed to send any responses before publication despite being given ample time.

Risk vs reward

The large and easy-to-exploit attack surface introduced by antivirus products, combined with the likelihood of targeted attacks, raises the question of whether it's even worth installing such programs in some enterprise environments.

Some researchers doubt the effectiveness of endpoint antivirus products when faced with sophisticated and carefully engineered malware programs like those used by cyberespionage groups. Their view is that there's little reward compared to the risk, especially for organizations from industries that are commonly targeted by such attackers.

"Antivirus products can only be used, from my viewpoint, as protection tools for rather small companies and home users," Koret said. Antivirus products cannot detect what is unknown, regardless of what they advertise, and evading antivirus detection is trivial and something that most malware developers test before releasing their malicious code, he said.

Ollmann, who has been a long-time critic of endpoint antivirus products, believes that the security protections increasingly built into operating systems will eventually render such programs obsolete.

In fact, even now, some antivirus vendors have to subvert built-in OS security mechanisms in order to get their products to work as they want, which further exposes those systems to compromise, he said.

An example of such subversion came recently, when Israeli data exfiltration prevention company enSilo reported a vulnerability in products from Intel Security, Kaspersky Lab and AVG that had the effect of disabling OS-based anti-exploitation defenses for other applications.

These antivirus products allocated a memory page with read, write and execute permissions to user-mode processes belonging to other applications like Adobe Reader and Web browsers, the enSilo researchers explained in a blog post. This could have helped attackers to defeat Windows exploit mitigations such as address space layout randomization (ASLR) and data execution prevention (DEP) for those third-party applications, making it much easier for attackers to exploit any vulnerabilities found in them.
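The condition enSilo describes, a single page that is readable, writable and executable at once, is something a defender can look for directly in a process's memory map. The script below is an added example written for this article, not code from enSilo or any of the vendors named. It parses Linux `/proc/<pid>/maps` style lines (a constructed sample is embedded, including one anonymous RWX mapping) and reports every region whose protection is `rwx`; on Windows the analogous check walks the address space with `VirtualQueryEx` and flags regions marked `PAGE_EXECUTE_READWRITE`.

```python
"""Flag RWX memory regions in a process memory map.

Added example, not code from the article or from enSilo. A region that is
readable, writable and executable at once lets code be written and run in
place, which is exactly what DEP is meant to prevent. Anonymous RWX regions
(no backing file) are the ones worth triaging first; JIT engines create them
legitimately, so this is a detection aid, not an automatic block.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous mappings

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_rwx(self) -> bool:
        # perms look like "rwxp"; the fourth char is private/shared, not a right
        return self.perms[:3] == "rwx"


def parse_maps(text: str) -> list[Region]:
    """Parse maps-format text into Region objects; raise on malformed lines."""
    regions: list[Region] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(
            Region(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip())
        )
    return regions


def find_rwx(regions: list[Region]) -> list[Region]:
    """Return only the regions that are readable, writable and executable."""
    return [r for r in regions if r.is_rwx]


def describe(region: Region) -> str:
    """Human-readable one-liner for a flagged region."""
    backing = region.path or "<anonymous>"
    return f"RWX {region.start:#x}-{region.end:#x} ({region.size} bytes) {backing}"


# Constructed sample: a document reader with normal text/data segments plus one
# anonymous 4 KiB RWX page of the kind the enSilo report describes.
SAMPLE_MAPS = """\
55d2c1a00000-55d2c1a01000 r--p 00000000 08:01 1311 /usr/bin/reader
55d2c1a01000-55d2c1a20000 r-xp 00001000 08:01 1311 /usr/bin/reader
55d2c1a20000-55d2c1a30000 rw-p 00020000 08:01 1311 /usr/bin/reader
7f3a10000000-7f3a10001000 rwxp 00000000 00:00 0
7f3a20000000-7f3a20100000 rw-p 00000000 00:00 0 [heap]
7ffd4c000000-7ffd4c021000 rw-p 00000000 00:00 0 [stack]
"""


def audit(text: str) -> list[str]:
    """Parse a maps dump and return one description per RWX region found."""
    return [describe(r) for r in find_rwx(parse_maps(text))]


if __name__ == "__main__":
    for line in audit(SAMPLE_MAPS):
        print(line)
```

On a live Linux host the same `audit` function can be fed the contents of `/proc/<pid>/maps` for each process of interest; a region that is both anonymous and RWX in a process that has no JIT is the finding to investigate.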

Eiram wouldn't go so far as to say that antivirus products have no place anymore. He agrees that many users, both at home and within corporate environments, still need to be protected from their own actions, like downloading risky software or clicking on malicious links.

Endpoint antivirus programs help reduce such basic threats. But does that outweigh the risk of a possible attack against the antivirus product itself? It depends on how likely those threats are to occur and the overall security of the antivirus product installed, he said.

People should carefully consider what security software is fit for their environment and especially which features they really need enabled. Antivirus buyers should check the security track record of the vendors they choose and look at how fast they deal with vulnerabilities affecting their products, as well as the type and severity of those flaws, Eiram said.

"People shouldn't just blindly install security software because they think it makes them safer," he said. "That may not be the case."

"We can never underestimate the pace at which the sophistication of malware is being advanced," Kaspersky's Zakorzhevsky said. "At the same time we can’t agree with the argument that antivirus is ineffective. Before a comprehensive strategy can be developed to detect sophisticated threats and targeted attacks aiming at businesses, generic malware must already be filtered and blocked."

A multi-layered strategy that combines traditional antivirus software with next-generation protection tools, intelligence sharing, security services, training of IT professionals and routine security assessments applied to software, hardware and applications is the only approach that reduces the risk of corporate and personal data being compromised, he said.

Bitdefender admits that there are cases when antivirus products miss malware samples, but considers them isolated incidents that account for under one percent of all threats.

"So this ultimately boils down to filtering the bulk of opportunistic attacks -- which are based on known vulnerabilities or variants of known malware -- and then complementing the antimalware solution with security awareness programs, for instance," the company said.

One technology that could either complement or replace antivirus programs entirely in high-risk environments is application whitelisting, which only allows pre-approved applications to run on a computer. The U.S. National Institute of Standards and Technology recently encouraged the use of such protection mechanisms, which are available in some operating systems by default, and even released a guide with recommended practices.
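To make the allowlisting idea concrete, here is an added example (not from NIST's guide or from any vendor on this page) that evaluates a small policy against a constructed set of executables. It contrasts two rule kinds, a directory-prefix rule and a SHA-256 hash rule, and shows why hash rules are the stricter control: an unapproved binary dropped into an approved directory passes the path rule but is denied by the hash rule. File paths, contents and hashes are all constructed for the example.

```python
"""Minimal application allowlist evaluator.

Added example, not the article's or NIST's code. Two rule kinds are shown:
  - "path": allow anything under a directory prefix (weak: attacker-writable dirs)
  - "hash": allow only a file whose SHA-256 matches an approved digest (strict)
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str   # "hash" or "path"
    value: str  # hex SHA-256 digest, or a directory prefix


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes  # constructed stand-in for the file's bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def matches(rule: Rule, exe: Executable) -> bool:
    """True if the rule approves this executable."""
    if rule.kind == "hash":
        return exe.sha256 == rule.value
    if rule.kind == "path":
        prefix = rule.value.rstrip("/") + "/"
        return exe.path.startswith(prefix)
    raise ValueError(f"unknown rule kind: {rule.kind}")


def decide(policy: list[Rule], exe: Executable) -> tuple[str, Rule | None]:
    """Default-deny: the first matching rule allows, otherwise deny."""
    for rule in policy:
        if matches(rule, exe):
            return ("allow", rule)
    return ("deny", None)


def evaluate(policy: list[Rule], executables: list[Executable]) -> dict[str, str]:
    """Map each executable path to its allow/deny decision under the policy."""
    return {exe.path: decide(policy, exe)[0] for exe in executables}


# Constructed executables: one approved editor and one unknown binary that an
# attacker managed to write into the same approved directory.
EDITOR = Executable("/opt/approved/editor", b"approved editor build 1.2 (constructed)")
DROPPER = Executable("/opt/approved/update.tmp", b"unknown binary dropped by attacker (constructed)")
INVENTORY = [EDITOR, DROPPER]

# Path-based policy: trusts a directory. Hash-based policy: trusts one digest,
# recorded at approval time (here computed from the constructed content).
PATH_POLICY = [Rule("path", "/opt/approved")]
HASH_POLICY = [Rule("hash", EDITOR.sha256)]


if __name__ == "__main__":
    print("path policy:", evaluate(PATH_POLICY, INVENTORY))
    print("hash policy:", evaluate(HASH_POLICY, INVENTORY))
```

The path policy allows both files, which is the failure mode of trusting a location rather than a binary; the hash policy allows only the approved editor. Real deployments mix rule kinds (publisher signature, hash, path) and pay for hash rules with an update burden, since every approved patch produces a new digest.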

Network perimeter protection is also important in defending corporate environments both from outside and inside threats, like data exfiltration attempts. However, users should not assume that network-level security appliances don't have vulnerabilities. In fact, security researchers have found a large number of flaws in these products as well over the years, and exploits for them are also being sold on the unregulated exploit market.
