Why Is It That Many AV Vendors Simply Don't Get It?
It’s not hard. So why?
An associate pinged me with a link to The Future of AntiVirus, an article which mentions the AntiVirus Is Dead paper that I wrote for Bit9, and then quotes various people on the topic of the inevitable demise of AV.
It’s fair to say that my AVID campaign has been successful, not just in putting the cat amongst the pigeons, but in getting people to think more intelligently about IT security. So why is it that many AV vendors simply don’t get it? Symantec and Kaspersky do, by the way, and they are evolving their products accordingly, but if the above article is to be believed, BitDefender is pretty much bottom of the class on this. (To understand what follows you may need to read some of the AVID articles, by the way, because I’m assuming you have.)
Here’s a comment from BitDefender, drawn from the article.
Antivirus firms think their death is greatly exaggerated, thank you very much, even those that aren’t overly reliant on signatures, like BitDefender, which says that signature-based techniques account for only 20 percent of the malware it catches.
“Signatures aren’t dead; you need them,” says Bogdan Dumitru, chief technology officer of the Romanian firm, which uses behavioral targeting techniques to stop the remainder of attacks.
I’m sorry Bogdan, but you’re blowing yourself to bits with your own words. If signatures only stop 20 percent of viruses, why use them at all? Are you suggesting that the 20 percent that signatures stop (and by the way that’s a horribly low figure) will not be stopped by behavioral techniques? If that’s so, your behavioral techniques are horribly flawed. And if it isn’t so, there’s no point in using signatures as a blocking technique. QED.
Fess up, Bogdan, you’ve got it completely upside-down and back-to-front. Behavioural techniques are a natural component of a whitelisting solution, the purpose of which is to recognize potential malware from its behavior, while it runs in a sandbox. A sandbox is and always has been a component of a whitelisting solution to deal with the software that is not “known to be good”. You’re doing it all backwards by adding behavioral techniques to AV signatures – which is a fundamentally wrong idea and doesn’t work, as we all now know.
In order to manage a sandbox properly, you’ll have to manage all the “permissions to execute” of all the software within the OS. But in order to do that, in a bullet-proof way, you’ll need to be able to recognise everything in the OS and know what it does. In other words, you’ll have to be managing a whitelist.
A further statement about BitDefender in the article fills me with fear (for BitDefender’s customers).
Its main research focus is to develop an “undo” feature that will let users hit by malware reverse its effects. BitDefender hopes to release this feature in 2008.
I’ll bet the hackers are rubbing their hands. This is not just a crock of an idea. It needs to be stopped. Please, nobody buy this. It’s worse than dangerous. Here’s why:
When you have been infected by malware, you cannot know or prove exactly what happened and what has been impacted (unless you are running whitelisting, in which case you’ll know if anything has been messed with when it runs). If I were a hacker I’d deliberately use BitDefender’s idiot cleansing product – assuming you were fool enough to use it – to get in under your radar. I’d write a virus and add a module that hid the piece of logic I want to use somewhere (perhaps as a rootkit in an invisible account); then, having executed that code and planted it, I’d delete all traces of it from the virus. The cleansing product comes along, thinks it recognizes the virus and thus thinks it’s cleaned it up when it removes it. Now I’ve got you and you think you’re clean.
BitDefender has the idea that in some way it can know what a virus did. It can’t. The reverse engineering of software is hard enough anyway, but the reverse engineering of software that knows it’s going to get reverse engineered is fraught with peril and ultimately doomed to failure.
Apply whitelisting and the problem is solved, by the way.
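To make concrete what “known to be good” means in the two paragraphs above (the sandbox argument and the point that whitelisting tells you when something has been messed with), here is an added example of an execution allowlist check. It is illustrative code written for this page, not the author’s, Bit9’s or any vendor’s product; the manifest, the file names and the binaries’ contents are all constructed, and the assumption is that the enforcement point is handed a path immediately before execution is permitted.

```python
import hashlib
import os
import tempfile

# Constructed sample binaries standing in for real executables (assumption:
# the enforcement point is handed a path just before execution is permitted).
KNOWN_GOOD = {
    "app.bin": b"MZ\x90\x00 constructed approved application image",
    "libhelper.bin": b"MZ\x90\x00 constructed approved helper library",
}

# The whitelist itself: relative path -> SHA-256 of the approved contents.
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in KNOWN_GOOD.items()}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(name: str, path: str, manifest: dict) -> str:
    """Classify a candidate executable against the whitelist.

    'allow'    - whitelisted path whose contents match the approved hash
    'tampered' - whitelisted path whose contents no longer match (modified or replaced)
    'unknown'  - not on the whitelist at all: route to the sandbox, never run natively
    """
    expected = manifest.get(name)
    if expected is None:
        return "unknown"
    return "allow" if sha256_of(path) == expected else "tampered"


def run_demo() -> dict:
    """Lay out a constructed directory with one intact, one modified and one unknown file."""
    root = tempfile.mkdtemp(prefix="allowlist-demo-")
    samples = {
        "app.bin": KNOWN_GOOD["app.bin"],                        # untouched: allowed
        "libhelper.bin": KNOWN_GOOD["libhelper.bin"] + b"\x90",  # one byte appended: tampered
        "dropper.bin": b"MZ\x90\x00 constructed unrecognised binary",  # never approved: unknown
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return {name: decide(name, os.path.join(root, name), MANIFEST) for name in samples}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

The three verdicts are the whole point: a whitelist does not need to know what an unknown binary does, only that it is not approved, and a whitelisted file that has been altered after the fact shows up as “tampered” the moment it tries to run, which is exactly the evidence a post-infection “undo” feature cannot produce.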
Another quote worth commenting on in the article is from David Harley, administrator of Avien, the antivirus information exchange network (I wonder if he might have an axe to grind). He says:
“Whitelisting does seem to be advocated currently as the panacea du jour. I think this relentless search for The Answer, discarding one partially successful solution set for something else in the hope that it will eliminate the problem, is actually unprofessional.”
I like the spin here. “Partially successful solution”? A chocolate teapot is a partially successful solution.