Euro Security Watch with Mathew J. Schwartz

Anti-Virus: Applied Incorrectly?

Poor Practices Create a False Sense of Security

Is your organization running its anti-malware defenses properly? Are you sure?


Here's a new reason to check: A study of 4,000 clients of one security company found that 15 percent of Windows PCs were running anti-virus software with outdated definitions, while 0.7 percent of systems had a "persistent threat" - a.k.a. rootkit, bootkit, or similar type of malware nastiness - that had been detected but which the anti-virus engine could not fully scrub.

The study from IT infrastructure management vendor OPSWAT also found that 91 percent of all surveyed devices had not run a full system scan via their anti-virus software in the past seven days. Such scans can help spot malware that may have infected a system before the anti-virus engine received a related signature that was designed to block it.

Benny Czarny, CEO of OPSWAT, tells me that anti-virus signatures were counted as being "outdated" if they hadn't been updated for three days. But he admits that's a very conservative definition, and most IT administrators will demand much more frequent signature updates. Indeed, every second counts if criminals are launching zero-day attacks to compromise as many systems as possible before updated anti-virus signatures get distributed. Delaying signature updates only helps attackers, who by the way are already expert at using phishing attacks to trick users into opening malware or visiting malicious sites. Both the Anthem and Sony Pictures Entertainment breaches, for example, are thought to have begun with phishing attacks.

This new study of 4,000 organizations in the United States, Netherlands and Brazil carries some caveats: It only included OPSWAT customers, and it didn't break out users of corporate-issued devices versus BYOD and consumer device owners.

Thus, it's not clear how many corporate or BYOD users touch the 3.3 percent of systems that OPSWAT found running one or more potentially unwanted applications - which covers the gray area between "known good" and "obviously malicious." These applications or supposed utilities "may not be considered a true virus or a true Trojan, however they do compromise the security or privacy of a user," Czarny says, and can include everything from "free toolbars" and file-sharing tools to IM apps, rogue security software or adware.

Real-Time Protection

One potential defense against malware, rootkits and some types of misbehaving "gray-ware" is to use the "real-time protection" features now built into many, but not all, anti-virus engines. These grab new signatures as quickly as possible; watch devices for signs of suspicious behavior that may indicate a device has become infected by malware; and block known-bad and suspicious URLs that might harbor a malicious executable or launch drive-by download attacks at users' browsers.

But OPSWAT found that not all users enable real-time protection features when they're available. And that's a big problem, because those features help defend systems against malware for which no signature is yet available.

While the study found widespread use of such functionality - by up to 98 percent of users for Symantec, McAfee, Norton, Microsoft, Comodo and consumer-focused Avira products - it found slightly less uptake in some other products that offer the feature. Czarny theorizes that's because some products have implemented real-time protection in an easier-to-use - and more effective - fashion than others. Memo to all anti-virus vendors: If you're not paying attention to your user interface and ease of use, it's time to start.
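The checks the study describes (signatures not updated for three days, no full scan in the past seven days, a detected-but-unremoved persistent threat, and real-time protection left off) can be applied to your own endpoint inventory. The following is an added example written for this column, not OPSWAT's tooling; it assumes a CSV export with the constructed column names shown, since every anti-virus console exports these fields differently.

```python
"""Audit an anti-virus inventory export against the thresholds used in the
OPSWAT study: signatures older than 3 days are outdated, a full scan older
than 7 days is stale, real-time protection must be on, and a threat that was
detected but not removed counts as a persistent threat."""
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

SIG_MAX_AGE = timedelta(days=3)    # OPSWAT's "outdated" threshold
SCAN_MAX_AGE = timedelta(days=7)   # "no full scan in the past seven days"

# Constructed sample export (hypothetical hosts and column names).
INVENTORY_CSV = """host,sig_updated,last_full_scan,realtime,threat_state
ws-01,2015-03-08T09:00:00Z,2015-03-05T02:00:00Z,on,clean
ws-02,2015-03-02T09:00:00Z,2015-02-20T02:00:00Z,on,clean
ws-03,2015-03-08T09:00:00Z,2015-03-07T02:00:00Z,off,clean
ws-04,2015-03-08T09:00:00Z,2015-03-06T02:00:00Z,on,detected_not_removed
"""
# Constructed reference time so the sample audit is reproducible offline.
AUDIT_TIME = datetime(2015, 3, 9, 12, 0, tzinfo=timezone.utc)

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_host(row, now):
    """Return the list of findings for one inventory row (empty means OK)."""
    findings = []
    if now - _parse(row["sig_updated"]) > SIG_MAX_AGE:
        findings.append("outdated_signatures")
    if now - _parse(row["last_full_scan"]) > SCAN_MAX_AGE:
        findings.append("no_recent_full_scan")
    if row["realtime"].strip().lower() != "on":
        findings.append("realtime_protection_off")
    if row["threat_state"] == "detected_not_removed":
        findings.append("persistent_threat")
    return findings

def audit_inventory(csv_text, now):
    """Audit every row; return per-host findings and fleet-wide percentages."""
    rows = list(csv.DictReader(StringIO(csv_text)))
    per_host = {r["host"]: audit_host(r, now) for r in rows}
    counts = {}
    for findings in per_host.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    pct = {f: round(100.0 * n / len(rows), 1) for f, n in counts.items()}
    return per_host, pct

if __name__ == "__main__":
    hosts, pct = audit_inventory(INVENTORY_CSV, AUDIT_TIME)
    for host, findings in hosts.items():
        print(host, ", ".join(findings) or "ok")
    print(pct)
```

Feed it a real export with `now=datetime.now(timezone.utc)` and the percentages become the same figures the study reports, for your own fleet.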

Anti-Virus: Not Enough

Thankfully, those who avoid running regular full-disk scans aren't sitting ducks - provided they're using anti-virus with real-time protection. "You've got the real-time scan anyway, so as a particular file gets opened - and so on and so forth - that would be scanned," Raj Samani, vice president and the chief technology officer for Europe, the Middle East and Africa for anti-virus vendor Intel Security - formerly known as McAfee - tells me.

But safeguarding PCs today requires much more than up-to-date anti-virus definitions, warns Samani. In particular, he advocates that businesses deploy on all endpoints anti-spam tools, host-based firewalls and full-disk encryption, which he characterizes as being "a must-have for pretty much any device that you walk out of the front door with."

Such advice, together with keeping anti-virus definitions up to date, would seem to state the obvious. But given the nonstop pace of data breaches - many involving lost or stolen devices containing unencrypted data - it's time for businesses to make sure these essential information security tools are not only in place, but that they're being correctly configured and used. Don't do would-be attackers any favors.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
