Antimalware software long ago evolved into more than simple signature-based email antivirus protection, which is...
ineffective against today's dynamic, polymorphic threats.
The best defense is to prevent a successful attack in the first place, which is the charter of antimalware software
Malicious software, or malware, is the main avenue for almost everything bad that happens on a computing device. Aside from losing a device, user error or negligence, almost all breaches can be traced back to malware. Complicating matters, we've seen rapid innovation on the breadth and sophistication of malware used to launch a multifaceted attack aimed at stealing money and intellectual property. So looking forward, a critical business issue becomes understanding the evolution of malware and how to select security technologies that can adapt to the dynamic nature of malware.
First we need to define malware. Malicious software is designed to damage or disable computers with the intent to steal information or gain control of the device. As such, antimalware is technology designed to stop malware. The first instance of antimalware software was called antivirus (AV) and was based on a negative security model. That means AV software would look for code it knew was bad by matching it with a signature of something known as bad. AV let everything else through, which worked well enough for a while, but as malware evolved, it became impractical to put billions of signatures on every device.
At the same time, malware writers gained access to testing tools having the latest signature databases from the AV vendors. Thus, all malware was tested to ensure it couldn't be detected prior to being used. These two factors dramatically degraded the effectiveness of traditional antivirus and, given the significant market size of AV, the vendors had to consider new approaches based more on the behavior of malware, as opposed to the specific malware files.
To put these new behavior-based approaches in context, it makes sense to first examine the attack cycle. Let's break down how a modern-day attacker does their job, and then we'll be able to understand how antimalware technology has evolved to respond:
- Penetrate. The first step in the attack cycle is to gain control of the device. This is usually done by executing malicious code on the device by hook or by crook. At times, the malware will target vulnerabilities in applications or the operating system. At other times, they will target a gullible user who gets duped into executing malware. The end result is still the same; the attacker gains control of the device.
- Pilfer. The next step is stealing the data on the compromised device. This could include account numbers, passwords, intellectual property, email or, more likely, all of the above.
- Persist. After pilfering a device, the attacker will take measures to ensure they remain on the device. This may include masking techniques such as rootkits to try to hide its presence on the device.
- Pivot/Proliferate. Typically, it's not enough to just compromise one machine, so the attackers will use a compromised machine to stage additional attacks and try to penetrate deeper into a customer environment.
Your typical antimalware technology will focus on preventing the first step (penetrate), and thus we'll focus our guide on technologies that prevent an attacker from gaining control of a device. Clearly, there are controls and defenses (some reactive) that address the attack cycle once a device is compromised, but the best defense is to prevent a successful attack in the first place, which is the charter of antimalware software.
Business and technology benefits
The following are key business and technology benefits of antimalware technology:
From the editors: Additional information on antimalware software
The future of antivirus or antimalware software
Moving toward endpoint antivirus alternatives
Understanding antimalware product suites
- Stop malware attacks. Prevent malicious software from executing on a device, changing settings and/or loading additional compromised software.
- Protect users from themselves (click protection for email and Web). Antimalware can also prevent users from going to known compromised sites that would download malicious code without requiring the user to do anything.
- Prevent outbreaks (proliferation). Even if another device on a segment is compromised, antimalware software can prevent other devices from being infected.
- Forensics on attacks. Antimalware software can provide insight into the specific malicious code and help to understand what it's done to a compromised device.
- Metrics on clean-up/remediation. Antimalware can also be used to track metrics on the number of infections and how long it takes to clean them up.
Editor's Note: This article was originally published as premium content in 2012.
About the author
Mike Rothman is an analyst for and president of Securosis, an independent security research and advisory firm in Phoenix. Mike is also the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Reach Mike via email at email@example.com or follow him on Twitter @securityincite.