To properly evaluate the best antimalware technology, you must understand the threat, how it's detected and how products remediate infections.
Antimalware technology has dramatically evolved from its signature-matching heritage to add a number of new detection techniques aimed at figuring out if a software program is malicious and should not execute on a device. Before we jump into the key considerations in selecting the best antimalware technology, let's discuss the tactics used by malware writers, which make the job of detecting much more challenging.
Antivirus (AV) technology originated using a pretty simple idea: If code is bad, block it. So, AV vendors maintained big lists of bad stuff and compared every file hitting a device to its list of bad stuff. The bad guys responded by slightly changing each malware file, so each file was close, but not exactly similar to a known bad file. It was an easy way to evade detection. So, vendors distributed millions of new signatures to each device, a strategy and business model that clearly doesn't scale.
The industry then tried a positive security model, basically building a whitelist of authorized software programs. If software wasn't authorized, it couldn't run. This was great in terms of blocking malware (which wouldn't be on the whitelist), but it wasn't so good for usability. It turns out end users need to load software pretty frequently and get kind of grumpy if the software they want isn't on the whitelist.
The negative model doesn't scale anymore, and the positive model is unacceptable to users. Thus, the industry had to basically start over again, reconsidering how malware works to determine the best detection method moving forward.
The fundamental element of malware
The fundamental element of any malicious software is a file that executes and subsequently does bad things. Antimalware is all about detecting those files before they do damage. Given the skill of malware writers to obfuscate bad files, detection can no longer trust what files look like; rather, it needs to evaluate "what each file does."
To be clear, there is still value in looking for files that you know are bad. But it doesn't scale to do that on each device anymore, so antimalware vendors leverage the cloud to keep record (software hashes, really) of billions of files. Antimalware agents on each device check the "reputation" of files to determine if 1) they've seen it before and 2) if it's bad.
Known bad files get blocked and known good files don't. But what happens when you've never seen the file before? That's when the next innovation in antimalware technology kicks in. The agent sends unknown files to a service that analyzes the file, looking for indicators of compromise by executing the file in an isolated environment. Then it sends a verdict back to the device to either allow or block the file.
Obviously there is some latency involved in this process, and you'll need to determine if you let unknown files through (taking the risk that it will be bad) or whether you quarantine the file until you get a definitive verdict. Any antimalware technology that doesn't utilize this cloud-based approach has little chance to block today's attacks.
Where to detect malware
Most of the industry has been conditioned to assume that antimalware needs to run directly on an endpoint device. Given compliance mandates, many organizations are forced into this deployment model, running antimalware on each Windows device. With the acceleration of Mac and Linux onto corporate desktops and data centers, respectively, antimalware increasingly needs to be considered for these other platforms. But keep in mind the underlying architecture of Mac OS X and Linux are far better at preventing malware outbreaks than Windows XP.
From the editors: More on the best antimalware technology
Best antimalware products
Considerations for antimalware deployments
Tomorrow's antivirus tools to attain network security
The advent of virtualization also complicates choosing the best antimalware technology. Consider that if every guest running on a virtualized device ran an antimalware agent, you'd be running the same code over and over again on the same hardware, which defeats the purpose of virtualization. So the antimalware vendors now optimize their engines to run on a single guest (or within the hypervisor) and communicate within the virtualized environment to ensure that virtual machine resources are optimized.
Getting back to the philosophy of blocking bad stuff as close to the perimeter as possible, antimalware should be deployed closer to the point of entry, either at your organization's perimeter or within a cloud service. The easiest place to check for malware is with Web or email security gateways or cloud services. Since email and Web remain prominent attack vectors, that is usually the first place to deploy.
There are also new devices that we've been calling network-based malware detection, which look at all ingress network traffic and do an analysis on the files entering the network, similar to how we described the endpoint above -- making sure no files demonstrating attack characteristics enter.
What happens when you find something bad? That's when you need to work with the other systems and/or controls in place. Thus, you'll be looking for your best antimalware technology to interoperate with such things as your network devices to block and/or quarantine devices that may be compromised. You'll also want to make sure an alert is sent to the proper reporting console, whether it's the antimalware management system, a SIEM/log management product or a help desk system to start the remediation process.
If you do suffer an infection, despite your best efforts at detection, historically the best antimalware technology would include the ability to clean the device. In the console, you'd click a button and magically, the device would be fixed. As malware got more complicated and diabolical, cleanup became a losing battle. The ramifications of leaving some remnants of the malware, thus ensuring reinfection, were significant. Why clean it once, when you can clean it over and over again?
Thus, we now recommend reimaging infected devices. Yes, this approach throws out the baby with the bathwater, resulting in frequent data loss and user inconvenience. But given the prevalence of reinfection, we believe the downside is outweighed by the need to ensure that the malware has been eradicated.
Editor's Note: This article was originally published as premium content in 2012.
About the author
Mike Rothman is an analyst with and president of Securosis, an independent security research and advisory firm in Phoenix. Mike is also the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Reach Mike via email at firstname.lastname@example.org or follow him on Twitter @securityincite.
Dig deeper on Client security
IT Decision Center