By Lenny Zeltser
Protecting endpoint computers from malware is critical to providing reliable operations, safeguarding data and maintaining an acceptable compliance posture. Standalone antivirus products of the past have matured to encompass a variety of tools for securing endpoints in an enterprise setting. As the threats associated with malicious software increase in sophistication, so do the capabilities of antimalware tools. Understanding the capabilities and limitations of components that form an enterprise antimalware suite is critical to selecting the right product for your organization and deriving value from it.
One way to understand what components we can expect to find in an antimalware product suite is to consider how malicious software often propagates:
- Through the victim’s browser
- Via email in the form of malicious links and attachments
- Through local network and removable media
- Via exploits and social engineering tricks
An antimalware product suite should tackle all these infection vectors, attempting to stop malware before it begins running on the protected computer. For these reasons, antimalware products typically incorporate components for safeguarding browser activities, overseeing email attachments and spam, controlling the system’s network activities, and blocking various types of exploit attempts.
The strength of an antimalware suite is not only in the solid implementation of these individual features, but also in the extent to which the multiple components are integrated with each other to offer reliable protection, even if a single measure fails. Moreover, they must accomplish this in a way that scales for many systems in an enterprise setting. Let’s take a closer look at the capabilities of antimalware product suites to understand what they involve and what limitations they might possess.
CORE ANTIVIRUS FUNCTIONALITY
Traditional antivirus techniques form the cornerstone of many antimalware suites. On-access or real-time antivirus protection involves blocking the execution of malicious code before it has an opportunity to cause significant damage. Antivirus tools also allow the user or system administrator to launch on-demand scans, which will scan the file system, removable media, memory contents and network shares. Similarly, scans can be scheduled to occur with the desired frequency automatically.
Identifying malware the vendor has seen before can be done efficiently by using static signatures, such as hashes of files or sequences of bytes. A hash signature is exact and cheap to check, but it fails on any byte-level change to the file; a byte-sequence signature tolerates minor variation; both catch only what the vendor has already analyzed. The bigger challenge is detecting new malware for which the vendor has not yet developed a signature. Most antivirus tools address this with heuristics and behavioral patterns that indicate a program possesses malicious characteristics, accepting a higher rate of false positives in exchange.
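The following is an added example, not code from the article or from any vendor, showing how the two detection layers fit together: exact static signatures (a file hash and two byte patterns) are tried first, and only files they do not recognize fall through to a heuristic score built from weak signals such as payload entropy, a process-injection API set and a malformed PE stub. Every sample blob, hash and "signature" is constructed for illustration and corresponds to no real malware family; the weights and threshold are assumptions.

```python
"""Layered file classification: static signatures first, heuristics for the unknown.

Added example, not from the article or any product. All samples, hashes and
"signatures" are constructed and correspond to no real malware.
"""
import hashlib
import math

# --- Constructed sample files (in-memory stand-ins for files a scanner would read) ---
DOS_STUB = b"This program cannot be run in DOS mode"
SAMPLE_HASH_HIT = b"constructed blob that the vendor has analyzed and hashed"
SAMPLE_PATTERN_HIT = b"MZ" + DOS_STUB + b"...CONSTRUCTED_STEALER_MARKER..."
SAMPLE_PACKED_UNKNOWN = (
    b"MZ" + bytes(range(256)) * 16            # uniform bytes: entropy 8.0, like a packed payload
    + b"VirtualAllocEx\0WriteProcessMemory\0CreateRemoteThread\0"
)
SAMPLE_BENIGN = b"MZ" + DOS_STUB + b"\nHello, world\n" * 40

# --- Static signatures: exact and cheap, but only for files already analyzed ---
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_HASH_HIT).hexdigest()}   # constructed
BYTE_SIGNATURES = {                                                  # constructed
    "demo.dropper.A": b"\x90\x90\xe8\x00\x00\x00\x00\x5b",  # nop sled + call/pop stub
    "demo.stealer.B": b"CONSTRUCTED_STEALER_MARKER",
}

def match_signatures(data: bytes) -> list[str]:
    """Names of the static signatures that fire; a hash hit requires the identical file."""
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
        hits.append("hash:known-bad")
    hits.extend(f"bytes:{name}" for name, pat in BYTE_SIGNATURES.items() if pat in data)
    return hits

# --- Heuristics: score traits malware tends to share, independent of identity ---
INJECTION_APIS = [b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread"]
OTHER_SUSPICIOUS = [b"IsDebuggerPresent", b"cmd.exe /c ", b"powershell -enc"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def heuristic_score(data: bytes) -> tuple[int, list[str]]:
    """Weighted sum of weak signals plus the reasons, so an analyst can see why it fired."""
    score, reasons = 0, []
    ent = shannon_entropy(data)
    if ent > 7.2:                                   # assumed threshold
        score += 2
        reasons.append(f"high entropy ({ent:.2f} bits/byte)")
    inj = [a.decode() for a in INJECTION_APIS if a in data]
    if len(inj) == 3:          # the trio together is far more telling than any one import
        score += 3
        reasons.append("process-injection API set: " + ", ".join(inj))
    elif inj:
        score += 1
        reasons.append("injection-related API: " + ", ".join(inj))
    other = [s.decode() for s in OTHER_SUSPICIOUS if s in data]
    if other:
        score += 1
        reasons.append("suspicious strings: " + ", ".join(other))
    if data.startswith(b"MZ") and DOS_STUB not in data:
        score += 1
        reasons.append("PE header without the standard DOS stub text")
    return score, reasons

def classify(data: bytes, threshold: int = 3) -> dict:
    """Signatures decide outright; heuristics only escalate the unknown to 'suspicious'."""
    sigs = match_signatures(data)
    if sigs:
        return {"verdict": "malicious", "method": "signature", "detail": sigs}
    score, reasons = heuristic_score(data)
    verdict = "suspicious" if score >= threshold else "clean"
    return {"verdict": verdict, "method": "heuristic", "score": score, "detail": reasons}

if __name__ == "__main__":
    for name, blob in [("hash-hit", SAMPLE_HASH_HIT), ("pattern-hit", SAMPLE_PATTERN_HIT),
                       ("packed-unknown", SAMPLE_PACKED_UNKNOWN), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:15s} {classify(blob)}")
```

Note the asymmetry a practitioner should keep in mind: a signature hit is a positive identification, while the heuristic verdict is only "suspicious" and carries its reasons, because each individual signal (high entropy, a given API name) also occurs in legitimate packed or security software.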
In addition to identifying and blocking malware, antivirus tools can also automatically remove some malicious software from the infected computer. However, enterprises should be cautious when relying on such capabilities. If the malicious program had the opportunity to run on the system before being removed, it’s possible additional malware components were installed there without being detected by the antivirus tool. Similarly, the attacker may have used the malicious program to remotely access the system to install additional tools or cause other damage. A more reliable method is to reimage the infected computer rather than attempting to disinfect it.
In addition to the traditional antivirus mechanisms outlined above, products designed to protect computers from malware incorporate further defensive capabilities. Which components are included in the baseline antivirus offering and which are available only as part of a larger antimalware suite depends on the vendor.
SPYWARE AND ROOTKIT PROTECTION
Many malicious programs incorporate some form of spyware capabilities, be it capturing the victim’s keystrokes, recording mouse interactions, capturing screenshots, intercepting browser form submissions, recording webcam and microphone signals, or stealing documents. Similarly, malware may have rootkit characteristics that allow it to hide from many system administration and security tools, complicating the task of detecting and analyzing the security incident.
Because the spyware and rootkit capabilities of malware form a significant threat, the makers of antimalware suites often incorporate and highlight features explicitly designed for curtailing this attack vector. This way, even if the malicious programs aren't blocked by other components of the suite, their effect on the protected system may be dampened: the product may be able to notice and block attempts by spyware to capture data. It may also identify inconsistencies in the way the system behaves, such as a process or file that is visible through one system interface but hidden from another, to spot the presence of a rootkit and disable it.
HOST FIREWALL AND INTRUSION PREVENTION
Antimalware suites typically include a component that replaces the host firewall included with the operating system. This usually provides a more full-featured way of controlling traffic to and from the protected system. For instance, the firewall can learn which programs are expected to send Internet-bound traffic over certain ports, and block other outbound network activities.
The more mature the product, the more capabilities its firewall will have to automatically make decisions according to the vendor’s understanding of common software and the policy defined by the enterprise administrator. In fact, one of the advantages of replacing the firewall built into the OS is the ability to control network security settings of the computer by using the centralized console that is part of the antimalware suite.
Antimalware suites also include a host intrusion prevention component, designed to block exploits. A mature intrusion prevention module will be able to block exploits by not only matching the signature of known exploit code, but also by identifying variations of the exploit pattern. This is yet another defensive layer, designed to protect the system if other aspects of the antimalware suite fail.
Host intrusion prevention modules pay particular attention to client-side exploits by integrating into the system's network stack and, sometimes, by installing a browser add-on. This allows the tool to offer protection even when the user connects to a host that was not yet known to be malicious, because the module inspects the content of the traffic rather than relying on the reputation of its source. The intrusion prevention module can also oversee local processes, which is especially helpful when a program that found its way onto the system exploits a local vulnerability for privilege escalation. When designing the intrusion prevention module, an antimalware vendor needs to carefully balance the tool's ability to block malicious actions against the likelihood that it inadvertently prevents legitimate operations.
SECURING THE WEB BROWSER
Considering the high number of infections that involve the Web browser in at least some form, it’s important for an antimalware suite to wrap a security blanket around the user’s browser. Two attack strategies are worth considering when examining the tool’s ability to protect the browser:
- A remote website may attempt to exploit a vulnerability in software installed on the computer. This can occur when the victim visits the website directly, is referred to it by another site such as a search engine, or observes a banner ad that contains malicious code.
- A remote website may attempt to persuade the visitor into running a malicious program without exploiting a vulnerability in software. A common social engineering trick to accomplish this involves convincing the person to install a fake antivirus tool that is actually malware.
Some aspects of these threats can be tackled using other components of an antimalware suite, including traditional antivirus protection and intrusion prevention capabilities. However, it is worth first trying to stop the attack closer to the source: within the browser itself. To accomplish this, the browser security component of the suite often includes the following capabilities:
- Blocking attempts to access websites that are known to be malicious. To accomplish this, antimalware vendors track reputational details for websites, maintaining frequently updated lists of known good and bad sites.
- Scrubbing search engine results. The tool may insert information into the search results page to inform the user about the reputation of websites before he or she attempts to visit them.
SECURING EMAIL
We're increasingly using Web browsers for electronic communications, be it interacting with social networking sites, using webmail or sharing files. Yet, traditional email tools continue to play a pivotal role in enterprises. As a result, antimalware suites typically incorporate components for safeguarding this communication channel.
Spam filtering is a common component of antimalware suites. The need for blocking spam has been apparent to enterprises for many years. As a result, spam protection tends to be a very mature part of many antimalware suites.
Addressing email as a potential attack vector also involves flagging received messages that resemble phishing attempts, disabling links to potentially dangerous sites and scrutinizing attachments. The tool may disable attachments that don’t match the file types approved by the administrator. It also scans the attached file with the antivirus component of the suite. In addition to examining inbound emails, the email security module may also monitor the messages sent by the protected system: Outbound messages that have malicious attachments and those sent too rapidly would be blocked and used as an indicator that the system is infected.
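The attachment policy described above is easy to get wrong if it looks only at the file name. The following added example (not code from the article or from any product) screens attachments against an assumed administrator policy by both declared extension and leading content bytes, refuses executable types outright, and applies the same policy recursively to the members of a zip archive, with guards for nesting depth, declared expansion size and encrypted members that cannot be inspected. The approved-type list, the blocked-extension list and all attachments are constructed for the demonstration.

```python
"""Attachment screening by declared type and by content.

Added example, not from the article or any product. The approved-type policy is
an assumed administrator setting; every attachment is constructed in memory and
none is a real document or a real malicious file.
"""
import io
import zipfile

# Assumed policy: approved extensions and the leading bytes ("magic") the content
# must start with. b"" means the type has no reliable magic and is accepted by name.
APPROVED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".txt": b"",
    ".zip": b"PK\x03\x04",
}
# Never acceptable, even as a member of an archive (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".js", ".vbs", ".hta", ".lnk", ".ps1", ".bat", ".cmd"}
MAX_ARCHIVE_DEPTH = 2                 # zips within zips beyond this are refused, not expanded
MAX_UNCOMPRESSED = 50 * 1024 * 1024   # refuse archives that would expand past this (zip-bomb guard)

def final_extension(filename: str) -> str:
    """Lowercased last suffix: 'Statement.PDF.exe' -> '.exe'; names without a dot -> ''."""
    name = filename.rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def screen_attachment(filename: str, data: bytes, depth: int = 0) -> tuple[str, str]:
    """Return ('allow' | 'block', reason). The declared name alone never earns 'allow'."""
    ext = final_extension(filename)
    if ext in EXECUTABLE_EXTS:
        return "block", f"{filename}: executable type {ext}"
    if ext not in APPROVED_TYPES:
        return "block", f"{filename}: type {ext or '(none)'} not on the approved list"
    if not data.startswith(APPROVED_TYPES[ext]):
        return "block", f"{filename}: content does not match declared type {ext}"
    if ext == ".zip":
        return screen_archive(filename, data, depth)
    return "allow", f"{filename}: approved type, content consistent"

def screen_archive(filename: str, data: bytes, depth: int) -> tuple[str, str]:
    """Apply the same policy to every member; one bad member blocks the whole attachment."""
    if depth >= MAX_ARCHIVE_DEPTH:
        return "block", f"{filename}: archive nested deeper than {MAX_ARCHIVE_DEPTH}"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        members = zf.infolist()
    except zipfile.BadZipFile:
        return "block", f"{filename}: corrupt or truncated archive"
    if sum(m.file_size for m in members) > MAX_UNCOMPRESSED:
        return "block", f"{filename}: declared uncompressed size exceeds {MAX_UNCOMPRESSED} bytes"
    for m in members:
        if m.is_dir():
            continue
        if m.flag_bits & 0x1:     # encrypted member: cannot be inspected, so it is not trusted
            return "block", f"{filename}: encrypted member {m.filename}"
        try:
            body = zf.read(m)     # zipfile stops at the declared size and checks the CRC
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            return "block", f"{filename}: unreadable member {m.filename}"
        verdict, reason = screen_attachment(m.filename, body, depth + 1)
        if verdict == "block":
            return "block", f"{filename} -> {reason}"
    return "allow", f"{filename}: all {len(members)} members pass the policy"

def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct archive attachments in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

FAKE_EXE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58          # constructed PE-looking header, not a program
SAMPLES = {                                               # constructed attachments
    "genuine pdf":        ("quarterly.pdf", b"%PDF-1.7\n% constructed document body\n"),
    "exe renamed to pdf": ("invoice.pdf", FAKE_EXE),
    "double extension":   ("statement.pdf.exe", FAKE_EXE),
    "zip hiding an exe":  ("docs.zip", build_zip({"readme.txt": b"see setup", "setup.exe": FAKE_EXE})),
    "clean zip":          ("assets.zip", build_zip({"notes.txt": b"plain text",
                                                     "chart.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16})),
}

if __name__ == "__main__":
    for label, (name, blob) in SAMPLES.items():
        print(f"{label:20s} -> {screen_attachment(name, blob)}")
```

The content check is what catches the renamed executable, and the archive walk is what catches the executable a user would otherwise extract and run; an encrypted member is blocked rather than allowed precisely because the scanner cannot see inside it.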
CLOUD-BASED AND COMMUNITY CAPABILITIES
The vendors of antimalware suites are increasingly incorporating community-oriented capabilities into their products, finding ways of collecting and analyzing data from some systems to benefit the rest of the user population. Such functionality is sometimes marketed under the moniker of cloud-based antivirus capabilities.
Instead of relying purely on local processing to determine whether a file is malicious, an antimalware tool with cloud capabilities captures the relevant details from the endpoint and provides them to the vendor's centralized infrastructure for real-time processing. The vendor examines the data, potentially correlating it with information obtained from other systems, and issues a verdict regarding the risk level of the file to the endpoint. This approach helps the antimalware product identify malware even if the file was not known to be malicious a few moments earlier.
A significant component of many vendors' implementations of community or cloud-based capabilities is the reputation of files. For instance, when a system encounters a new executable, it can query the vendor's "cloud" to determine the file's popularity among other members of the community. An executable that has never been seen on any other system is, at minimum, suspicious; it is not necessarily malicious, since in-house tools and freshly compiled software also appear unique, so prevalence is best treated as one signal alongside the others. Antimalware products may incorporate similar reputational capabilities with respect to URLs and email messages for the benefit of other components of the suite.
CENTRALIZED MANAGEMENT CAPABILITIES
Organizations need to be able to control hundreds, even thousands of systems running the antimalware suite. To support this requirement, vendors generally include a centralized management console as part of their products. This is a critical capability, since handling the installation, oversight and troubleshooting of individual instances of the product doesn’t scale in the enterprise setting. With this in mind, enterprise-focused antimalware suites generally allow administrators to perform the following remote functions from a centralized console:
- Install, upgrade and configure antimalware products on endpoints.
- Collect and review alerts related to the product’s functionality and malware events.
- Manage false positives related to erroneously blocked files, URLs, email messages, etc.
- Run scheduled or ad-hoc scans on some or all systems in the organization.
- Identify “rogue” systems that should, but do not have the product installed or enabled.
- Generate reports for reviewing the metrics related to the organization’s antimalware posture.
- Deploy emergency signatures or other updates when handling a malware outbreak.
The way in which an antimalware product will be managed needs to be compatible with other security-related tools and processes within the organization. That’s why antimalware vendors often include the ability to integrate their centralized management consoles with Active Directory and log management tools.
CHOOSING AN ANTIMALWARE SUITE
Considering most antimalware suites incorporate the features outlined above, one product might be a better choice for one enterprise than another based on factors such as:
- How effective they are at identifying and blocking malicious actions: Independent labs periodically evaluate the capabilities of antimalware tools. Review reports from several sources, while paying attention to the components and use-cases that have been tested.
- How intrusive they are on users’ day-to-day activities: Some antimalware tools place a heavier load on the system than others. Moreover, the tools differ in the extent to which their user interface elements overwhelm users with questions or other annoyances.
- What capabilities they provide to administrators for handling malware outbreaks: Consider what features -- such as logging, remote installation, emergency signature deployment, and quarantine management -- will be valuable to help you analyze and contain a security incident that involved malware.
- Where their components can be installed: While the focus of this article has been workstation protection, antimalware tools often include components that can be installed on servers, mobile devices and network boundaries.
Antimalware suites incorporate several components for protecting a system from malware because a single layer of defense is more likely to fail than several tools integrated together. Similarly, an antimalware suite running on the endpoint is only a single defensive measure in the context of the enterprise at large. As you explore the capabilities of the antimalware suite that you already own or are planning to purchase, consider how it fits into the overall enterprise security architecture.
Lenny Zeltser is a seasoned information security professional with a strong background in online threats and defenses. He teaches malware combat courses at SANS Institute. Send comments on this article to email@example.com.