Information Security

Defending the digital infrastructure


Get started Bring yourself up to speed with our introductory content.

Malware defense revisited: How to improve Web-based malware detection

Signature-based AV doesn't stop Web-based malware, but what does? Spyro Malaspinas points out what's next in enterprise malware detection technology.

Antimalware has been steadily losing its effectiveness over the last few years, yet it remains a security staple...

among CISOs. The choice to stick with antimalware as a component of an enterprise endpoint protection program usually hinges on the need to satisfy compliance and regulatory mandates like PCI DSS and HIPAA, the continued inclusion of antimalware on security "best" practices lists, or the uncertainty of how to replace what's been the legacy endpoint security tool of choice for the last three decades.

The top-performing antivirus product was only able to detect 25% of the malicious code.

Regardless of the reason, it's becoming increasingly evident that adversaries have been successful in crafting malware to avoid detection by the leading antimalware products, particularly Web-based malware defenses.

Some staggering facts:

  • According to a 2012 Sophos Ltd. report, 85% of all malware (viruses, worms, spyware, adware and Trojans) comes from the Web; drive-by downloads are considered to the largest Web threat.
  • Sophos also reports that 30,000 websites are infected daily; 80% are legitimate sites that have been hacked so that cybercriminals can use them to host malicious code.
  • Content Agnostic Malware Protection (CAMP), a malware-detection component that Google Inc. built into its Chrome Web browser earlier this year was able to detect more than 5 million malware downloads per month. CAMP was able to detect malware at a rate of 99%, which decimated four leading security vendors' Web-based antivirus products: McAfee Inc. SiteAdvisor, Symantec Corp. Safe Web, Trend Micro's Site Safety Center and Google's own Safe Browsing. In a recent comparison conducted by Google, collectively these products were able to detect 40% of the malicious code they encountered; the top-performing product was only able to detect 25% of the malicious code.
  • Following the test, Google's CAMP Project selected 2,200 previously unknown binaries and submitted them to VirusTotal, a service that facilitates the creation of antivirus signatures for newly discovered malicious code. After 10 days, 99% of the binaries detected by CAMP were detected by only 20% of the antivirus products mentioned above.

In case malware defense shortcomings weren't already painfully obvious, these data points illustrate just how inadequate signature-based antimalware products have become. Traditional AV products can no longer be trusted to detect malware, period. Yet if signature-based antimalware is the wrong tool, what are the right tools? Do they even exist? I say they do, with some caveats. That's what we'll discuss in this tip.

Malware detection alternatives

Like all security pickles, the solution is not a one-size-fits-all approach. There are a variety of tools and approaches that can be used in concert to achieve a much higher level of security for endpoints, both within the data center walls and in the hands of employees. But mileage may vary based on the unique challenges each organization faces.

Content filtering: Since 85% of all malware is distributed via the Web (with drive-by downloads being the biggest threat) it only makes sense to provide some level of content filtering within your enterprise. There are two key types of defensive tools that should be widely deployed:

Web proxies: The number of vendors here are in the double digits, and the technology has been around for quite some time. Companies like Blue Coat Systems Inc. and Websense Inc. offer subscription-based services where sites can be permitted or blocked based upon policy. Additionally these services provide intelligence and dynamic updates to thwart users from visiting known malicious sites. The caveat here is that these products aren't able to detect zero-day exploits and, as with signature-based antimalware, there will be delays in getting the bad sites identified and signatures pushed out. While Web proxies may be just one link in your malware defense armor, they are an important one.

DNS filtering: Tools like Open DNS actively prevent users from visiting known harmful sites by blacklisting domains so a user can't even browse to them. It also offers a whitelisting service. Open DNS users benefit from millions of users collaborating to provide faster intelligence about the estimated 30,000 new sites that are infected with malware each day. Implementation is straightforward and there are a number of big-name clients that use this service as a first line of defense in protecting Web users. The best part? These services don't require on-premises appliances of expensive hardware.

Browser-based security: Web browser components similar to Microsoft's Smart Screen (a part of Internet Explorer 8 and above) have been effective in filtering users from visiting malicious sites. According to Microsoft, its product has blocked over 1 billion attempted downloads of malicious code to date. Google CAMP is another initiative that allows Google Chrome users to take advantage of Google's vast and dynamic knowledge base about malicious sites. 

Host-based anomaly/forensic tools: These are still maturing in the market but offer significant new defensive capabilities geared toward the more prized assets of a company: database servers, financial systems, email servers, and executives' and other high-risk users' systems. In theory, an agent sits on each endpoint and will first develop a baseline of a system's normal activities (applications run, network connections/shares opened, memory calls, and files accessed while monitoring open sockets among other things). Once a baseline is complete, these agents then continue to monitor the system, looking for irregular activity that may be malicious. 

Some of these product vendors have partnered with other vendors and service providers, like VirusTotal. They will automatically upload suspicious or unknown binaries for analysis automatically when a user downloads an application or binary from the Internet, an email or even a USB drive.

The tools can also provide significant advantages in the event of a breach. In a normal breach situation, forensic tools are installed on compromised systems after the breach. Some of the tool sets offered by cutting-edge vendors like Carbon Black, Mandiant and Guidance Software's Encase have been pre-installed and offer visibility into what may have happened before the breach, what led to the breach and what happened as a result of the breach.

Virtualization protections: Yet another technology that has been gaining momentum during the last three years is security through virtualization or isolation. These technologies don't rest on their laurels for reactive detection through signatures or blacklists. 

Through virtualization and isolation, vendor Bromium Inc. seeks to isolate each process and application on a computer on top of its own micro virtual machine.  These micro VMs operate in a cloud formation on the local host, thereby separating out processes such as those associated with Web browsers, office suites, email and so on.

More on malware defense

Custom malware attacks need new defense approach

Sourcefire updates malware detection and analysis

Protecting a website from malware redirects

Alternatively, FireEye Inc. offers a virtualization container that allows security professionals to evaluate suspected malware in a controlled environment, thus allowing for analysis without subjecting the rest of the environment to the unknown risks of foreign code. Analysts can replay suspected attacks and analyze compromised virtualized systems with malware code to benchmark and identify malicious behavior that can be used to fingerprint similar behavior across other systems and networks.

Because malware is constantly evolving, relying on a singular malware defense system or even the same combination of defenses for an extended period of time is often a foolish choice. We cannot assume that the tools we used to protect our most prized IT assets today can be used five years from now. So as the transition away from signature-based antimalware and toward these new techniques begins, remember that it is essential to reevaluate the threat environment on an ongoing basis and make adjustments accordingly.

About the author:
Spyro Malaspinas, CISSP, CISM, CISA, QSA PCI – DSS, GCIH, CCNA, Six Sigma, is a principal at 3Factor LLC. He formerly served as the PCI practice leader at Symantec Corp., a senior security consultant at VeriSign Inc., and security architect at IBM. He has been engaged in breach response for three of the largest five breaches in U.S. history, he performs compliance assessments, remediation, risk and compliance program management functions for some of the largest global merchants and service providers. He can be reached at

Article 3 of 3
This was last published in September 2013

Dig Deeper on Web application and API security best practices

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Great overview of the challenge of browser based malware attacks and the real threat. All these approaches still focus on quick reaction to persistent and new attacks. The new approach is to focus on prevention keeping the execution outside the firewall and off the client and the network. Spikes Security ( is one of the new breed of technology providers that are getting excellent results addressing the malware problem with prevention rather than trying to react once the malware is inside the "door".

Get More Information Security

Access to all of our back issues View All