Software developers are typically trained in similar ways and, like any other group of people, make similar mistakes over time. Developers at computer security companies are no different. Customers might expect software from security companies to be secure, but they may be disappointed by the dismal state of software security. Some companies have devoted significant resources to improving the security of their own software, but this is not yet the norm. The recent discovery of vulnerabilities in the Symantec AV scanning engine further highlights the diligence enterprises must exercise when managing systems and choosing a solution.
This tip will explore how host-based antivirus tools operate and the enterprise management considerations for these tools.
Host-based antivirus tool operations
Tavis Ormandy, a Google Project Zero researcher, has been keeping the information security industry honest by pointing out the gap between the marketing and the reality of security tools. Ormandy has recently found numerous critical vulnerabilities in antivirus tools, one of them the vulnerability in Symantec Antivirus products. The whole purpose of an antivirus tool is to scan and work with malicious files, so it is reasonable to expect the software to be secure and to expect that a malicious file would not cause a problem for the software itself. Standard secure development guidance is to distrust input from an end user; an antivirus engine must go further and treat every file it parses as hostile, because being handed malicious files is its job. The software should assume any file could be crafted to attack the scanner, and its parsers should be written, tested and isolated on that assumption, with mitigations that limit what a bug in one parser can do.
The vulnerability is a classic buffer overflow, triggered when the engine scans a malformed file. On an endpoint, that file can arrive by email or through web browsing; on a server, it is enough for the server to touch the file, for example when it saves an upload, processes an email attachment or downloads a file. Because the scan runs when the file is received, the victim does not have to open it. Email systems and any other system that processes files from uncontrolled sources are at the highest risk, since anyone, anywhere, can submit a file for the antivirus software to parse. The overflow allows remote code execution as SYSTEM or root, depending on the platform and the account under which the scan runs.
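The following is an added illustration of the bug class the paragraph describes, not Symantec's code and not a reproduction of the actual Symantec flaw. It uses a toy container format constructed for this example (one length byte followed by a name and a payload) and shows a parser that trusts the length field from the file beside a hardened parser that checks every file-supplied length against both the destination buffer and the bytes that remain in the input. The malformed samples are constructed inline; the unsafe parser is deliberately never run on them, since doing so is undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy container format, constructed for this illustration (not any real AV
 * or archive format): byte 0 is a name length N, bytes 1..N are the entry
 * name, and everything after that is the payload a scanner would hand to its
 * signature matcher.  Every byte, including N, is attacker-controlled. */

#define NAME_MAX 16

enum scan_result { SCAN_CLEAN = 0, SCAN_MALFORMED = -1 };

struct entry {
    char   name[NAME_MAX + 1];   /* room for NAME_MAX bytes plus NUL */
    size_t payload_len;
};

/* Vulnerable parser: the only check is that a length byte exists.  N can be
 * up to 255, so memcpy writes up to 255 bytes into a 17-byte field, and when
 * N exceeds the bytes actually supplied it also reads past the end of the
 * file.  This is the shape of a classic scanner buffer overflow. */
int parse_entry_unsafe(const uint8_t *file, size_t len, struct entry *out)
{
    if (len < 1)
        return SCAN_MALFORMED;
    uint8_t n = file[0];
    memcpy(out->name, file + 1, n);   /* BUG: n not checked against NAME_MAX or len */
    out->name[n] = '\0';              /* BUG: writes past the field when n > NAME_MAX */
    out->payload_len = len - 1 - n;   /* BUG: wraps around when n > len - 1 */
    return SCAN_CLEAN;
}

/* Hardened parser: each length taken from the file is validated against the
 * destination buffer and against the remaining input before it is used.
 * A malformed entry is reported as such and never partially parsed. */
int parse_entry_safe(const uint8_t *file, size_t len, struct entry *out)
{
    if (len < 1)
        return SCAN_MALFORMED;
    uint8_t n = file[0];
    if (n > NAME_MAX)                 /* would overflow out->name */
        return SCAN_MALFORMED;
    if ((size_t)n > len - 1)          /* would read past the end of the file */
        return SCAN_MALFORMED;
    memcpy(out->name, file + 1, n);
    out->name[n] = '\0';
    out->payload_len = len - 1 - n;
    return SCAN_CLEAN;
}

/* Sample inputs, constructed inline.  The benign entry is what a developer
 * tests with; the malformed ones are what an attacker submits to a server. */
static const uint8_t benign[]    = { 4, 'd', 'o', 'c', '1', 0xAA, 0xBB };
static const uint8_t too_long[]  = { 0xFF, 'A', 'A', 'A', 'A' };  /* N=255, 4 bytes follow */
static const uint8_t truncated[] = { 10, 'a', 'b' };               /* N=10, 2 bytes follow  */

int main(void)
{
    struct entry e;
    int r = parse_entry_safe(benign, sizeof benign, &e);
    printf("benign:    %d name=%s payload=%zu\n", r, e.name, e.payload_len);
    printf("too_long:  %d\n", parse_entry_safe(too_long, sizeof too_long, &e));
    printf("truncated: %d\n", parse_entry_safe(truncated, sizeof truncated, &e));
    /* parse_entry_unsafe(too_long, ...) is intentionally not called: it would
     * write far past e.name, which is undefined behaviour. */
    return 0;
}
```

The hardened version is not clever; the point is that both checks are needed. Checking only against the destination buffer still lets a truncated file cause an out-of-bounds read, and checking only against the remaining input still lets a long name overflow the field. A scanner that parses dozens of formats has this pattern hundreds of times over, which is why privilege reduction and fuzzing of the parsers matter as much as any single fix.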
On Windows, Symantec installs a kernel-mode component that intercepts all file system activity, and its scanning service runs as an administrative account, typically SYSTEM. It also hooks itself into the kernel so that its configuration cannot be modified by users or by malware. The consequence is that any code in these components executes with the highest privilege available on the machine, so a parsing bug is not a local crash but a path to full compromise. Symantec is not unique in these design decisions; many antivirus tools operate the same way.
Enterprise management considerations for antivirus tools
Not much has changed since November 2011 when I wrote about a vulnerability in a Sophos antivirus product, which had been researched by Ormandy. The same enterprise protection steps still apply: keep the core operating systems and applications updated, and do the same for all other software on an endpoint, especially security-critical software such as antivirus. Given how long enterprises have used antivirus software under centralized management, they should already have a regular cycle for updating the endpoint agent and scanning engine, deploying patches, automating definition updates and monitoring the environment and its logs. Note that engine and product updates are a separate stream from signature definition updates; a management console that shows definitions as current says nothing about whether the scanning engine itself has been patched, so the engine version must be tracked and verified explicitly. Performing this at scale and consistently is difficult, but it is critical to the security hygiene that protects the enterprise.
If an enterprise decides to keep using antivirus tools, it should thoroughly evaluate both its existing vendor and potential replacements. The available AV comparison and test guides have focused primarily on features, functionality and detection coverage. These are potentially the most important aspects of any tool, but the security of the tool itself should not be overlooked. It is necessary to understand the additional risk from any piece of software so deeply integrated into the operating system. Evaluating the vendor's software development practices, or better yet, having a third party that specializes in secure software development and application security assess the product, can help an enterprise judge how severe future antivirus vulnerabilities in a particular product, or from a particular vendor, are likely to be. Concrete questions to put to a vendor include whether the file parsers run at reduced privilege or in a sandbox rather than in the kernel or as SYSTEM, whether the parsers are fuzzed as part of development, and how quickly engine fixes reach customers once a flaw is reported.
Enterprises may want to perform these same steps on all of their security tools periodically, as part of critically evaluating their information security programs and identifying areas for improvement. As a community, customers must advocate for secure development practices from their software providers; that pressure could improve the state of software security. If we continue paying maintenance or subscription fees for insecure software, vendors will have no reason to make the necessary changes.
Antivirus software is dead; long live antivirus software! The core function of antivirus software, an independent security monitor for the operating system, will continue to be necessary and will evolve over time. However, the critical role antivirus plays requires its vendors to meet a higher standard of security. The continued embarrassment of antivirus vendors by the poor security of their own products and the decreasing efficacy of their tools should drive more enterprises to critically evaluate whether traditional antivirus vendors are performing adequately for their information security programs, and to replace vendors that are not meeting the enterprise's needs. The funds devoted to antivirus could then be used elsewhere to better protect the enterprise.