Smart tactics for antivirus and antispyware

Antivirus has become a commodity service with vendors touting value-added features and the ability to protect other parts of the network.

This video addresses AV and antispyware from an architectural perspective. You'll learn the benefits of standalone products vs. integrated suites, where antivirus and antispyware should sit on the network and how to approach implementation issues.

About the speaker:
Joel Snyder is a senior partner with consulting firm Opus One in Tucson, Ariz.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.

Smart tactics for anti-virus and anti-spyware

Presenter: Welcome to Search Security's Intrusion Defense School, Smart Tactics for anti-virus and anti-spyware, with guest instructor Joel Snyder. Joel is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He has worked with networks since 1980 when he signed on with CompuServe Research and Development. Joel will discuss anti-virus and anti-spyware from an architectural perspective, and he will explain the benefits of standalone products versus integrated suites. Thank you for joining us today, Joel.

Joel Snyder: It is great to be here. Thank you. Hello there, everyone. I am Joel Snyder and this is the Intrusion Defense School. I want to look very specifically at anti-virus and anti-spyware, because those are on everyone's minds right now, certainly maybe not the anti-virus, but the anti-spyware part, in a little bit more detail. Today, for the next 20 minutes, we will talk about some smart tactics for AV and anti-spyware; specifically, we will talk a little bit about standalone versus integrated suites, how these things fit in your network and the implementation issues, what you need to know about this, and what the best practices are for anti-virus and anti-spyware, anti-malware, whatever you want to call it this week.

The first issue that we have to be aware of is that virus detection itself has become a commodity service, which means that the virus detection engine vendors are desperate to differentiate their products by adding value-added features in. So if that little antivirus asterisk in the middle is the virus detection engine, which most of us have a very difficult time differentiating between, then all of these things which are stuck on the outside of that have become these value-added features. For example, certainly everyone is excited about adding antispyware into the world of anti-virus. We got people that are adding personal firewalls in; we are looking at issues like posture assessment for endpoint security for things like SSL VPN, or network admission control if you are in the Cisco camp, or network access protection if you are in the Microsoft camp, centralized management, patch management; all these things are differentiating that core engine. The core engine is actually still probably the most important part of the product, although the antispyware that is going to move into it is also important, but these are differentiating features that will help to show you the difference between different products and where they are going. These big vendors that have all these value-added products also want to control as much of your network as possible. I got a Statue of Liberty clipart here saying, 'Give us your desktops, your servers, your laptops yearning to be free of viruses,' and that is the thinking behind a lot of the antivirus vendors: they want to really give you full, complete enterprise solutions.

What I want to focus on in this talk, though, is perimeter anti-virus, and I want to make it real clear that I am talking about issues that occur much more at the perimeter than on the desktops and the servers, because this is all about perimeter intrusion defense; that is the whole topic of the school here, so we really want to talk about what the issues are much more at the perimeter. I have to quickly admit that I am not much of a desktop guy. I do not know all the different Microsoft whatchamacallits and whizzbangs, but I am a network guy, and I am a network edge guy, and that is what I want to talk about. I will give you some quick guidelines here. When you are building perimeter anti-virus, it is going to contradict the desktop. The first guideline that I would offer for you is that whatever anti-virus you are running at the desktop, you do not want to run that at the perimeter, because you want to have different vendors doing different things. Everyone knows that every anti-virus vendor is eventually going to send you a bad update, which means that you will either pass a bunch of stuff through or possibly the reverse: you will block a bunch of stuff you should not be. In any case, you want to be able to survive that kind of thing. There are always going to be errors; you should be using different technologies at the different layers. That is best practice guideline number one.

Oddly, number two is that all that stuff in your desktop suite is generally irrelevant at the perimeter. If you got a personal firewall or patch management, it does not matter at the perimeter. There, what really is the most important thing is the anti-virus and the anti-spyware detection engine that is actually occurring out there at the edge. Guideline number three is to absolutely understand that anti-virus and anti-spyware are just special cases of anti-malware, and you really do need to expect them to merge. You are not going to have separate anti-virus and anti-spyware products in a couple of years; they are going to zip right back into each other.

Given these three guidelines, how do we build an effective perimeter anti-malware strategy? Choosing where to put anti-malware, I just have anti-virus but I really need anti-malware, is a simple matter. Choosing how much anti-malware to use is a harder question to answer. I got pictures of places where you might put this. Clearly, you are going to put this kind of anti-malware on the desktop; you are just going to have anti-virus, anti-spyware technology on the desktops, you will manage it centrally if you are smart, that is great. Where else are you going to put it? I got four circles here showing you where you might put anti-malware, and this is probably. If you have a UTM firewall, that is an excellent place to put anti-malware because it will give you an additional layer of protection. If, like most companies, you have a perimeter mail hygiene system, I hate that term, but a security appliance, whatever you want to call it, some sort of thing that receives your mail before it forwards it on to your internal mail system, whether it is Exchange, Notes, Unix, or whatever, that box is an excellent place to put anti-virus, anti-spyware; anti-virus, of course, is much more important in mail. If you have an outbound proxy server that people are going to use before they get out to the internet, one of the Blue Code boxes, a bunch of different companies are doing that sort of thing, that is also a very important place to put anti-malware. Typically, there you are more focused on spyware more than viruses, but both can come in over the web path, and if you have internal servers you can certainly put it on.

I think that if you got it at the perimeter and you have it at the desktop, you do not necessarily need to throw it on your mail server, but you may want to; you may have the performance that you can afford to do that, or you may have the licensing, that is fine. I do not want you to think that I am shilling for the AV people; I am not. As a security guy, I will just tell you, the cost of infection is too high not to overprotect. A rampant virus within your organization can take the entire network down; it can shut down your entire mail system, and that could be a huge cost. The cost of doing anti-virus and anti-malware scanning at all these different places is fairly low compared with the threats.

I want to make sure you understand this very important part, and this may contradict what some of the marketing people are telling you, but this is my view on this: anti-virus and anti-spyware are basically parts of a generic anti-x, anti-virus, anti-spyware, anti-spam, anti-phishing, so I got these four creepy demons today, or maybe tomorrow I will have five creepy demons, or maybe there are already five and tomorrow there will be six creepy demons; who knows what evil lurks in the hearts of the bad guys? The bottom line here is that we are doing content-based analysis of traffic going into and out of our network to block malicious software. This whole anti-x thing, spam is sort of a separate piece, but not even really, though; antivirus and antispyware are definitely going to be merging into a single product, because if you take a look at it, they really are exactly the same thing: they identify malicious software that should not be there, either coming into your system or based on the behavior of your system, or because it is sitting on your hard drive. I do not really see any difference between spyware and viruses except that the antivirus guys, in some ways, have been negligent in not throwing antispyware into their products, or the antispyware guys have gotten better at doing things because they are more nimble than the anti-virus guys. Trust me, within 18 to 24 months, there is going to be a single product space and you are not going to think of them as separate, definite things. That would be great news for the good ones that get acquired, bad news for the guys that just think that antispyware needs to sit there all on its own. You may always have a business in antispyware disinfection, that is a whole different issue, or spyware disinfection, but really, on the detection side, on the behavior anomaly side, these are all going to merge into a single

The precise thing I want to tell you is that you put anti-x where it makes the most sense. I got a table here of threats, infection vectors, and protection points. I want to be very clear that this is a protection point, so we are trying to protect ourselves against this malware coming in. Viruses right now are normally coming into the organization through e-mail, and I am not differentiating between viruses and worms and Trojan horses; we will just call them all viruses, for the sake of simplicity. Those are mostly coming into organizations today, this week, via e-mail. Some of them are going to come in via web browsing, people actually hitting a web page that exploits some bug that they might not have patched on their system, like the WMF bug, or something like that. What that says is that if it is mostly coming in via e-mail, one of the best protection points is to have an edge e-mail security appliance; that could be a UTM-ish thing, or it could be a separate appliance. The best place is in a separate appliance, because separate appliances can do a better job than UTM boxes at catching viruses, particularly in e-mail, and, of course, you want to have it at the desktop; you have to have antivirus sitting there at the desktop. For spyware, normally the infection vector is via web browsing, so that is where you see some of those differentiations between virus and spyware, but fundamentally it is still malicious software that is coming down onto a PC via a network

Right now, the best place that people have to protect you against that is, again, on the desktop. Secondarily, you are also going to see people being able to do a lot of nice protection by checking things with an edge proxy server. If you have users that are web browsing, you might get an edge proxy server, point them at that and force them to go through that to get out to the internet; that is a great way to trap spyware before it comes in. Some of the spyware guys have said 'At the edge, we can catch 30%,' or I don't know, 'We catch 30% less,' or something like that; somehow they are saying 'At the desktop, we catch more.' I do not know if that is going to be true forever, but certainly, at the edge, you are going to have an issue with not necessarily being able to catch the behavior of the spyware, 'I want to change DLLs,' whereas at the desktop, that is very easy to catch. Just like AV is great for catching that at the desktop, spyware will as well. Of course, your UTM device is also a great place, if you do not have a proxy server, for catching spyware; not as good a job as a separate proxy server typically, or at the desktop, but still a great protection point. Things like phishing and spam almost exclusively come in via e-mail, and the place you want to catch that is going to be on an edge e-mail security appliance, possibly UTM if your UTM device does anti-spam, but frankly the UTM device has not done a very good job of anti-spam; you really want to focus on an edge, a specific edge e-mail security appliance, or if you have chosen to do anti-spam on the server itself, you can do it on your e-mail server, you can do it on your server itself if you only have one, or however you want to do that. Those things, as a protection point, are best protected from at the edge.

Let me contrast that with the detection point, because a lot of people do not separate these in their heads, but you can detect and contain malware by its behavior. When a person is actually infected with a virus, what they tend to do is they infect other systems, they send email out, and the best way to catch that is going to be at the firewall, because you will see the wrong kind of mail coming out; someone that should not normally be making Port 25 connections out to the internet will suddenly be making Port 25 connections out to the internet. That is a detection point for viruses: detecting the behavior after someone has already been infected. It is great to prevent infection, but it is also great to detect it when someone really does get infected, and people inevitably will, so you can detect the behavior of these systems. The exact same thing is true of things like spyware; spyware tends to phone home or redirect people to certain kinds of websites. You can easily detect that at the firewall because these are not necessarily fairly well known, but they are well-known enough to the virus and spyware folks that if you got a UTM-ish firewall that is watching for that, you can block that.

Phishing is slightly different; it sends users to disreputable websites. Those change very, very quickly; there might be lots and lots of them, as opposed to spyware, which is often more static. In that case, an edge proxy server, which is doing things like checking the reputation, making sure that what you typed in the URL is right, that the SSL certificate is correct, that kind of blockage, that is a great place to do detection. If you do not have an edge proxy server, again, you detect this really well at an edge firewall. Things like a botnet Trojan, things where someone has been infected or they are not trying to infect other systems, but now they are actually attacking other systems, that is a great place to detect at the firewall because of the behavior of these systems. If you suddenly see a lot of IRC traffic in an organization that generally does not do IRC, then that is a great sign you got some botnet going on inside your network. You should definitely be monitoring on your firewall all port 6667 outbound traffic; you will catch an enormous amount of junk just by watching it, who is using IRC, because most of the time, unless you are a technical company where people are chatting on IRC all the time, that is illegitimate botnet traffic, and the great thing is that normally businesses now are using IM-ish stuff rather than the IRC-ish stuff.

I want to point out that the edge issue here reduces equivalents of these devices. UTM firewalls and edge proxy or edge e-mail devices are not equivalent in anti-x; I want you to understand this very clearly. A UTM firewall is not going to catch as much spam, viruses, and phishing attacks as an e-mail edge device. It is not going to catch as much spyware and viruses as a proxy server might, things that might have been propagated via web traffic. For e-mail traffic and web traffic, these very special-purpose devices will catch more attacks; they will defend best against these very specific threats because they have much, much more content information than a firewall that is trying to do this stuff on the fly. There is a trade-off between what you can catch, or how much stuff you are going to catch at the edge using the one technology versus a different kind of technology. Does this say that you should all run out and not use UTM and go to edge proxy or email security appliances? No. It just says you need to be aware that you are going to catch different levels of this stuff, depending on the device you have chosen. If you got extremely good desktop protection, if your company has very good training, and people will tend not to get sucked in by viruses and social engineering attacks, then maybe the UTM stuff is perfectly good, and, of course, there is this huge budget issue.

Now the great thing about the firewalls, though, is that they are going to catch threats that go around other devices, so if you buy an email security device, that is only going to look at e-mail. If you buy an edge proxy, that is typically only going to look at web traffic, so something that might come in through AOL IM is not going to get caught by this stuff. That is exactly where the firewalls and the UTM can do a great job if they are actually looking at other protocols. Be very careful when you start looking at anti-x features in these UTM devices because they do not always look at every single protocol, but they will catch certain kinds of threats that go around these other devices. These firewalls and UTM things can also catch infected systems by behavior anomaly detection, which typically you are not going to see in the edge proxy or e-mail security devices because they are not watching transaction-to-transaction; they are doing things one at a time, and when that transaction is over, throwing things out.

The edge proxies and e-mail security will add cost and complexity to your network. They do a really good job at what they do, but they cost more money than doing things with an edge UTM device, and they add additional complexity to your network. I am not going to give you special advice that says, 'Do this or do that.' I want you to be aware that you get a better level of detection at a higher cost for certain protocols by using edge proxy and e-mail security devices. You catch other things at the UTM level, a slightly worse detection level on things like spam and phishing, but you can also do things that you cannot do at the edge by looking at other protocols or by looking at behavioral anomalies, detection within the firewall or the UTM. This is not a substitutable thing. Do not think, "I will rip this out, put that in. I am getting the same features." That is not what's really happening.

Let me give you four best practices for anti-malware, which includes viruses and spyware. First of all, the desktop is a critical location in the anti-malware fight. You have to have desktop anti-virus, anti-spyware, anti-trojan, and anti-whatever; that is, essentially, a requirement. You cannot, maybe Mac users can possibly live without it, but certainly on the Windows platform, especially with untrained, relatively untrained users, you have to have desktop protection. You cannot say, 'I am protected at the edge. I do not need it at the desktop.' I do not think anyone is going to disagree with me, I hope not, but I just want to reiterate that point. That is a best practice.

Email edge devices, that is your best strategy for filtering things that are coming in via email. That will give you a better level of filtering on spam, phishing, and viruses before they enter your organization than any other thing. That does not mean that you necessarily need to do that; I just want you to understand that is a best practice, especially for any network with more than, say, 100 to 200 users on it. Going out and getting one of these email edge devices is a very inexpensive way to get a very high level of

Edge proxy servers give you great control, and they have excellent capability in catching malware, adware, and spyware before that enters your system. These are probably more appropriate for larger networks where you really do have a lot of folks on the inside doing a lot of different kinds of browsing, not necessarily with great training. They give you excellent control for what they do. You need to consider that as a possibility, depending on the size of your network.

The UTM firewalls supplement or replace these dedicated perimeter devices, so they will supplement an e-mail edge device, or they can replace it. They will supplement an edge proxy server or they will replace it, and that is for you to decide based on the risk-reward ratio and your own budget. If you think you got totally fantastic protection at the desktop and well-trained users, you may not need to have totally fantastic e-mail edge devices and totally fantastic edge proxy servers, assuming that you get really good anti-spam; actually, I would say that you need to have anti-spam anyway, so you are probably not going to replace anti-spam with a UTM firewall.

These are your primary tools, however, for detecting infected systems trying to go out. If your firewall has a policy which says, 'No one can come in, but anyone who wants to, on any port they want, can go out,' that is not a best practice anymore. You should be at least logging certain suspicious ports, if not outright blocking them, and watching your logs and finding out what is really needed by the user community on the inside. Simply letting everyone on the inside do anything they want toward the outside is definitely not a best practice. Thank you very much for your time.

Presenter: Great. Thank you, Joel. This concludes our webcast on anti-virus and anti-spyware. You can access the webcast and other learning materials on demand at
Thank you for joining us.
