ANTIVIRUS IS DEAD
Symantec, if you’re not aware in non-Tex-land, is the maker of Norton Antivirus. So, needless to say, Dye’s remarks generated significant shock and criticism at the time.
The truth is he was, and is, absolutely right. However, as with most things, that’s not the whole story.
In my first article on TTP, A Clean Start, I made the following assertion, echoing Dye’s sentiment:
“Anti-virus is today at best about 30% effective at stopping malware. It’s near-0% in stopping a determined attacker and also near-0% if not kept up-to-date daily.”
What he and I mean when we say Antivirus programs are “dead” is that any computing defense that relies on a “blacklist” of programs that shouldn’t be allowed to run is ineffective by itself in today’s connected world. We need defenses based on new technologies like behavioral analysis and “whitelisting.”
“Ok, Tex, but what does all that mean in plain English?” As a fellow rational conservative, I’ll use our Constitution as an analogy.
In its original, pre-Bill of Rights form, you can think of the document as a whitelist of specific things the Federal government is allowed to do, called “Enumerated Powers”: Not on the list, not allowed.
However, during the ratification debates many States expressed concern that Natural Rights were not explicitly listed as something the new government would not be allowed to infringe upon. In short, these early patriots were arguing for a blacklist, with those opposed arguing that a whitelist of what the new government was allowed to do was enough.
In the end, we know how the story went: The Bill of Rights was added as a condition of ratification; as an extra layer of protection in case future generations (e.g. Democrats) decided to endlessly expand the whitelist such that the Federal government was allowed to do anything it wanted.
Effective cybersecurity defenses work on this same principle of layered defenses, or “defense-in-depth.”
However, most IT departments and laymen are outmoded in their ideas of what layers should be present. They continue to believe that static systems like firewalls and traditional antivirus, which block only known threats, are sufficient, versus dynamic systems that can detect and mitigate both known and unknown attacks.
This was Mr. Dye’s point (and mine).
“So how do I get this whitelist concept on my system, Tex? And what do you mean by ‘behavioral analysis?’ That mean folks like you are going to spy on me in the name of keeping me safe?” First, let’s discuss behavioral analysis.
It’s not about looking for naughty things you might do on your computer, like tracking your browsing history. What cyber-geeks are referring to is leveraging massive amounts of data that have been statistically studied to determine what are normal, everyday activities for your system (not you) versus a pattern of activities that suggests you have an unwanted visitor on your computer.
The good news is that most of the major antivirus vendors since 2014 have been adding more and more of this into their products. For example, with every Windows 10 update, its built-in antivirus has expanded from the simple “Defender AV” product to an entire suite of capabilities.
Aside: This is a prime example of why I and other security professionals are so adamant about keeping your systems up-to-date with the latest version of your operating system of choice: every 6 months (in the case of Windows 10) it’s like you have a whole new SpecOps division added to the defense of your system without any action on your part!
Windows Defender, McAfee, Symantec, and many others now (with your consent) can connect your system into their enormous “threat intelligence” databases in the cloud.
While there are some tin-foil-hat folks out there who think this is the Mark of the Beast in terms of privacy, the reality is this is the least of your worries if you’re really concerned about your privacy online (definitely a topic for a future CyberTex article!).
Why? Because there’s no better “force multiplier” for your computer’s defenses than to get near-immediate protection from malware that is intent on invading your privacy.
Here’s a real-world example:
Recently a PC running Defender ATP, the business version of Defender (which can gather more detailed behavioral data than the consumer release), detected some very strange things going on with a user’s PC. It noticed that after reading an email from a source not normally seen on this system, the user downloaded the (fake) attachment (he didn’t listen to Tex).
As if that wasn’t enough, once the attachment was loaded into Word or Adobe, it began to execute a series of things on the system; but here’s the kicker: there was no “malware” involved.
In other words, no blacklist antivirus would have anything on its list to block, as the hacker just started using the built-in, normally innocuous programs on the PC to do bad things, kind of like using a screwdriver to poke someone’s eye out instead of tightening a screw. A good tool used for an evil purpose.
Now the good news: because this system was connected to its cloud-based threat intel database, it blocked the execution of anything more from this document and reported these symptoms in real time back up into the cloud. The result?
Every Windows system on the planet running Defender connected to the Internet was protected against this unknown threat in less than 15 minutes.
This is how we all begin to neutralize the miscreants out there!
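To make the difference between the two kinds of defense concrete, here is a small added example (it is not Tex’s code, nor anything Defender ATP actually runs) that replays the story above as a handful of constructed process-launch records: a hash blacklist finds nothing, because every program involved is a legitimate built-in, while a behavioral check that knows what is “normal” (a document app should never start a command shell, and the launch pairs involved have practically never been seen before) raises the alarm and produces a rule the other machines can use. All names, hashes and baseline counts are made up for the example.

```python
from collections import Counter
from dataclasses import dataclass

# A process-launch record as an endpoint sensor might log it. All names and
# hashes below are constructed for this example, not real telemetry.
@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the process that started the new one
    image: str    # image name of the new process
    sha256: str   # hash of the executable file (constructed placeholder values)

# The blacklist a classic signature scanner carries: hashes of known-bad files.
# Nothing in the story is on it, because no malware file was ever dropped.
KNOWN_BAD_HASHES = {"deadbeef-constructed-hash": "Trojan.Constructed.A"}

# Stand-in for the vendor's statistical baseline of parent->child launches seen
# across many machines (counts are constructed). A pair far below the usual
# counts is "not normal for the system", which is what behavioral analysis means.
BASELINE = Counter({
    ("explorer.exe", "OUTLOOK.EXE"): 4800,
    ("explorer.exe", "WINWORD.EXE"): 5000,
    ("OUTLOOK.EXE", "WINWORD.EXE"): 1200,
    ("explorer.exe", "cmd.exe"): 300,
    ("explorer.exe", "powershell.exe"): 150,
})

# Built-in, normally innocuous tools: the "screwdrivers" of the story.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "AcroRd32.exe"}

# Constructed event chain matching the story: mail -> document -> built-in tools.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "OUTLOOK.EXE", "hash-outlook-constructed"),
    ProcessEvent("OUTLOOK.EXE", "WINWORD.EXE", "hash-word-constructed"),
    ProcessEvent("WINWORD.EXE", "cmd.exe", "hash-cmd-constructed"),
    ProcessEvent("cmd.exe", "powershell.exe", "hash-powershell-constructed"),
]


def blacklist_hits(events):
    """What a pure blacklist scanner reports: only files whose hash it already knows."""
    return [(e.image, KNOWN_BAD_HASHES[e.sha256])
            for e in events if e.sha256 in KNOWN_BAD_HASHES]


def behavioral_alerts(events, baseline=BASELINE, min_seen=10):
    """Flag a launch when a document application spawns a script host, or when
    the parent->child pair is practically unseen in the baseline."""
    alerts = []
    for e in events:
        reasons = []
        if e.parent in DOCUMENT_APPS and e.image in SCRIPT_HOSTS:
            reasons.append("document app spawned a script host")
        if baseline[(e.parent, e.image)] < min_seen:
            reasons.append("parent/child pair outside the normal baseline")
        if reasons:
            alerts.append((e.parent, e.image, reasons))
    return alerts


def derive_block_rule(alerts):
    """Distil confirmed alerts into the indicator worth sharing with every other
    endpoint: the parent->child pairs to block. No file hash is needed."""
    return sorted({(parent, child) for parent, child, _ in alerts})


def apply_block_rule(events, rule):
    """What a second machine does with the shared rule: block matching launches."""
    blocked = set(rule)
    return [e for e in events if (e.parent, e.image) in blocked]


if __name__ == "__main__":
    print("blacklist hits:", blacklist_hits(SAMPLE_EVENTS))   # prints []
    alerts = behavioral_alerts(SAMPLE_EVENTS)
    for parent, child, reasons in alerts:
        print(f"ALERT {parent} -> {child}: {'; '.join(reasons)}")
    rule = derive_block_rule(alerts)
    # A different, constructed machine seeing the same trick minutes later.
    other_machine = [
        ProcessEvent("explorer.exe", "WINWORD.EXE", "hash-word-constructed"),
        ProcessEvent("WINWORD.EXE", "cmd.exe", "hash-cmd-constructed"),
    ]
    print("blocked elsewhere:",
          [(e.parent, e.image) for e in apply_block_rule(other_machine, rule)])
```

The point to notice is that the shared rule contains no file hash at all; it describes a behavior, which is why it can protect machines that never see the same attachment.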
“That’s really cool, Tex, but what if I’m not running Defender ATP on my Windows PC? Or what if I’m running a Mac or just using my phone and tablet? And what about that whitelisting again?”
Not to worry. As I said, most of the major vendors have their own answer to this kind of capability, with versions that run on lots of different platforms. Notice, however, that I said “major vendors”. Be wary of most “free” antivirus programs you can download, as they tend to be one of the following:
- Complete fakes and are just malware themselves
- Legitimate, but you must be very careful to download the real version from the vendor’s website (AVG is a notorious example, with lots of fake or hacked versions of it available for download).
- Great at blacklisting but don’t have any whitelisting or behavioral analysis
Next, let’s get to whitelisting.
I’ve saved this for last because I’ve got some good news and bad news for my fellow TTP’ers:
- The good news is that systems like iOS and Android by default only allow programs downloaded from their stores to run. So, unless a hacker is able to get past Apple’s and Google’s deep code security analysis (which has happened, but is fortunately rare), you’re protected.
- The bad news?
  - On iOS and Android, you must keep your apps up-to-date, because if there’s a way to exploit an app into running code on the hacker’s behalf (as in the example above via the email attachment), bad code can still run.
  - On Windows and MacOS, unless apps are only allowed to run from the Microsoft and Apple Stores respectively, the system is wide open.
  - On Linux, whitelisting can require more technical expertise, but if you run Linux it’s likely you have that. (If there’s interest in this, let’s discuss on the TTP forum!)
“Tex, does that mean I can’t protect my Mac or PC with whitelisting?” Not at all!
For the Mac, Apple introduced a new capability as of v10.7.5 “Lion” called Gatekeeper. I strongly recommend enabling it to limit software to the Apple Store, or at least to software Apple has investigated as part of their new Gatekeeper program. More on this can be found here.
For your Windows 10 PC (because that’s the only Windows version you’d ever run on a system connected to the Internet, right?!), you can do the following:
- Under Settings, Apps, Apps and Features, you can enable the option to “Allow apps from the Store only.” This will prevent the installation of new apps from outside the Store, but it doesn’t stop existing programs from running, nor “stand-alone” ones that don’t permanently install on your system (like a lot of malware).
- Buy a system with “Windows 10 S”, or next year one with the new, lighter-weight version called “Polaris”. Both of these will prevent anything not “signed” as coming from the Store from running. Polaris will let you run many programs from outside of the Store, but in a “container” that’s isolated from the rest of your system.
- If that’s too restrictive for you, consider a whitelisting approach from a third party like PC Matic. (Despite their cheesy marketing, they make an excellent product and even include security training for the layman that will sound familiar to a lot of Tex’s advice.)
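Since the Windows options above come down to “only run what is signed as coming from the Store,” here is an added example (not Tex’s code, and not how Windows 10 S or the Store actually implement signing) that compares three policies on a few constructed “programs”: a blacklist, a whitelist of exact file hashes, and a whitelist that accepts anything carrying a valid Store signature. The Store’s signing key and the programs are made up, and an HMAC stands in for the public-key signature a real store would use, purely so the example runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed key standing in for the Store's code-signing key. Real stores use
# public-key signatures (only the store holds the private key); an HMAC is used
# here purely so the example runs on the standard library alone.
STORE_SIGNING_KEY = b"constructed-store-signing-key-not-real"


def sha256(program: bytes) -> str:
    return hashlib.sha256(program).hexdigest()


def store_sign(program: bytes, key: bytes = STORE_SIGNING_KEY) -> bytes:
    """Signature the Store attaches to a program it has reviewed."""
    return hmac.new(key, program, hashlib.sha256).digest()


def blacklist_allows(program: bytes, bad_hashes: set) -> bool:
    """Traditional AV: run anything unless its hash is already known bad."""
    return sha256(program) not in bad_hashes


def hash_allowlist_allows(program: bytes, allowed_hashes: set) -> bool:
    """Whitelisting by exact file hash: only the listed builds may run."""
    return sha256(program) in allowed_hashes


def store_allowlist_allows(program: bytes, signature, key: bytes = STORE_SIGNING_KEY) -> bool:
    """Whitelisting by signer (the store-only model): a program runs only if
    the signature attached to it verifies under the Store's key."""
    if signature is None:          # unsigned, stand-alone tool
        return False
    return hmac.compare_digest(store_sign(program, key), signature)


# Constructed "programs" (just bytes) for the walk-through.
CALC_V1 = b"constructed calculator app, version 1"
CALC_V2 = b"constructed calculator app, version 2"
UNKNOWN_TOOL = b"constructed stand-alone tool that never installs"


def walk_through():
    """Evaluate each program under the three policies; returns {name: {policy: allowed}}."""
    allowed_hashes = {sha256(CALC_V1)}   # an admin approved version 1 by hash
    bad_hashes = set()                   # the blacklist has never seen any of these
    cases = {
        "calc v1 (store-signed)": (CALC_V1, store_sign(CALC_V1)),
        "calc v2 (store-signed update)": (CALC_V2, store_sign(CALC_V2)),
        "calc v2 tampered after signing": (CALC_V2 + b"<injected>", store_sign(CALC_V2)),
        "calc v1 signed with someone else's key": (CALC_V1, store_sign(CALC_V1, b"not-the-store")),
        "unknown stand-alone tool (unsigned)": (UNKNOWN_TOOL, None),
    }
    return {
        name: {
            "blacklist": blacklist_allows(prog, bad_hashes),
            "hash allowlist": hash_allowlist_allows(prog, allowed_hashes),
            "store-signed allowlist": store_allowlist_allows(prog, sig),
        }
        for name, (prog, sig) in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in walk_through().items():
        print(name)
        for policy, allowed in verdicts.items():
            print(f"   {policy:24} {'RUN' if allowed else 'BLOCK'}")
```

Two things stand out when you run it: the blacklist lets the unknown stand-alone tool run, because it has nothing on its list for it, and the hash whitelist blocks the legitimate version 2 update until someone re-approves it, which is the maintenance burden that makes signer-based whitelisting the practical choice for a home PC.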
To conclude, new technology is needed in today’s threat environment to ensure your Clean Start stays that way. If you’re running an older antivirus, an old OS, or unpatched applications, or you allow applications from just anywhere to run on your system, you’re asking for trouble.
Tex Manchester is TTP’s world expert on cybersecurity. He travels the world advising Fortune 500 security executives and professionals on how not to be on the news. However, he is even more passionate about helping everyday people protect themselves in today’s connected world.