On January 30th, the New York Times published a story about themselves. They were infected with an advanced persistent threat, and had called in Mandiant to clean up the mess. The quote repeated many times on twitter was
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
Any antimalware failure generates a lot of schadenfreude from people who think that wouldn’t have happened with their antivirus choice, wouldn’t have happened to their Operating System choice, or just think antivirus products don’t do anything useful.
I was more curious about what they were running and what their other security protections were. For example, if they’re running Symantec Antivirus version 10, then they’re a bit behind the times.
Initially Symantec choose not to comment. But in a statement released today (31st), Symantec stated:
“Advanced attacks like the ones the New York Times described in the following article, (http://nyti.ms/TZtr5z), underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”
It is important to be on the current release of your antimalware product, and to learn about and use the available features. This doesn’t guarantee protection against zero day targeted attacks. Nothing does. But it is a good place to start.