In the wake of McAfee’s false positive that rendered Windows XP computers unbootable there has been a lot of talk. What I wanted to talk about today was the staging of virus definition updates. I saw a lot of comments that companies took the McAfee update and deployed it company-wide without any testing.
I dont know of companies of any size that would roll out any other patches without testing. Or I shouldnt’ say testing as much as rolling it to a small group of users, followed by a bigger group then all. Even if no tests are performed, the computer at least is used after the update an shown that everyday tasks still work.
Yet companies have given in to the virus definition update race and update definitions between 365 and 5000 times a year without any testing at all.
Depending on your vender, virus definitions come out between 1 and 20 times per day. Do you really want to be the choke point that prevents your company from being as fully protected as they could be? I gave up on that after the time I had to drive back from an awards dinner and run down a hallway yelling “hit update now, hit update now”. (I needed the email gateway antivirus updated)
Perhaps i’m going to feel really stupid when Symantec does the same thing next year. But I still feel our protection is better for having up to date definitions. Perhaps as a middle ground I could apply Rapid Release definitions to my own computer.
More and more antivirus venders are going to the cloud or going to the community to provide intelligence on the validity of a file. As antivirus venders take to the cloud, any staging/testing of virus definitions is only part of the equation. You can’t test the cloud in small groups.
Posts tagged ‘Antivirus’
Staging Virus Definition Updates
SEP 11.0.6
Symantec Endpoint Protection 11.0.6 is available on fileconnect. The release notes are here.
Release Highlights
•”Symantec Protection Center v1.0″ introduces a centralized management console with single sign-on to integrated Symantec applications including Endpoint Protection, Brightmail Gateway, Data Loss Prevention, Web Gateway, Critical System Protection, and IT Analytics
•”SEP Manager Web Console” delivers web-based access to SEP Manager in addition to the legacy JAVA console
•”SEP for Mac” provides integrated management and reporting of Mac and Windows clients in the SEP Manager
•Randomizing scan start time improves support for clients in virtualized environments
•The Symantec Endpoint Recovery Tool allows customers to scan and remove malware from client computers that the SEP client is unable to remediate effectively
•Enhanced default Antivirus and Antispyware security settings make SEP more efficient at detecting malware
•Includes over 155 customer reported defects
One of the defects may be one I’ve had a case open on for more than a year.
Auto Location Switching does not recognize 144 Mb/sec 802.11n connections
Fix ID: 1927272
Symptom: Auto Location Switching does not switch a client to a 144Mbs wireless connection
Solution: Added support for a 144Mbps wireless connection.
I’m hopeful that this will solve the location awareness issues when 802.11n is used. I’ve been told that wouldn’t be fixed until RU6MP1. But we’ll see what this does.
Another writeup of on the release is here.
Unicorn sighting
A few weeks ago my officemate posted to Facebook,
I’ve just been told by two different Mac Geniuses that installing an antivirus software could actually make the Mac computer less secure. Unfortunately, both were phone conversations because I’m almost certain they were doing the Jedi mind trick hand motions.
I thought of this today as Graham Cluley tweeted links to a couple of video blogs from last year. Unicorns have been spotted, Malware for the Mac does exist. Now to be fair these examples are largely social engineering. Just because it’s not a zero day doesn’t mean the systems isn’t owned. Fake Codecs and Fake anti-maiware aren’t the exclusive providence of Microsoft Operating Systems.
Antivirus Exclusions
For many years Microsoft has had an exclusion list of files and folder that antivirus should not scan. I’ve seen similar knowledgebase articles from antivirus venders. For some reason this became blogworthy over at TrendMicro. That has set off the usual echo chamber of anti-Microsoft handwringing. (wait a second an echo chamber of handwringing? exactly how loud is that? Stop mixing metaphors).
A lot of people have the knee-jerk reaction “oh no the virus writers will start putting their viruses there.” The TrendMicro blog entry isn’t as worried about the exclusions as he is about the public knowledge of the exclusions. “Now, although it actually makes sense to stop checking …we are concerned by the fact that this was released publicly.” I laughed out loud when I read that. Security through obscurity is no security at all. If you don’t tell antivirus administrators what to exclude from scanning just who are you going to be sharing this mystic secret with?
All the articles I’ve read imply that the only reason to make antivirus exclusions is performance. Exclusions can also be necessary to allow a product to work correctly. Data integrity is a valid reason for antivirus exclusion, I think.
Unlike what some people think, exclusions aren’t just for the performance of scheduled scans. On the contrary they more needed for real-time scan exclusion. Lots of files created in a folder and deleted, etc. That is a real time scan situation.
Microsoft’s KB is clearly aimed at system administrators not home users, in this writers opinion. Excluding a file from scanning is not a white flag of surrender. Endpoint security suites may still have IDS, proactive and firewall components. The malware will need to beat the antivirus to get on the system in the first place.
I guess I got my hand wringing out of the way on this one five years ago. Strangely TrendMicro did too. Their own knowledgebase has instructions with some recommended exclusions to solve problems with shaddowcopy and sql
VanMorrison.com Iframe
Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on “van morrison” (another termination offense). He/She clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.
Manually looking at www.vanmorrison.com’s source, I currently see a iframe loading ‘http://iqsp.ru:8080/index.php’. Perhaps someone can remind me, aren’t there sites like virus total where you can send them a link and they’ll tell you what’s up. I haven’t yet learned javascript deobfuscation but that didn’t look like good stuff was happening.
So I took a sacrificial lamb system. (still dangerous don’t try this at home). And went to www.vanmorrison.com using various security systems to see what the result was.
Bluecoat – detected the virus on the site. Blocked Access to the entire site.
Scansafe – detected the virus on the site. blocked access to the entire site.
Purewire – site loaded. Wanted me to install Flash (seemed legit but I didn’t do it). Java started up. I was prompted to download a file and run a ActiveX control. I chose not to install the ActiveX control but I did download the file. It was a pdf file.
Virus total saw the pdf file first on October 16th (today is the 21st). Currently 13 out of 41 venders are detecting this as a virus. Did I mention signature detection is dead dead dead.
Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementation are proxying 8080 traffic in addition to 80.
Update 10/23/09
I see Sophos and eweek have linked to this article. Thanks!
Pob is correct, the infection changed after I posted this entry. I went back yesterday to see if anyone cleaned it. I found the site on Google’s naughty list and the site had obfuscated code like he screenshots. Didn’t check on it today.
Web Security – The Problem
Web security has changed a lot in the past few years. It is no longer good enough to take a desktop antivirus scan engine and scan web content. URL filtering isn’t enough. It is not enough to put HTTP security on your corporate gateway.
The reason its not good enough to have a HTTP security gateway should be rather obvious. People go home. People travel. People work at client sites. People work at the Starbucks. An increasingly mobile workforce necessitates a mobile security solution.
URL filtering isn’t enough. URL filtering is reactionary and there are many new sites each day. When a legitimate site is compromised, URL filtering can categorize it as a malware serving site and block it. But how quickly will the site be rechecked after the virus is clean? Viruses are showing up on otherwise legitimate sites. Sites can be compromised through lack of patching, through SQL Infection. In several cases advertising networks have inadvertently included malicious content. Some sites are potentially insecure by design. Web 2.0 sites accept user provided content with little controls in place. While some URL filtering solutions are better than others, it is an incomplete solution at best.
Some web security solutions are merely URL filtering combined with a desktop antivirus engine. I don’t think I need to rehash the failure of the antivirus engine. But there is better technology. The best web security solutions include zero day protection as more than a marketing term. A web malware scanner is looking at the context of the file. The site its on. The number of requests for the file. The history. Its then running it through heuristics in a way much more accurate than any desktop heuristic.
The web is a ready avenue of attack. Strengthened defenses against email and network attacks have left http the prime target for attackers.
Its a good time to be looking at alternative solutions. I think that SaaS web security has hit the sweet spot in what Gartner would call the hype cycle. Its at that point where you’re still on the leading edge but not on the bleeding edge. I’ll be trying to get a “why SaaS” post out.
Some People Really Need to Look Into NAC
Over the weekend I was talking to someone who has a mandatory requirement at work to have their computer inspected by the helpdesk every 60 days. If the computer is not inspected the computer is not allowed onto the network.
I’ve heard of such requirements for remote users. Remote users who don’t connect to the company using a VPN are tough to check up on. Requiring a periodic check-in could be a good idea for those users. However, physically checking computers that are manageable devices on your internal company network seems like a waste of time to me. If this story is accurate, I’d like to introduce them to NAC.
I know what you’re saying. First they are using a form of NAC if they can keep unapproved people off the network, and force them to go to the helpdesk to reauthorize themselves every 90 days. Second, some people think of NAC like they think of PKI. It just hasn’t taken off yet and some people think it is one of the more useless “useful technologies.”
NAC is actually useful for quite a bit more than keeping people off the network. If you manually check computers every 60 days, a computer that has broken patching mechanisms or is infected will not be detected for an average of 30 days. NAC would be able to detect this as the computer is connected to the network and on an ongoing recheck schedule. Even if you don’t want to send the user to a remediation page you could alert the helpdesk. Better to be fixing known problems immediately than inconveniencing everyone else every 60 days.
If you do have a NAC project, I’d suggest checking out Forescout. I have been happy with our selection. When we looked at other vendors it wasn’t even close in my opinion. Don’t feel like you have to buy NAC from your network switch vendor or your desktop antivirus vendor.
Alternatives to Desktop Lockdown
This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.
Desktop Lockdown has failed.
But so has complete freedom.
So what do you do?
From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. IFrom a security perspective, lockdown was performed to prevent malware and prevent users from disabling security applications.
Lockdown has failed for a number of reasons. In XP, the locked down experience is lacking. You can’t change the timezone or install a printer driver. Its not workable for the traveling user.
Locking down computers failed because new technologies bypass local controls. For example it doesn’t prevent the user from using Google Apps and other forms of cloud computing in a insecure manner. Being a standard user doesn’t even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by lack of admin rights.
Its almost a cliché at this point but the consumerization of IT has led to a new workforce. Generation Y digital natives. They may not be better at not falling for fake AntivirusXP but they expect full access all the time.
Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.
Saying that lockdown has failed, does not mean that complete freedom has succeeded.
The cost of managing end user computers are far greater for unmanaged computer. The risk of virus attacks is much greater with administrative rights.
So what do you do? The talk reviewed multiple alternatives.
Alternative 1De-Privilege Admins – UAC
UAC prompts to elevate rights when admin rights are needed.
As you already know, that can be annoying if you have a lot of applications that are poorly written and need admin rights. Also depending on the user this can barely be a speedbump in stopping malware.
Alternative 2White list
While basic whitelisting is currently available in Windows XP and later as well as most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you dont have to manually update each time a new version is released. They also can use reputation services that make a judgment about any new/unknown files.
One user when told we were considering this technology stated as an engineer they install all sorts of software and really important work would stop if he couldn’t install every random file he found on the Internet.
Host Based Intrusion Detection Systems (HIPS) also fall into this category. They are much more complex, and can cause instability issues depending on how it is integrated.
Alternative 3Remote Presentation
In this scenario users log into a remote server such as vmware or terminal server. Of the local computer and the remote session one is managed and one is unmanaged.
This scenario requires solid network connectivity. It also isn’t clear how the network is protected from the unmanaged computer.
Alternative 4 Multiple Virtual Machines running locally
Unlike the previous example, the user can work with remotely. The virtual machines are on the local computer.
The major drawback to this approach is licensing cost, patching, and extra hardware cost.
In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.
Alternative 5Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.
Alternative 6 Hybrid
A few from column a and a few from column b.
Alternative 7Employee Owned PCs
I’ve read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy because a craftsman power saw isn’t going to get infected and DDoS the network. (Although cheap worker provided power tools could break spectacularly in a particularly liable fashion).
The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.
Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest. Although virtualization is moving fast. XP mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?
For the longest time, vender’s made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I’d love to know what percentage of companies in general and Federal Contractors in particular lock down the computers by restricting admin rights as required by the FDCC). It is very interesting to hear about some other solutions. Obviously antivirus is not working but we still need to provide protections.
Eric Ouellet on DLP
A new Gartner Magic Quadrant covering Data Loss Prevention was released this week. Eric Ouellet spoke on this at Pre-Conference for Gartner’s Security Summit.
In spite of several years of DLP hype, Ouellet indicated that it is not yet at the sweet spot in the security product hype cycle. People who implement DLP often don’t have fully formed goals, they leave the product in monitor only mode and they are disappointed with the results.
It is important first to define terms, Garnter has begun calling it Content Aware DLP. This is a DLP that is content or context aware. Many vendors say they have Data Loss Prevention. To a specific definition this is true, anything that prevents data from leaking is DLP. Under this definition vendors have claimed that USB port controls, Enterprise Digital Rights Management, hard disk encryption, and file tagging are DLP. None of those devices are aware of the content of the data. To differentiate those products from the traditional DLP product space, Gartner uses the term Content Aware DLP.
Two trends have occurred since I’ve looked at DLP last. Antivirus vendors have taken the lead (through purchase) and added client DLP agents to their suite. Also it is no longer Network based agents versus the desktop agent. It is necessary to have both unless you are only after a specific monitoring purpose.
With DLP I have always struggled with the use case. Its pretty easy to install and report on credit card or social security numbers. But how does the DLP find what is important to my company. I dont even know what should be protected. The limited FIPS data classification that we’ve done doesn’t help either. I did learn that 90 percent of deployments are for compliance purposes (PCI, HIPPA) rather than for the protection of Intellectual Property.
The message I heard was ‘if you don’t know you need DLP, then you don’t need it.’ Too often people think they need it because its been written about in the tech press. If you are going to move forward, good general advice is don’t let the vendors website write your RFP. Dont write in requirements you wont use. Certainly dont use requirements you wont use as a differentiator between vendors. Be aware of the false sense of security that DLP can provide.
Ouellet closed advising that DLP is like a magnifying glass and the corporation is Pandora’s box. You’re going to find out things you didn’t want to know. Rather than being the impetus for budget justification, in some companies it has called the use of the existing budget into question.
