Saturday, December 29, 2007

AV Signature False Positives

Kaspersky's AV accidentally identified the Windows Explorer process as malware. The same thing happened to Symantec with their Asian Language Windows customers. And Heise is running an article on how AV vendors' ability to protect has decreased since last year.


The problem with these commercial, signature-based, anti-malware solutions is that they work 1) Backwards, and 2) Blind. They operate "backwards" in the sense that they are a default-allow (instead of default-deny) mechanism-- they only block (unless they screw up like this) the stuff they know all of their customers will think is bad. And they operate "blind" in that they don't do any QA on their code in your environment. If you think about it, it's scary: they apply multiple (potentially crippling as evidenced by these recent events) changes to production systems, in most organizations several times per day without proper change control processes. Besides anti-malware, what other enterprise applications operate in such a six-shooters-blazing, wild west cowboy sort of way?


Surely this is one more nail in the signature-based anti-malware coffin.

2 comments:

Mike Myers said...

Preach it brother. I have had this conversation with every system admin who will listen -- and many that wouldn't. Mandatory antivirus does more harm than good if you're a power user. Nothing like having your copy of netcat quarantined and deleted out from under your nose, when you know anyone with a hex editor can change any arbitrary executable P into P' such that it evades all known signatures and not affect the functionality of the program.

Unfortunately, even when we convince our network security departments of the uselessness of signature-based blacklists, what do we suggest to put in their place? Too often I run up against the "yea I know but something is better than nothing" argument.

Tim MalcomVetter said...

Mike,

That's a great question. When we, as users of commercial OSes that have problems separating information from instructions, are forced to deal with this situation our options are: blacklist anti-malware, combination blacklist and behavioral anti-malware, weakly implemented whitelists, or nothing.

Blacklists are bad, like we agree. Behavioral is the logical next step for anti-malware vendors, because for whitelists to be successful they have to watch all code execution points. But, a funny thing about Turing Completeness (that should be a follow-up blog post by itself) is that there are nearly infinite ways to accomplish a given task. Hence, behavioral systems fail and have false positives. Not to mention you just cannot find a vendor selling a behavioral only anti-malware solution these days (if you know of any, post them in the comments).

Another limitation is that today's anti-malware looks mostly at file I/O (typically read) calls. If a file is read, and the malware engine says it's bad, the File I/O is hijacked (in Windows, the anti-malware hooks into a File System Filter driver API), preventing the file from being read into memory and instructions being loaded into the CPU. But we all know that it is any input vector that can become a malware vector. The lists go on and on, but things like malicious image files (especially those stupid file formats Microsoft made that allow executable code to live inside of the images-- that's another data/code separation problem), browser plugins, script code, etc., are going to cause problems for a long time. Malware doesn't have to be disk resident anymore. The state of the art is to inject code into running processes. Who cares if the process/system is restarted? The code can just be re-injected later. Whitelists don't implement well in that situation because there is not a clear delineation between what is just "data" (information) and what is data that can be interpreted as instructions (programmable code).

So, in short, until OSes are re-engineered (or until you can convince your security team to think more progressively on the matter-- which I think may happen if the number of new variants in 2008 follows the exponential growth of 2007), blacklists are here (although possibly augmented by behavioral analysis). Maybe an argument you can use with that team (since they enjoy blacklists) is to rip the blacklist anti-malware out and slap a blacklist NIDS to watch the system. It's no better, technically (and some of the threats it looks for are different), but it won't be the same hassle for you. That, and you should be able to tell your commercial product that some things are OK in certain circumstances (although that's a fun set of rules to manage ;).