Last month, an article in Dark Reading by Robert Lemos asked if it was “Time To Dump Antivirus As Endpoint Protection?“. It referenced a recent Google research paper that outlined their new reputation technology called CAMP (short for Content-Agnostic Malware Protection), which they claim protects against 98.6% of malware downloaded via their Chrome browser, as opposed to the 25 percent detected by the best performing antivirus engine they tested.
This may sound like magic. Whether you view this as white magic or black magic depends on if you know that Google sends attributes of all the “unknown” files on your computer to their online service for analysis.
To us, however, all this is old news. As early as 2008 we stated that standard detection technologies need to be combined with other methods like reputation services, whitelisting and so on. We’ve invested heavily in the technology needed to detect malicious infrastructures and ecosystems.
Because we collect so much information, we’re able to help law enforcement agencies around the globe put cybercriminals in jail. When Google talked about CAMP, they claimed that their system makes millions of reputation-based decisions every day, and that it identifies and blocks about 5 million malware downloads every month. Great job to make the Internet a safer place!
Then again, this is what the security industry has done for years already, so this is not something brand new. For example, Trend Micro blocks 250 million threats per day (files, websites, and spam), and our systems process more than 16 billion requests per day. These requests generate 6TB of data daily for analytics… that’s what I call Big Data.
The article also talks about what some customers are doing in the face of the problems of traditional antivirus. These are:
The author himself states this is a bad idea, pointing to the recent Microsoft Security Intelligence Report that said that computers with no endpoint anti-malware protection were 5.5 times more likely to be infected. It’s all well and good that, say, Google Chrome protects me from infections – but what about the latest driver on a CD that I need to install my USB 3.0 PCI card? What about the USB stick I just got from a friend? What about the digital picture frame with malware on it? Let’s not even talk about all the other entry vectors using vulnerabilities and so on. Endpoint protection is still necessary, and a baseline for effective defense.
Beef up the blacklist
We’ve been saying this for years as well. A blacklist can be combined with reputation technology, advanced heuristics, communications monitoring to identify commands by malicious botnets, and all the other new tools we have up our sleeves. Users have to accept that especially a sufficiently determined and sophisticated targeted attack will be able to get in, but there are ways to detect these threats, particularly when they try to “phone home” to malicious servers.
Use a whitelist
Yes! Trend Micro has built up a whitelist with over 220 million known good files, and we use it as part of our reputation services within our products. This can be used in critical endpoints to minimize the risk of running malware as well.
Focus on isolation
This makes sense for critical machines where you have the time and money to manage them in a different way. The users of these machines will have to learn that they can’t execute code from all kind of sources anymore, they need to say goodbye to their personal computer. I see the use cases here in hardening industrial control systems and Windows systems in production environments.
I totally agree that it is easy to avoid traditional antivirus. However, the security industry has known this for quite a while now and have worked hard to find new ways to protect against malware and cybercrime. Do we do a perfect job? No, there is no silver bullet. Our job is to protect our users as best as possible, and that’s what we continue to do. So long live anti-malware – it still is needed.
For users who want to know more about this issue, I came up with a video discussing how anti-malware products are still relevant and crucial in protecting users’ data amidst developments in reputation technology.
My website CTO Insights contains more discussions about pertinent security issues.