Recently at work there was a security incident where a worker was tricked into loading malware on their machine. I was asked if your desktop antivirus solution fully protected us against this. While I’m sure most people that read my articles are aware of the answer I gave I thought I would share it with you (some parts have been rewritten from the original email)
While our desktop antivirus solution does detect malware, spyware and virii vectors into the machine, the vendor needs to release definitions to make sure it can detect it. Due to the fact that we don’t have the name of the spyware in question I can’t verify whether the vendor has the definitions loaded to detect this particular piece of software. The problem with spyware and malware in general is the fast moving vector in which it changes code, when the code the definition was written for changes even slightly usually they won’t be able to detect it.
Our desktop solution does include heuristics to detect malicious activity done by a software program, but this only goes so far. Researchers and malicious code writers have even turned this into a game — http://www.infoworld.com/article/08/04/28/Security-vendors-slam-Defcon-virus-contest_1.html.
Without knowing all the steps included I think that the vendor did not have the definitions for this particular attack. Not only would it have to bypass the desktop virus scanners, it would have had to bypass the web filters if it came via a web page, the mail servers scanners if it came in via e-mail, also possibly any network scanners andmail gateway scanners that we may utilize.
Protecting from malicious software will always be a moving target that there will never be 100% protection against. There are things that can be done to minimize it’s effects:
1. Layered security — scanning at the desktop, proxies, mail servers, mail gateways, and virus and IDS at network level — these can help detect known attack vectors and suspicious activity.
2. Vista — not something some people want to hear, but from a Windows perspective with the UAC (User Access Controls) it makes it more difficult for malware to get a foot hold into the operating system. This is much more effective on machines where the users do not have administrative rights to their machines. While machines with Linux and OSX operating systems are essentially immune to virii ( there is more virii added to Windows AV Definition files in a week then have ever been discovered for these operating systems) there are not immune to all malicious software.
3. Machine policies — group policies initiatives that lock down the machine lower the surface area that this malware can attack. Requiring users to only go to trusted sites and disabling unsigned active-X controls go a long way to minimizing these type of attacks from vectors outside of the just e-mail concerns.
4. User education — the more educated a user is, and the more conscious of the possible repercussions of their actions the less this type of attack happens.
While even all of these will never have 100% coverage combined gives the desktops the best chance of detecting these types of threats.