This week, a Symantec executive proclaimed that anti-virus is dead. Given the company's position in the AV market, it may be the most discussed comment coming from Symantec for some time; though in and of itself, I'm not sure the statement would elicit much of an argument from most security professionals. Oh, except for the other AV vendors of course.
For our own part, it's not news that we believe that AV is "limited". In fact, Metasploit specifically offers AV evasion capabilities to represent the way that attackers behave. Anti-virus only works to protect you against threats that are known. And known in enough detail that it can be recognized and blocked on a variety of systems. It’s not rocket science to think then that a technically-skilled attacker with time will either tweak some existing malware, or create something new, so that it won’t be recognizable to standard AV packs.
Hence all that cynicism about AV, particularly among the pen testing community who face – and defeat – AV on a daily basis. But here’s where I have a hard time playing the funeral dirge for AV.
See whether it’s because you’re lazy, or a total go-getter that wants to cram as much into your day as possible, either way you’re likely to want to be as efficient with your time and effort as you can be. This is why people like automation (yes, that was a Metasploit Pro plug). This is also why there is a pretty decent market for crimeware packs. And why not? There is a lot of malware knocking about on the internet after 30 years or so of people creating it, and others creating flawed software to be exploited by it. And tragically much of it still works.
So if I am an evil genius attacker (cybercriminals are all evil geniuses, no?) and I can get the goodies by using old malware that’s been around for ages, why wouldn’t I? Why spend time and energy on creating something more elaborate when the old stuff still works, and meanwhile I can divert my time to creating a car that turns into a submarine to reach my secret underwater layer. Or sitting around playing Titanfall in my underwear.
So yeah, I’m not ready to pronounce AV dead, and I still make sure my mom runs it on her computer because at least it affords her a level of basic protection against drive-by attacks. The Verizon Data Breach Investigations Report summarizes this with: "While many proclaim AV is dead, not having it is akin to living without an immune system." I’m not sure I think AV is as effective as an immune system. Rather, I’d compare it to a shower curtain – it protects you from the peripheral spray, but won’t stand up to a direct deluge.
This is where I think AV can become problematic, dangerous even. It can give people a false sense of security. You need to remember that it doesn’t make you bulletproof, not even close. So whether you’re my mom or a Fortune 50 enterprise (and everything in between), you still need to practice good security hygiene and practices beyond deploying AV. Which is where pen testing comes in… (though probably not for my mom).
Testing AV evasion techniques is the way to understand the impact of directing the faucet right at the edge of the tub; just how soggy is everything going to get, and what problems does that cause? To find out, why not try our updated AV evasion techniques which help you mimic a real-world attack?
One final comment – if you are running AV, it’s crucial that you keep it active and updated on all machines or it really is a pointless exercise – like having a holey shower curtain, or one made of rice paper. This is something Rapid7 ControlsInsight can help you with. Now I’m off to my mom’s place to update hers and work on my sub-car-ine.