Don’t let your anti-malware be your permeable safety blanket.
Antivirus is the safety blanket computer users and businesses have used for decades. They trust it. They swear by it. Gartner estimated corporations spent a whopping $3.4 billion on antivirus products in 2012. Consumers spent $5 billion.
But antivirus isn’t as effective as it used to be in the 1980s and 1990s.
According to AV-Test.org, 220,000 malicious programs are found every day. The problem is, antivirus software can only detect about 60% of these threats. Even the company that invented antivirus (Symantec) has come out to say ‘it’s dead.’
(Before I go any further, note that I will no longer be using the word ‘virus.’ Spyware, adware, worms, Trojans, and viruses all have different functions, but they’re all unwanted malware doing questionable things. So, virus = malware and antivirus = anti-malware.)
See also: Ditch Typical Anti Virus for True PCI Requirement 5 Compliance
Anti-malware is signature-based. It’s not artificial intelligence. That means anti-malware software only flags malware that is known to be malware.
Let me explain how it works. The anti-malware company creates signatures for each type of malware on their radar. The company pushes new malware signatures out to your program in every update (which is why it’s so important to regularly update your anti-malware software). When the anti-malware program on your computer finds something that matches a signature, the software quarantines it. Sounds great, right?
Here are a few problems with signature-based software.
Basically, anti-malware software is reactive technology, rather than preventative. It’s playing catch-up with attackers. It’s never ahead of malware.
Does it surprise you that 31% of all computers in the world are infected with malware?
That being said, every business and every person should still install, update, and run anti-malware on systems regularly. Besides being a PCI DSS requirement (PCI DSS Requirement 5), anti-malware is a critical layer in your whole security strategy. Just because it isn’t cutting-edge technology doesn’t mean it won’t find lots of old malware still floating around out there.
See also: SecurityMetrics PCI Guide
File integrity monitoring software (FIM) is another crucial layer in your security system that works well with anti-malware programs. It’s also another PCI DSS requirement (PCI DSS Requirement 11.5).
When you run anti-malware and FIM in conjunction, it is much more effective than either system separately. FIM shows you the changes occurring in your system. For example, you can see that yesterday at 2 p.m. a file was added in an odd location while no one was doing an update of your system. Chances are, it’s malware that was added when you visited an infected website and it wasn’t detected by anti-malware. After doing a little detective work following that track in the sand, it’s easy to wipe that piece of malware clean off your system.
The distinct difference between anti-malware and FIM is this: if anti-malware finds something, you can be 99% sure it’s a piece of malware. If FIM finds something, it may be tipping you off to a problem that anti-malware hasn’t created a signature for yet, or it may just be a false positive.
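Here is a small added example (not from this post or any vendor’s product) of the two layers working together: a hash baseline stands in for FIM, a set of known-bad hashes stands in for a signature database, and anything FIM flags that has no signature is reported as an unexplained change rather than as malware. The file names, contents and the “signature” are all constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a signature database: the SHA-256 of a made-up byte string.
KNOWN_BAD = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """FIM baseline: relative path -> hash for every file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = hash_file(full)
    return out

def diff_snapshots(before, after):
    """What FIM reports: files added, modified, or removed since the baseline."""
    return {"added": sorted(set(after) - set(before)),
            "modified": sorted(p for p in before if p in after and before[p] != after[p]),
            "removed": sorted(set(before) - set(after))}

def triage(changes, after, signatures=KNOWN_BAD):
    """Layer both: a signature hit is near-certain malware; any other change is
    unexplained and a person has to decide whether it is malware or noise."""
    findings = {}
    for path in changes["added"] + changes["modified"]:
        findings[path] = "signature match" if after[path] in signatures else "unexplained change"
    for path in changes["removed"]:
        findings[path] = "file removed"
    return findings

def demo():
    """Constructed scenario: baseline one config file, then add a known-bad file,
    an unknown file, and tamper with the config."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("app.cfg", b"debug=false\n")
        before = snapshot(root)
        write("update.exe", b"constructed-malware-sample")  # matches a signature
        write("helper.dll", b"no signature for this one")   # only FIM notices it
        write("app.cfg", b"debug=true\n")                   # tampered config
        after = snapshot(root)
        return triage(diff_snapshots(before, after), after)
```

Run `demo()` to see the three verdicts: the known-bad file is a signature match, while the unknown file and the tampered config are reported only as changes to investigate.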
Companies out there are working on developing new anti-malware strategies that are more effective for today’s malware. One of these companies is Cylance. Rather than creating another signature-based malware finder, they’re thinking about it a different way by combining elements from both anti-malware and FIM software.
As a QSA and security professional I recommend continuing to use anti-malware software. Make sure it’s updated. But also be sure to incorporate file integrity monitoring software into your malware discovery strategy. The first time you find malware that slipped past all your other defenses, you’ll realize its true value.