Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The shortcomings of anti-virus software

Published: 2012-11-02
Last Updated: 2012-11-02 00:57:10 UTC
by Daniel Wesemann (Version: 1)
10 comment(s)

No, this isn't about lousy detection rate. I think we're pretty much resigned to that, irrespective of the latest fancy marketing terms the industry uses to sell us the same failed concept. This is about the forensic quality, or rather lack thereof, of anti-virus.

Let's say your anti-virus (AV) happens to find a Spyware. Something like the spyware that I described in yesterday's ISC diary. What does it do with it? If your AV is anything like the products that I've seen in use, it will display a Halloween-like scary pop-up ("Danger! Virus!") and will delete or quarantine the threat.

So far so good.  This used to be cool back when all we wanted our anti-virus to do was to get rid of the threat. But these days are over. Increasingly now, anti-virus alerts us (maybe) to a persistent threat that has been on the system for days, weeks, heck, even months. And deleting or quarantining such a threat causes a serious problem:  It modifies or eradicates evidence. Yes, we get an alert, but then we are like the CSI guys who get called to a murder scene that doesn't have a body. Sure we can spend hours trying to lift DNA off cigarette stubs, but things would be so much easier if the caller could tell us what exactly he has seen where, and where the body was?

In other words: If anti-virus removes a registry key to unhook a DLL, why can't the AV log tell me (a) where this registry key was and (b) when it was created?  You know, this would give a first indication on how far back we have to dig to determine what data was stolen. The same holds true for the actual threat files that get deleted or quarantined: A full MAC (modify/access/create) timestamp in the logs shouldn't be too much to ask for?  Maybe garnished with an MD5 checksum for good measure, so that the analyst can tell right away if the exact same threat has been seen on another PC already?

I don't think the AV companies have caught on to this yet - they seem to be deleting and quarantining threats with the same casual indifference like they did 20 years ago, stomping all over the crime scene, and wiping out or contaminating important forensic evidence in the process.  

If your enterprise-grade anti-virus software does any better in forensics than described above, please let us know via the contact page.  If it has the same shortcomings, please let us know as well, but more importantly, please let your AV vendor know. Maybe, someone listens.

 
 
Keywords: antivirus forensics
10 comment(s)
Diary Archives