
SANS ISC: What is "up to date anti-virus software"? - Internet Security | DShield SANS ISC InfoSec Forums


What is "up to date anti-virus software"?

On the heels of my post on Microsoft's SIRv4 earlier this week, reader Ray posed a great question that elicited some nuanced responses from fellow handlers Mark H and Swa F. All parties have agreed to allow me to share the conversation with the ISC readership.

From Ray:

What is, "up to date anti-virus software"?  Is there a de facto standard of how often or what defines when a system is up to date or not up to date?  My goal isn't to split hairs.  There are a lot of moving pieces (in the background) to this question & where I work.  I would like to know what other organizations use; besides sooner is better. 

Mark H's response:

To me the definition of up to date is the latest pattern file for that particular application.  So I tend to configure AV products to check at least hourly for updates and apply them.  Some products, interestingly, still consider daily or weekly to be OK.  Putting on my QSA hat, I usually accept daily updates as being OK (assuming that the AV product is therefore at the latest pattern update); go beyond that and you'd best have a very good reason for lagging.

Ray's reply:

While wearing the AV hat at my last company I expected a drop in infections when I stabilized our (pattern file) distributions, but didn't expect such a dramatic drop in the rate.  With three updates a day I hit < 0.5% of systems more than one day out of date.  Since moving to a different company with different responsibilities, I see one update a day and a 5 day window for updates with a target of only 90% of systems updated; I see...room for improvement but face a mind-set challenge.  I was curious what other "standards" were.

Swa's feedback:

Agreement with Mark: hourly is THE way to go. 

Add internal servers to help distribute it and allow in the field updates for machines at home or while roaming out there.
Make it so that the machine gets isolated in quarantine on your internal network if it's more than a long weekend out of date on updates. 
I'd suggest a trade off between this aggressive updating - transparent to the user as long as they do not sabotage it - vs a daily scan of the entire drive - which is far from transparent. 
Also focus on those not getting updated on time: figure out why and how to fix it. 
There's no point in paying for AV updates if you do not use them. Any self respecting attacker checks their handy work against something like VirusTotal, so being behind even a little bit makes the AV useless. 
Sure, you might someday trip over a bad AV update. So what? It's easy to know what it did wrong and recover from it? "Easy to know what it did" is absolutely untrue for any modern malware. Those that still think that need a reality check. The only recovery from malware that works is "nuke from high orbit"; all the rest do not yield reliable machines. 
 
Russ' 2 cents:
 
I'll follow up on Swa's point. There is no "recovery" from malware in my world. There is no running a tool to "clean up" after an infection. Nuke from space is the only solution or the machine(s) remain entirely suspect.
So have a plan for reimaging systems conveniently and efficiently, store data on separate drives or partitions, and practice safe backup. Because when you pop a valid AV alert in my shop? BOOM...
 


Great discussion, Ray and handlers. Thanks for letting us share.

Russ McRee | @holisticinfosec

Russ McRee

179 Posts
ISC Handler
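The handlers' advice above (Swa's "quarantine anything more than a long weekend out of date" and "focus on those not getting updated on time", Ray's "< 0.5% of systems more than one day out of date" metric) is easy to turn into a recurring check. The script below is an added example, not code from the diary or from any AV vendor: it reads a constructed inventory export (hostnames, timestamps and update sources are all hypothetical), classifies each host by definition age against assumed thresholds, lists the hosts a NAC or firewall rule should quarantine, and groups the laggards by the update source they last used so you can see whether, say, roaming laptops pulling straight from the vendor are the ones falling behind.

```python
"""AV definition freshness report for a fleet (added example, not from the diary)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumptions, tune to your environment): raise an alert once
# a host is more than a day behind, quarantine it once it is more than a long
# weekend (three days) behind.
ALERT_AFTER = timedelta(days=1)
QUARANTINE_AFTER = timedelta(days=3)

# Constructed sample inventory, as an AV console or CMDB might export it:
# hostname, timestamp of the last definition the host actually applied (UTC),
# and which update source it last used. All hostnames and values are hypothetical.
SAMPLE_INVENTORY = """\
host,def_applied_utc,update_source
ws-001,2012-05-02T13:00:00Z,internal-relay
ws-002,2012-05-02T12:00:00Z,internal-relay
lap-017,2012-04-30T09:15:00Z,vendor-direct
lap-021,2012-04-27T18:00:00Z,vendor-direct
ws-044,2012-05-01T03:30:00Z,internal-relay
srv-db1,2012-04-25T22:00:00Z,none
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2012, 5, 2, 14, 0, tzinfo=timezone.utc)


def parse_inventory(text):
    """Parse the CSV export into a list of dicts with a timezone-aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        applied = datetime.strptime(row["def_applied_utc"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "host": row["host"],
            "applied": applied.replace(tzinfo=timezone.utc),
            "source": row["update_source"],
        })
    return rows


def classify(age):
    """Map a definition age (timedelta) to a compliance state."""
    if age > QUARANTINE_AFTER:
        return "quarantine"
    if age > ALERT_AFTER:
        return "alert"
    return "ok"


def report(text, now=NOW):
    """Per-host state, state counts, the 'more than one day behind' share, laggards by source."""
    hosts = parse_inventory(text)
    statuses = {}
    laggards_by_source = defaultdict(list)
    for h in hosts:
        state = classify(now - h["applied"])
        statuses[h["host"]] = state
        if state != "ok":
            laggards_by_source[h["source"]].append(h["host"])
    counts = Counter(statuses.values())
    stale = sum(1 for s in statuses.values() if s != "ok")
    return {
        "statuses": statuses,
        "counts": dict(counts),
        # Ray's metric: share of the fleet more than one day out of date.
        "pct_over_one_day": round(100.0 * stale / len(hosts), 2) if hosts else 0.0,
        # Feed this list to whatever isolates hosts on the internal network.
        "quarantine": sorted(h for h, s in statuses.items() if s == "quarantine"),
        "laggards_by_source": {k: sorted(v) for k, v in laggards_by_source.items()},
    }


if __name__ == "__main__":
    r = report(SAMPLE_INVENTORY)
    print(f"{r['pct_over_one_day']}% of hosts more than one day out of date")
    for host in r["quarantine"]:
        print(f"QUARANTINE {host}")
    for source, hosts in r["laggards_by_source"].items():
        print(f"lagging via {source}: {', '.join(hosts)}")
```

The thresholds compare against the timestamp of the definition the host applied, not the time of its last check-in; a host that checks in hourly but fails every download is exactly the case Swa says to hunt down, and it only shows up if you measure the applied pattern.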
It's true that the best way to ensure that a threat has been neutralized is by reformatting & re-installing the compromised system. Even better, zero out the hard disk with a tool that meets DoD 5220.22-M to ensure that it is sanitized before reusing it. The most efficient way to do this is with images that are ready to go (patched, updated, etc.), and to make them an integral part of your incident response strategy/process.

However, what would you do in the event of a zero-day attack that infects a good number of your nodes- let's say, over 100? In this case, having a tool (antivirus, etc.) that can scan, detect, and "clean" the infected systems would be useful. At least, it would buy you time (and act as a triage unit) while you are running around the building responding to all of the infected nodes...
da1212

69 Posts
If you're relying on desktop AV as anything other than a protection of last resort you've already lost the battle. If you have a thousand computers, you have a thousand single points of failure.

If you do hourly updates and your vendor puts out a bad set of defs, you just DoS'd your entire company.

Our perimeter systems (proxy, email, IPS) check for updates every fifteen minutes but we have ways of rolling those back fast and people can keep right on working. Trying to rollback a thousand PCs when the AV has rendered them unbootable is a bit more problematic.

If malware gets to the desktop you have a lot bigger problem than wondering how many times a day the product needs to get updated.
Anonymous
I find that infections of limited accounts can be cleaned pronto. Otherwise I find the nuclear option very tempting, after backing up the data by some means.
Anonymous
It doesn't matter. Even if you check for updates every 5 minutes, and the AV vendor puts out an update every 5 minutes, you are not "up to date enough".

Update checks cost resources; therefore I recommend once a day for antivirus, or once a week.

AND do something else, in addition to antivirus.

Preferably (1) Application whitelisting -- use a solution that detects potential malware, using a whitelist instead of a blacklist; or detects suspicious software.

(2) HIPS -- software detecting suspicious behavior

(3) Group policy software restrictions, Applocker -- only software approved by IT can run.


Go for those 3, before something silly, like attempting hourly updates.

It's not that having AV software "fully up to date" is bad; it's that, having AV software is almost silly these days, when there are billions of malware samples out there, and a small number of rules, that don't detect plenty of threats, even fully updated.


The difference between "weekly update" and "hourly update", from a security standpoint, is in a sense -- negligible.

Neither will help you against the zero days. Heck, it takes the antivirus companies more than a few hours to make the rules, based on samples that were submitted to them days ago.

You're trying to add granularity to your update regimen that doesn't exist in the data available for your antivirus in the first place. Do something else.

Get a good IDS. Update the IDS hourly, because that's more useful.
Mysid

146 Posts
It's true that as soon as new or "updated" definitions are released they are, almost by default, outdated. Updates of all kinds (IDS/IPS filters, AV, Malware, etc.) are simply a way of communicating to attackers: "We know what you're up to, try again". The problem is, with a global community of attackers from kids to state-sponsored agents, it literally takes them a few minutes to "try again".

In the end no one security solution or countermeasure will protect your network. The best bet against an attack is having a proactive defense-in-depth strategy. This includes maintaining the strictest firewall ruleset possible, using a well tuned IPS (not IDS which is no different than a passive reporter), strong host security, strong network policies, and yes, as a last defense, updated AV/Malware definitions.
da1212

69 Posts
According to a news bulletin on heise.de, the city of Schwerin (Germany) dumped 170 PCs due to infection with malware.

The costs for new acquisition of hardware would be lower than cleaning up the infected ones, the responsible department said.

They estimated 130,000 Euro for disinfection and 35,000 Euro for reinstalling software.

WOW!
Makes approximately 1,000 Euro (1,300 USD) per PC for wiping a drive and rebuilding the OS.

If this is the daily rate for cleaning up infected machines I probably would quit my job for that reason.
Anonymous
For an Enterprise environment, if your AV software includes host firewall and HIPS, then keeping your "signatures" updated isn't a high enough priority to check every hour.

If you have 1,500 systems, having a central authority that can PUSH updates is a much better solution. Especially if it can get updates from the vendor as soon as they are released and schedule staggered pushes across regions and time.

But, honestly, AV should be a part of your solution, not THE solution. We should be stopping most malware at the gateway, whether firewall, application proxy, or email.

If you can run a network IPS or IDS that does decent anomaly detection, you can even catch 0-days before you have a signature at all.

I think daily updates for AV are quite sufficient if you have other layers of defense and is probably a good tradeoff between resource usage and protection.
Jasey

93 Posts
JJ is 100% correct. I've seen first-hand what McAfee's botched A/V pattern did on a Monday morning - 50% of the PCs down. We now only promote patterns that are 2 days old (skipping weekend patterns) to our normal PCs, which still gives plenty of protection. We deploy twice a day to some of our lower-priority machines (some Help Desk machines, some IT SysAdmin machines), all machines used daily, but not so much that we'd be hurting if they had a problem with an update. Between this method and watching the IT news on a daily basis, we feel fairly confident that we won't ever get burned again.

As someone else said, if having your A/V update to date is what keeps you protected, you've got other problems. You should have many lines of defense.
Jasey
42 Posts
Ah, wasn't a Monday, but a Wednesday:

https://isc.sans.edu/diary/McAfee+DAT+5958+Update+Issues/8656
Jasey
42 Posts
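Jasey's staging scheme above (a canary ring of low-priority machines that takes every pattern as it appears, a production ring that only gets patterns at least two days old and never a weekend release, and a bad pattern such as the DAT 5958 one pulled from promotion) is written out below as an added example. It is not Jasey's code or any vendor's console logic: the release feed, version numbers, dates and ring policies are all constructed assumptions; only the two-day holdback and the weekend rule come from the comment.

```python
"""Ring-based promotion of AV definition releases (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Release:
    version: int
    released_at: datetime  # UTC


# Constructed release feed: version,release time (UTC). Versions are hypothetical.
# 2012-05-05 and 2012-05-06 fall on a weekend.
SAMPLE_FEED = """\
6010,2012-05-04T09:00:00Z
6011,2012-05-05T09:00:00Z
6012,2012-05-06T09:00:00Z
6013,2012-05-07T09:00:00Z
6014,2012-05-08T09:00:00Z
6015,2012-05-08T15:00:00Z
"""

# Ring policies (assumptions modelled on the comment): canary machines take the
# newest pattern as soon as it appears; normal PCs get patterns at least two days
# old and never one that was released on a weekend.
RINGS = {
    "canary": {"min_age": timedelta(0), "skip_weekend": False},
    "production": {"min_age": timedelta(days=2), "skip_weekend": True},
}


def utc(stamp):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed(text):
    """Parse the feed into Release objects, oldest first."""
    releases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        version, stamp = line.split(",")
        releases.append(Release(int(version), utc(stamp)))
    return sorted(releases, key=lambda r: r.released_at)


def select_for_ring(releases, ring, now, blocked=frozenset()):
    """Newest release that satisfies the ring's policy and is not on the blocklist.

    `blocked` holds versions withdrawn after a bad update; promotion simply skips
    them, so pulling a version moves every ring back to its next-best candidate.
    """
    policy = RINGS[ring]
    for rel in reversed(releases):  # newest first
        if rel.version in blocked:
            continue
        if now - rel.released_at < policy["min_age"]:  # too young (or not yet released)
            continue
        if policy["skip_weekend"] and rel.released_at.weekday() >= 5:  # 5=Sat, 6=Sun
            continue
        return rel.version
    return None


def plan(text, now, blocked=frozenset()):
    """Decide which version each ring should be on right now."""
    releases = parse_feed(text)
    return {ring: select_for_ring(releases, ring, now, blocked) for ring in RINGS}


if __name__ == "__main__":
    wednesday = utc("2012-05-09T10:00:00Z")
    print(plan(SAMPLE_FEED, wednesday))                  # canary 6015, production 6013
    print(plan(SAMPLE_FEED, wednesday, blocked={6015}))  # canary drops back to 6014
```

Run this from the job that pushes patterns and the production ring never sees a release that has not already survived two days on the canary machines; adding a version to `blocked` is the rollback, and it takes effect on the next push without touching the hosts that never received it.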
The hourly update might well work in the employee's regular office, but for employees constantly on the road, it is often tough to get a daily AV update to say nothing of more often. Internet access is still far from universal and far from uniformly fast or reliable. Hourly is FAR from THE way to go.

I also have to question the viability of replacing infected machines with new ones mentioned in another comment. Sooner or later the employees will notice and deliberately infect their computers to get new hardware.
KBR

63 Posts
>> Sooner or later the employees will notice and deliberately infect their computers to get new hardware.

While it may be "new-to-them" hardware, it could possibly be older-than-what-they-sabotaged "post-nuke" hardware, with a brand-new freshly-imaged hard-drive, pulled from the pile of "reconditioned" machines that were taken away from the employees. So, they might get something older and slower than what they had.

Maybe, you just need to deliberately "downgrade" one of those deliberately-compromised employees. The word will get around, through the office grapevine, that his/her replacement system is older/slower than before, thus discouraging all copy-cat employees from trying this "switcheroo".
Anonymous
Perhaps rotation of equipment among employees with equal computer performance and screen requirements is a good idea.. Don't let any employee get too comfortable about having a certain computer for too long.

Also, regularly rotate out machines for maintenance, to re-image them, just in case of undetected malware, or undetected tampering, or in order to gradually introduce newer upgraded machines, but with fairness (every employee with the same job responsibilities has an equal chance of being assigned every available computer).

When a computer gets infected, or has to be taken out for whatever reason... replace it with a machine from IT's "ready spares"

then within a business day, reassign all the machines to different employees, so... which employee ultimately winds up with the spare is unpredictable.
Mysid

146 Posts
