
Future of Malware Defense

Old 01-03-2009
Last week, I blogged in SiliconIndia about the Future of Antivirus. This is a continuation of what I have already written there.





Antivirus as a Service

 

There are a few Antivirus models in the market where vendors provide Antivirus as a subscription service. But most of those models are built around the traditional signature-based technology. The traditional Antivirus software scans data for any malicious code as and when the data is accessed on the local machine (file creation and modification). Here, the focus is on the patterns which are found in the file but not on the data integrity or the applications which are trying to access the data. The Antivirus software does not check if an application is authenticated/authorized before it can access the data.

 

Role of Antivirus in Application Authentication

 

An Operating System is always vulnerable to malicious programs if programs can be launched without proper authentication/authorization. User authentication is the first line of defense against unauthorized system access and data modification but application authentication is also very important to protect system and data against malware threats.

 

What we need to protect is data, its availability, confidentiality and integrity. Malware can be a threat to any or all of these. The future Antivirus software should be able to authenticate applications before they can access the local data. Application authentication should not be confused with application whitelisting.

 

The Antivirus service installed on the local machine should be able to perform application fingerprinting and compare the same with the local database. If a match for the application fingerprint is not found on the local database, then the local Antivirus service should be able to communicate with the Antivirus Server which is installed on the datacenter or on the cloud and look for a matching fingerprint on the master database. Applications should not be given access to data unless they are properly authenticated.

 

The future Anti-malware software should also allow different authorization methods, depending on the type of data that needs to be protected. New process or application creation should always be monitored and any unauthorized activity should be blocked irrespective of whether data is modified on the disk or in memory.
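One way to model the lookup described above (fingerprint the application, check the local database, fall back to the master database on the Antivirus Server, deny when neither matches, then apply a per-data-type authorization policy), as an added Python example that is not part of the original post; the application bytes, both databases and the policy are constructed, and an in-memory dict stands in for the server round-trip.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample applications; in practice these are the executable
# bytes read from disk, not short literals.
TRUSTED_EDITOR = b"constructed-editor-v1.0"
TRUSTED_BACKUP = b"constructed-backup-v2.3"
UNKNOWN_BINARY = b"constructed-unsigned-tool"

def fingerprint(exe_bytes: bytes) -> str:
    """Application fingerprint: SHA-256 over the executable image."""
    return hashlib.sha256(exe_bytes).hexdigest()

# Both databases map fingerprint -> application name. LOCAL_DB is the
# on-machine cache; MASTER_DB stands in for the Antivirus Server in the
# datacenter or cloud (a dict here, a network round-trip in practice).
LOCAL_DB: Dict[str, str] = {fingerprint(TRUSTED_EDITOR): "editor"}
MASTER_DB: Dict[str, str] = {
    fingerprint(TRUSTED_EDITOR): "editor",
    fingerprint(TRUSTED_BACKUP): "backup",
}

# Authorization by data type: which authenticated applications may read it.
DATA_POLICY: Dict[str, set] = {
    "documents": {"editor", "backup"},
    "credentials": {"backup"},
}

def authenticate(exe_bytes: bytes, local: Dict[str, str],
                 master: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (application name or None, which database matched)."""
    fp = fingerprint(exe_bytes)
    if fp in local:
        return local[fp], "local"
    name = master.get(fp)  # miss locally: ask the Antivirus Server
    if name is not None:
        local[fp] = name   # cache the master's answer for next time
        return name, "master"
    return None, "unknown"

def request_data_access(exe_bytes: bytes, data_type: str,
                        local=LOCAL_DB, master=MASTER_DB) -> Tuple[bool, str]:
    """Authenticate the requesting application, then authorize it for the data type."""
    name, source = authenticate(exe_bytes, local, master)
    if name is None:
        return False, "denied: fingerprint not in local or master database"
    if name not in DATA_POLICY.get(data_type, set()):
        return False, f"denied: {name} ({source}) not authorized for {data_type}"
    return True, f"allowed: {name} ({source}) -> {data_type}"
```

An application that is authenticated but not listed for a data type is still refused, which is the separation between authentication and authorization the post draws.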

 

Application Authentication - How effective would it be?



Denying an unauthorized application from accessing data is only a part of the malware defense model but it is not a security model which can give maximum protection.



There are hundreds of applications with known and unknown vulnerabilities. And there are a number of malware programs developed to exploit those vulnerabilities. How can we trust an application only because it is developed by a trusted vendor?

 

There are different types of software vulnerabilities and exploitation methods. An exploitation of each of these vulnerabilities would have a different level of impact on the Confidentiality, Availability and Integrity of the data and system.



To provide maximum protection, the local antivirus service should also be able to communicate with a HIPS/NIPS service (local/network) and check for vulnerability exploitation attempts as and when applications request access to data on the local disk or memory.

 

This model can be best implemented in a Service Oriented Architecture.

 

More on this topic in my next blog.

 

Disclaimer: "Whatever I discussed here are my personal opinions and they do not represent the opinions or positions of my employer".
