For years, desktop anti-virus software has been one of the first lines of defense against viruses for both home computer users and businesses. But as the sophistication of viruses continues to increase, many experts now believe that anti-virus software alone is no longer enough.
When the Klez.H virus was first discovered in April, e-mail security experts say it surpassed SirCam as the fastest-replicating virus to date on the Internet and among the most sophisticated.
“Klez tries to access documents in a hard drive and can disable anti-virus programs,” says Angela Hauge, a technical manager with MessageLabs, a managed anti-virus security outsourcing firm based in England.
“There’s a major spoofing aspect to Klez, which enables it to change its subject lines and other characteristics that anti-virus programs scan for. Prior to Klez, for example, very few e-mail viruses did this,” she says.
“They have the ability to change attachments and cover their tracks and deceive recipients. The rise of the Klez.H signifies that viruses are becoming more and more sophisticated.”
That’s no surprise to Steven Sundermeier, product manager at anti-virus consultancy firm Central Command, which placed Worm/Klez.H and the Klez.G version before it atop its “dirty dozen” list of the most virulent viruses.
Given the increased speed of viruses, such as the KaZaA worm, which can dump over a gigabyte’s worth of malicious files disguised with movie, song, or TV show titles, security experts agree that traditional desktop anti-virus software is no longer an adequate defense.
For one, traditional desktop anti-virus software was built with desktops in mind, and not the Internet-connected PCs of most enterprises today, says Pete Lindstrom, security research director with Hurwitz Group. “The viruses and worms frequently work their way onto the network, infecting servers and other PCs, with the aim of infecting the entire computing environment.”
Does this mean the days of the good old anti-virus scanners running on desktops are hopelessly outmoded? Yes and no, say analysts and virus experts.
It does mean that anti-virus software is increasingly deployed at the firewall level of a company’s network and at every gateway along with desktop scanners. Analysts also note that mid-sized businesses are increasingly looking to hire outsourced “managed security service providers” that serve as “digital watchtowers” looking on the horizon for malicious payloads.
Signature-based scans not enough
With a virus outbreak, traditional anti-virus software running on desktops essentially has to wait until some of its customer base has been infected. A sample is then sent to virus labs and analyzed so that a signature can be released to the anti-virus industry.
The method consigns those customers to the role of sacrificial lamb: their infection is what yields the signature that warns everyone else.
“That aspect of signature-based scans is in itself the big dirty secret in this industry,” says MessageLabs’ Hauge. “The weakest link is the desktop. From an IT department standpoint, those guys are standing over the dike trying to patch the holes, all the ports to a network. That multiplies by the minute with extranets and VPNs.”
And when Klez variants can go worldwide in a matter of hours, just updating anti-virus software religiously and staying up-to-date on virus scan definitions isn’t enough, according to Forrester Research security analyst Charles Rutstein. In a matter of days, he points out, the Code Red virus infected 28 percent of companies worldwide, while Nimda infected 68 percent of companies.
That’s why these and other anti-virus researchers talk about the need to add more anti-virus perimeters, which also happens to be the pitch from a new breed of outsourced security providers that help scan e-mail traffic before it enters the network.
Take MessageLabs. Instead of deploying in-house reactive methods, it deploys “digital watchtowers,” scanning engines with artificial intelligence that look at patterns and unusual characteristics within e-mails before they come into a customer’s network, whether suspect files, code, or even porn-related spam.
MessageLabs’ SkyScan engine, notes Lindstrom, who has published studies of outsourced security providers, combines the scanning capabilities of three commercial a/v scanners (McAfee, F-Secure and V-Find) with proprietary statistical analytics (otherwise known in the trade as heuristics) and applies rule-based scanners to detect anomalies in network traffic.
The e-mail is routed through these control towers where messages are scanned at about 1.2 seconds per megabyte. By now, the company counts about seven million e-mails scanned per day.
The main advantage with these outsourced providers such as MessageLabs and Okena, adds Lindstrom, is that “you’re doing outside the network infrastructure.”
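The signature cycle described under “Signature-based scans not enough” and the layered scanning the article attributes to SkyScan can be illustrated with a toy mail-gateway filter. This is an added example, not MessageLabs’ or any vendor’s code; the signature database, the sample messages and the heuristics are constructed here. It shows why a never-seen variant slips past the signature layer while a heuristic layer that looks at attachment shape still stops it.

```python
"""Toy mail-gateway scanner: a signature layer plus a heuristic layer."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    subject: str
    attachments: dict = field(default_factory=dict)  # filename -> bytes


# Constructed signature database: SHA-256 of known-bad attachment bodies.
# The digest is of a constructed placeholder payload, not real malware.
KNOWN_BAD = {
    hashlib.sha256(b"CONSTRUCTED-KNOWN-WORM-SAMPLE").hexdigest(): "Sample.Worm.A",
}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com")


def signature_layer(msg):
    """Reactive layer: only catches attachments already in the database."""
    hits = []
    for name, body in msg.attachments.items():
        digest = hashlib.sha256(body).hexdigest()
        if digest in KNOWN_BAD:
            hits.append(f"signature:{KNOWN_BAD[digest]}:{name}")
    return hits


def heuristic_layer(msg):
    """Proactive layer: flags suspicious attachment shape regardless of content hash."""
    flags = []
    for name, body in msg.attachments.items():
        low = name.lower()
        if low.endswith(EXECUTABLE_EXT):
            flags.append(f"heuristic:executable-attachment:{name}")
            if low.count(".") >= 2:  # e.g. invoice.txt.scr, a masquerading double extension
                flags.append(f"heuristic:double-extension:{name}")
        elif body[:2] == b"MZ":  # Windows executable header hiding behind a benign name
            flags.append(f"heuristic:pe-header-in-non-exe:{name}")
    return flags


def scan(msg):
    """Gateway decision: quarantine if either layer reports anything."""
    findings = signature_layer(msg) + heuristic_layer(msg)
    return ("quarantine" if findings else "deliver"), findings


# Constructed sample traffic (hypothetical addresses and payloads).
KNOWN_SAMPLE = Message("a@example.com", "hi", {"readme.exe": b"CONSTRUCTED-KNOWN-WORM-SAMPLE"})
NEW_VARIANT = Message("b@example.com", "your invoice", {"invoice.txt.scr": b"MZ-CONSTRUCTED-NEW-VARIANT"})
CLEAN = Message("c@example.com", "report", {"report.txt": b"quarterly figures"})
```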
Everybody’s doing firewall a/v
But Laura Koetzle, a security analyst with Forrester Research, says most of the major anti-virus software providers are also offering the same mixes as outsourcing vendors.
Symantec and McAfee, for example, “have done well in the middle market by offering customers an all-in-one protection product: firewall-level a/v, gateway-level a/v, a little bit of intrusion detection, little bit of denial-of-service protection.”
Because all the big anti-virus software makers are increasingly sophisticated in catching viruses early and getting signatures published, there is a shift underway in the industry toward differentiating their product mixes, she adds.
So now, the big a/v providers “are trying to differentiate on a basis of other things, like managing parts of the network, such as helping a network with 6,000 employees make sure the most appropriate virus definitions get deployed out to all of the end points.”
They don’t sell these products to major enterprise customers, but instead offer them to mid-sized companies, those in the $100 million to $200 million range of annual sales, which may not have a large information security staff, she says.
Everybody recognizes that the “signature-based approach is fundamentally reactive” and does not address the lost downtime and cost of cleaning up a virus infection. The trend has helped to boost the profile of managed security outsourcing companies, which Koetzle says have also managed to overcome trust issues with customers in the past few years, first by winning consulting contracts and conducting vulnerability assessments.
Rick Rosenthal, an administrator with INT Media Group (this publication’s parent), agrees that most companies are running anti-virus protection software at the firewall level, and on as many gateways as necessary.
Still, with all the extra services that traditional and newer anti-virus companies offer to add more security around the network, knowing a nasty virus is out there doesn’t mean you can prevent it. Someone’s bound to click on an executable file and unleash a fast-replicating payload.
“You still have to know your viruses, keep virus scan definitions up to date, and you have to have a virus scan running on your firewall,” he says.
And just because outsourcing anti-virus protection is gaining in popularity with middle market companies who don’t have enough IT staff to update virus scans, don’t count out the traditional anti-virus software makers who are offering similar services to the digital watchtowers, adds Lindstrom. “They’ve been branching out into newer modes of thinking,” about anti-virus protection. “I wouldn’t count them out.”