Security experts and vendors recommend that users install and use antivirus and other anti-malware software on their PCs, but enterprises that have these installed in their infrastructure may not be as well protected as they think.
According to Promisec, which offers clientless security solutions, more than 25 percent of 100,000 computers it surveyed recently have missing or disabled antivirus software, but the antivirus management consoles are not alerting network administrators about the problem.
That lack of reporting leaves a major security hole for cyber criminals to exploit.
Peter Firstbrook, research director at analyst firm Gartner, told InternetNews.com the problem is real, but disputes Promisec’s figures. “It’s possible for the antivirus software’s agent to be corrupted so it doesn’t report something’s wrong,” he said. But he was surprised by the 25 percent figure, which he believes is inordinately high.
One of Firstbrook’s clients faced this very problem. While looking into problems with the corporate virtual private network, his IT department found that 300 PCs had been taken over by malware. However, the antivirus software management console did not show anything wrong.
The malware authors had replaced the affected PCs’ antivirus agents and the firewall protecting them with code they had written themselves that hid the malware takeover, Firstbrook said.
Situations like this will not happen with McAfee’s (NYSE: MFE) anti-malware solutions, Ed Metcalf, group solution marketing manager at the vendor, told InternetNews.com. “We have self protection built into our software to prevent any modification or disablement of the software,” he said. Also, enterprises can deploy policies to all endpoints to ensure they check in regularly.
Further, Metcalf said, McAfee offers a rogue system detection option that will immediately inform IT when devices without its anti-malware solution are attached to the network.
To ensure PCs are not taken over by malware, enterprises can put a secure Web gateway in front of their PCs and force all Internet traffic to go through it, Gartner’s Firstbrook said. “Almost all threats today are Internet based, so if you pay attention to the gateway you can see what PCs are going to dangerous sites,” he explained. “Because the gateway doesn’t sit on the client, it’s not corruptible the way a client is.”
Control is the key
Another solution would be to have more operational control over PCs in the enterprise, Firstbrook said. “Don’t rely on your antivirus vendor to tell you your desktops are up to date, use systems management software like BigFix or LanDesk or Altiris,” he added. “If the antivirus client is disabled or whatever, it may give you a false status report but another tool will give you a discrepancy report you can investigate.”
Implementing enforcement rules is critical, Checkpoint Software (NASDAQ: CHKP) product manager Gaurav Marwaha told InternetNews.com. “You either put in rules that check to see whether the endpoint is running antivirus software, or you have a client doing enforcement for this,” he added. “If someone turns off their antivirus client the management console won’t know about it, but if you have an enforcement rule on the endpoint, that would work.”
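The discrepancy report Firstbrook describes, and the endpoint-side check Marwaha mentions, amount to cross-checking the antivirus console's view of each PC against an independent source. The following is an added example (not code from any vendor named in the article); the two CSV exports, their column names, and the seven-day check-in threshold are constructed assumptions.

```python
"""Cross-check an antivirus console status export against an independent
systems-management inventory and report every host where the two disagree.
The CSV layouts below are hypothetical, not any real product's format."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: what the AV management console reports.
AV_CONSOLE_CSV = """hostname,agent_status,last_checkin
ws-001,healthy,2009-06-01T08:00:00
ws-002,healthy,2009-05-20T08:00:00
ws-003,disabled,2009-06-01T07:30:00
"""

# Constructed sample: what the systems-management tool saw on the same
# network, including whether the AV service was actually running.
INVENTORY_CSV = """hostname,last_seen,av_service_running
ws-001,2009-06-01T08:05:00,yes
ws-002,2009-06-01T08:05:00,no
ws-003,2009-06-01T08:05:00,no
ws-004,2009-06-01T08:05:00,no
"""


def load(csv_text):
    """Index a CSV export by hostname."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def discrepancy_report(av_csv, inv_csv, now_iso, max_checkin_age=timedelta(days=7)):
    """Return {hostname: [reasons]} for hosts the AV console cannot vouch for."""
    av, inv, now = load(av_csv), load(inv_csv), datetime.fromisoformat(now_iso)
    findings = {}
    for host, row in inv.items():
        reasons = []
        console = av.get(host)
        if console is None:
            reasons.append("unknown to AV console")  # never enrolled or rogue device
        else:
            if console["agent_status"] != "healthy":
                reasons.append(f"console status {console['agent_status']}")
            age = now - datetime.fromisoformat(console["last_checkin"])
            if age > max_checkin_age:
                reasons.append(f"stale check-in ({age.days}d)")
            # The case the article warns about: console says healthy, but the
            # independent tool sees no AV service on the box.
            if console["agent_status"] == "healthy" and row["av_service_running"] != "yes":
                reasons.append("console healthy but AV service not running")
        if reasons:
            findings[host] = reasons
    return findings
```

Hosts the inventory tool sees but the console does not (ws-004 here) are exactly the devices a rogue-system detection feature is meant to surface; the other rows show why a "healthy" console status alone is not evidence.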