Anti-virus

Anti-virus is considered a necessary security mechanism for the low-hanging fruit: predictable malware, most of it old, easy to detect, and still dangerous. Anti-virus primarily uses two methods to detect malware:

  • Signature: This method looks for known patterns of malware
  • Heuristics: This method analyzes the behavior of potential malware for malicious actions

If a threat is detected, and depending on its sophistication, the solution may be able to "clean" the virus from the system. With encoding and encryption methods now the norm for malware and hackers, detection is near impossible.

Note

A common method to exploit systems with malware is to bypass anti-virus using simple techniques. Methods include encoding, encryption, obfuscation, and compiling in a randomly chosen language, all of which confuse anti-virus so that the malware goes undetected. A quick search on the Internet will provide several sources on methods to evade and bypass anti-virus on a system. One example is the method provided within Metasploit, a freely available exploitation tool:

http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass

Typically, anti-virus solutions install an agent on the endpoint, run scans continuously, and scan any new file immediately when it is introduced. This method of protecting a system can be taxing depending on the role of the system and the footprint of the agent.

Signature-based anti-virus

The most common component of anti-virus solutions is the signature set used to detect known malware threats. In order to leverage the anti-virus to protect systems, the solution must have a known fingerprint of the malware to offer detection and mitigation of the threat. This fact alone is a significant shortcoming of the typical anti-virus solution and is the primary reason malware infections are extremely successful in today's threat landscape. There is also a lag time for anti-virus vendors to become aware of a new piece of malware, reverse engineer it, and provide a signature update to users. In some cases this is mere hours, and in other cases it may be several days. While the signature is being developed, the malware has free rein on the user network. This design in anti-virus is best suited for known, low-hanging fruit type malware threats.

Heuristic anti-virus

The behavioral detection method used by anti-virus is called heuristics. This method attempts to identify a malware threat based on what actions are taken by the malware, again using known behaviors for known malware types. The limitation of behavioral analysis is that it still has to have some known fingerprint to determine what the malware threat is. Without prior knowledge of the malware, heuristic analysis offers little advantage over the signature-based nature of anti-virus.
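The two detection methods described in the signature-based and heuristic sections above, as an added worked example (not code from the book or from any anti-virus product). Everything in it is constructed: the "samples" are short byte strings, the hash and pattern signatures are made up for the demo, and the behavior weights are invented. It shows the point both sections make: a hash signature matches only the exact file, a pattern signature survives changes outside the matched bytes but not inside them, and a behavior score only counts behaviors the scanner already knows about.

```python
"""Toy signature and heuristic scanner (added example, constructed data)."""
import hashlib
import re

# --- Signature-based detection --------------------------------------------

# Hash signatures: an exact fingerprint of a whole known-bad file.
# Filled in below once the constructed sample exists.
HASH_SIGNATURES: dict[str, str] = {}

# Pattern signatures: a byte sequence characteristic of a known family.
# Constructed values; real signature sets are far larger and more specific.
PATTERN_SIGNATURES = {
    "Demo.Dropper.A": re.compile(rb"DEMO_DROPPER_MARKER_v1"),
    "Demo.Keylogger.B": re.compile(rb"hook\x00keyboard\x00[A-Z]{4}"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_scan(data: bytes) -> list[str]:
    """Return the name of every signature that matches `data`."""
    hits = []
    digest = sha256_hex(data)
    if digest in HASH_SIGNATURES:          # exact-file match
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):           # family byte-pattern match
            hits.append(name)
    return hits


# --- Heuristic (behavioral) detection -------------------------------------

# Weights for behaviors already learned from analyzed malware families.
# Constructed values. A behavior not in this table contributes nothing,
# which is the limitation the text describes.
BEHAVIOR_WEIGHTS = {
    "write_run_key": 3,              # persistence via an autorun key
    "disable_security_service": 4,
    "inject_into_process": 4,
    "read_browser_credentials": 3,
    "connect_unusual_port": 2,
}
HEURISTIC_THRESHOLD = 5


def heuristic_score(actions: list[str]) -> int:
    """Sum the weights of every observed action the scanner knows about."""
    return sum(BEHAVIOR_WEIGHTS.get(action, 0) for action in actions)


def heuristic_flag(actions: list[str]) -> bool:
    return heuristic_score(actions) >= HEURISTIC_THRESHOLD


# --- Constructed samples ---------------------------------------------------

# Stand-in for a file the vendor has already analyzed.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"DEMO_DROPPER_MARKER_v1"
    + b"\x00" * 8 + b"payload placeholder"
)
HASH_SIGNATURES[sha256_hex(KNOWN_SAMPLE)] = "Demo.Dropper.A.exact"

# Variant 1: one byte changed outside the pattern (breaks the hash only).
VARIANT_OUTSIDE = KNOWN_SAMPLE.replace(b"MZ\x90", b"MZ\x91")
# Variant 2: the change lands inside the pattern (breaks both signatures).
VARIANT_INSIDE = KNOWN_SAMPLE.replace(b"MARKER_v1", b"MARKER_v2")

# Constructed behavior traces, as a sandbox or endpoint agent might report.
KNOWN_BEHAVIOR = ["write_run_key", "disable_security_service"]
UNSEEN_BEHAVIOR = ["spawn_unknown_helper", "rename_user_documents"]


def demo() -> dict[str, object]:
    """Run every case and return the outcomes for inspection."""
    return {
        "known_sample": signature_scan(KNOWN_SAMPLE),
        "variant_outside": signature_scan(VARIANT_OUTSIDE),
        "variant_inside": signature_scan(VARIANT_INSIDE),
        "known_behavior_flagged": heuristic_flag(KNOWN_BEHAVIOR),
        "unseen_behavior_flagged": heuristic_flag(UNSEEN_BEHAVIOR),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running it shows the known sample hit by both the hash and the pattern signature, the first variant hit by the pattern alone, the second variant missed entirely, and a trace made of unrecognized actions scoring zero even though the known-behavior trace is flagged. That last case is why the heuristic side still depends on prior knowledge, as the text states.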

Implementation considerations

Anti-virus for the user endpoint may always be a requirement, but other more effective methods are fast becoming a replacement for anti-virus on server endpoints. Server endpoints are typically the systems that run the enterprise, and adding more software that is always running as a service is becoming less tolerable when performance is crucial. This becomes a challenge especially when security teams want to push another solution to protect the enterprise systems because it almost always requires another agent. When possible, strive to get more from what is already installed on the system, or look for methods that are forward-thinking such as application whitelisting to possibly reduce agents on server endpoints.

The overall effectiveness of anti-virus is reliant upon the research team of the vendor providing the software and how quickly they are able to update signatures and heuristics to detect the newest malware. Anti-virus vendors are unable to protect against the latest threat until they have a sample of the malware that can be reverse engineered and a signature written for a unique characteristic found within the code. Any deviation from this unique characteristic will render the developed signature ineffective for the next variant. Fortunately, anti-virus vendors are quick to find variants and create a signature for protection. This reactive facet of the solution should be weighed carefully when selecting a solution. Not all anti-virus is equal, nor should anti-virus be the only enterprise solution for malware detection and mitigation.
