Here’s how I would choose an AV company. I would ask a ton of customers of each short-listed vendor the following:

• When is the last time you had a virus, spyware, etc. on your network?
• Where was it caught and how easy was it to fix?
• How much time do you spend per week messing with AV software?
• How much do you pay for the license?
• Do you feel like you are getting a good deal?
• How is the support and how often do you use it?

I don’t know what viruses I’ll most likely encounter other than what I have experienced in the past, so I would combine that with input from the many other similar companies and choose the vendor that has produced the desired results historically and ignore any RFP-type bake-offs or comparison matrices with information supplied by the vendors. I would probably ignore AV Fight Clubs too.

Today a piece of malware (Troj/Bancos-BDF) crossed my desk that at first did not look like a Banker Trojan at all. It eventually turned out to be one of the most nefarious and brazen Banker Trojans I have ever analysed and it managed to do it all with only one small snippet of code. What it did, was add 8 hostnames to the local Windows HOSTS file. That’s it.

The HOSTS files is a place where Windows looks when it wants to resolve a host name to an IP address. Usually this is handled by your ISP’s DNS servers but if Windows finds a matching entry in the HOSTS file it doesn’t bother looking any further. Now this has many uses but in this case all of the host names belonged to a single South American banking institution and all of them redirected to a single IP address.

The Trojan was probably quite easy to write. Coding the fake website takes more time, which probably explains why they only targeted a single bank. Quite nasty. They criminals could pull a similar stunt on someone’s router too if they leave the default password. The average user would never suspect.

So how best to clean up a malware infested PC? Well, there is always the manual way, which Jeff did. Check out the comments on his article and you can see that they fall into a couple of different camps.

Use Mac or Linux and kiss your spyware problems goodbye

This actually works pretty good. Really good. There are tons of added bonuses in terms of programs, usability, and features when you go this route too. Of course, this might not be sustainable if they start writing malware for OS X and Linux, but let’s cross that bridge when we get there. Maybe we will experience a paradigm shift in terms of a browser security model before that time comes.

Use automated tools like “Rootkit Unhooker”, “Hacker Defender” or a bunch of others

This requires some know-how and initiative to find, install and use the various programs. Even after you run them, you can’t be sure they found everything. Some readers noted that the nastiest malware hides completely from the OS itself, so you can’t clean up the OS from within. This doesn’t seem like an option that converges to a state of zero malware to me. It would be much faster to reformat and reinstall the OS.

Reformat and reinstall Windows

Major pain in the neck for most users, but this is a skill worth learning. You could use a program like Norton Ghost to make this easier.

I personally recommend buying a Mac if you are in the market for a new computer. You could also pop in a LiveCD of Ubuntu on your PC and install it as dual-boot or, if you are brave, just wipe your Windows off and install it single-boot. These are the best options for those that don’t want to tinker with their computers. Who has the time? Especially if you use primarily web and email this option especially makes sense, because you can do so without spending time and money on all of the malware prevention and removal. If you are a gamer, then use Windows for games – not for the internet. It’s not the ideal OS right now to be surfing the internet.

If you want to keep Windows, well, then, umm, it will be a pain to keep it fresh and clean. You need to install all the updates to your OS and browser promptly when released. You will of course need some sort of “security suite” to prevent most malware and viruses. You need to run a safer browser, like Firefox. If you want to be more safe, search the Firefox site for some security add-ons like NoScript and install them. This takes lots of tinkering, which I dislike. You might want to check out Green Border. Green Border keeps any code that your browser runs from accessing the resources on your PC. Google bought Green Border since they have a vested interest in making browsers safer and they aren’t taking on new customers until they can rework it into their family of products. Using this stuff can help keep your PC clean, but you will have to follow a program religiously to keep it that way. Reinstall Windows once a month or something.

Seriously, the best thing to do right now is just use something else besides Windows if you are sick of spyware and adware.

Patchlink has announced that they will acquire SecureWave, which adds endpoint security to their recent acquisition of the vulnerability scanner STAT Guardian (now Patchlink Scan), and their existing prowess at automated patch management. Last Fall, I told Patchlink that Bit9 would be a good buy for them, mainly because I liked their software inventory and application control features. They practice what is known as the positive security model – allowing only known applications to run on a desktop. The approach promises to eliminate the need for malware signatures, because nothing will be able to run unless it is on the whitelist. Now, I have zero pull with Patchlink, but someone over there thought of the same strategy, but chose SecureWave instead. SecureWave offers the same type of technology as Bit9 (this might not be fair to either company, but it is basically true). I think it is a good move – a great move – but Patchlink might want to change their name now to brand their new direction and unique value proposition. I like SecureLink.

My question now is whether or not the market will adopt the positive security model as a replacement to signature-based defense or view it as an adjunct. In either case, AV companies will need to develop some technology to compete with Bit9 and SecureWave or buy someone like Bit9. SecureLink/Patchwave may want to add signatures to their product. This might make it easier to sell to customers stuck on the old paradigm. I think this is why eEye added signatures recently to their Blink endpoint security product.

In this podcast we touch briefly on the well-known malware problem and how Webwasher tackles it at the gateway with their Anti-Malware Module. Using a combination of signatures, heuristics and behavior analysis (proactive detection in marketing lingo), they can stop more real-world threats than anyone else right now according to AV-Test.org.

You might also be interested in the Webwasher SSL Scanner podcast from last month.

Sign up for a Webwasher Web Demo Here

Participants:

Me

Oliver Braekow, Mgr. Product Marketing for Webwasher, Secure Computing. You may remember Oliver from the SSL Scanner Podcast.

Christoph Alme, Principal Engineer and Anti-Malware Team Lead, Secure Computing

Jon: While effective malware prevention includes training users to stop clicking through spam and to stay away from bad web neighborhoods, so to speak, Webwasher provides the technology you need to achieve and maintain a malware-free network in an automated fashion. Let’s agree on definitions first. What do you mean by malware?

Oliver: In general we refer to malware if a file entering your network will result in universally accepted malicious impact on your machines, infrastructure or yourself. This can be a traditional old school virus formatting your hard drive at some point in time or it can be some kind of spyware on your machine sending information out without your explicit consent or even a trojan converting your machine to a member of a botnet, thereby stealing processor power, bandwidth and even potentially implicating legal issues.

Jon: Are all these bots just unwary home users with no firewall or AV software or are they found in businesses too?

Oliver: The rise of botnets is a problem we’ve seen over the last couple of years, and now this seems to become the next big buzzword after spam and spyware. In reality, it’s just the natural evolution of the virus and spyware phenomenon; people are just becoming more creative at making money. While the majority of home users is affected by this, we clearly see botnets spreading inside corporate environments. Traditional stateful inspection firewalls and signature based anti-virus for mail and web clearly doesn’t cut it.

Jon: How big is the problem really?

Oliver: We can tackle this question from different angles. Lets start with an independent test that just got published on PC Magazine They actually performed a test of 29 known anti-malware/anti-virus scanners and basically squeezed 606,901 malware samples through all these scanners. That’s a lot of samples. All of these malware samples were collected over the last 12 months and all of these samples were actual functional samples that at one time or another circulated on the internet or via e-mail; not proof of concept code or something like that.

I still remember a mere two or three years ago traditional anti-virus vendors boasted how many samples they actually covered with their signature database. This was roughly in the area of 100k to 200k samples, over the whole lifespan of their product up to that time. So now, just last year, we got more than 600k new samples. And as expected some vendors seem to be doing a better job keeping up than others. In summary, on average the products detected 86.95% of the samples. So out of the close to 607k samples, 79,200 samples weren’t detected. That’s scary. Webwasher Anti-Malware covered 99.83%, only letting through roughly 1300, therefore ranking first place. The three vendors sharing close to 90% of the traditional AV market covered between 87.28% and 97.77%, thus letting through between 77,200 and 13,500 samples. The worst commercial product only covered 62.12% and was even outperformed by free the Clam AV.

Translated to ratios: At the gateway, Webwasher Anti-Malware is outperforming the market-leading products by a factor ranging between 10 and 60 in some cases. Of course Webwasher is a gateway only product, so we can actually apply stricter filtering rules than products that run on the client because even if we would produce a false positive it doesn’t result in nuking your machine.

Jon: So the big problem you feel is an incomplete protection of threats by AV companies and you have therefore made it a goal to protect against as many threats as possible, coming close to 100%. What isn’t “traditional” signature-based AV doing for organizations?

Christoph: Signatures are an important baseline for any AV, and they’re here to stay. They scale very well, allow us to detect a threat exactly, and usually they don’t generate false-positives because they’ve been taken from a caught sample, that is known to be malicious.

Exactly this benefit, on the other hand, is its Achilles heel. You have to get hold of at least one such malware sample before you can create a detection signature against it. And analyzing malicious files that are, in most cases, obfuscated and try to protect themselves against being disassembled and debugged, takes time. Choosing the right signature to detect this threat, and hopefully future variants of it, takes time as well. Finally, your signatures go through QA before becoming available to users.

In the meantime, the attackers may long have released yet another variant of their miscreant. Take the so-called Storm Worm Trojan early this year, for example, that was distributed in a serial variant attack, where, at some phases, we saw new variants emerge about every 15 minutes. So the question arises, how to protect users in the meantime, how to protect them right from the start against some new piece of malware? How to tell in advance, whether a new file, that nobody (except its author) has seen before, is probably malicious?

Obviously, we need to make that detection depend less on database updates containing latest (manual) analysis results, and rather act more automatic. In other words, we must not only look for malicious content that we’ve seen before, instead, we have to make a decision on whether some new content may be malicious – without ever having had a human analyst look at it before.

Jon: Not only are the variants coming out more frequently, but the attacks are becoming more targeted. Everyone is using the term “targeted attack” in their marketing? What does this mean exactly?

Christoph: Usually, attackers rent large botnets that they use to send out mails to an anonymous mass of mail addresses that they have collected or bought. The mails either link to the malware or have it attached.

A “targeted attack”, in contrast, is performed against some individual whom the attacker knows, rather than a large anonymous group. Therefore, he can use very focused social engineering to craft an E-mail that tries to fool the victim into opening the malware. That piece of malware may even be tailor-made for exactly that one attack.

Jon You mentioned the need to make detection less dependent on humans and more automatic. How is that possible? Can you describe Webwashers approach in more detail? Is it different from heuristics?

Christoph: With Webwasher, the administrator can combine, for example, Secure’s own Anti-Malware engine with up to three additional Anti-Virus engines. Just as a second set of eyes sometimes sees more, so do multiple scan engines. To keep the gateway’s latency low, Webwasher’s PreScan™ technology allows us to limit the load against the scan engine to exactly the content, and portions, that need to be scanned.

Looking at marketing collateral, it seems there’s around a dozen companies claiming to do this.

As the second line of defense, we provide our own behavioral heuristics scanner along with any chosen combination of scan engines. This module tries to determine what behavior a scanned file may perform at runtime, e.g. when it would be executed on a client computer. And the administrator defines whether to allow, to block, or maybe to warn the user upon download of a file comprising certain behaviors, like, for example, a Java applet that might try to modify files on the user’s hard disk, or a script that might try to modify settings of the user’s browser.

Jon: Is this the same as “sandbox” technology, where a virtual run environment is created to actually run the possibly malicious file or program to see how it behaves? Can you describe your proactive security filter in more detail? How do you keep false positives low – a problem with many heuristic scanners?

Christoph: “Sandboxing” works great at the backend, in a lab environment, but it doesn’t scale well on a gateway that several thousands of end-users are using to surf the web. Therefore, our behavioral analysis is performed almost completely statically, avoiding time-consuming emulation as much as possible.

This comes at the unavoidable cost of false-positives, just as you said. First of all, a false-positive at the gateway means that a user can’t browse a certain web page or download a certain file, and this can always be whitelisted on demand.

Next, when we detect suspicious content on web pages, for example, we only block the whole page when we are relatively sure it might in fact turn out to be malicious. Otherwise, we rather remove only the offending scripts, or even only parts of it.

Likewise, for executable downloads, depending on behavior categories and probability, the administrator can choose to have us not directly block but rather warn the end-user about his download first, showing the possible behavior categories to him, and then the end-user could choose to proceed with his download. In addition, the administrator can further have us check for digitally signed executables, and skip behavioral analysis for trusted certificates.

Jon: I suppose if the user is warned and he knows the download or the site violates the Internet use policy, he might very well abort, since he knows he is being watched. Can the sensitivity be adjusted by the network administrator?

Oliver: Webwasher comes with default block pages in most languages telling the end user exactly why a page was blocked. These block pages can easily be customized to match the corporate design and they can even be extended to provide more information. The settings for Webwasher after installation have the heuristic proactive security filters enabled at a medium sensitivity level, which should be be OK for most security conscious customers. Admins can easily apply a setting such as “Strict” or “Low” without the need to understand the details of this technology. More advanced users can fine-tune the sensitivity of the proactive security filters down to a level where for each type of active code they can exactly specify what level of interaction with the operating system is permissible or not.

Jon: Is Webwasher the only product doing this? What are other companies doing? What are the other different approaches?

Oliver: Looking at marketing collateral, it seems there’s around a dozen companies claiming to do this. Looking behind the scenes at what is really done, this number shrinks down to Secure Computing and two others (ed. Aladdin and Finjan). Our Webwasher product was actually one of the very early ones providing this technology with market standards to a broader audience and embedded in a suite of security products that are completely integrated. Besides the actual signature only approach of traditional AV vendors and our Proactive Security filters, there’s one other approach that might be noteworthy and I’ll shortly cover it.

Instead of stopping the actual piece of malware, you try to stop access to this piece of malware. This is basically like expanding the reach of a traditional URL Filter to cover more protocols and to go on a quest to find the bad stuff out there on the internet before it finds you.

Digging into this there’s again two ways companies do this. One with mostly muscle and one with mostly brain. The one I refer to as mostly muscle means actually running huge server farms and crawling the internet 24×7 looking for malware. So if they find something that looks suspicious on the server they block the server. According to the website of the company doing the most noise around this (ed. Websense), they cover the whole internet in about 24 hours – I actually find such a statement hard to believe. Even if it is true – on the switch side it shows that ideally they find a new threat in 24 hours, plus the time they need to analyze, QA, and push out to customers. Most traditional AV vendors have on par or even better reaction times, so this different way of doing it shows no immediate and apparent benefit to me.

We’re covering this approach too, but we’re limiting crawlers to special cases and put some more brains into it. First of all we make use of that fact that our proactive security filters block malicious code without needing a signature. So when our product installed at a customer site finds some new malicious piece of code we get automated feedback with the file itself and where it came from. Obviously this is an optional setting customers need to activate manually, but we see more and more customers using it. Second we’re using a technology dubbed TrustedSource, effectively doing something similar to what our behavior-based heuristic filters are doing for malware, just on the website and domain level. Rather than looking at the content of a website, we’re looking at the social and network neighborhood of the domain. This allows us to build a reputation score providing a good indication if a site is potentially malicious or not. We’re using a similar approach with our messaging security products and see tons of cross pollination. Moreover it turns out that this approach is becoming the de facto standard for enterprise-grade anti-spam filters and now we’re adapting it to the web.

Sign up for a Webwasher Web Demo Here

Jon: Let’s talk more next time about how you have adapted TrustedSource reputation technology to URL filtering. I know there are people interested to see how that works. For readers interested in learning more, you can of course visit securecomputing.com or email Oliver (oliver_braekow@securecomputing.com) or me.

Oliver explains how, using their SSL scanner module, Webwasher prevents malware from using HTTPS to communicate. It will also prevent users from bypassing traditional web content filters using popular CGI proxies. This is important to keep sensitive information from leaving the corporate network. In addition to their SSL scanner, Webwasher offers several modules that can be chosen according to your needs including URL filtering, anti-malware, traditional anti-virus, anti-spam, SSL scanner, content reporter, and IM filtering.

If you listen to the podcast, you’ll learn how malware (and users) takes advantage of SSL to bypass your other controls and how Webwasher solves the problem. [display_podcast]

Sign up for a Webwasher Web Demo Here

What are the problems companies are having with SSL?

Web encryption is indispensable for today’s businesses, but organizations with an open port 443 (HTTPS tunnel) on their firewall are left with a major security hole wide open in their network. Traditional firewalls and gateway anti-virus solutions are unable to scan encrypted traffic, and therefore can provide no control over what content is sent in and out of organization’s networks via HTTPS. This presents risks to organizations that may not realize they cannot rely on their HTTP filters to protect HTTPS encrypted traffic.

Risk also exists with regulatory compliance. Can an organization be compliant if they allow open SSL tunnels that could contain the very confidential information the regulations seek to control? Moreover, hackers and malicious employees alike know that the traffic that goes through HTTPS tunnels is wide open and unprotected, and therefore they use and will continue to exploit the HTTPS protocol to bypass content control mechanisms to circulate potentially malicious content.

Today there are dozens of URL Filtering circumvention proxies that make use of HTTPS connections. Currently none of the established firewalls or Web Gateway Anti-Virus solutions can look into this type of traffic. Moreover we’ve seen popular adware and spyware applications switching from IRC and HTTP over to the HTTPS protocol to bypass the established gateway filters. There was a nice article on this in eWeek called “Zombies Try to Blend in With the Crowd, giving you a pretty good idea what’s coming in this area”.

How does Webwasher solve this problem?

The only viable solution, as we see it, is to temporarily decrypt the SSL traffic, scan it, and then re-encrypt it.

This is different than what one might think popular proxy firewalls are doing. They’re just decrypting (in other words: terminating) the SSL session, apply virus scanning and then forward to the end user or web application. This sort of security measure cannot be used in today’s web environments, because it invalidates end-to-end encryption requirements and confuses browsers.

SSL security proxies like Webwasher function as a “black box”?. SSL encrypted traffic goes in and SSL encrypted traffic come out. Nobody can see the decrypted part or sniff it on the network; it’s all handled in memory. There are a couple of home baked solutions out there that offer SSL decryption on a separate box, forward the decrypted traffic to the scanner box, the scanner box returns it to the SSL solution that in turn re-encrypts it. This effectively means you have decrypted SSL traffic on your network, which is an issue in Europe even if it is in the server room only. Moreover you typically want to fine-tune policies, e.g. allow upper management to do online transactions without scanning but scan for everybody else. This requires in most cases double administration overhead, but not with Webwasher.

How does the Webwasher SSL Scanner work exactly?

Basically all we’re doing is separating one SSL connection between the browser and the server into two separate SSL connections. Upon the browser request to connect to an encrypted website the Webwasher SSL Scanner actually does it for the browser. One of the beneficial side effects is the ability to do SSL certificate inspection centrally instead of leaving it up to the end user. We all are aware of that pop up window saying that we initiated a session with an encrypted web site, do you want to accept the certificate. We see that typically 90% or more end-users just click accept and don’t care if the certificate is valid, self signed, expired or whatever. Once Webwasher validated the certificate we initiate the SSL session and terminate it, thereby extracting the certificates “common name”. To the web server, Webwasher acts as a normal browser. Now we have the decrypted traffic and can apply our arsenal of content security, anti-spyware, anti-malware and outbound content control filters to it. Remember, all this is done on the same box and in memory, so no privacy issues here. Once we’re done with the filtering we act as a webserver to the actual end user browser. This is what we need the common name for. Webwasher re-encrypts the traffic using either the customer company’s certificate or a self-signed certificate with the common name of the web server. This way the browser doesn’t complain if you’re connecting to your American Airlines account, for example, and the certificate says something else. All our customers have to do is roll out their own either officially signed or self signed certificate once and the end users will never get an accept certificate message pop up ever again.

Will the IT department have to maintain a whitelist of certificates? Will users be complaining?

We were able to keep the administrative overhead near zero. The Webwasher appliance or software application checks for revoked certificates with our servers on a daily basis, so you’re always up to date. We also invented a training mode. So you get Webwasher SSL scanner up and running and basically it accepts all certificates presented and stores these. After this training mode, let’s say 2 weeks, the admin can go in and look what certificates have been requested and reject the ones that don’t seem to be ok. Webwasher offers a set of tools for this so the admin doesn’t have to be a subject matter expert. Once this training phase is done the administrative overhead should be negligible.

How does it prevent users from using SSL proxies to circumvent web content filters?

As mentioned above there’s tons of web surfing anonymizers that are based on SSL encrypted traffic. Typically URL Filter vendors try to block access to these by blacklisting the servers the application tries to connect to, but that’s one battle you can never win, there will always be a vendor who sets up new servers and is not blocked. But far more imminent is the help when it comes to data loss. We see the typical spyware and adware application switching from IRC and HTTP back-channels to HTTPS back channels simply because hackers have figured out that this channel isn’t blocked or controlled. Two very popular examples in this are Gator and Cool WebSearch.

Webwasher can, for example, be configured to only allow Social Security numbers or credit card numbers be posted to legit and known sites that are in the Banking and shopping category. Even if you had a trojan attempting to steal a credit card number on your PC it wouldn’t be able to send the information back home; not even through HTTPS. Before somebody might ask, we also have solutions that cover this for Instant Messaging and peer to peer, just not on the same box yet.

What’s the performance overhead. Don’t you need special accelerator cards?

Performing the SSL security proxy does add an overhead, of course, but it can be calculated and the servers can be scaled in advance to have enough horsepower for it. What we typically see is a HTTPS traffic is about 20-30 % of the over all web traffic. In this area, switching on the SSL scanner function typically means the appliance can handle 70-80% of the load it could handle without scanning SSL. So the drop in performance isn’t dramatic. For really large installations we offer the application as software for Solaris and Linux (and still on Windows), supporting a series of accelerator cards. We have customers running more than 20,000 users with SSL scanning enabled, so this isn’t some myth, this is reality.

How does it install in the network? Does Webwasher play nicely with other solutions?

In order to get hold of the SSL traffic the best way is to establish a firewall rule to forward all SSL traffic to the SSL proxy and only accept it from the SSL proxy. This way we can make sure nobody can sneak by. For CISCO environments with WCCP enabled devices, like their routers, content engines and some firewalls, we invented a mechanism on the appliances to transparently request HTTPS traffic. So installation in CISCO environments is extremely easy. We are ICAP compatible.

Sign up for a Webwasher Web Demo Here

If you would like to learn more, please email Jon Robinson or Oliver Braekow: oliver_braekow@securecomputing.com