Last week a flawed DAT file from McAfee flagged a legitimate Windows system file as malware, and the resulting false positives crashed Windows XP systems and triggered a massive cleanup effort. It would be very easy to simply point the finger at McAfee, terminate the employment of a scapegoat security engineer or two, and continue on with the status quo. However, the whole incident is an illustration of why the anti-malware industry--not just McAfee--needs to embrace the U.S. Marines' mantra to improvise, adapt, and overcome.
The current model is like a war in which the attacker always gets to fire first: only after some victims have been hit can we take action to guard against the same attack recurring. The reactionary, signature-based model is flawed by nature, and it is cumbersome to implement and maintain. Given the volume of signatures being pushed out, it is a wonder that situations like the McAfee incident don't occur on a regular basis.
According to Symantec's Internet Security Threat Report XV, Symantec created 2,895,802 new malicious code signatures last year alone. This was a 71 percent increase over 2008 and a number representing more than half of all malicious code signatures ever created by Symantec. Furthermore, Symantec identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008.
A Symantec spokesperson stated, "Knowing that Symantec produces up to 20,000 new malicious code signatures each day, and that other security vendors face similar circumstances, it becomes easier to understand, while not making it any more acceptable, a situation like McAfee faced last week."
Andrew Brandt, lead threat research analyst at Webroot, told me, "Being even more proactive, and building signatures based on what you think the malware authors might do with their creations, can also lead to situations where you create more false positives. The key is to be alert and responsive to malware (which is in a constant state of rapid evolution), to build signatures as quickly as possible, and then do thorough testing before releasing them to the wide world. After all, scientists need a sample of the new flu virus strains before they can make a vaccine. The analogy applies here, too."
Fair enough. Or, maybe there are simply too many "flu strains" for the reactionary model of developing a vaccine after the fact to be effective. Perhaps it's time for anti-malware vendors to evolve and adopt new models that provide the same level of protection with less effort on their part, and with less room for an error on the scale of the McAfee incident.
There are a couple of approaches. One is to stick with the signature-based model, but apply it in the cloud rather than implementing it on an individual system basis. This is the direction Webroot is headed. Brandt explained, "Putting the definitions into the cloud, instead of letting them reside on the endpoint has a clear advantage in cases like this. If a definition hosted in the cloud goes horribly, horribly wrong, we can pull that definition from circulation immediately, thereby limiting the scope of the damage, and hopefully containing it to the small number of users who happen to be in the unlucky position to be first to use a defective definition set." The trade-off is that protection then depends on the endpoint being able to reach the vendor's service, and the first systems to consult a bad definition are still exposed before it can be pulled.
Symantec is working on a different approach. Gerry Egan, director of Symantec Security Response, described it this way: "Symantec's Reputation-Based Security breaks at a fundamental level with the idea that a malicious file has to actually be captured and analyzed in order to protect against it. Instead, Reputation-Based Security works in a way similar to how Google ranks Web pages. Google's PageRank algorithm relies on what might be called the wisdom of the crowds to determine a specific Web page's value."
Egan continued, "In its most basic form, it essentially looks at how many other Web pages link to a page and each link is considered a 'vote' for that page. However, it looks at more than the sheer volume of votes, or links pointing to a page; it also analyzes how popular the page is that casts the vote. All this information is computed to give a Web page a ranking on Google."
There are other potential benefits to a reputation-based approach as well: there is no need to intercept a sample of the malware first in order to defend against it, the risk of false positives is lower, and the impact on the speed and performance of the PC is smaller. It can also be custom-tailored by IT administrators to implement and enforce policies. The caveat is that reputation has to be earned: a brand-new, perfectly legitimate program starts out with no track record, so administrators need a way to handle the "unknown" verdict without either blocking every fresh install or waving it all through.
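To make the "weighted vote" idea in Egan's PageRank analogy concrete, here is a small, added illustration (my own code, not Symantec's or Google's; the link graph is constructed for the example). Page X receives a single link from a page that is itself heavily linked to, while page Y receives three links from pages nobody links to. A plain vote count favors Y; a PageRank-style computation, which weights each vote by the popularity of the voter, favors X.

```python
from typing import Dict, List

# Constructed link graph for this example: key -> pages it links to.
# Pages that appear only as targets (X, Y) have no outgoing links.
LINKS: Dict[str, List[str]] = {
    "p1": ["hub"], "p2": ["hub"], "p3": ["hub"], "p4": ["hub"], "p5": ["hub"],
    "hub": ["X"],                            # one popular page vouches for X
    "q1": ["Y"], "q2": ["Y"], "q3": ["Y"],   # three obscure pages vouch for Y
}


def all_nodes(links: Dict[str, List[str]]) -> List[str]:
    nodes = set(links)
    for targets in links.values():
        nodes.update(targets)
    return sorted(nodes)


def inbound_counts(links: Dict[str, List[str]]) -> Dict[str, int]:
    """The 'sheer volume of votes': how many pages link to each page."""
    counts = {n: 0 for n in all_nodes(links)}
    for targets in links.values():
        for t in targets:
            counts[t] += 1
    return counts


def pagerank(links: Dict[str, List[str]], damping: float = 0.85,
             tol: float = 1e-10, max_iter: int = 500) -> Dict[str, float]:
    """Basic PageRank by power iteration. Each page hands (damping * its
    rank) evenly to the pages it links to; the rest is spread uniformly."""
    nodes = all_nodes(links)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        # Rank held by pages with no outgoing links is redistributed evenly,
        # so the scores keep summing to 1.
        dangling = sum(rank[v] for v in nodes if not links.get(v))
        new = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for src, targets in links.items():
            if not targets:
                continue
            share = damping * rank[src] / len(targets)
            for t in targets:
                new[t] += share
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


if __name__ == "__main__":
    votes = inbound_counts(LINKS)
    scores = pagerank(LINKS)
    for page in ("X", "Y"):
        print(f"{page}: {votes[page]} inbound links, PageRank {scores[page]:.4f}")
```

Run as written, Y wins on raw inbound links (3 to 1) while X wins on PageRank (roughly 0.25 to 0.16), because the one page vouching for X is itself widely linked to. Substitute "file" for "page" and "the users and sources that have this file" for "links", and you have the shape of the reputation idea: what matters is not how many places a file appears but how trustworthy those places are.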
The signature-based model has been the default anti-malware defense for 20 years. It has served us well, and it has performed admirably in most cases. However, malware developers are too numerous and too agile for such a cumbersome defense to remain effective much longer.
As the threat landscape evolves, so must our defenses: improvise, adapt, and overcome.