Last week, I blogged in SiliconIndia about the Future of Antivirus. This is a continuation of what I have already written there.
Antivirus as a Service
There are a few Antivirus models in the market where vendors provide Antivirus as a subscription service. But most of those models are built around the traditional signature based technology. Traditional Antivirus software scans data for malicious code as and when the data is accessed on the local machine (file creation and modification). Here, the focus is on the patterns found in the file, not on the integrity of the data or on the applications that are trying to access it. The Antivirus software does not check whether an application is authenticated/authorized before it can access the data.
Role of Antivirus in Application Authentication
An Operating System is always vulnerable to malicious programs if programs can be launched without proper authentication/authorization. User authentication is the first line of defense against unauthorized system access and data modification but application authentication is also very important to protect system and data against malware threats.
What we need to protect is data: its availability, confidentiality and integrity. Malware can be a threat to any or all of these. Future Antivirus software should be able to authenticate applications before they can access the local data. Application authentication should not be confused with application whitelisting.
The Antivirus service installed on the local machine should be able to fingerprint an application and compare that fingerprint with the local database. If no match for the application fingerprint is found in the local database, the local Antivirus service should communicate with the Antivirus Server, installed in the datacenter or in the cloud, and look for a matching fingerprint in the master database. Applications should not be given access to data unless they are properly authenticated.
Future Anti-malware software should also allow different authorization methods, depending on the type of data that needs to be protected. New process or application creation should always be monitored, and any unauthorized activity should be blocked irrespective of whether data is modified on disk or in memory.
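The two paragraphs above describe one flow: fingerprint the program, look the fingerprint up locally, fall back to the central server, and then apply an authorization rule that depends on the class of data being accessed. The sketch below is an added example written for this post, not code from any Antivirus vendor. It assumes SHA-256 of the whole executable image as the fingerprint, an in-memory dictionary standing in for the master database on the server, and a constructed policy in which any authenticated application may read "public" data but only named applications may read "confidential" data. One caveat worth keeping in mind: a plain content hash changes on every patch, so a real agent would need the server to publish fingerprints for every released version (or pair the hash with publisher signatures).

```python
"""Toy sketch of the application-authentication flow: fingerprint the program,
check the local database, fall back to the central server, and deny data access
unless a match is found.  Hypothetical code, not any vendor's product."""
import hashlib
import os
import tempfile

ANY_AUTHENTICATED = "any-authenticated"


def fingerprint_bytes(image: bytes) -> str:
    """Fingerprint = SHA-256 of the executable image (an assumption; a real agent
    might hash only code sections, or use a signed manifest)."""
    return hashlib.sha256(image).hexdigest()


def fingerprint_file(path: str) -> str:
    """Same fingerprint, computed from a file on disk in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class MasterServer:
    """Stand-in for the Antivirus Server in the datacenter or cloud."""

    def __init__(self, known: dict):
        self.known = dict(known)   # fingerprint -> application name
        self.queries = 0           # counts simulated network round trips

    def lookup(self, fp: str):
        self.queries += 1
        return self.known.get(fp)


class LocalAgent:
    """Local Antivirus service: local cache first, server second, deny otherwise."""

    def __init__(self, server: MasterServer, policy: dict):
        self.server = server
        self.policy = policy       # data class -> ANY_AUTHENTICATED or set of names
        self.local_db = {}         # fingerprint -> application name
        self.log = []              # audit trail of every decision

    def authenticate(self, fp: str):
        name = self.local_db.get(fp)
        if name is not None:
            return name, "local"
        name = self.server.lookup(fp)
        if name is not None:
            self.local_db[fp] = name   # cache so the next lookup stays local
            return name, "server"
        return None, "unknown"

    def authorize(self, fp: str, data_class: str) -> bool:
        """Returns True only if the app is authenticated AND the policy for this
        data class admits it.  Unknown data classes default to deny."""
        name, source = self.authenticate(fp)
        if name is None:
            decision = False
        else:
            allowed = self.policy.get(data_class, set())
            decision = allowed == ANY_AUTHENTICATED or name in allowed
        self.log.append((fp[:12], name, source, data_class, decision))
        return decision


def demo() -> dict:
    """Constructed scenario: a cached editor, a payroll app known only to the
    server, and an unknown binary.  Returns the decisions for inspection."""
    editor = b"MZ\x90\x00 constructed editor image"
    payroll = b"MZ\x90\x00 constructed payroll image"
    unknown = b"MZ\x90\x00 constructed unknown binary"
    server = MasterServer({fingerprint_bytes(editor): "text-editor",
                           fingerprint_bytes(payroll): "payroll-app"})
    agent = LocalAgent(server, {"public": ANY_AUTHENTICATED,
                                "confidential": {"payroll-app"}})
    agent.local_db[fingerprint_bytes(editor)] = "text-editor"   # already cached

    # Check that the file-based and bytes-based fingerprints agree.
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(payroll)
    tmp.close()
    file_matches = fingerprint_file(tmp.name) == fingerprint_bytes(payroll)
    os.remove(tmp.name)

    return {
        "editor_public": agent.authorize(fingerprint_bytes(editor), "public"),
        "editor_confidential": agent.authorize(fingerprint_bytes(editor), "confidential"),
        "payroll_confidential": agent.authorize(fingerprint_bytes(payroll), "confidential"),
        "payroll_again": agent.authorize(fingerprint_bytes(payroll), "confidential"),
        "unknown_public": agent.authorize(fingerprint_bytes(unknown), "public"),
        "server_queries": server.queries,   # expect 2: payroll once, unknown once
        "file_hash_matches": file_matches,
        "log": agent.log,
    }


if __name__ == "__main__":
    for row in demo()["log"]:
        print(row)
```

The `log` entries record which source (local, server, unknown) authenticated each request, which is what a SOC analyst would want when reviewing why an access was blocked; note also that the second payroll request never reaches the server because the first one populated the local cache.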
Application Authentication: How effective would it be?
Denying an unauthorized application access to data is only one part of the malware defense model; by itself it is not a security model that can give maximum protection.
There are hundreds of applications with known and unknown vulnerabilities, and there is plenty of malware developed to exploit those vulnerabilities. How can we trust an application only because it is developed by a trusted vendor?
There are different types of software vulnerabilities and exploitation methods. Exploitation of each of these vulnerabilities would have a different level of impact on the Confidentiality, Availability and Integrity of the data and the system.
To provide maximum protection, the local antivirus service should also be able to communicate with a HIPS/NIPS service (local/network) and check for vulnerability exploitation attempts as and when applications request access to data on the local disk or memory.
This model can be best implemented in a Service Oriented Architecture.
More on this topic in my next blog.
Disclaimer: "Whatever I discussed here are my personal opinions and they do not represent the opinions or positions of my employer".
Interesting thought. Signature based anti-virus systems are reactive and proving to be obsolete, though we still survive on them. Most other technologies have either failed or have administrative overhead which administrators don't prefer.
Finding a reliable method to fingerprint and authenticate applications is a challenge, especially when applications go through upgrades, updates and patches on a daily basis.
Posted by: Anil Aravind | 23 January 2009 at 08:18 AM
Anil,
Thank you for your comments.
I understand it would be a challenge to manage all application fingerprints and authenticate applications when they go through regular upgrades and patch updates. It is a real challenge to maintain different fingerprints for the same application at different versions. But this will not be that difficult if the Antivirus can keep a centralised database of all known application fingerprints and the local antivirus agents check with the Server if they cannot find a matching fingerprint on the local machine.
Note: This model might not be suitable for a consumer version. More details about this new model (Antivirus as a Service) in my next blog.
Posted by: Praveen | 26 January 2009 at 11:24 AM