This document discusses whether antivirus (AV) software is dead or just missing in action. It begins by comparing traditional, signature-based AV to next-generation security products that use techniques like machine learning and threat intelligence. The document then debunks common myths about AV and security technologies. It analyzes results from tests of next-generation security products on services like VirusTotal. The document concludes that while no single product can stop all threats, security defenses continue to evolve beyond traditional AV through layered approaches.
5. Traditional AV vs Next-Gen Security Products
Traditional AV
• Signature based, blacklisting & reactive approach
• Latency between
    • a sample being reported, its analysis, and the release of a signature that detects it
• Complex samples using detection evasion mechanisms
• Ineffective against exploits targeting vulnerabilities in
    • Adobe and Microsoft Office file formats
    • operating systems, web browsers
    • Java and other applications
• Fileless malware attacks
The threat landscape & computer security are ever evolving
6. Next-Gen Security Products
A big change in how threats are detected
• Endpoints are acting as sensors
• No longer dependent on a signature based approach
• Threat Intelligence – indicators of compromise, context aware
• Ideally no latency in getting protection to all users
• Products at the perimeter of enterprises
    • scanning web traffic, email messages
8. Busting Security Myths
• Machine Learning solves all problems
• Malware behavior does not change
• Sandbox cure for all Advanced Threats
• Traditional AV is just signature based
• (Next-Gen) Threat Intelligence
9. Myth#1 Machine Learning solves all problems
• Building models based on training sets and anomalies
• Effectiveness depends on accurate feature engineering
    • needs strong domain expertise
• Needs tuning of models for changing threats
    • challenge in scaling models to a large number of samples
• False Positives vs False Negatives
• Efficacy against advanced threats
    • specific, targeted and unknown samples
• Garbage In, Garbage Out (GIGO)
• Best Next-Gen AVs with machine learning engines
10. Myth#2 Malware behavior does not change
• Execution on real systems or in a sandbox
    • to identify malicious behavior
• Behavior common with clean applications
    • execution from temp folder, autorun entries, self-delete, copy to multiple locations, launch browser etc.
    • need to minimize false positives with reputation and whitelisting
• Malware behavior is ever changing
    • e.g. evolution of ransomware
• Adware, PUAs are hard to detect with behavior
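As an added illustration of the reputation/whitelisting point (example code, not from the deck or any product): a toy behaviour scorer for constructed process events, in which a trusted installer and an unsigned binary show exactly the same behaviours and only reputation separates them. Indicator names, weights, the threshold and the trusted publisher are assumptions.

```python
# Added example (not from the original deck): scoring constructed process
# events on the behaviours the slide lists, with a reputation whitelist so
# that clean software showing the same behaviours does not raise an alert.
from dataclasses import dataclass, field

# Each behaviour is weighted because every one of them is also seen in
# legitimate software; only the accumulated score decides the verdict.
INDICATOR_WEIGHTS = {
    "exec_from_temp": 2,
    "autorun_entry": 3,
    "self_delete": 4,
    "copy_multiple_locations": 3,
    "launch_browser": 1,
}
ALERT_THRESHOLD = 6

# Constructed reputation data: signers whose binaries count as known good.
TRUSTED_PUBLISHERS = {"Example Installer Corp"}

@dataclass
class ProcessEvent:
    image: str                  # executable name as seen by the sensor
    publisher: str              # code signer, "" when unsigned
    indicators: list = field(default_factory=list)

def score_event(event):
    """Return (score, verdict). Trusted publishers short-circuit to 0: the
    behaviour is the same as malware, only the reputation differs. Unknown
    indicator names add nothing rather than raising."""
    if event.publisher in TRUSTED_PUBLISHERS:
        return 0, "whitelisted"
    score = sum(INDICATOR_WEIGHTS.get(name, 0) for name in event.indicators)
    return score, ("alert" if score >= ALERT_THRESHOLD else "monitor")

# Constructed events: the first two behave identically and only the signer
# tells the installer from the unsigned dropper.
SAMPLE_EVENTS = [
    ProcessEvent("setup.exe", "Example Installer Corp",
                 ["exec_from_temp", "autorun_entry", "copy_multiple_locations"]),
    ProcessEvent("helper.exe", "",
                 ["exec_from_temp", "autorun_entry", "copy_multiple_locations"]),
    ProcessEvent("updater.exe", "", ["exec_from_temp", "self_delete"]),
    ProcessEvent("notes.exe", "", ["launch_browser", "unknown_indicator"]),
]

def triage(events=SAMPLE_EVENTS):
    """Map image name to (score, verdict) for a batch of events."""
    return {event.image: score_event(event) for event in events}
```

Without the whitelist, setup.exe would score 8 and alert exactly like helper.exe; the reputation data, not the behaviour, is what keeps the false positive out.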
11. Myth#3 Sandbox cure for all Advanced Threats
• Email, network sandboxing
• Sandbox analysis is performed based on
    • known malicious traffic – netblocks, domains, Snort rules
    • static analysis – YARA rules & analysis scripts
    • known malicious behavior – pattern matching
• Sandbox evasion techniques
    • detect presence of sandboxes
    • delay payload execution until user interaction
    • check for signs of a real system
• Ineffective against targeted malware
    • which runs only on specific system configurations
12. Myth#4 Traditional AV is just signature based
Not just signature based detections
• algorithmic & emulator based detections
• heuristic based detections
• machine learning based detections
• cloud based detections
Endpoint Protection Systems have
• behavior based detections
• anti-exploit detections
• firewall, IDS/IPS
• web security
AV-Certification methodologies have changed
13. Myth#5 (Next-Gen) Threat Intelligence
Legacy, signature-based intelligence feeds – avoid the hype!
• indicators of compromise
    • domains, URLs, IPv4 and IPv6 addresses, hashes
• block malicious scripts based on patterns
    • of prevalent exploit kits
• threat intelligence community
    • aggregation of threat intel subscriptions gives the best results
    • hourly updates – still leave a window for compromise
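An added example, not from the deck or any vendor's feed: aggregating several constructed indicator feeds into one normalised set (the slide's domains, URLs, IPv4/IPv6 addresses) and matching constructed proxy log lines against it, with each hit tagged by the feeds that knew the indicator. Feed names, indicator values and the log format are assumptions.

```python
# Added example (not from the original deck): aggregate constructed IoC feeds
# into one normalised set and match constructed proxy log lines against it.
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse
# Constructed feeds: the same indicator appears in several spellings.
FEEDS = {
    "feed_a": [("domain", "Evil-Updates.example."), ("ipv4", "203.0.113.45")],
    "feed_b": [("url", "http://evil-updates.example/a.js"), ("ipv6", "2001:db8:0:0:0:0:0:1")],
    "feed_c": [("ipv6", "2001:DB8::1"), ("domain", "evil-updates.example")],
}

def normalize(kind, value):
    """Canonicalise one indicator so the same IoC from two feeds dedupes."""
    value = value.strip().lower()
    if kind == "url":                       # match on the host, not the full URL
        kind, value = "domain", urlparse(value).hostname or ""
    if kind == "domain":
        return "domain", value.rstrip(".")
    if kind in ("ipv4", "ipv6"):            # one spelling per address
        return "ip", str(ipaddress.ip_address(value))
    raise ValueError(f"unsupported indicator type: {kind}")

def aggregate(feeds):
    """Merge feeds into {normalised indicator: set of feeds listing it}."""
    merged = defaultdict(set)
    for name, entries in feeds.items():
        for kind, value in entries:
            merged[normalize(kind, value)].add(name)
    return merged

# Constructed proxy log lines: "<timestamp> <client> <host> <dest_ip>".
SAMPLE_LOGS = [
    "2017-03-01T10:05:00Z 10.0.0.7 evil-updates.example 203.0.113.45",
    "2017-03-01T10:06:00Z 10.0.0.8 www.example.org 198.51.100.10",
    "2017-03-01T10:07:00Z 10.0.0.9 cdn.example.net 2001:db8:0:0:0:0:0:1",
]

def match_logs(merged, lines=SAMPLE_LOGS):
    """Return (timestamp, client, indicator, feeds) for every hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue                        # malformed line: skip, do not crash
        ts, src, host, dst = fields         # dst is assumed to be an IP literal
        for key in (normalize("domain", host), normalize("ipv4", dst)):
            if key in merged:
                hits.append((ts, src, key[1], sorted(merged[key])))
    return hits
```

Six feed entries collapse to three indicators, and the IPv6 hit is found only because both the feed value and the logged address were canonicalised to the same spelling.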
15. Maintaining a healthy community:
“all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services.”
VirusTotal should not be used to generate comparative metrics between different antivirus products. Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment.
VirusTotal & Next-Gen AVs
16. NG-AV 1 - The Industry’s Best Machine Learning Next-Gen AV
NG-AV 2 - machine learning engine designed to identify previously unknown malware
MD5: feb93aaab2357f00c23b06b7a6cab4c9
20. Comparison of Next-Gen Security Products
AV-Comparatives: first public comparative Next-Gen Security test report
• a number of vendors refused to participate
• some products only provide logging rather than protection
• protection features are deactivated by default
• may not be available as a trial version
• do not sell to testing labs
21. Endpoint Protection - Layered Security Approach
• Threat Intelligence
• Email Protection
• Web Security
• Firewall / IPS
• Anti-Virus / Anti-Malware
• Behavior Based Protection
• Anti-Exploit
• Patch Management
• Application Control
• Data Protection
22. Just Missing in Action?
Having the right expectations of anti-malware products
• ransomware & data protection
• mobile devices, IoT devices
Malware-less attacks
• using legitimate remote administration applications
23. "ain't a horse that can't be rode,
ain't a man that can't be throwed"
24. Defense against insider threats?
• Walking cyber security threats
• Theory of convenience
• And the world needs to pay a high price!
25. Conclusion
• Security Products have multiple detection mechanisms
• Threat-centric security technologies
• The approach to security needs to evolve constantly
• No silver-bullet to solve all cyber security issues
• Go beyond the Next-Gen hype!