Author's Note: This was an article I previously wrote for the Dasher Technologies blog on September 20th, 2017. As Dasher has been acquired by Converge Technology Solutions, the Dasher blog may be removed in the future; I am posting this here for archival purposes (with permission).
Over the last few years, “traditional” antivirus protection has become increasingly ineffective against modern malware. This has pushed the industry towards “next-generation” endpoint protection, but “next-generation” is an umbrella term covering a variety of methods for combating modern malware. Today, I’d like to take you through a brief history of antivirus, discuss the challenges facing “traditional” antivirus products, and then look at the different types of “next-generation” endpoint protection available.
A Brief History of Antivirus
Back in 1971, the first computer virus was written. Creeper, as it was called, was a worm which copied itself across mainframe computers on ARPANET; its only damage was copying itself to other mainframes and printing the line “I’m the creeper: catch me if you can”. The next year, programmer Ray Tomlinson (best known for inventing email) wrote another worm, Reaper, which was designed to detect and remove the Creeper worm from systems. While some may argue that Reaper was the first antivirus program ever written, its behavior was similar to that of a virus itself, in that it was deployed without the consent of the system owners and administrators. Fast forward to 1987, when a handful of true antivirus utilities were released; the best known today are VirusScan by McAfee, and NOD, the predecessor to ESET. As the industry progressed in the 80s and 90s, players such as Panda Security, Trend Micro, Symantec, F-Secure, avast!, AVG, and Kaspersky joined the growing market of antivirus solutions, which are commonly used today in homes and businesses around the world.
Challenges of “Traditional” Antivirus
Traditional antivirus solutions are struggling to keep up with the malware threats of today, for a variety of reasons. Many of these challenges come back to a single root issue: the use of signatures, commonly hash values, which are compared against a file to decide whether it is a known virus or malware, or is otherwise considered clean.
In the early days of antivirus, the number of known malware samples was fairly low. In 1994, the AV-TEST Institute, an independent IT security research group, reported a total of 28,613 malware samples in its database. To detect these samples, antivirus engines would hash a file with an algorithm such as MD5 and compare the resulting value against the list of hash values associated with known malware.
The challenge with using hash values (or other signature-based methods) in today’s threat landscape is partially due to the rise of what is called “polymorphic” malware. Polymorphic malware is written so that its underlying code changes from copy to copy, evading detection because the file no longer matches the hash value from which the signature was derived. Take the following (incredibly basic) example:
“Hello world” – MD5 hash: ca74e8418fcd3ef2e5d34857baf7b3cb
“Hello world ” – MD5 hash: 2ce16307b8984b86477dc19b548811ef
Just the addition of a single space in the second version results in a different hash value!
This move towards polymorphic malware, combined with the general increase in organized malware campaigns, meant that over 115 million new malware samples were added to the AV-TEST Institute’s database in 2016 alone; for comparison, the entire database at the end of 2013 (all malware cataloged since 1994) held about 175 million samples.
The growing number of malware samples in the wild, combined with the rate at which variants are created, is causing traditional antivirus systems to fail. Where once-a-day updates used to provide sufficient coverage, many vendors have shortened update intervals to as little as every five minutes to help customers catch the newest malware. However, until a sample of malware has been seen in the wild, traditional antivirus cannot properly defend against it; this means a more targeted campaign can go unnoticed for a very long time, as happened with the initial deployment of Stuxnet.
Side Note: if you are interested in reading more about zero-day malware, I highly recommend the book “Countdown to Zero Day” by Kim Zetter.
How “Next-Generation” Endpoint Protection is Different
Over the past 3-4 years, the endpoint protection industry has started moving towards “next generation” solutions to better combat the rise of modern malware, especially with the entrance of solutions such as CrowdStrike, Cylance, Bit9, and others. These solutions work differently from traditional antivirus; in particular, they all move away from signature-based detection of malware.
Here are a few ways that Next Generation Endpoint Protection works:
- One vendor’s solution focuses on machine learning and artificial intelligence to break down files into much smaller fingerprints, or characteristics, looking for those pieces which are known to be signs of an attempted attack on a system.
- Another vendor’s solution works to mitigate malware by analyzing all running processes on a system, maintaining a whitelist of acceptable processes and process behaviors, as well as detailed forensics on processes to identify and stop unusual behaviors.
- A third vendor’s solution also watches processes on the endpoint, looking for signs of the low-level exploitation techniques that most malware shares and leverages as part of an attack, and stopping those activities from taking place.
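The following is an added illustration, not code from the article or from any vendor mentioned, contrasting the whole-file hash lookup described in the “traditional” antivirus section (the two “Hello world” hashes above) with the first bullet’s idea of breaking a file into many smaller fingerprints. The overlapping-window chunk hashing, the Jaccard score and the 0.8 threshold are a hypothetical stand-in for a real feature-extraction engine, and the two sample bodies are constructed.

```python
import hashlib

# Constructed sample bodies: a "known bad" file and a polymorphic variant that
# differs only by one appended space, mirroring the article's hash example.
KNOWN_SAMPLE = b"Hello world"
VARIANT = b"Hello world "


def md5_hex(data: bytes) -> str:
    """Whole-file signature as a traditional engine would compute it."""
    return hashlib.md5(data).hexdigest()


def signature_match(data: bytes, blocklist: set) -> bool:
    """Traditional check: exact hash lookup against known-bad hashes.
    Any single-byte change to the file defeats this."""
    return md5_hex(data) in blocklist


def chunk_fingerprints(data: bytes, window: int = 4) -> set:
    """Hypothetical 'characteristics' extraction: hash every overlapping
    byte window so the file becomes a set of many small fingerprints
    rather than one. Files shorter than the window yield an empty set."""
    return {hashlib.md5(data[i:i + window]).hexdigest()
            for i in range(len(data) - window + 1)}


def similarity(a: bytes, b: bytes, window: int = 4) -> float:
    """Jaccard similarity (0.0..1.0) of the two fingerprint sets; a small
    edit changes only a few windows, so the score stays high."""
    fa, fb = chunk_fingerprints(a, window), chunk_fingerprints(b, window)
    if not fa and not fb:
        return 1.0
    return len(fa & fb) / len(fa | fb)


def characteristic_match(data: bytes, known: list, threshold: float = 0.8) -> bool:
    """Flag the file if it shares enough fingerprints with any known sample."""
    return any(similarity(data, k) >= threshold for k in known)


if __name__ == "__main__":
    blocklist = {md5_hex(KNOWN_SAMPLE)}
    print("signature match on variant:", signature_match(VARIANT, blocklist))
    print("similarity to known sample:", round(similarity(KNOWN_SAMPLE, VARIANT), 3))
    print("characteristic match on variant:", characteristic_match(VARIANT, [KNOWN_SAMPLE]))
```

On the constructed inputs the exact-hash check misses the variant while the fingerprint score is 8/9, well above the threshold; a real engine would use far richer features than raw byte windows.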
Traditional security companies are not standing still and firewall vendors offer total solutions.
Of course, the traditional players like Symantec, McAfee, Trend Micro, Microsoft Windows Defender and Sophos are not standing still, and are coming out with new Next Generation solutions to further fill the marketplace with options for our clients to consider. To make it even more interesting, companies that have traditionally worked only in the firewall space, such as Cisco, Check Point, Palo Alto Networks and Fortinet, have come to market with the concept of total protection solutions that offer endpoint as well as network core and edge protection.