anti-malware


Warning: Panda Security/work related post. ;)

… this week.

The main news in the 4.03 release is:

* Optimized console performance
* Reduced installation package size
* More auto-uninstallers for competitor products
* Improved update features for mobile users
* Full support for XP SP3 and Vista SP1
* Full support for Exchange 2007 SP1
* Full NAP support in our desktop protections

A lot of other news and bugfixes are also included.

Ask your local Panda office for the complete document of changes.

If you’re a client you can download the upgrade here.

Cheers,


I’m sitting here preparing for a meeting at which I will discuss our role in a client’s PCI DSS project, and I thought it might do others good if I also post what I’m thinking.

First off, remember that all of this is from a Panda AdminSecure/MalwareRadar point of view and it might not apply to other solutions.

Alright then. Which control objectives and sub-objectives are we even directly responsible for when helping the client achieve compliance? By my thinking it should be:

Requirement 5: Use and regularly update anti-virus software or programs (all subs)

Even though the term anti-virus doesn’t really apply anymore, we can help with this ;)

Those that we might be affected by/can help with are:

Requirement 6: Develop and maintain secure systems and applications
— 6.1 Ensure that all system components and software have the latest vendor supplied security patches installed.
[...continued]

Requirement 11: Regularly test security systems and processes
— 11.2 Run internal and external network vulnerability scans at least quarterly
[...continued]
— 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems [...continued]
— 11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files [...continued]

And how can we do that? My notes on all the mentioned subcomponents are below…

The main ones:

5.1: This point discusses deployment of anti-virus protections. With Panda solutions, there’s no problem here. Deployment can be done by pushing (RPC) or by setting login scripts from within the console, and there are also .exe and .msi packages available for those that have bigger deployment solutions.

5.1.1: This point discusses verifying correct operation of the solution at hand and seeing to it that it also detects and removes other threats such as spyware or adware. The function verification is really up to the client, but of course we’ll help ‘em if they need help ;) heh… And spyware/adware has been a part of our signatures since 2004.

5.2: This point discusses the monitoring of the chosen solution to ensure that it is working, is updated and is capable of generating logs. All of this can be monitored from within the AdminSecure console, and scheduled reports can be set up to inform admins of the current status. There is also the possibility of using other logging and notification services such as syslog and SNMP, but one should be aware that these units need to be reachable from the client computers, as the warnings will originate from them.

and then the others that we might be able to help with:

6.1: This point discusses the need to ensure that all computers have all security-related patches applied. We can help with this by offering scans with MalwareRadar (distributed by pushing (RPC), or as .exe or .msi packages), which does both a low-level scan with a huge signature set (too huge for on-access scanners) and a patch inventory on the scanned machines. MalwareRadar is a part of AdminSecure as of version 4.02.01 (beginning of 2008 I think).

11.2: This point discusses running vulnerability scans periodically or after significant network changes. MalwareRadar might be applicable here, but I would not really classify it as a vulnerability scanner. Marketing will however probably say that it applies ;)

11.4: This point discusses and encourages the use of NIDS, NIPS, HIDS and HIPS. In this section we can help with the HIPS part via TruPrevent. TruPrevent is more than just a HIPS, but it has all the features of one. This component was released in late 2004 and has since been optimized for both capabilities and performance. It installs by default on both clients and servers. Read more here, here and here.

11.5: This point discusses the use of file integrity monitoring software. This is done in part by our client protection with TruPrevent (see the point above) on some critical system files and behaviours. It could however be locked down even further by customizing the ruleset. For a simple example, one may not modify the “hosts” file in certain ways. TruPrevent is not 100% the answer to this point though, as what they are really after is a checksum monitor like Tripwire.
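To show what the checksum-monitor approach behind 11.5 actually does, here is a small Tripwire-style baseline-and-compare script. This is an added example, not Panda code and not the TruPrevent ruleset; the “hosts” and “service.exe” files in the demo are constructed in a temporary directory.

```python
"""Minimal checksum-based file integrity monitor (added illustration for PCI DSS 11.5).
Not vendor code; the files used by demo() are constructed, not real system files."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Map each monitored path to its SHA-256; a missing file is recorded as None."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def compare_baselines(old, new):
    """Return the paths that were modified, removed or added between two snapshots."""
    modified = sorted(p for p in old
                      if old[p] is not None and new.get(p) is not None and old[p] != new[p])
    removed = sorted(p for p in old if old[p] is not None and new.get(p) is None)
    added = sorted(p for p in new if new[p] is not None and old.get(p) is None)
    return {"modified": modified, "removed": removed, "added": added}


def demo():
    """Constructed scenario: baseline a fake hosts file and a fake service binary,
    then append a line to hosts and delete the binary, as a real monitor would see."""
    with tempfile.TemporaryDirectory() as d:
        hosts = os.path.join(d, "hosts")
        svc = os.path.join(d, "service.exe")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(svc, "wb") as f:
            f.write(b"MZ")
        baseline = build_baseline([hosts, svc])
        with open(hosts, "a") as f:
            f.write("# constructed change to the monitored file\n")
        os.remove(svc)
        report = compare_baselines(baseline, build_baseline([hosts, svc]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite it, and the compare step would be scheduled and its report fed to the alerting channel (syslog/SNMP) the 5.2 note mentions.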

Ok, that’s about it.

If anyone thinks I’m totally off target, or if they have other ways of looking at this, please let me know!

is without doubt the hands-on management aspects of the whole suites.

Every month I read news, blogs and press releases from both vendors and independents on detection effectiveness. Sometimes this news is about the accuracy of the vendors’ signatures, sometimes about the files the sigs missed, sometimes it’s about the vendors’ brand new and shining behavioural analysis engines. But it is almost never about the technical management features of the products. What eventually makes the news in this aspect is either the new administration consoles that pop up every two to three years or something failing in a spectacular fashion.

That kind of information is not really as newsworthy as a remedy to the latest threat, but one thing is for sure: it doesn’t matter how good the detection ratios are if the client protections remain unmanaged, defunct or unlicensed.

Most of the time this is not a problem in larger networks where the appropriate funds and technical resources have been allocated, but when reviewing smaller companies or organizations (<500, sometimes larger) without dedicated security management you will often find problems.

The problems range from client communication malfunctions to management servers dropping dead for no particular reason. Often, these issues require human interaction to resolve, and this in turn increases the IT-services overhead. Sometimes this happens with our (Panda Security’s) solutions and sometimes with other vendors’ (I consult for another company in the PCM Group and meet a lot of different environments).

I’m not saying this is the AV vendors’ fault, as it often turns out to be erroneous customer configurations and/or secondary system malfunctions (thank you Microsoft for your most excellent AD/DHCP/DNS solutions, thank you).

My point is that these problems, from a software point of view, should be a calculable risk.

People will make mistakes. People will be incompetent. People will be lazy. People will “install and forget”. People will be People. And we should be better at understanding and counteracting these factors.

The latest versions of Panda AdminSecure have some of this in functions that repair failing client protections automatically, but it surely is not enough. People should not be able to set permissions or deactivate policies that might be a danger to the protection functioning without some serious alarm bells going off. People should not be able to set up firewall policies that cripple the required communication, and thereby degrade the level of protection, without the central management consoles showing large red flashing screens. If something is done by a Microsoft patch that might or does disrupt the correct functioning of any server components, the management tools should be able to tell the administrators this in a reliable fashion.

Surely there are those that think that this is complete bullshit and have the “if they’re morons and fail, plz let them burn” attitude. These people are ignorant of the overall picture and do not understand the underlying problem.

If there were no unprotected (not installed or malfunctioning protection) clients, there would be a much smaller market for “corporate” malware creation. One effect of this is less money for the bad guys. Less money for the bad guys means they have less money to spend on maintaining and developing new malware.

And of course, less malware development => good for all.

In conclusion,

Security systems are all about reliability. How come AVs are lagging on this particular point?

Users and less experienced technicians are unpredictable, but how hard can it be? We have built engines that can detect hostile code based on behavior, why not do the same to the admins ;)