About Us

The Immunet Blog is maintained by the Immunet team as a forum for discussing news and issues related to AntiVirus, security and cloud technology.

Entries by Adam J. O'Donnell (5)

Monday, Jul 12, 2010

The Why Behind Cloud Technology

One of the questions we frequently field at Immunet is what value the cloud brings to anti-virus. There are many technical, analytical, and business reasons why the cloud model is the future of AV, but for now I am going to focus on the one area in which we feel we have the greatest ability to innovate, namely rapid detection of new threats.

In traditional anti-virus, collections of rules are fetched by the product and stored locally. These files, known as definitions, or "defs", can classify a virus, but provide little context to the AV product about the file's global behavior. Data such as how often the file is seen in the world, how many other users have been exposed, and the rate at which it first emerged is completely lacking. Information on the flow of files, both clean and malicious, can be as valuable for classifying files in near real time as rules written by an analyst for malware that is several days old. 

The problem with AV that has no cloud component is that there is no way for a global analytics system to acquire and act on that data in near real time, so malware escapes for several days until a team of analysts is able to catch up with a handcrafted definition. While our technology is still in the electronic equivalent of its teenage years, we are able to analyze our cloud lookups and make rapid decisions on new threats days before we see them discussed in the back channels run by AV developers.
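To make the point concrete, here is an added example (not Immunet's code) of the kind of decision prevalence data from cloud lookups enables: it aggregates constructed lookup telemetry per file hash and separates a long-established, widely installed file from a hash that emerged hours ago and is already spreading across hosts. The hash names, host ids and thresholds are assumptions made for the demo, not real tuning.

```python
"""Prevalence-based triage of file hashes from cloud lookup telemetry.

Added illustration, not a vendor's code. Thresholds are assumed demo values.
"""
from datetime import datetime, timedelta

# Constructed sample lookups: (timestamp, host_id, file_hash). Placeholders only.
T0 = datetime(2010, 7, 12, 9, 0)
LOOKUPS = [
    # Seen on 40 hosts, steadily, for a month: typical widely installed software.
    *[(T0 - timedelta(days=30) + timedelta(hours=h), f"host-{h % 40:03d}", "sha-widespread")
      for h in range(120)],
    # First seen two hours ago and already on 24 distinct hosts: a spreading sample.
    *[(T0 - timedelta(minutes=120 - 5 * i), f"host-{200 + i:03d}", "sha-newburst")
      for i in range(24)],
    # One host, one lookup, half an hour ago: nothing to conclude yet.
    (T0 - timedelta(minutes=30), "host-999", "sha-singleton"),
]

# Assumed demo thresholds (a real service would tune these from its own data).
KNOWN_MIN_HOSTS = 25                 # distinct hosts before a file counts as "in wide use"
KNOWN_MIN_AGE = timedelta(days=7)    # and it must have been around for a while
BURST_MAX_AGE = timedelta(hours=24)  # "new" means first seen within a day
BURST_HOSTS_PER_HOUR = 5.0           # spread rate that warrants escalation


def prevalence(events):
    """Per hash: first/last seen time, set of distinct hosts, and lookup count."""
    stats = {}
    for ts, host, sha in events:
        s = stats.setdefault(sha, {"first": ts, "last": ts, "hosts": set(), "lookups": 0})
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["hosts"].add(host)
        s["lookups"] += 1
    return stats


def triage(sha, stats, now):
    """Classify a hash from its global flow, with no signature for the file itself."""
    s = stats[sha]
    age = now - s["first"]
    hosts = len(s["hosts"])
    hours = max(age.total_seconds() / 3600, 1.0)  # floor the window to avoid spiky rates
    rate = hosts / hours                          # new hosts exposed per hour
    if hosts >= KNOWN_MIN_HOSTS and age >= KNOWN_MIN_AGE:
        return "widespread-established"
    if age <= BURST_MAX_AGE and rate >= BURST_HOSTS_PER_HOUR:
        return "new-and-spreading"   # escalate to analysts / block candidate
    return "insufficient-data"
```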

Malware is becoming more numerous in total volume, less frequently seen on a case-by-case basis, and shorter lived. All of these factors are pushing AV firms toward cloud-based models. Why wait for traditional AV vendors to re-tool their technology into cloud-based solutions, when ours is ready and working now?

Wednesday, Jan 6, 2010

Don't worry about news-making viruses. Make us worry about them.

Arguably the biggest desktop security story of the last few years was the mass propagation of the Conficker worm. The worm had all the hallmarks of a great news story as well as a security event. It was found on millions of computers almost overnight, it touched government and military networks, and it had a mysterious hard-coded date on which it would "do something different", but no one knew what. The concern was so great that numerous security researchers formed a task group to actively counter the worm, and people like my parents called knowledgeable friends and family to ask whether they should keep their PC disconnected on the turn-on date.

The story should have been completely ignored by end users beyond the standard mantras of computer hygiene: keep your backups and AV software fresh.

I am not saying that the thousands of man-hours put in by the security community to stop the virus were for naught. Their work went a long way towards containing the expansion of the network and keeping the bot authors focused on defense rather than leveraging their network. I am saying that the average user shouldn't care.

A computer is not like your body. Your body has an immune system that has evolved to take care of the vast majority of external threats, with modern technology providing augmentation whenever our individual immune systems can't deal with an infection, say smallpox, polio, or hepatitis. Biological viruses evolve based upon their environment without an intelligent being behind them trying to figure out how to evade a human's immune system. A computer has no immune system whatsoever beyond what you install and what your security vendor provides. Computer viruses are built by other human beings, and any successes they experience are in turn the failures of your software vendor.

You should be less concerned about the specific strain of virus and far more concerned about why your single vendor can't stop the threat, and what additional software you need to install to have them stop the threat.

I would like to thank an anonymous audience member for a submitted question that started me on this thread. We do read all of your e-mails and blog comments, so even if we don't have the time to reply immediately, we do appreciate them and they do help shape our priorities. For this, I and everyone else at Immunet thank you.

Wednesday, Jan 6, 2010

From the newsletter vault: December's "Ask the Doctor" column

Many of you, my dear readers, are not subscribed to our newsletter. For shame! You can easily do so when you download our AV software. Below you will find some of the pearls of wisdom that you are missing by NOT being on our newsletter list.

Lillith, from Wauwatosa, WI, writes in:

Q: Can I use my system for online banking if it had a virus and the virus was removed?

A: There are a lot of great anti-virus and anti-malware packages out there that do a fine job of stopping viruses from coming in and removing them from your system if one sneaks past. No technology is 100% effective, however. Even after removal, remnants of the malware may still exist on your system. If a significant portion of the malware is still resident in the computer, then it is possible for the malware to pull down updates and reinfect the machine. While the situation may be rare, there will always be a risk of reinfection after malware removal. As is true with anything in life, there is going to be risk associated with using a PC for any financial transactions after removing resident malware.

Here is yet another reason to keep good, local backups of your system: if you want to be completely certain that there are no remnants of malware on the system, you have to restore the machine from a recent, uninfected, complete system backup. Online backups rarely cover all of the operating system components, which are exactly where the malware components are likely to live. As Sigourney Weaver said in "Aliens", you need to "take off and nuke the entire site from orbit. It's the only way to be sure."

Drop us an e-mail with any other questions you would like us to address at doctor@immunet.com.

Wednesday, Dec 23, 2009

Why Anti-Virus is Hard

Every so often I am asked by a friend or a family member if I can tell if a file is a virus using just cursory inspection, and more often than not I receive a follow-up question on why it is so hard to do so. Before I get into why malware detection is so incredibly hard, it is helpful to take a brief diversion into the theoretical underpinnings of computer science.


Wednesday, Nov 11, 2009

Schneier on Anti-Virus, and why I joined Immunet

Bruce Schneier, one of the leading voices of our community, took a stand on the controversial position held by many security researchers that anti-virus is dead. Bruce disagrees with this position and reaffirmed the necessity of anti-virus this week. He makes the sound argument that the reduction in efficacy of traditional anti-virus technologies is not a reason to eliminate them from your desktop. Saying otherwise would be akin to throwing out all antibiotics because a certain class of them became less effective. Even if old-school anti-virus products become less effective, they are better than nothing.
