Part 2 of 5: Antivirus Software with Up-to-Date Signatures
What Is It?
Like floppy disks, CRT monitors, and short commutes in light traffic, Anti-Virus seems to have fallen into the deep, dark recesses of the past. There was a time when we happily went about using our computers with little more than the operating system and a few basic applications, and without fear of the big, bad Internet. Fast-forward a few years to when Anti-Virus software became the norm and you wouldn’t think of having a computer without it. Now, with all the advanced endpoint protection suites and their bells and whistles, we consider Anti-Virus technology by itself... antiquated, ineffective, and incomplete.
There is a good reason you need Anti-Virus software with current signatures, so allow me to explain it in a roundabout way. We seem to obsess over the latest and greatest technology, concerning ourselves with the latest and greatest threats and focusing on the outrage of the day. Have you ever noticed how a headline about a big scandal disappears after a few days when a new one takes its place? We falsely believe the original scandal no longer exists and internalise that it has somehow been resolved, until it rears its ugly head again in the future. Modern technology doesn’t necessarily render legacy technology useless. Less effective, perhaps, but rarely, if ever, useless.
Threats are like that as well. We all remember the WannaCry ransomware incident, and we remember some of the older viruses such as “ILoveYou” or vulnerabilities like Heartbleed. Just because they’re not in the headlines doesn’t mean they’re not still wreaking havoc, perhaps in smaller numbers. The impact on those affected is the same. Let me put it to you this way: do you still get emails from some foreign despot, desperate for you, yes YOU, to help him get his money out of whichever country he happens to rule that day? It’s because they still work. Spam emails, legacy technology, and viruses are still around because they work.
Where Do I Start?
Odds are you’ve already got this under control, so it may be fair to say you’ve already started, probably a long time ago when your business deployed its first endpoint protection suite. Maybe it was individually managed, maybe centrally managed. Over time, you’ve probably updated the version of that suite, added features, or moved to a different suite altogether. Odds are also that whatever you are using does more than just Anti-Virus. Perhaps it also does host-based IDS or IPS, Anti-Spam, and Anti-Malware. Maybe it also does application whitelisting and control, even using multiple profiles for when you are on or off the corporate network.
If you are a home or small business user, maybe you don’t have the latest and greatest suite, but you probably have some form of endpoint protection covering Anti-Virus, Anti-Malware and Anti-Spam. It may be free, or it may be commercial. Offerings from the mainstream vendors all provide roughly the same protection, differing in a few features and capabilities. Long story short, you probably have something because you know you need something, and yes, something is almost always better than nothing. Even the built-in protection that comes with operating systems is pretty good these days.
For what it’s worth, consider more than just desktops and laptops as endpoints to be protected by Anti-Virus. Those endpoints should also include tablets, phones, and servers with most vendors having a product that will suit.
How Do I Make It Work?
Assuming you’ve already got an Anti-Virus (plus whatever else) application, your focus should be on schedules and updates. This is where the “Up-To-Date Signatures” part comes into play. Like operating systems and other applications, Anti-Virus systems quickly lose their defensive capability if not updated regularly. Whether you are using a stand-alone, unmanaged system or a full-blown corporate system with centralised management, you need to keep it updated. Manual? Automatic? Scheduled? Don’t care – just do it, and stay on top of it to make sure it IS updating when it’s supposed to.
For a distributed system, make sure the endpoints are actually receiving their updates, and be especially wary of systems that are off the network for extended periods, such as laptops.
Fine, so let’s say all the endpoints (including those I mentioned above) have an Anti-Virus solution in place to protect them, and you pull down and distribute the updates as necessary. Now you have end-to-end coverage with up-to-date signatures. Are you safe? Not quite yet. You need to run regular scans on the clients to make sure there is nothing lurking in the weeds. Updated software and signatures can often pick up something earlier versions did not, so regular scanning is a must.
Viruses mutate, much like those in the human world, so up-to-date signatures should ideally scan for and catch the variants, especially where the scanner missed one the first time and it has since mutated. Regular, scheduled scans are strongly recommended, ideally during off-peak hours. Also consider scanning all introduced media (USB sticks, CDs, DVDs, connected devices like mobile phones) when connected, and scanning computers that have been off the network for extended periods, such as powered-off systems or, more likely, laptops with travelling employees.
Pitfalls?
Signatures have limited effectiveness against modern threats, but they’re still a worthwhile mitigation strategy. Just don’t rely exclusively on them anymore; be sure to include them as part of your overall endpoint protection. Many modern threats cannot be detected using signatures alone, so I like to think of this as a way of keeping the ghosts of threats past in check. Remember the part in the original Ghostbusters when Walter Peck from the EPA had the containment unit shut off? Yeah...
Ghosts in The Machine?
Speaking of ghosts (nice segue), be wary of any “exempt” areas that do not get scanned. Not every solution will scan every nook and cranny of your computers, and knowing this, attackers may like to keep their viruses hidden in the deep, dark corners. Be sure to run full (and we mean FULL) scans regularly to smoke them out (kind of like how Venkman played the keys on the piano in Dana’s apartment – they hate that). You must love Ghostbusters!
Anything Missing?
Aside from having no anti-virus protection at all, odds are you have most of the other angles covered – or should. There is a reason this strategy is rated low on the ASD list, and it’s because it has limited effectiveness – but it still has effectiveness. Be sure to cover ALL your endpoints, keep it up to date, and run regular scans. For what it’s worth, test it regularly as well to make sure it works.
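As an added example (not part of the original post), here is what the advice in “How Do I Make It Work?”, “Ghosts in The Machine?” and “Anything Missing?” looks like as a script for endpoints running Windows Defender: it reads signature age, time since the last full scan, and any configured exclusions (the “exempt” areas) from each endpoint, flags the stale or exempt ones, and optionally pulls signatures and starts a full scan. The day thresholds, the host list and the assumption that PowerShell remoting is enabled on remote hosts are mine, not the post’s.

```powershell
# Added example, not from the original post: a Defender hygiene check built on the
# Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Update-MpSignature,
# Start-MpScan). Thresholds and the host list are assumptions.
param(
    [string[]]$ComputerName = @(),   # empty = check the local host only
    [int]$MaxSignatureAgeDays = 2,   # assumption: tolerated signature age
    [int]$MaxFullScanAgeDays  = 7,   # assumption: tolerated time since a full scan
    [switch]$Remediate               # update signatures and start a full scan when stale
)
$collect = {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        AVEnabled       = $status.AntivirusEnabled
        RealTime        = $status.RealTimeProtectionEnabled
        SigVersion      = $status.AntivirusSignatureVersion
        SigAgeDays      = $status.AntivirusSignatureAge     # days since last signature update
        FullScanAgeDays = $status.FullScanAge               # days since last full scan
        Exclusions      = @(@($prefs.ExclusionPath) + @($prefs.ExclusionExtension) +
                            @($prefs.ExclusionProcess) | Where-Object { $_ })
    }
}
$fix = { Update-MpSignature; Start-MpScan -ScanType FullScan }   # full scan, not quick
# Local host if no names were given; remote hosts need PowerShell remoting (WinRM) enabled.
$results = if ($ComputerName) {
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect
} else { & $collect }
foreach ($r in $results) {
    $issues = @()
    if (-not $r.AVEnabled) { $issues += 'antivirus disabled' }
    if (-not $r.RealTime)  { $issues += 'real-time protection off' }
    if ($r.SigAgeDays -gt $MaxSignatureAgeDays) {
        $issues += "signatures $($r.SigAgeDays) days old (v$($r.SigVersion))"
    }
    if ($r.FullScanAgeDays -gt $MaxFullScanAgeDays) {
        $issues += "last full scan $($r.FullScanAgeDays) days ago"
    }
    # Exclusions are the 'exempt' areas the scanner skips; surface them so they get reviewed.
    if ($r.Exclusions.Count -gt 0) { $issues += "exclusions: $($r.Exclusions -join ', ')" }
    if ($issues.Count -eq 0) { Write-Output "$($r.Host): OK"; continue }
    Write-Warning "$($r.Host): $($issues -join '; ')"
    if ($Remediate) {
        if ($r.Host -eq $env:COMPUTERNAME) { & $fix }
        else { Invoke-Command -ComputerName $r.Host -ScriptBlock $fix }
    }
}
```

A laptop that has been off the network for weeks shows up here as a large signature age and full-scan age, which is exactly the case the post says to watch for.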