Future of Antivirus :

Before we talk about the future of Antivirus, we need to understand the different stages in the malware defense and how the traditional antivirus protect us from various threats.

Stage 1. Protecting against ‘Less than Zero Day Threats’. A new malware has been developed but Antivirus vendors and/or public are not aware of the threat. Systems are most vulnerable at this stage. There is no or little protection at this stage.

Stage 2. Zero Day Threats. Details about the new malware is publicly known but no solution is available. The antivirus vendors normally start working on a new signature definition at this stage. Systems are more vulnerable at this stage. There might or might not be a workaround available.

Stage 3. A new signature is available but the Antivirus software is not updated with the latest signature. Systems are still vulnerable at this stage.

Stage 4. All or most of the machines are updated with the latest signature and the threat is under control.

Signature based Antivirus: A broken Model?

The traditional antivirus software (Signature based) uses device drivers that work in conjunction with a process to scan files for viruses. These drivers reside above the file system recognizer and scan files as they are accessed on a local hard disk.

When a process request access to a file, the device (filter) driver intercepts the call and pass the file handler (It either use the same handle created by the requesting process or create a new handle) to the antivirus scan engine. The scan engine will then check the real-time scan configuration and match patterns found in the file against a signature database.

The file is considered as safe if no matching result is found in the signature database. But the antivirus might leave the system in a danger, if it is an unknown threat or if a trusted application is trying to access an infected file.

When the computing world started developing a defense mechanism against malware threats, we started with a simple modal which was more or less similar to our own immune system. It was more like - ‘Take the required vaccinations and stop worrying about the known diseases’. It was a proven model until recently. But now signature based antivirus software is struggling to survive.

Until recently, malware writers were not well organized and they didn’t have the infrastructure or sophisticated tools to coordinate there activities. Now, it is a well organized, multibillion dollar ‘Industry’, with highly skilled and motivated people working in the underground.

Here, the real question is what are we trying to protect - Data or System?

We are not isolated anymore

Traditional Antivirus software is installed on the local machine and is developed to protect the end point. Resource consumption is always a problem with this method. Percentage of CPU and memory usage largely depends on the size of the signature file.

We moved away from the traditional computing model where monolithic applications processed enterprise data. Now, the client/server modal is also getting replaced by software services that allow lot more flexibility and reusability. Now, applications are developed as software services which can be used on-demand.

Antivirus as a Service

What we need to protect is the data. And we need to protect the integrity, availability and confidentiality of the data irrespective of whether the data reside on the local machine or not. All applications/services should be authenticated before they can access/modify the data. In ‘Antivirus as a service’ model, antivirus software is running as a service on the local machine and it should authenticate applications/services which request access to the data. The Antivirus Server is installed on a cloud and agents are deployed to all client machines. The agents will compare the application fingerprints against the local database before an application is granted permission to create, access, modify data. We will still need to maintain a database of known applications. But it is much better to have a database of a few 100 authenticated application ‘Finger-prints’ than having a database of a million virus signatures.

The Antivirus Service installed on a system should be able to communicate with the Antivirus Service installed on another machine and verify if the application is authenticated, before allowing an application or service from that machine to access the local data. If an application fingerprint is not found on the local database, then the agent can communicate with the server to see if the application is authenticated on any other server. The file integrity and modification details should also be verified for any unauthorized modification.

Any new process creation or registry modification requests should be allowed only if the request came from an authorized application.

This model has it own advantages and disadvantages. Next week, I would be sharing more details on this topic.

Next Week. Antivirus as a Service

Disclaimer: "What ever I discussed here are my personal opinions and they do not represent the opinions or positions of my employer".