‘Powershifter’ – It's not the antivirus update, it's you

Title inspired by ‘Fear Factory’

It took many years and a lot of preaching to end users and business folks, but by now I would argue it is safe to claim that antivirus has been accepted as a necessity by most people. Mind you, I'm not claiming it is a perfect solution in every situation, but it is a step in the right direction.

If you successfully preached the necessity of antivirus to your boss, organization or customers and happen to have suggested a deployment of BitDefender, the last few days were probably not very enjoyable. As reported for example by PC World in “Bad BitDefender Update Clobbers Windows PCs”, the update files from 20 March caused some issues with legitimate files (aka false positive detections) on Windows 64-bit systems. As you would expect, a public outrage followed and BitDefender took some serious heat from their customers. Some of it was probably deserved, as you would expect this to be one of the most scrutinized areas during quality and release testing, but let's step back a second and think again.

25 April 2005 – Trend Micro Antivirus Update Slows PCs

30 July 2006 – Faulty Update Stymies Norton Users

12 November 2008 – AVG bug leaves Windows unbootable

9 July 2009 – CA antivirus trashing Windows system files

Looking at news reports from the last few years we notice that most of the major antivirus vendors have struggled with similar issues, so it shouldn't be a big surprise if this happens again at some point. It seems the solid job antivirus vendors do with their release management has become a bit of a disadvantage: customers get too comfortable with the update reliability and do not perceive pattern updates as a risk factor. This is understandable considering the low rate of occurrence and the high workload proper pattern testing would incur, but it does not mean that the pattern release process should be neglected entirely.

Without any statistical data to prove my assumption, I would assume that most environments out there do not need the latest and greatest pattern updates on their endpoints right away. An organization's antivirus pattern update policy might be as simple as following the principle “let the others go first and see if they survive”: instead of actively testing daily pattern updates (yeah, right), simply deferring the deployment by 24 hours should sort out most of the false positive issues. A basic policy might dictate downloading pattern updates from the vendor every day at 11am but not making them available to the endpoints before 8am the next morning, and limiting the update period to 2 hours. To remain flexible enough to cope with outbreaks, a separate process should be defined to ensure the endpoints can be forced to immediately call in and acquire an updated pattern file.
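The staging policy above, worked through as an added example that is not from the original post: the 08:00 release, the two-hour window and the emergency override are the post's values, while the Pattern record, the vendor-recall flag and the check-in scenario around a faulty 20 March update are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Policy values from the post; the data structure and function names are this example's own.
RELEASE_AT = time(8, 0)              # held-back patterns open to endpoints at 08:00 next day
RELEASE_WINDOW = timedelta(hours=2)  # and stay open for two hours only

@dataclass
class Pattern:
    version: str
    downloaded: datetime     # when the daily 11:00 job fetched it from the vendor
    recalled: bool = False   # vendor withdrew it (e.g. a known false-positive update)

def release_time(p: Pattern) -> datetime:
    """A pattern fetched on day D is not offered before 08:00 on day D+1."""
    return datetime.combine(p.downloaded.date() + timedelta(days=1), RELEASE_AT)

def in_release_window(p: Pattern, now: datetime) -> bool:
    start = release_time(p)
    return start <= now < start + RELEASE_WINDOW

def pattern_for_endpoint(staged: list[Pattern], now: datetime,
                         emergency: bool = False) -> Pattern | None:
    """Normal mode: newest non-recalled pattern whose window is open (None = keep current).
    Emergency mode (the separate outbreak process): newest non-recalled pattern, immediately."""
    candidates = [p for p in staged if not p.recalled and p.downloaded <= now]
    if not emergency:
        candidates = [p for p in candidates if in_release_window(p, now)]
    return max(candidates, key=lambda p: p.downloaded, default=None)

def demo() -> tuple:
    """Constructed scenario around a faulty 20 March update; returns the version served per check-in."""
    staged = [
        Pattern("20100319", datetime(2010, 3, 19, 11, 0)),
        Pattern("20100320", datetime(2010, 3, 20, 11, 0), recalled=True),  # the faulty one
        Pattern("20100321", datetime(2010, 3, 21, 11, 0)),                 # the vendor's fix
    ]
    checkins = [
        (datetime(2010, 3, 20, 9, 0), False),   # window open for the 19th's pattern
        (datetime(2010, 3, 21, 9, 0), False),   # faulty pattern recalled: serve nothing
        (datetime(2010, 3, 21, 9, 0), True),    # outbreak: best known-good pattern now
        (datetime(2010, 3, 21, 12, 0), True),   # outbreak after the fix was fetched
        (datetime(2010, 3, 22, 9, 0), False),   # the fix reaches endpoints on schedule
    ]
    served = [pattern_for_endpoint(staged, now, emergency) for now, emergency in checkins]
    return tuple(p.version if p else None for p in served)
```

Endpoints that check in outside the window simply keep their current pattern, which is the deferral the post describes; only the outbreak path bypasses it.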

Antivirus has a reputation of being a boring operational function rather than the most exciting security technology to play with, so IT and security staff tend to treat it in a set-and-forget way. As long as the planning and design were done properly and the basics are covered this should be fine, and it ultimately leaves more time to play with innovative technologies.

‘Electronegative’ – Free QualysGuard Malware Detection scan

Title inspired by ‘Sybreed’

Just in time for RSA 2010 Qualys announced their new (beta) service “QualysGuard Malware Detection”. According to their site it's a ‘ground breaking free service that scans your web site for malware infections and threats’ and since it is free I thought I'd give it a try.

Once you've registered and followed through the usual account creation process you're looking at a nicely made interface where you can start a new scan for a website of your choice. Should you want to scan a site that does not correspond to your registered email domain, you have to provide an email address for that domain for confirmation purposes.


The next step gives you the opportunity to set the scan job as a scheduled event and provides a few options to influence the depth of the scan.


And that is all the information Qualys needs to go and scan your site. My web site security skills are virtually non-existent, but I expected at least a few more tuning options. The service seems clearly aimed at SoHo users, which is fine of course if it does its job. The scan ran through fairly quickly and found no issues with my blog.


I decided to give it one more test before I set up a scheduled scan job to monitor my site and call it a day. “Inspired” by a posting on the PaulDotCom mailing list, where Irongeek discovered a suspicious PHP file on one of his web sites, I deemed this to be a sufficient (and quick) test for the ‘malware infection and threat’ diagnostic service. I uploaded a c99 shell, made sure it was accessible and working externally, and started the scan again. Unfortunately the result was exactly the same as before, even with the ‘intensity’ slider all the way to the right. No mention of any issue or possible threat.


After reading a bit in the ‘Support/How it works’ section I'm not sure if this is something the service is supposed to find, as it seems to be more focused on ‘drive-by’ stuff, but honestly: why bother with a malware infection and threat scan service if the obvious and easy stuff is not covered? That said, it really was just a quick test and more in-depth testing might paint a completely different picture. Anyway, the service is free and Qualys should be commended for their good intentions. Give it a try yourself and see if it does what you are looking for.
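A host-side check of the kind the remote scan did not perform, as an added example that is not Qualys's code and not part of the original post: it scores PHP source for traits common in web shells and runs over two constructed sample files. The function lists, weights and threshold are this example's own heuristics, meant to be tuned locally.

```python
from __future__ import annotations
import re

# Heuristic indicators for PHP web shells. The lists and weights are this
# example's own assumptions, not any vendor's signatures; tune them locally.
EXEC_FUNCS = r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("
DECODERS = r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("
REQUEST_INPUT = r"\$_(GET|POST|REQUEST|COOKIE)\b"
LONG_BASE64 = r"[A-Za-z0-9+/]{120,}={0,2}"

def score_php(source: str) -> tuple[int, list[str]]:
    """Score PHP source for web-shell traits; higher means more suspicious."""
    score, reasons = 0, []
    execs = sorted(set(re.findall(EXEC_FUNCS, source)))
    if execs:
        score += 2 * len(execs)
        reasons.append(f"command/eval functions: {execs}")
    if re.search(DECODERS, source):
        score += 2
        reasons.append("decoder/obfuscation functions present")
    # Strongest single signal: request input and an exec/eval call on one line.
    for line in source.splitlines():
        if re.search(REQUEST_INPUT, line) and re.search(EXEC_FUNCS, line):
            score += 5
            reasons.append(f"request input reaches exec/eval: {line.strip()[:60]}")
            break
    if re.search(LONG_BASE64, source):
        score += 3
        reasons.append("long base64-looking blob")
    return score, reasons

def is_suspicious(source: str, threshold: int = 5) -> bool:
    """Threshold is a starting point; review hits by hand before acting on them."""
    return score_php(source)[0] >= threshold

# Constructed samples (not files from the post). The second only has the *shape*
# of a loader: its blob decodes to "AAA...", which is not runnable PHP.
BENIGN = "<?php\n$name = htmlspecialchars($_GET['name'] ?? 'world');\necho \"Hello, $name\";\n"
SUSPICIOUS = "<?php\n$p = base64_decode('" + "QUFB" * 40 + "');\neval($p);\n"
```

Running this over the document root of a site on a schedule, or on every upload, covers the server-side case that a remote drive-by scan is not designed to see.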