My oh my how the landscape of malware has changed over the last 10 years. The traditional “virus” is all but dead, and the transports for new threats are evolving almost faster than the security services can adapt. The latest trend of malware is web-borne annoyance-ware like FakeAV, which tries to trick you into buying something and then essentially makes doing any task on your computer so obnoxious that you can’t even use it. Is FakeAV dangerous? That depends on how you look at it. Is FakeAV a big problem? Absolutely.
The big problem with these new malware types is that they get you via compromised websites, don’t get picked up by older client security programs, and infect you whether you’re running as local admin or not. Add to that the fact that there are so many variants of the same infection that none of the published data is relevant by the time you get infected. This means potentially excessive downtime for cleanup tasks, which is a serious issue in the enterprise.
So what is going on here and where should we direct our focus? Is client protection paramount? Is gateway protection paramount? No. Should we run the #1 solution at every level? In an ideal world with blistering fast hardware and networks and an unlimited budget, probably, but that isn’t reality, is it? No.
We have several layers of security in place, and it’s not enough. Email comes in through MessageLabs where it is scanned for viruses and spam, then it comes into our network through SpamSentinel where it is scanned for viruses and spam again (because honestly, nothing on the market is better at stopping spam than SpamSentinel), and then Symantec Antivirus Corporate Edition v10 scans mail again at the client level. We are controlling access to known malware sites with OpenDNS and Websense, and running gateway antivirus on our Watchguard firewall. We have SAV CE v10 running on all clients and servers with an aggressive definition update schedule and all of the most thorough scanning options enabled and enforced. The majority of our users do not have local admin rights to their systems. We still get nailed with infections on a regular basis.
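To make the "layers" above concrete on the web side, here is an added example (not code from the original post and not the output of Websense, OpenDNS, or any other product named here) that triages web-proxy log lines with two checks that don't depend on current signatures: a hit on a blocklisted domain, and an executable downloaded from a host that isn't on an allowlist of known update sources. The log format, the blocklist, the allowlist and every domain in it are constructed for the example.

```python
"""Triage of web-proxy logs for web-borne malware indicators.

Added example, not part of the original post. The log layout below is a
constructed "timestamp client_ip method url status content_type" format,
not the log format of Websense, OpenDNS or any real product, and the
blocklist, allowlist and domains are made up for the example.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2009-06-01T09:12:01 10.0.0.15 GET http://news.example.com/index.html 200 text/html
2009-06-01T09:12:03 10.0.0.15 GET http://ads.example-malicious.test/scan.php 200 text/html
2009-06-01T09:12:05 10.0.0.15 GET http://ads.example-malicious.test/fake-av-setup.exe 200 application/octet-stream
2009-06-01T09:15:40 10.0.0.22 GET http://updates.vendor.example.com/defs.dat 200 application/octet-stream
2009-06-01T09:16:10 10.0.0.22 GET http://cdn.unknown-host.test/setup.exe 200 application/x-msdownload
2009-06-01T09:20:00 10.0.0.31 GET http://intranet.example.com/home 200 text/html
"""

# Constructed blocklist standing in for a category feed from a DNS/web filter.
BLOCKLIST = {"ads.example-malicious.test"}
# Constructed allowlist of hosts that legitimately serve binaries (e.g. AV definition updates).
BINARY_ALLOWLIST = {"updates.vendor.example.com"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi")


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, status, ctype = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname or "", "status": int(status), "ctype": ctype}


def classify(rec):
    """Return the reasons this request deserves attention (empty list if none)."""
    reasons = []
    if rec["host"] in BLOCKLIST:
        reasons.append("blocklisted-domain")
    path = urlparse(rec["url"]).path.lower()
    is_binary = rec["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_SUFFIXES)
    # A successful binary download from a host not on the allowlist is worth a look
    # even when no signature exists yet for the payload.
    if is_binary and rec["status"] == 200 and rec["host"] not in BINARY_ALLOWLIST:
        reasons.append("executable-from-unapproved-host")
    return reasons


def triage(log_text):
    """Group flagged requests by client so the machines to isolate first are obvious."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings[rec["client"]].append((rec["host"], reasons))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in sorted(triage(SAMPLE_LOG).items()):
        print(client)
        for host, reasons in hits:
            print(f"  {host}: {', '.join(reasons)}")
```

On the constructed sample, the client that touched the blocklisted domain and pulled a binary from it is flagged twice, the client that fetched an executable from an unknown host is flagged once, and the client that only downloaded definitions from the allowlisted update host is not flagged at all; the second check is the one that catches a variant the category feed and the AV definitions haven't caught up with yet.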
Here’s my quick list of options to consider from here. Should we…
- Upgrade to Symantec Endpoint Protection 11? Yes.
- Implement an enterprise-class IDS/IPS security solution? Yes.
- Be proactive and (gasp) focus on securing websites against the worms that started this mess? YES!
This is where Qualys (and probably some other vendors) comes in. Remote vulnerability scanning of websites. Use it. Love it. Stop web-borne malware. While I haven’t actually tested their tools yet, I feel strongly that this type of service will develop into a prominent fixture in the IT world and will become standard best practice for all. The web is a great platform for spreading malware, but only because we’ve ignored the threat for so long.