There is no such thing as good malware

July 9, 2017 | By David Liff

There used to be a meme going around that stated “there are two types of companies in the world, those who know they have been hacked, and those that don’t know they have been hacked”. We all used to read the various versions of this meme, nod, smile and move on.

Maybe we didn’t take all hacks seriously in the past, or maybe we just didn’t understand the importance of security, or maybe we just realized at the time that being hacked was inevitable and we felt powerless to act in a way that would stop it from happening.

The issue today is that absolutely everything is connected, and the potential risk of giving control of everything, or at least a large part of everything, to an unknown illicit force is shocking. The impact of stolen security credentials, disrupted computing environments and stopped manufacturing and infrastructure is equivalent to blanket bombing a city, both in terms of gold and blood. People die and billions can be lost when computers break; it’s that simple.

There is no such thing as good malware

The classic model of security, one that dates back to the beginning of policing, is to identify a bad guy and tell everyone to look out for the bad guy. And just like in the days of the Wild West, the bad guys can use disguises to defeat most levels of detection (wanted posters = digital signatures).

Policing has got a lot smarter over the years, and it’s time for computer security to make a significant improvement. It is no longer acceptable to wait for “experts” to first see a new piece of malicious code (malware) and then update their customers. What is needed is a system that treats every file of an unknown security state with prejudice. This is not a trivial task, technically, but it is critical to ensure all malware can be defeated.

Here’s what is needed (and I’m simplifying):

1. All files entering a system must be scanned to identify their already known security status.

a. If they are already known to be malware, block them!
b. If they have previously been assessed and are known to be safe, allow them in!
c. If they are of an unknown security condition, i.e. they have not been seen before, then they must be contained, their actions monitored, and any potentially malicious activity stopped before it can do anything evil.

When an “unknown” file is encountered, the following process must be enacted.

1. A copy of the file must be made in the cloud, where it can be analyzed by artificial intelligence to determine whether or not it will perform any malicious act.
2. Some files will not perform a malicious act until some future event takes place; to ensure these are trapped, humans must also engage to identify really sneaky malware (if you are a computer scientist, this is to avoid what Alan Turing referred to as the halting problem).
3. Once a file is determined to be malware, it is blocked and the identified signatures used by all available systems are updated to block all future copies.
4. Once a file is determined to be good, it is allowed into the system, and the whitelist is updated so all future copies of this file are allowed into systems without needing further containment and evaluation.
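The two numbered procedures above (the known-bad / known-good / unknown triage on entry, and the block, allow or escalate-to-a-human steps once the cloud verdict arrives) can be written down as one small policy engine. The following is an added example, not code from this post or from any vendor’s product; it assumes a SHA-256 digest as the file’s identity (standing in for whatever signature the real system uses), in-memory sets as the shared blocklist and whitelist, and a caller-chosen `max_age` after which an undecided file is handed to an analyst:

```python
import hashlib
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Verdict(Enum):
    BLOCK = "block"      # already known to be malware: never runs
    ALLOW = "allow"      # previously assessed as safe: runs normally
    CONTAIN = "contain"  # never seen before: runs only inside the container


@dataclass
class FileGate:
    """Gate for files entering a host, keyed by the SHA-256 of the file content.

    blocklist and allowlist stand in for the shared signature and whitelist
    databases (assumption); pending holds unknown files awaiting a verdict.
    """
    blocklist: set = field(default_factory=set)
    allowlist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # hash -> (submitted_at, [names])

    @staticmethod
    def fingerprint(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def admit(self, name: str, content: bytes, now: Optional[float] = None) -> Verdict:
        """Entry triage: known-bad is blocked, known-good is allowed, unknown is contained."""
        h = self.fingerprint(content)
        if h in self.blocklist:
            return Verdict.BLOCK
        if h in self.allowlist:
            return Verdict.ALLOW
        # Unknown: a copy goes off for analysis, and every contained copy is
        # remembered so it can be released or killed when the verdict lands.
        submitted_at = now if now is not None else time.time()
        _, names = self.pending.setdefault(h, (submitted_at, []))
        names.append(name)
        return Verdict.CONTAIN

    def record_verdict(self, h: str, malicious: bool) -> list:
        """Steps 3 and 4: store the result so future copies skip containment.

        Returns the names of contained copies that were waiting on this
        verdict, so the caller can terminate them (malicious) or release them.
        """
        _, names = self.pending.pop(h, (None, []))
        if malicious:
            self.blocklist.add(h)
            self.allowlist.discard(h)
        else:
            self.allowlist.add(h)
        return names

    def needs_human_review(self, now: float, max_age: float) -> list:
        """Step 2: unknown files still undecided after max_age seconds go to an analyst."""
        return [h for h, (t, _) in self.pending.items() if now - t >= max_age]


def demo() -> dict:
    """Walk constructed sample files through the gate; returns the observed verdicts."""
    gate = FileGate()
    known_bad = b"constructed sample: known malware bytes"      # constructed input
    unknown = b"constructed sample: never-seen installer"       # constructed input
    gate.blocklist.add(FileGate.fingerprint(known_bad))

    results = {
        "known_bad": gate.admit("dropper.exe", known_bad, now=0.0),
        "unknown_first": gate.admit("setup.exe", unknown, now=0.0),
        "unknown_second": gate.admit("setup_copy.exe", unknown, now=10.0),
    }
    # Automated analysis has not concluded after an hour: escalate to a human.
    results["stale"] = gate.needs_human_review(now=3600.0, max_age=1800.0)
    # The analyst clears it; both contained copies are released and the
    # whitelist is updated, so the next copy is allowed straight in.
    results["released"] = gate.record_verdict(FileGate.fingerprint(unknown), malicious=False)
    results["unknown_after_verdict"] = gate.admit("setup_again.exe", unknown, now=3700.0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `pending` is the one the post makes about the halting problem: containment is what makes it safe to let the verdict take as long as it needs, and `needs_human_review` is the hook that stops an undecided file from sitting in limbo forever.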

While the copy of the file is being evaluated in the cloud, a copy is also made available to the target system within a virtual container. This allows the host system to continue to use the file, but the virtual container stops the file from doing anything that could be malicious. This works by giving the file access only to a virtual registry, a virtual COM and a virtual hard disk. As these are the only interfaces available through a modern operating system, any and all potentially malicious acts are stopped.

To date, the system that I have described is only available from a single vendor. And to date, the 100 million endpoints running this particular system have had a total of zero infections. This is the only system that does not rely on prior knowledge of any malware to ensure protection.

It works, it requires zero user retraining, doesn’t slow down the user’s system in any noticeable way, and stops all types of malware.

RANSOMWARE – stopped
Viruses – stopped
Worms – stopped
Bots – stopped
Key loggers – stopped
If it’s malware – it’s stopped.

The days when the lab test was “which antivirus scanner can detect the most malware” are over. The issue today is what you do with any unknown file.

If your system has a default allow policy for unknown files – you are at risk.

If your system has a default deny policy for unknown files – you cannot live in today’s digital world, as you won’t be able to use web, email or files in a timely manner.

What you need is a default deny level of security with a default allow level of usability. And this can only be delivered with the system I’ve described above.

Want to find out how exposed you currently are? Run the free analysis of unknown files in your environment:

https://enterprise.comodo.com/forensic-analysis-free/
