
Virtual malware labs are 'broken': Webroot

Using virtual labs to understand and dissect malware is a "broken" malware defence technique, according to Webroot managing director for Asia Pacific Crispin Kerr, who says that while the method may help detection, it doesn't provide a cure for computers that get infected.
Written by Michael Lee, Contributor

(08/18 - Pulling the CPU image by Erik Ogan, CC BY-SA 2.0)

In an interview with ZDNet Australia, Kerr said that the traditional method of analysing malware simply doesn't work anymore, and that greater emphasis needs to be placed on providing forensic analysis of unknown or suspicious-looking applications.

"The current way that antivirus is delivered to end users, whether it be consumer or enterprise, is broken."

Kerr's approach to catching malware is to watch closely any application that is not already known in the user's own environment, rather than sending information or a sample to a lab to be run under controlled conditions. By recording everything the program does in a forensic log of its actions, every change it made can be reversed if it turns out to be malicious.

Kerr argued that each user's machine is unique, and that virtual environments, while they help to detect malware, do nothing to untangle it once it has taken root on a particular system. Most often, he said, a lack of understanding of what the virus did in situ means the end user's machine is simply re-imaged.

"If you're trying to replicate the problem in a virtual environment, then you're missing the point. Yes, you're going to be able to generate a signature that's taking down the problem going forward, but people need help remediating, and they don't want to have to do it themselves," he said.

"All [that] these antivirus technologies are doing today are saying, 'Hey, we found a virus!' and you go, 'Great! The [antivirus] product's working!' ... but you still then have to go and re-image the machine, so a lot of the work is being put back on the user."

"[They] tell you, as the admin, to go and do the work so they can help you, which is basically go back to your network and generate a whole bunch of logs so that we try and replicate what's happening in your environment in our virtual environment. That sort of ... environment doesn't look like the customer's environment at all. It'll take a number of days for them to process that information and produce a signature that will ultimately detect that problem that you've got, but it won't actually remediate what's happened. The answer more often than not for most organisations is to re-image the machine."

Re-imaging means the admin restores the machine from a known-good image: either a standard build or a snapshot of that particular system taken before the malware ran. That does return the computer to a clean state, but every legitimate change made since the image was taken (installed software, configuration, local data) is lost unless it was backed up separately.

Kerr also criticised the use of scripts to remove malware that has had its behaviours mapped out in a virtual environment.

"You're relying on these vendors to be able to replicate the problem exactly. You remove the virus, and often the user still complains that the machine is running slowly. That's because the removal script there hasn't done an effective job, and it's left [things like] registry settings," he said.

"Businesses want to know that when they've run a script that it's cleaned the infection completely and restored the computer to its previous state before it was infected. Because traditional antivirus solutions have no understanding of exactly what that virus has done; you can't have 100 per cent confidence, and that's why more and more people are actually turning to re-imaging."
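As an added illustration of the per-machine journaling Kerr describes, and of the complaint above that a removal script "left registry settings" behind, here is a small Python model. It is not Webroot's code and does not come from the article: a monitor applies a suspect program's actions to a simulated host (file contents plus a flat registry-style key store) and records each action with the value it overwrote, so the whole run can be reversed in order. The malware behaviour, file paths and registry keys are constructed for the example; the `Run` and `EnableLUA` key names are real Windows locations used only as recognisable sample keys.

```python
"""Toy model of per-host change journaling with rollback, contrasted with a
signature-based removal script. Host state is simulated in memory; the
malware, file paths and registry keys are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional

HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
REPORT = r"C:\Users\alice\Documents\report.docx"
NOTES = r"C:\Users\alice\Documents\notes.txt"
PAYLOAD = r"C:\Users\alice\AppData\Roaming\svchost32.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"
LUA_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


@dataclass
class Host:
    """Simulated endpoint: file contents plus a flat registry-style store."""
    files: dict = field(default_factory=dict)
    registry: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Change:
    """One journaled action and the value it overwrote (None = was absent)."""
    store: str
    key: str
    before: Optional[str]
    after: Optional[str]


class Monitor:
    """Routes a suspect program's actions to the host and journals each one
    with its before-image, in order, so the entire run can be reversed."""

    def __init__(self, host: Host):
        self.host = host
        self.journal: list = []

    def write(self, store: str, key: str, value: str) -> None:
        target = getattr(self.host, store)
        self.journal.append(Change(store, key, target.get(key), value))
        target[key] = value

    def delete(self, store: str, key: str) -> None:
        target = getattr(self.host, store)
        self.journal.append(Change(store, key, target.pop(key, None), None))

    def rollback(self) -> int:
        """Undo newest-first, restoring each before-image; returns the count."""
        for change in reversed(self.journal):
            target = getattr(self.host, change.store)
            if change.before is None:
                target.pop(change.key, None)
            else:
                target[change.key] = change.before
        undone, self.journal = len(self.journal), []
        return undone


def baseline_host() -> Host:
    """Constructed clean state from before the suspect program ran."""
    return Host(files={HOSTS: "127.0.0.1 localhost\n", REPORT: "<quarterly report>"},
                registry={LUA_KEY: "1"})


def run_malware(mon: Monitor) -> None:
    """Constructed dropper: drop, persist, weaken a setting, tamper, destroy."""
    mon.write("files", PAYLOAD, "<payload>")
    mon.write("registry", RUN_KEY, PAYLOAD)
    mon.write("registry", LUA_KEY, "0")
    mon.write("files", HOSTS, "127.0.0.1 localhost\n0.0.0.0 av-updates.example\n")
    mon.delete("files", REPORT)


def signature_removal(host: Host, known_bad: list) -> None:
    """What a lab-derived script does: delete the files it has signatures for.
    It carries no record of the run's other side effects."""
    for path in known_bad:
        host.files.pop(path, None)


def residue(host: Host, base: Host) -> dict:
    """Everything still differing from the clean baseline (None = now missing)."""
    diff = {}
    for store in ("files", "registry"):
        cur, ref = getattr(host, store), getattr(base, store)
        for key in set(cur) | set(ref):
            if cur.get(key) != ref.get(key):
                diff[(store, key)] = cur.get(key)
    return diff


def demo() -> tuple:
    # A: malware ran unobserved, then a signature-based removal script.
    host_a = baseline_host()
    run_malware(Monitor(host_a))
    signature_removal(host_a, [PAYLOAD])
    # B: the same run under the monitor, followed by a legitimate change the
    # user makes afterwards (not attributed to the suspect, so not journaled).
    host_b = baseline_host()
    mon = Monitor(host_b)
    run_malware(mon)
    host_b.files[NOTES] = "written after the infection"
    mon.rollback()
    return host_a, host_b
```

Running `residue(host_a, baseline_host())` after path A shows exactly the situation Kerr complains about: the payload is gone, but the `Run` entry, the changed `EnableLUA` value, the tampered hosts file and the deleted document all remain as they were left. Path B comes back to the baseline plus the user's later file, which re-imaging would have discarded. The caveat is that rollback is only as complete as the journal: anything done before monitoring started, or by a process the monitor did not attribute to the suspect (injected code, a scheduled task it created), is invisible to it, and a legitimate change to a key the suspect also touched would be clobbered by this naive before-image restore unless the implementation detects the conflict.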
