What is "up to date anti-virus software"?
On the heels of my post on Microsoft's SIRv4 earlier this week, reader Ray posed a great question that elicited some nuanced responses from fellow handlers Mark H and Swa F. All parties have agreed to allow me to share the conversation with the ISC readership.
From Ray:
What is, "up to date anti-virus software"? Is there a de facto standard of how often or what defines when a system is up to date or not up to date? My goal isn't to split hairs. There are a lot of moving pieces (in the background) to this question & where I work. I would like to know what other organizations use; besides sooner is better.
Mark H's response:
To me the definition of up to date is the latest pattern file for that particular application. So I tend to configure AV products to check at least hourly for updates and apply them. Some products, interestingly, still consider daily or weekly to be OK. Putting on my QSA hat, I usually accept daily updates as being OK (assuming that the AV product is therefore at the latest pattern update); go beyond that and you'd best have a very good reason for lagging.
Ray's reply:
While wearing the AV hat at my last company I expected a drop in infections when I stabilized our (pattern file) distributions, but didn't expect such a dramatic drop in the rate. With three updates a day, fewer than 0.5% of systems were more than one day out of date. Since moving to a different company with different responsibilities, I see one update a day and a 5-day window for updates with a target of only 90% of systems updated. I see... room for improvement, but face a mindset challenge. I was curious what other "standards" were.
Swa's feedback:
Agreement with Mark: hourly is THE way to go.
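Ray's numbers above (fewer than 0.5% of systems more than one day out of date, versus a 90%-within-five-days target) are easy to track if each endpoint reports when it last pulled definitions. The following is an added example, not code from the diary or any AV product: it parses a constructed inventory (hostname plus last definition-update timestamp, an assumed format) and reports the share of hosts stale beyond each window, so a team can check its own distribution against targets like those in the thread.

```python
from datetime import datetime, timedelta

# Constructed inventory for the example: "host,ISO-8601 timestamp of last
# definition update". The format is assumed, not any vendor's export.
INVENTORY = """\
ws-001,2013-04-26T08:05:00
ws-002,2013-04-26T07:40:00
ws-003,2013-04-25T09:15:00
ws-004,2013-04-23T18:00:00
ws-005,2013-04-22T12:30:00
srv-01,2013-04-26T08:55:00
"""

# Fixed "now" so the run is reproducible; a real report would use datetime.now().
NOW = datetime(2013, 4, 26, 9, 0, 0)

def parse_inventory(text):
    """Return {host: datetime of last definition update} from CSV-style lines."""
    updates = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, stamp = line.split(",", 1)
        updates[host.strip()] = datetime.fromisoformat(stamp.strip())
    return updates

def staleness_report(updates, now, windows):
    """For each window (in days) return (percent of hosts older than the
    window, sorted list of those hosts). An empty fleet yields 0.0%."""
    total = len(updates)
    report = {}
    for days in windows:
        cutoff = now - timedelta(days=days)
        stale = sorted(h for h, t in updates.items() if t < cutoff)
        pct = 100.0 * len(stale) / total if total else 0.0
        report[days] = (pct, stale)
    return report

def meets_target(report, days, max_stale_pct):
    """True when the share of hosts stale beyond `days` is within the target."""
    return report[days][0] <= max_stale_pct

def example_report():
    """Run the report over the constructed inventory at the fixed NOW."""
    return staleness_report(parse_inventory(INVENTORY), NOW, (1, 5))

if __name__ == "__main__":
    rep = example_report()
    for days, (pct, hosts) in rep.items():
        print(f"more than {days} day(s) out of date: {pct:.1f}% {hosts}")
    # Ray's two targets: <0.5% beyond one day; at least 90% within five days.
    print("1-day target met:", meets_target(rep, 1, 0.5))
    print("5-day target met:", meets_target(rep, 5, 10.0))
```

On the constructed data the five-day target passes while the one-day target fails, which is exactly the gap between the two regimes Ray describes.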
Photo courtesy of nukeitfromorbit.com
Great discussion, Ray and handlers. Thanks for letting us share.
Comments
However, what would you do in the event of a zero-day attack that infects a good number of your nodes, let's say over 100? In this case, having a tool (antivirus, etc.) that can scan, detect, and "clean" the infected systems would be useful. At least, it would buy you time (and act as a triage unit) while you are running around the building responding to all of the infected nodes...
JacCO
Apr 26th 2013
If you do hourly updates and your vendor puts out a bad set of defs, you just DoS'd your entire company.
Our perimeter systems (proxy, email, IPS) check for updates every fifteen minutes, but we have ways of rolling those back fast and people can keep right on working. Trying to roll back a thousand PCs when the AV has rendered them unbootable is a bit more problematic.
If malware gets to the desktop you have a lot bigger problem than wondering how many times a day the product needs to get updated.
JJ
Apr 27th 2013
Joshua
Apr 27th 2013
Update checks cost resources; therefore I recommend once a day for antivirus, or once a week.
AND do something else, in addition to antivirus.
Preferably (1) Application whitelisting -- use a solution that detects potential malware, using a whitelist instead of a blacklist; or detects suspicious software.
(2) HIPS -- software detecting suspicious behavior
(3) Group policy software restrictions, Applocker -- only software approved by IT can run.
Go for those 3, before something silly, like attempting hourly updates.
It's not that having AV software "fully up to date" is bad; it's that having AV software is almost silly these days, when there are billions of malware samples out there and a small number of rules that don't detect plenty of threats, even when fully updated.
The difference between "weekly update" and "hourly update", from a security standpoint, is in a sense -- negligible.
Neither will help you against the zero days. Heck, it takes the antivirus companies more than a few hours to make the rules, based on samples that were submitted to them days ago.
You're trying to add granularity to your update regimen that doesn't exist in the data available for your antivirus in the first place. Do something else.
Get a good IDS. Update the IDS hourly, because that's more useful.
Mysid
Apr 27th 2013
In the end no one security solution or countermeasure will protect your network. The best bet against an attack is having a proactive defense-in-depth strategy. This includes maintaining the strictest firewall ruleset possible, using a well tuned IPS (not IDS which is no different than a passive reporter), strong host security, strong network policies, and yes, as a last defense, updated AV/Malware definitions.
JacCO
Apr 29th 2013
The costs for new acquisition of hardware would be lower than cleaning up the infected ones, the responsible department said.
They estimated 130,000 Euro for disinfection and 35,000 Euro for reinstalling software.
WOW!
That makes approximately 1,000 Euro (1,300 USD) per PC for wiping a drive and rebuilding the OS.
If this is the daily rate for cleaning up infected machines I probably would quit my job for that reason.
Robert
Apr 29th 2013
If you have 1,500 systems, having a central authority that can PUSH updates is a much better solution. Especially if it can get updates from the vendor as soon as they are released and schedule staggered pushes across regions and time.
But, honestly, AV should be a part of your solution, not THE solution. We should be stopping most malware at the gateway, whether firewall, application proxy, or email.
If you can run a network IPS or IDS that does decent anomaly detection, you can even catch 0-days before you have a signature at all.
I think daily updates for AV are quite sufficient if you have other layers of defense and is probably a good tradeoff between resource usage and protection.
JRD
Apr 29th 2013
As someone else said, if having your A/V up to date is what keeps you protected, you've got other problems. You should have many lines of defense.
Jason R
Apr 29th 2013
https://isc.sans.edu/diary/McAfee+DAT+5958+Update+Issues/8656
Jason R
Apr 29th 2013
I also have to question the viability of replacing infected machines with new ones mentioned in another comment. Sooner or later the employees will notice and deliberately infect their computers to get new hardware.
KBR
Apr 29th 2013