July 26, 2018

Malware Defense-in-Depth – Antivirus is just a start – WST

Antivirus/antimalware software has been around a long time. It has evolved from simple endpoint agents with definitions and daily scanning to larger, comprehensive agents that hook into every corner of a system. From file system scanning to URL scanning and browser protection, today’s antivirus does a lot more – which is good!

The unfortunate truth, however, is that antivirus software is still vulnerable to the same weakness it has always had: it can only stop what it knows how to stop. Whether it is using blacklists, definitions, heuristic rules, or cloud-based detection networks, antivirus/antimalware products need to know what to look for. New malware that uses a new technique or code block can often slip right by, at least for a little while. This is true of EVERY product, regardless of the marketing claims. This is why it is important to consider antimalware controls as the base layer of multiple lines of defense.

Your other layers should assume that your endpoint antivirus controls have failed. If this happens, malicious code is going to run on your endpoint, so you need other ways to stop it. These ways should include:

  • Restrict user privileges on workstations – Users should never have administrative privileges on their own systems. Any malware they encounter will run with their privileges, so if they are an administrator on one or more systems, so is the attacker.
  • MS Office macro restrictions – You can control the execution of MS Office macros via Group Policy. If users do not need macros, they should be blocked.
  • Stop script file execution – End users rarely, if ever, need to run scripts. Files such as JS, HTA, VBS, and others should not run if opened by end users. Again, Group Policy can be used to associate these file types with a text editor like Notepad, which will essentially keep them from running when double-clicked. This can be enforced per user group, so admins and other power users can still run scripts when needed.
  • Block or log PowerShell usage – Many attackers utilize PowerShell for part, if not all, of their payload. It is present on all modern Windows systems and is very powerful. Consider ways to block the execution of powershell.exe by standard users. Again, this can be done via Group Policy per user group. This is not 100% effective but can stop many off-the-shelf payloads. At a minimum, log and alert on the usage of PowerShell commands by end users. This can alert you to potential trouble.
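An added audit script (not from the original post) that checks whether the four controls listed above are actually configured on a workstation. The registry paths it reads (Office 16.0 policy keys, the classic Windows Script Host file associations, the PowerShell logging policy keys) and its use of Get-LocalGroupMember are assumptions about a standard Windows 10 / PowerShell 5.1 or later environment, run from an elevated console.

```powershell
# Audit the defense-in-depth controls on the local workstation.
# Assumptions: Office 2016+ policy keys (16.0), default WSH associations,
# PowerShell 5.1+ with the LocalAccounts module, elevated console.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [string]$Value, [bool]$Ok) {
    $findings.Add([pscustomobject]@{ Control = $Control; Value = $Value; Ok = $Ok })
}

# 1. Local admin rights: flag user accounts other than the built-in
#    Administrator (RID 500) that sit directly in the Administrators group.
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' }
$names = if ($extraAdmins) { $extraAdmins.Name -join ', ' } else { 'none' }
Add-Finding 'Extra local admin user accounts' $names ($extraAdmins.Count -eq 0)

# 2. Office macro policy: VBAWarnings 4 = disable all macros, 3 = signed only.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $vba = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
    Add-Finding "$app macro policy (VBAWarnings)" "$vba" ($vba -in 3, 4)
}

# 3. Script file types: the open command should launch Notepad, not WScript/mshta.
foreach ($ext in '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta') {
    $progId = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$ext" '(default)'
    $cmd = if ($progId) { Get-RegValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" '(default)' }
    Add-Finding "$ext open command" "$cmd" ($cmd -match 'notepad')
}

# 4. PowerShell visibility: script block and module logging policies should be on.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$sbl = Get-RegValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging'
$mod = Get-RegValue "$base\ModuleLogging" 'EnableModuleLogging'
Add-Finding 'PowerShell script block logging' "$sbl" ($sbl -eq 1)
Add-Finding 'PowerShell module logging' "$mod" ($mod -eq 1)

$findings | Format-Table -AutoSize
```

The file association check reads the classic HKCR mapping only; a per-user "Default Programs" override stored under the Explorer FileExts UserChoice key is not inspected. A row with Ok = False is a control the post recommends that this machine does not enforce.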

Lastly, consider application whitelisting (blocking the execution of any process that is not explicitly trusted). This is a complicated control to implement but can be highly effective at stopping malware.

We are by no means advocating not having antivirus software, but it does have blind spots. IT security staff need to be aware of its limitations and implement other controls accordingly.
