Antivirus Weaknesses


Poor signature-based detection

Antivirus or antimalware software runs on the endpoint and watches for malicious binaries.  Signature-based detection cannot recognize a newly developed binary until the vendor has obtained a sample, analyzed it, and shipped an updated signature, so the first businesses and users hit by a new binary are compromised while their antivirus reports nothing.  Once the attack is discovered, the vendor updates its product and its other customers are protected against that specific binary.  Malware writers then test their binary against the major antivirus products and alter it until it is no longer detected before deploying it again, which restarts the cycle.

Incomplete Detection

Another possible antivirus weakness is the inability to detect malware that hides in parts of the operating system the scanner does not inspect.  For example, the attacker entices the user to download software that appears to be an “update”.  The “update” writes the script that performs the malicious activity into a registry value and drops a shortcut in the user’s Startup folder that launches it at every logon, giving it persistence without the script ever existing as a file the scanner can hash.  Not all antivirus products inspect script content stored in the Windows registry, so the persistence survives a scan that reports the system clean.
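The following PowerShell is an added example, not code from the original post. It audits the autostart locations the scenario above abuses (the Run and RunOnce keys and the per-user and all-users Startup folders) and flags entries whose command line invokes a script host, an encoded PowerShell command, or a script file extension. The regular expression of suspicious patterns is an assumption chosen for illustration; it is a heuristic and will need tuning for hosts that legitimately start scripts at logon.

```powershell
# Added example (not from the original post): audit Run keys and Startup folders for
# script-based persistence. Assumes Windows PowerShell 5.1 or later; run as the user
# whose profile should be checked (HKLM keys are covered for every user).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Per-user and all-users Startup folders, resolved from the environment.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Heuristic (an assumption for this example): commands that launch a script host,
# pass an encoded PowerShell payload, or point at a script file extension.
$suspicious = 'wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32|cmd(\.exe)?\s+/c|' +
              '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|\.vbs\b|\.js\b|\.ps1\b|\.hta\b|\.bat\b'

# Properties Get-ItemProperty adds that are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-SuspiciousCommand {
    param([string]$Command)
    return ($Command -match $suspicious)
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $value = [string]$prop.Value
        if (Test-SuspiciousCommand $value) {
            $findings += [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $value }
        }
    }
}

# Shortcuts are resolved through the WScript.Shell COM object so the real target and
# arguments are inspected, not just the .lnk file name.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $command = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            $command = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        if (Test-SuspiciousCommand $command) {
            $findings += [pscustomobject]@{ Location = $dir; Name = $file.Name; Command = $command }
        }
    }
}

if ($findings.Count -eq 0) {
    'No script-based autostart entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on a Startup shortcut whose target is powershell.exe or wscript.exe with arguments that read a registry value is exactly the pattern described above; the registry value it names should then be read and examined by hand, since the antivirus may never have looked at it.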

Antivirus Self-Protection

Once a malware operator gains access to a Windows target, perhaps by brute forcing the RDP server or exploiting a vulnerability, he or she will begin deploying and running tools.  Antivirus tends to block and quarantine well-known credential-theft tools such as Mimikatz and gsecdump, frustrating the operator’s progress, so he or she will disable the antivirus in some fashion: stopping the service, adding exclusions, turning off real-time protection, or setting a policy that disables the product.  Antivirus that does not prevent and report unauthorized changes to its own services and configuration is subject to being circumvented this way.

False Status Report

The antivirus reports that it has cleaned and quarantined the threat, but the threat remains, or the system is soon re-infected.  The administrator will need to identify the threat and consult online threat intelligence to determine whether the product is known to fail to remove it completely.  If removal was complete and the system is still re-infected, the malware is likely re-entering through an unpatched vulnerability.  The administrator will need to deploy the patch and then clean the malware, in that order, or the infection will simply return.

Computers without antivirus or damaged antivirus installation

The administrator deploys antivirus to all the systems that are online at the time but misses systems that are shut down or laptops that are in the field.  On other systems the product appears in the installed application list and its icon is present in the system tray, but the service is stopped or the filter driver is not loaded, so nothing is actually being scanned.  An inventory that trusts the installer entry or the icon rather than the running service and driver reports these hosts as protected.  Such a system becomes an easy target for attackers to run malicious software on and to launch further attacks into the network from.
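The following PowerShell is an added example, not code from the original post, and it serves three of the weaknesses above at once: stale signatures (Poor signature-based detection), a product that has been switched off or excluded (Antivirus Self-Protection), and an installation that looks present but is not running (this section). It is written for Microsoft Defender Antivirus, so the service name WinDefend, the minifilter name WdFilter, the Get-MpComputerStatus and Get-MpPreference cmdlets, and the DisableAntiSpyware policy value are Defender's; other products expose the same facts through their own consoles and service names. The three-day signature-age threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the original post): report whether Microsoft Defender Antivirus
# on this host is running, current and tamper-protected, rather than merely installed.
# Run from an elevated PowerShell session (fltmc requires administrator rights).

function Get-DefenderHealth {
    param([int]$MaxSignatureAgeDays = 3)   # assumption: older signatures are flagged
    $result = [ordered]@{}

    # The service, not the tray icon, is what scans files.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result.ServiceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # Without the WdFilter minifilter loaded, file I/O is not intercepted.
    $flt = fltmc.exe filters 2>$null | Select-String -Pattern '^WdFilter'
    $result.FilterDriverLoaded = [bool]$flt

    # Engine status: real-time protection, tamper protection and signature age.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        $result.RealTimeProtection = $status.RealTimeProtectionEnabled
        $result.TamperProtected    = $status.IsTamperProtected
        $result.SignatureVersion   = $status.AntivirusSignatureVersion
        $result.SignatureAgeDays   = [int]$status.AntivirusSignatureAge
    } else {
        $result.RealTimeProtection = $false
        $result.TamperProtected    = $false
        $result.SignatureVersion   = $null
        $result.SignatureAgeDays   = $null
    }

    # Local preferences an intruder (or a careless admin) may have changed.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        $result.RealTimeDisabledByPreference = [bool]$pref.DisableRealtimeMonitoring
        $result.ExclusionPaths               = @($pref.ExclusionPath) -join '; '
    }

    # Policy value commonly set to turn Defender off (1 = disabled).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                            -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $result.DisabledByPolicyKey = [bool]($pol -and $pol.DisableAntiSpyware -eq 1)

    # Verdict: every condition that would make the host effectively unprotected.
    $problems = @()
    if ($result.ServiceState -ne 'Running')   { $problems += "service is $($result.ServiceState)" }
    if (-not $result.FilterDriverLoaded)      { $problems += 'WdFilter minifilter not loaded' }
    if (-not $result.RealTimeProtection)      { $problems += 'real-time protection off' }
    if (-not $result.TamperProtected)         { $problems += 'tamper protection off' }
    if ($null -eq $result.SignatureAgeDays -or $result.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $problems += "signatures $($result.SignatureAgeDays) days old"
    }
    if ($result.DisabledByPolicyKey)          { $problems += 'DisableAntiSpyware policy set' }
    $result.Problems = $problems

    return [pscustomobject]$result
}

Get-DefenderHealth | Format-List
```

Run from a management host with Invoke-Command against the inventory, the Problems field gives a per-host list that separates “antivirus installed” from “antivirus working”, and a host that was deployed while offline or whose service has since been stopped shows up immediately.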

Network Containment/Isolation

The antivirus is not able to network contain or isolate a host from the rest of the network.  When a host is infected with malware, the network administrator may not know the extent of the infection or whether the antivirus has removed it effectively.  With a product that supports it, he or she uses the antivirus console to isolate the system so that it can reach only the management server, preventing further attacks and incursions into neighboring devices until the system is deemed safe.  Without that capability, containment requires a separate step such as a switch port change or a host firewall rule, which delays the response.

Lack of Monitoring

The antivirus product produces alerts for what it finds on the endpoints it covers, but by default those alerts may stay in the local event log or the product console where nobody is looking.  The administrator will need to configure the product to send an alert to a monitored destination, such as e-mail, a SIEM, or a ticketing queue, so that the affected system can be contained and the activity investigated while the evidence is fresh.
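The following PowerShell is an added example, not code from the original post. It shows what the monitoring gap looks like at the host level for Microsoft Defender Antivirus: the detection, failed-remediation and protection-state events are already in the local Operational log, but nothing leaves the host unless something reads and forwards them. It also covers the False Status Report section above, because a detection followed by an action-failed event is the case where the console may say “quarantined” while the threat remains. The log name and event IDs are Defender's; the 24-hour window is an assumption for illustration.

```powershell
# Added example (not from the original post): collect Microsoft Defender Antivirus
# detection and protection-state events from the local Operational log, flag failed
# remediation, and emit objects that can be forwarded to a SIEM or mail alert.

$log = 'Microsoft-Windows-Windows Defender/Operational'

# 1116 = malware detected, 1117 = action taken, 1118 = action failed,
# 1119 = critical error while taking action, 5001 = real-time protection disabled,
# 5007 = configuration changed (for example, a new exclusion added).
$ids = 1116, 1117, 1118, 1119, 5001, 5007

function Get-DefenderAlerts {
    param([int]$Hours = 24)   # assumption: look back one day by default
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Host    = $e.MachineName
            Summary = ([string]$e.Message -split "`r?`n")[0]
            Detail  = $e.Message
        }
    }
}

$alerts = @(Get-DefenderAlerts -Hours 24)

# Remediation that did not complete: the console reports a detection, but 1118/1119
# record that the clean or quarantine action failed, so the host is still infected.
$failed = @($alerts | Where-Object { $_.Id -in @(1118, 1119) })

# Protection-state changes: an unexpected 5001 or 5007 is what a tampering operator leaves behind.
$tamper = @($alerts | Where-Object { $_.Id -in @(5001, 5007) })

$alerts | Sort-Object Time | Format-Table Time, Id, Summary -AutoSize -Wrap

if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) detection(s) with failed remediation; treat this host as still infected."
}
if ($tamper.Count -gt 0) {
    Write-Warning "$($tamper.Count) protection-state change(s); verify each one was authorized."
}

# Forwarding: write the alerts as JSON for a log shipper or mail job to pick up.
$alerts | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:ProgramData\defender-alerts.json"
```

Scheduling this to run every few minutes and shipping the JSON file, or subscribing to the same log with Windows Event Forwarding, turns a silent local log entry into an alert that reaches someone who can contain the host.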
