Browse by year:
February - 2015 - issue > CXO View Point
Unknown Files Closing the holes in Antivirus Security
Umesh Kumar Gupta
Head of Antivirus Research-Comodo Group
Wednesday, February 4, 2015
In a new world of constant threat hackers around the globe are working feverishly every hour, attacking large and small companies across every industry, writing malicious code to exploit your website and computer network.
Every computer, laptop and mobile device connected to your network represents a vulnerable endpoint for viruses, worms, spyware, rootkits, trojan horses and other malicious software – all of it designed to either disrupt your operations or gain access to proprietary data and information.
All of these forms of malware started out as an unknown file that was allowed to pass through into your system.
Why? Because traditional antivirus technology doesn’t prevent infection of a system, it only detects infection of a system after the breach has happened.
It’s like getting the flu shot after you have the flu.

Where are the threats happening?
With so many employees today accessing their corporate networks through endpoints such as smartphones, PCs, laptops, tablets and other mobile devices, it’s no surprise that a vast majority of businesses have already experience some sort of mobile security data breach. And companies that allow their employees to utilize personal mobile devices say the number of devices connecting to corporate networks is growing. Most estimate they have more than five times as many personal mobile devices connecting to their corporate networks than they had two years ago.

How are the attacks happening?
A zero-day attack targets a previously unknown vulnerability in a computer application. Because it occurs on the first day of awareness, developers have had zero time to address the problem.
This goes right back to the unknown files issue – of not having technology in place that can prevent an unknown file from penetrating a system.
Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. Web browsers are often a primary target because of their widespread distribution and usage. Attackers can also send e-mail attachments that exploit vulnerabilities in the application when the attachment is opened. Vulnerabilities discovered by hackers will be kept secret for as long as possible and will circulate only through the ranks of hackers until the software or security companies become aware of the vulnerability or the attack targeting it.
Antivirus systems use a file called a "blacklist" to prevent such attacks by determining which programs are safe to run. The problem is that a blacklist requires that a threat has already been identified, diagnosed and the antivirus system’s blacklist file updated. Given the unidentified nature of a zero-day attack, it’s impossible for a blacklist to be up-to-date 100 percent of the time for 100 percent of the threats.
No protection can be comprehensive unless it addresses the gray area where a program is not on a blacklist, but also is not confirmed safe on a whitelist.
Again, we come back to unknown files.

The Case for Sandboxing
A sandbox enables you to safely run suspected programs in a virtual environment. By sandboxing a program, you prevent it from making any permanent changes to your files or system. If the program turns out to be malicious, no harm is done. Sandboxing protects against zero day attacks that take advantage of unknown security holes in web software. While blacklists cannot protect you against these threats because they haven’t yet been identified, a sandbox can.
Running suspicious applications in a sandbox provides protection that a blacklist cannot. If an exploit downloads malicious software while in a sandbox it will be isolated and unable to spread.

Why "Default Deny" is the Only Guaranteed Solution
A sandbox employs a "Default Deny" strategy to restrict the access of all unknown applications to important files, folders and settings.
Default Deny refuses all files permission to install or execute outside of its virtual sandbox except when specifically allowed by the user or when the file appears on a whitelist. The whitelist identifies binaries that are known to be safe, such as signed code.
The benefit of Default Deny is that it closes the hole that other antivirus systems leave open thereby eliminating the risk of unknown threats. Where other antivirus solutions are limited to protecting you against files they are able to definitively identify as dangerous, Default Deny is the only strategy that protects you against any file not fully confirmed as safe.
The Default Deny approach used in Sandboxing authenticates every executable and process running on your computer and prevents them from taking actions that could compromise or harm your files. Equally important, it enables you to access and work with the files as they execute within the sandbox’s virtual environment. The result is total guaranteed protection without the loss of time, money or productivity.

Share on LinkedIn