Making AV Better

You’ve already heard this from your desktop security team: Anti-virus software doesn’t seem to work. And while the best security vendors have done a credible job (in my estimation) of maximizing the degree to which behavioral analytic, traditional signature, and even machine learning methods can detect endpoint malware instances, existing AV software remains a partial control for your PC.

The idea of partial control, by the way, is hardly new in cyber security. Those who make their living managing perimeters, for example, will laugh at the idea that a five-tuple or next generation firewall can keep hackers outside an enterprise. Instead, the security gateway, like most cyber security mechanisms, will do a partial job, then hand things off to the next layer in the defense-in-depth architecture.

These familiar themes were front and center during a technical review held earlier this week on Fulton Street with Lenny Zeltser, VP of Products for Minerva Labs, an Israeli cyber security company. I’d run into the Minerva team during a speed-dating security analyst session held earlier in the month. I liked what I saw and asked if the principals would be willing to explain more. Lenny agreed to chat – and here is what I learned:

In a nutshell, Minerva improves the partial AV controls on your Windows PC (and soon Mac) – and this is done using clever anti-evasive techniques. The company has its roots, like most Israeli cyber security companies, in national defense. It is therefore not surprising that their solution derives its design and operation from an intimate technical understanding of how malware operates and tries to get around AV software.

As security experts know, AV software detects malware through patterns or actions that are pre-classified or dynamically interpreted as suspicious. The challenge, as any endpoint team will attest, is that malware designers have learned to evade such detection. We refer to the result of such evasion as a variant, and this attack strategy has become a nightmare for AV providers to say the least.

Minerva is pioneering an augmentation that makes the AV better by focusing on the evasion. The theory is that by addressing evasion, Minerva leaves malware designers with two options: Evade the AV and get caught by Minerva, or leave out the evasion and get caught by the AV. Zeltser put it this way: “We use anti-evasion algorithms based on thousands of artifacts to make AV more effective on the endpoint.”

Here's an example: Malware commonly unpacks into the memory of a legitimate app to hide from the AV software. Minerva focuses on interfering with the evasive action itself. “Our goal is to create challenges for an adversary trying to create evasive action,” Zeltser said. “For example, our solution will cause malware to stop working if it attempts to unpack itself into other processes as a way of getting around AV.”

Another common evasion technique: malware checks whether it is executing in a containerized sandbox, and the typical programmed response on finding one is to simply stop executing. Minerva takes advantage of this design decision by fooling the malware into believing it is operating in a sandbox. This deception effectively stops the malware from executing.
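The deception just described, as an added example in Python that is not Minerva's code and does not reflect how their product is implemented: a toy model in which the evasive sample's own sandbox probe is turned against it. The defender plants inert copies of exactly the evidence the sample looks for, so the same probe that would let it run on an ordinary endpoint now tells it to abort. The indicator names, the scoring threshold and the probe logic are constructed placeholders for illustration.

```python
"""
Added example (not Minerva's code): a model of the 'fake sandbox' deception.

A sandbox-aware sample probes its environment for evidence of analysis and
aborts when it finds enough of it. The deception layer fabricates that
evidence on a real endpoint, so the sample's own check makes it quit.
Every artifact name below is a constructed placeholder, not a real
sandbox indicator.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed set of "analysis evidence" that the modelled sample probes for
# and that the deception layer will fabricate.
INDICATOR_FILES = ["sandbox_agent.dll", "analysis_hook.sys"]
INDICATOR_ENV_VARS = {"ANALYSIS_SESSION": "1"}


def plant_decoys(root: Path, environ: Dict[str, str]) -> List[str]:
    """Defender side: create benign, empty marker files and environment
    variables that look like an analysis environment. Returns the list of
    artifacts created so they can be audited or removed later."""
    created: List[str] = []
    for name in INDICATOR_FILES:
        marker = root / name
        marker.write_bytes(b"")  # zero-byte file; inert on a real endpoint
        created.append(str(marker))
    for key, value in INDICATOR_ENV_VARS.items():
        environ[key] = value
        created.append(f"env:{key}")
    return created


def sandbox_score(root: Path, environ: Dict[str, str]) -> int:
    """Models the evasive sample's probe: count how many analysis
    indicators are present. The checks are illustrative only."""
    score = 0
    for name in INDICATOR_FILES:
        if (root / name).exists():
            score += 1
    for key, value in INDICATOR_ENV_VARS.items():
        if environ.get(key) == value:
            score += 1
    return score


def simulated_sample_decision(root: Path, environ: Dict[str, str],
                              threshold: int = 2) -> str:
    """Models the sample's control flow: 'abort' if it believes it is being
    analysed, otherwise 'run'. The threshold is a constructed value."""
    return "abort" if sandbox_score(root, environ) >= threshold else "run"


def demo() -> Tuple[str, str]:
    """Runs the probe before and after the decoys are planted on a scratch
    directory, returning the sample's decision in each case."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        environ: Dict[str, str] = {}  # stand-in for the process environment
        before = simulated_sample_decision(root, environ)
        plant_decoys(root, environ)
        after = simulated_sample_decision(root, environ)
    return before, after


if __name__ == "__main__":
    print(demo())  # ('run', 'abort')
```

The point of the model is that nothing about the sample's logic changed between the two runs; only the environment did. The caveat a practitioner would want before deploying anything of this kind is the flip side of that: any legitimate software that also changes its behaviour when it believes it is under analysis (licensing or anti-tamper checks are the usual culprits) will see the same decoys, so the planted artifacts need to be inventoried and tested against the endpoint's own application estate.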

Minerva installs adjacent to existing AV software. McAfee users, for example, can deploy the Minerva Anti-Evasion Platform using their existing ePO deployment, which will simplify roll-out. Those who share a generation with me will remember that running multiple AV software was often impossible, since parallel AV software has traditionally been prone to collisions on shared resources. This is not an issue here.

I asked Zeltser if detecting evasive actions, such as memory obfuscation or use of on-line debuggers, is just a new form of signature. His response was that the evasion techniques they maintain are consistently used by malware authors, and generally don’t change even across variants of a given malware sample. This, he explained, is a different situation than one finds with AV software – and I think that sounds reasonable.

I know that many of you have soured on the idea of your AV solution providing any reasonable level of protection for PC endpoints. And your concerns are justified. But in any environment where such protections will continue to operate as an auditable control, the use of an augmentation like Minerva that makes the AV work better seems like an important and justifiable approach.

Give them a call and see what you think. Let us know what you learn.