Information Security News mailing list archives

AntiVirus scanning for potentially misused tools is a doomed security strategy.


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 20 Dec 1999 14:16:10 -0700

Forwarded From: darek.milewski () us pwcglobal com

http://www.hackernews.com/bufferoverflow/99/avscanning.html

AntiVirus scanning for potentially misused tools is a doomed security
strategy.
By: Weld Pond, weld () l0pht com
L0pht Heavy Industries
December 20, 1999

There is a growing trend with AntiVirus scanners today. The scanners are
scanning for more and more software that does not contain virus or trojan
code. The new category of software the scanners are looking for is common
software that has the *potential* to be misused by malicious persons.
Usually this software is in the security auditing tool, network
monitoring, or remote control category.

Corporate customers of AntiVirus software have requested that these
potentially misusable programs be flagged and, in some cases,
"disinfected" by the scanning software. The AntiVirus vendors seem more
than happy to comply, even going so far as to label this new category of
detected software as a "virus" or "trojan" when found, no matter how
misleading to the user this label is.

Another controversial twist in this new AntiVirus category is the fact
that the AntiVirus vendors do not scan for their own tools that fall into
the new "potentially misusable program" categories. Symantec's Norton
AntiVirus will scan for the remote control programs, NetBus or BO2K, but
not the company's own PC Anywhere. Network Associates' McAfee VirusScan
will detect the NT password auditing tool, L0phtCrack, but will not detect
the company's own vulnerability auditing tool, Cybercop scanner, or their
network sniffers, Sniffer Basic or Sniffer Pro.

It is a fallacy that commercial tools are not misused by malicious
individuals. They are usually available as free trial downloads or
available on pirate software sites. However, the whole notion of
protecting a network by scanning for potentially misusable tools is a
fallacy unto itself!

Using AntiVirus client scanning technology to find programs that can
exploit the security problems on a network is a losing battle. AntiVirus
software can be turned off. New tools or new versions of older tools will
soon become available. Other machines without AntiVirus software can be
attached to the network. Machines can be booted with alternative OSes.

You need to actually fix the network security problems! It is foolhardy to
scan for tools that could exploit problems rather than just fixing the
problems. This scanning scenario just gets OS and application vendors off
the hook. Now they don't have to fix the problems. They will just rely on
the AV vendors to scan for programs or code that can exploit the problems.
Why fix, for example, Win 95/98 challenge-response network authentication
when each client on the network could instead scan for all known tools
that can sniff the network or crack the passwords? Obviously this is not
a good security model.

Scanning for potentially misused tools is leading network security down
the path to the horrible situation we have with mobile code sent through
email or through the web. The current industry-accepted solution is not to
solve the problem with a proper security architecture for hostile mail or
web content, but instead to just scan for all *known* malicious mobile
code. Ugh! The AntiVirus vendors have a vested interest in the status quo,
but this is not bringing the industry closer to a solution. To broaden
this approach to cover network security problems is clearly heading in
the wrong direction.

Can you imagine a day when a vendor responds to an intranet security
vulnerability by saying, "This is not a problem with our product. We do,
as always, recommend that all customers keep their AV software updated."
It is time to start making networks or computers secure without relying on
the approach of client code scanning. A false sense of security is worse
than known poor security. If your network security cannot survive well
known tools being installed and executed then you need to start addressing
your problems, not sweeping them under the rug.


Weld Pond weld () l0pht com

ISN is sponsored by Security-Focus.COM