AntiVirus scanning for potentially misused tools is a doomed
security strategy.
By: Weld Pond, weld@l0pht.com
L0pht Heavy Industries
December 20, 1999

There is a growing trend with AntiVirus scanners today. The scanners
are scanning for more and more software that does not contain virus or
trojan code. The new category of software the scanners are looking for
is common software that has the *potential* to be misused by malicious
persons. Usually this software is in the security auditing tool, network
monitoring, or remote control category.

Corporate customers of AntiVirus software have requested that these
potentially misusable programs be flagged and, in some cases,
"disinfected" by the scanning software. The AntiVirus vendors seem more
than happy to comply, even going so far as to label this new category of
detected software as a "virus" or "trojan" when found, no matter how
misleading to the user this label is.

Another controversial twist in this new AntiVirus category is the fact
that the AntiVirus vendors do not scan for their own tools that fall
into the new "potentially misusable program" categories. Symantec's
Norton AntiVirus will scan for the remote control programs, NetBus or
BO2K, but not the company's own PC Anywhere. Network Associates' McAfee
VirusScan will detect the NT password auditing tool, L0phtCrack, but
will not detect the company's own vulnerability auditing tool, Cybercop
Scanner, or their network sniffers, Sniffer Basic or Sniffer Pro.

It is a fallacy that commercial tools are not misused by malicious
individuals. They are usually available as free trial downloads or
available on pirate software sites. However, the whole notion of
protecting a network by scanning for potentially misusable tools is a
fallacy unto itself!

Using AntiVirus client scanning technology to find programs that can
exploit the security problems on a network is a losing battle. AntiVirus
software can be turned off. New tools or new versions of older tools
will soon become available. Other machines without AntiVirus software
can be attached to the network. Machines can be booted with alternative
OSes.

You need to actually fix the network security problems! It is foolhardy
to scan for tools that could exploit problems rather than just fixing
the problems. This scanning scenario just gets OS and application
vendors off the hook. Now they don't have to fix the problems. They
will just rely on the AV vendors to scan for programs or code that can
exploit the problems. Why fix, for example, Win 95/98 challenge-response
network authentication? Each client on the network should be scanning
for all known tools that can sniff the network or crack the passwords.
Obviously this is not a good security model.

Scanning for potentially misused tools is leading network security down
the path to the horrible situation we have with mobile code sent through
email or through the web. The current industry-accepted solution is not
to solve the problem with a proper security architecture for hostile
mail or web content, but instead just to scan for all *known* malicious
mobile code. Ugh! The AntiVirus vendors have a vested interest in the
status quo, but this is not bringing the industry closer to a solution.
To broaden this approach to cover network security problems is clearly
heading in the wrong direction.

Can you imagine a day when a vendor responds to an intranet security
vulnerability by saying, "This is not a problem with our product. We
do, as always, recommend that all customers keep their AV software
updated." It is time to start making networks or computers secure
without relying on the approach of client code scanning. A false sense
of security is worse than known poor security. If your network security
cannot survive well known tools being installed and executed then you
need to start addressing your problems, not sweeping them under the rug.

Weld Pond
weld@l0pht.com