Hacker News Network

AntiVirus scanning for potentially misused tools is a doomed security strategy.

By: Weld Pond, weld@l0pht.com
L0pht Heavy Industries
December 20, 1999

There is a growing trend among AntiVirus scanners today. The scanners are detecting more and more software that contains no virus or trojan code at all. The new category of software the scanners look for is common software that has the *potential* to be misused by malicious persons. Usually this software falls into the security auditing tool, network monitoring, or remote control category.

Corporate customers of AntiVirus software have requested that these potentially misusable programs be flagged and, in some cases, "disinfected" by the scanning software. The AntiVirus vendors seem more than happy to comply, even going so far as to label this new category of detected software as a "virus" or "trojan" when found, no matter how misleading that label is to the user.

Another controversial twist in this new AntiVirus category is the fact that the AntiVirus vendors do not scan for their own tools that fall into the new "potentially misusable program" category. Symantec's Norton AntiVirus will scan for the remote control programs NetBus or BO2K, but not the company's own pcAnywhere. Network Associates' McAfee VirusScan will detect the NT password auditing tool L0phtCrack, but will not detect the company's own vulnerability auditing tool, CyberCop Scanner, or its network sniffers, Sniffer Basic and Sniffer Pro.

It is a fallacy that commercial tools are not misused by malicious individuals. They are usually available as free trial downloads or on pirate software sites. More to the point, the whole notion of protecting a network by scanning for potentially misusable tools is a fallacy unto itself!

Using AntiVirus client scanning technology to find programs that can exploit the security problems on a network is a losing battle. AntiVirus software can be turned off. New tools, or new versions of older tools, will soon become available. Machines without AntiVirus software can be attached to the network. Machines can be booted into alternative operating systems.

You need to actually fix the network security problems! It is foolhardy to scan for tools that could exploit problems rather than simply fixing the problems. This scanning scenario just gets OS and application vendors off the hook. Now they don't have to fix the problems; they can rely on the AV vendors to scan for programs or code that exploit them. Why fix, for example, Win 95/98 challenge-response network authentication? Instead, each client on the network can scan for every known tool that can sniff the network or crack the passwords. Obviously this is not a good security model.

Scanning for potentially misused tools is leading network security down the path to the horrible situation we already have with mobile code sent through email or the web. The currently accepted industry solution is not to solve the problem with a proper security architecture for hostile mail or web content, but instead to scan for all *known* malicious mobile code. Ugh! The AntiVirus vendors have a vested interest in the status quo, but this is not bringing the industry closer to a solution. Broadening this approach to cover network security problems is clearly heading in the wrong direction.

Can you imagine a day when a vendor responds to an intranet security vulnerability by saying, "This is not a problem with our product. We do, as always, recommend that all customers keep their AV software updated"? It is time to start making networks and computers secure without relying on client code scanning. A false sense of security is worse than known poor security. If your network security cannot survive well-known tools being installed and executed, then you need to start addressing your problems rather than sweeping them under the rug.


Weld Pond
weld@l0pht.com
These pages are Copyright © 2000 Hacker News Network All Rights Reserved.