IT Consultant Group

Hi all.  This is a request for clarification about how it is that malware can bypass SEP (or any AV).  I'm not asking how to do it, rather I need to understand better how it happens in order to carry on intelligent discussions with colleagues and customers alike about how important patching is.    

You see in IT security discussions/blogs all the time how they say some zero-day flaw exposes a host to infection, and you see statistics about percent of unpatched systems to known flaws, etc.  That recent one from Talos about 3 million unpatched Internet-facing servers running Destiny (the middleware, not the game :) ) is a good example. 

But what I never did look into was, is that a moot point if the computer in question is using a commercial endpoint security solution?  Let's assume there is no network-level IPS or anything and we're talking just endpoint security.  And I fully understand that AV and hostt-based IPS etc. is not 100% effective and that's fine, but does exploiting zero-day or unpatched known flaws somehow bypass endpoing security?  I'm sure the answer is not black and white, so perhaps the question is more about proportion - how much more likely are systems with unpatched holes to get infected if they happen to also be running current and commercial grade endpoint security. 

And again this stems from how I contiuously see artidcles that talk about how some unpatched flaw was used to allow infection to occur, yet these same articles never talk about how effective or not was the endpoint security.  You almost have to wonder if endpoint security does anything at all in these situations. 

Thanks, sorry if this request is long-winded, haven't had my coffee yet. 

Not sure if you're looking for a long, detailed answer but with AV only, there isn't one. AV detects/protects against only what it knows. If it doesn't have a signature, it doesn't have a chance. Which is why the other components of SEP are a must to have enabled. AV alone doesn't stand a chance today.
 

It's a very difficult question to answer a signature based AV system can only detect what it knows about in it's database. So to fully protect you have to take a multi layered technolgy and used all the elements of symantec endpoint protection to your advantage. While patching you're AV system for possible vulnerabilites with symantec endpoint protection managers and clients. Not patching these when available gimes the criminals an extra element to exploit when they become known issues.

So using elements like applications & device control and lockdown polices become dependant on how well you know your estate and how restrictive you want to be with users. So while patching mitigates vulnerabilities it also give you new functionality you can use in your finght to keep your environment safe. 

Below is an interesting read
http://www.webroot.com/blog/2012/02/23/why-relying-on-antivirus-signatures-is-simply-not-enough-anymore/

I would say I'm looking for a detailed answer, or rather I'm open to as much detail as anyone has to share.  But I'm hoping to avoid getting into a discussion about the differnces between traditional AV and current multi-component suites such as SEP.  I'm more interested in understanding how malware can use vulnerabilities in the OS itself to bypass SEP completely. 

IT security articles always talk about how hackers got into a network, planted malware on systems to allow backdoor access, and used said malware-provided access for future exploitation.  Many articles talk about how these APT style attacks allowed attackers onto networks for months or years. 

So one has to wonder, what is SEP's role in all that?  Is it that the detection rates for products like SEP are wayt worse than anyone realizes, or is it that malware that exploits OS holes basically bypasses SEP's various scanning technologies completely?  Kind olf like you have a guard protecting the doors and windows, because your defense plan doesn't take into account somebody can get in through a crack in the basement floor.  

ATP attacks are little different because those folks are the best of the best and state sponsored - endless supply of cash - to get what they need, not to mention they work with bleeding edge technology that no one else has seen. SEP components are still largely based on signature detection and these guys simply encrypt or change up the payload and they know how to get around a network without making much noise. There are so many logs to comb through, admins are buried. Defense in depth is what's needed but there isn't a magic cure all solution.

Sorry guys you're faster than I am on replies :) I read that Webroot article, thanks for sharing.  It was informative.  To date, it has always been my understanding that a signature is a hash, and that hash is based on the bits in a given file.  Change even one bit, compute the hash, and you have a new signature.  If that's correct, then polymorphic malware, could it not simply keep a nearly identical file, but have say, an 8 byte hex field at the end of the code that increments a new digit every now and then, which in effect makes it a zero-day malware?  If it's that easy, I would imagine it would be so easy to bypass signature-based protection in terms of file-based threats anyway.  IPS is another issue, as I imagine there are only so many ways you can slide down a TCP connection with malformed packets or whatever else. 

So please correct me if I'm mistaken about how the virus signatures work, I honestly thought it was as simple as single bit or bype changes resulting in new hashes.  And following with that logic, one then wonders why anybody would bother encrypting malware payload unless it's to hedge against deeper scanning techniques. 

So my original question still maybe stands, how does malware bypass the likes of SEP entirely, not through the front door where it is scrutinized by SEP but makes it through due to limitations of signatures or behavior scanning, but rather makes it through the back door by cleverly avoiding being scanned at all (either in transit, or, later, at rest on the file system).  I always assumed holes in the OS itself allowed for this. 

I think it's safe to assume that APT's are not limited only to state-sponsored actors. Not to argue the point b elavorously as I don't know too much about this, but the assumption has to be if there's money to be made, it's simply an investment for organized cybercrime to engage in.  Of course it depends on where the people involved reside, as certain states like to get more involved in this stuff with privatezed cybercrime than others. 

Ugh, I am not at all looking forward to the Internet of Things.  Stupidest idea anyone ever had.  It'll likely be the catalyst towards real worldwide awareness of IT security but it'll be a painful 5-10 years methinks. 

On a related note, did Symantec stop offering Web Security.cloud? 

I'm seeing a slight mis-understanding of terms.  There's a difference between 0-day exploits and malware.  Malware take advantage of (exploits) previously unknown flaw(s) in OS's, or applications, or services (daemons), etc.

It's true that polymorphic malware will, by definition, produce a new hash value if any part of the code is changed, but that does not equal a new zero-day exploit.  It's simply a new signature.  It's an impossible task to publish new signatures for every piece of malware so that's where things like heuristics and reputation come into play.  And Brian noted, AV by itself just ain't gonna cut it anymore.  And as a number of other folks have noted, if the AV engine is unaware of the malware, it cannot find it.

Defense in depth

No silver bullet(s)