
McAfee Debacle Shows Why Malware Defense Must Evolve

The flawed McAfee update illustrates why a new model for defending against malware is necessary.

By Tony Bradley, PC World
April 27, 2010 08:34 PM ET

Last week a flawed DAT file from McAfee led to false positives that crashed Windows XP systems and set off a massive cleanup effort. It would be very easy to simply point the finger at McAfee, terminate the employment of a scapegoat security engineer or two, and continue on with the status quo; however, the whole incident is an illustration of why the anti-malware industry--not just McAfee--needs to embrace the U.S. Marines mantra to improvise, adapt, and overcome.

The current model is like a war where the attacker gets to fire first, and only after some victims are hit can we take action to guard against a similar attack recurring. The reactionary, signature-based model is flawed by nature, and cumbersome to implement and maintain. It's a wonder that situations like the McAfee issue last week don't occur on a regular basis.

According to Symantec's Internet Security Threat Report XV, Symantec created 2,895,802 new malicious code signatures last year alone. This was a 71 percent increase over 2008 and a number representing more than half of all malicious code signatures ever created by Symantec. Furthermore, Symantec identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008.

A Symantec spokesperson stated "Knowing that Symantec produces up to 20,000 new malicious code signatures each day, and that other security vendors face similar circumstances, it becomes easier to understand, while not making it any more acceptable, a situation like McAfee faced last week."

Andrew Brandt, lead threat research analyst at Webroot, told me "Being even more proactive, and building signatures based on what you think the malware authors might do with their creations, can also lead to situations where you create more false positives. The key is to be alert and responsive to malware (which is in a constant state of rapid evolution), to build signatures as quickly as possible, and then do thorough testing before releasing them to the wide world. After all, scientists need a sample of the new flu virus strains before they can make a vaccine. The analogy applies here, too."

Fair enough. Or, maybe there are simply too many "flu strains" for the reactionary model of developing a vaccine after the fact to be effective. Perhaps it's time for anti-malware vendors to evolve and adopt new models that work more efficiently: the same level of protection with less effort on their part, and less room for an error with the kind of impact the McAfee incident had.

There are a couple of approaches. One is to stick with the signature-based model, but apply it in the cloud rather than implementing it on an individual system basis. This is the direction Webroot is headed. Brandt explained "Putting the definitions into the cloud, instead of letting them reside on the endpoint has a clear advantage in cases like this. If a definition hosted in the cloud goes horribly, horribly wrong, we can pull that definition from circulation immediately, thereby limiting the scope of the damage, and hopefully containing it to the small number of users who happen to be in the unlucky position to be first to use a defective definition set."
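The two ideas above, a release gate that tests a definition set against known-good files before it ships and a cloud-hosted verdict service whose defective set can be pulled at once, as an added, simplified simulation in Python. This is illustrative code written for this article, not McAfee's or Webroot's; the file contents, version numbers and the small known-good corpus are all constructed.

```python
import hashlib

def fp(data: bytes) -> str:
    """Fingerprint a file's contents (the lookup key for a definition set)."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in files; a real gate tests against a large known-good corpus.
SYSTEM_FILE = b"constructed critical system file"
OTHER_FILE = b"constructed benign file missing from the corpus"
KNOWN_GOOD = {fp(SYSTEM_FILE)}

class CloudDefinitionService:
    """Definitions live in the cloud; endpoints ask for a verdict per file."""
    def __init__(self):
        self.active = None        # (version, set of flagged fingerprints)
        self.revoked = set()

    def publish(self, version: int, flagged: set) -> bool:
        """Release gate: refuse any set that would flag a known-good file."""
        if flagged & KNOWN_GOOD:
            return False
        self.active = (version, set(flagged))
        return True

    def revoke(self, version: int) -> None:
        """Kill switch: pull a defective set from circulation immediately."""
        self.revoked.add(version)
        if self.active and self.active[0] == version:
            self.active = None

    def verdict(self, data: bytes) -> str:
        if self.active is None:
            return "no-definitions"
        return "malicious" if fp(data) in self.active[1] else "clean"

def endpoint_verdict(cached_dat: tuple, data: bytes) -> str:
    """Endpoint-resident DAT: keeps flagging until a fixed file is pushed out."""
    return "malicious" if fp(data) in cached_dat[1] else "clean"

def scenario() -> dict:
    svc = CloudDefinitionService()
    gate_rejected = not svc.publish(1, {fp(SYSTEM_FILE)})   # gate catches this one
    svc.publish(2, {fp(OTHER_FILE)})      # corpus gap: defective set slips through
    cached_dat = svc.active               # an endpoint copies the DAT locally
    first_user = svc.verdict(OTHER_FILE)  # the unlucky first user sees the false positive
    svc.revoke(2)                         # vendor pulls the set; cloud users are contained
    return {"gate_rejected": gate_rejected, "first_user": first_user,
            "after_revoke_cloud": svc.verdict(OTHER_FILE),
            "after_revoke_endpoint": endpoint_verdict(cached_dat, OTHER_FILE)}
```

Running `scenario()` shows the contrast the article draws: after revocation the cloud lookup stops flagging the benign file, while the endpoint holding the cached DAT still does.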


Originally published on www.pcworld.com.
