Ken Munro, partner at Pen Test Partners

Believe an anti-virus vendor's marketing spiel and you might end up with a naff product – so do your homework.

Anti-virus vendors are up against it. Sure, they need to be agile in identifying signatures and rolling them out to clients asap, but what could they learn from hackers? What should grab their attention?

How about an easily accessible resource, used by hackers to verify that their malware can bypass an AV vendor's top product? That would be crazy, right? Worse, you may be inadvertently telling them how to hack your company.

Go and search for VirusTotal. You upload a suspicious file and it reveals how many of the 46 AV products it uses recognise that file as heinous. It will also share this with the AV community, allowing them to improve detection.

VirusTotal is great for hackers, but only if they know which AV they're up against. How does an attacker know this? Check the footer of that email you've just sent externally. Does it advertise your anti-virus vendor (“This email has been scanned for viruses by product X”)? If so, you've just told attackers which product they have to work around to deliver their malware to your users. Turn it off: remove that footer!

Maybe you use more than just one AV product, or you've already sanitised your email footers. How does one bypass unknown or multiple products? Now is the time to use a ‘packer’ to bypass signature-based detection.

Simple malware and virus detection involves matching signatures or checksums. So change the checksum by using a packer. There are many around: freeware offerings such as UPX and Mpress; and commercial tools such as Molebox. Often used to protect software from piracy or for reducing file size on disk, they're also handy for bypassing signature-based malware and virus detection.

Some AV products are quite good at detecting packers, but more recent packers are getting good at bypassing AV, particularly those using ‘metamorphic’ engines.
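For readers who want to see what "detecting packers" looks like from the defender's side, here is an added example (not code from the column or from Pen Test Partners). It applies two cheap heuristics that packer-aware scanners use: recognising section names that common packers leave behind, and measuring the Shannon entropy of each section, since compressed or encrypted payloads look close to random while ordinary code and data do not. The section-name list and the 7.2 bits-per-byte threshold are assumptions chosen for illustration, and the "sections" are constructed byte blobs rather than real PE files, so the script runs offline; in practice you would read the section table out of the executable. It is useful when you follow the evaluation advice later in the piece: if your own triage tooling flags a packed sample that your AV product waves through, you have found a coverage gap.

```python
import math
import random
from collections import Counter

# Section names left behind by common packers. UPX documents its UPX0/UPX1 names;
# the MPRESS names come from public analyses. Treat this as an assumption to
# extend, not a complete catalogue: a packer can rename sections trivially.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}

# Assumed threshold: compressed/encrypted data sits near 8 bits per byte, while
# normal code and data rarely exceed ~7.2. Tune against your own clean baseline.
HIGH_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, up to 8.0 for random bytes."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def assess_sections(sections: dict) -> dict:
    """Score each section and decide whether the file looks packed.

    `sections` maps a section name to its raw bytes. Returns the per-section
    scores plus a list of human-readable indicators that triggered.
    """
    per_section = {}
    for name, data in sections.items():
        entropy = shannon_entropy(data)
        per_section[name] = {
            "entropy": round(entropy, 3),
            "known_packer_name": name in PACKER_SECTION_NAMES,
            "high_entropy": entropy >= HIGH_ENTROPY_THRESHOLD,
        }
    indicators = []
    for name, info in per_section.items():
        if info["known_packer_name"]:
            indicators.append(f"{name}: known packer section name")
        if info["high_entropy"]:
            indicators.append(f"{name}: entropy {info['entropy']} bits/byte")
    return {
        "likely_packed": bool(indicators),
        "indicators": indicators,
        "sections": per_section,
    }


def constructed_samples() -> dict:
    """Two constructed stand-ins for an unpacked and a UPX-packed binary.

    These are not executables; they only imitate the byte statistics of the
    sections a scanner would see.
    """
    rng = random.Random(2013)  # fixed seed so the random payload is reproducible
    text_like = b"mov eax, ebx ; ordinary code and strings, mostly ASCII\n" * 80
    data_like = b"\x00" * 2048 + b"config=1\n" * 50
    packed_payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "unpacked": {".text": text_like, ".data": data_like},
        "upx_packed": {"UPX0": b"", "UPX1": packed_payload, ".rsrc": b"\x00" * 512},
    }


if __name__ == "__main__":
    for label, sections in constructed_samples().items():
        verdict = assess_sections(sections)
        print(f"{label}: likely_packed={verdict['likely_packed']}")
        for line in verdict["indicators"]:
            print("  -", line)
```

Two caveats worth keeping in mind when you use something like this: the column itself notes that packers are also used legitimately for anti-piracy and size reduction, so a hit is a triage signal rather than a malware verdict, and a packer that spreads its payload across low-entropy chunks or uses innocuous section names will pass both checks, which is exactly why signature-only and heuristic-only products both need testing against packed samples.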

The hacker packs the malware and uploads it to VirusTotal. They check that none of the mainstream vendors detect it, and send the email.

What frustrates me is that even though VirusTotal shares uploaded malware samples with the community, vendors seem desperately slow to respond to these. To illustrate this issue, we carried out an exercise for Infosec 2013. Two weeks before the show, we packed and uploaded a new malware sample to VirusTotal. No surprise: none detected it, as it was brand new. Two weeks later, only four vendors detected it. Even six weeks after the show, only five of the 46 vendors used by VirusTotal were detecting the file as malware. Incidentally, the vendors detecting it are not the major players that you might expect.

So, when you last reviewed your anti-virus product, did you actually review its ability to detect viruses and malware? Surely that's the most important feature, yet in my experience, many organisations rely on a vendor's marketing material and questionable third-party reviews when choosing their AV product.

Set up an isolated test bed, and test drive some products with known samples. Then pack them and try again. Finally, seed VirusTotal with some samples a few weeks before your evaluation, and see which products are good at keeping up to date with new samples. It won't take long to uncover significant gaps in coverage by the vendors, helping you to avoid a ropey product.

Execution of code in a sandbox is also an excellent idea. A small number of very interesting products are emerging that allow code to execute in a sandbox, analyse the activity, and then decide whether or not it's malicious. Then the email (or other content) can be delivered to the user safely. Be careful, though, as there is plenty of malware around that can detect and break out of some sandboxes.

Don't advertise your AV choice, but do have multiple layers of AV, using different vendors. Don't forget endpoint protection, evaluate AV performance properly, and don't believe the hype.