Antispyware and AV software ought to be the sameware

12/03/2009 03:15:57 PM

Every network client must have antivirus software. We’ve been told so for years, and the message is finally sinking in. Network admission and integrity control are poised to enforce it today in enterprise networks and hopefully soon for public Internet access as well. Concern over spyware is increasing so rapidly that I fully expect that antispyware, too, will be a prerequisite for network logon. The problem I foresee is that, if we instrument poorly, network admission will end up like the queues at customs and immigration services: long, slow, tedious, and frustrating.

Now that the tools are present to actually enforce network admission, pause to think of all the things an organization might really want to check before admitting a client to a trusted network (and by client, I include handhelds and phones):

  • firewall software
  • antivirus software
  • antispyware software
  • popup blocking software
  • antispam software
  • operating system and application patches and hotfixes
  • VPN client

Now, it’s not enough to simply check whether the software is present. Is all of it running? Is it applying known and trusted configurations and policies? Is it current with detection and component updates (e.g., virus and infected-file definition databases, enhancements to analysis engines)? Are logs being processed as the organization intends? The checklist is considerable, but checking items isn’t a meaningful source of delay. The killer question might be, “When was the last full scan of the client to detect and remove all forms of malware?”

If my PCs and laptops are typical clients, a full system antivirus scan is a 15-20 minute exercise. So is a full spyware scan. They don’t run very well together, even on a fast CPU with 512 KB – 1 MB RAM. Consider the laptop-enabled mobile user: between the WiFi adapter and 30-45 minutes of disk access, it’s quite conceivable that the battery will run dry before network admission is completed.

The lesson should be familiar to CNN viewers: if admission controls are designed poorly, you’ll have immigrants passing out from exhaustion and starvation at your borders.

Network admission and integrity control advocates might reply, “we don’t have to force the user to full scan, we only have to check to see the last full scan was performed recently.”

The value of “recently” will of course vary, and so will the window of opportunity, but this is not an entirely bad strategy.
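As an added illustration (not code from the original post), here is a Python sketch of the posture check described above: every item on the list must be present, running, on the trusted configuration, current in its definitions, and, for the two scanners, backed by a full scan inside a “recently” window rather than a scan forced at logon. The staleness windows, component names and policy hashes are assumed values for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_DEFINITION_AGE = timedelta(days=3)   # assumed window, not from the post
MAX_FULL_SCAN_AGE = timedelta(days=7)    # the assumed "recently" for a full scan
SCANNERS = {"antivirus", "antispyware"}  # items that must report a full scan
REQUIRED = SCANNERS | {"firewall", "popup_blocker", "antispam", "patches", "vpn_client"}

@dataclass
class Component:
    name: str
    running: bool
    policy_hash: str                                # hash of the applied config
    definitions_updated: Optional[datetime] = None  # None: item has no signatures
    last_full_scan: Optional[datetime] = None       # None: never scanned / n.a.

def evaluate(reported: List[Component], trusted: Dict[str, str],
             now: datetime) -> Tuple[bool, List[str]]:
    """Decide admission; collect every failure so the user fixes all of them in one pass."""
    reasons: List[str] = []
    present = {c.name: c for c in reported}
    for name in sorted(REQUIRED - present.keys()):
        reasons.append(f"{name}: not present")
    for c in reported:
        if not c.running:
            reasons.append(f"{c.name}: not running")
        if trusted.get(c.name) != c.policy_hash:
            reasons.append(f"{c.name}: configuration differs from trusted policy")
        if c.definitions_updated and now - c.definitions_updated > MAX_DEFINITION_AGE:
            reasons.append(f"{c.name}: definitions older than {MAX_DEFINITION_AGE.days} days")
        if c.name in SCANNERS and (c.last_full_scan is None
                                   or now - c.last_full_scan > MAX_FULL_SCAN_AGE):
            reasons.append(f"{c.name}: no full scan in the last {MAX_FULL_SCAN_AGE.days} days")
    return (not reasons, reasons)

# Constructed sample: a trusted-policy table and one laptop's self-report.
TRUSTED = {n: f"policy-{n}-v1" for n in REQUIRED}

def sample_report(now: datetime) -> List[Component]:
    ok = lambda n, **kw: Component(n, True, TRUSTED[n], **kw)
    return [
        ok("firewall"), ok("popup_blocker"), ok("patches"), ok("vpn_client"),
        ok("antispam", definitions_updated=now - timedelta(days=1)),
        ok("antivirus", definitions_updated=now - timedelta(hours=6),
           last_full_scan=now - timedelta(days=2)),
        ok("antispyware", definitions_updated=now - timedelta(days=1),
           last_full_scan=now - timedelta(days=12)),   # current, but scan is stale
    ]
```

Running `evaluate(sample_report(now), TRUSTED, now)` refuses admission with the single reason that the antispyware scan is older than the window, which is exactly the case where a policy of “check the last scan date” beats forcing a 30-45 minute scan at logon.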

During recent client visits where we discussed spyware, I’ve been bombarded with the same question: why don’t antivirus products protect against spyware? The only answer that really matters is, “they will”.

Better, in my mind at least, is a strategy that says, “have fewer dependencies, make them more robust, and close the window entirely”. This is especially useful for organizations that concede desktop administration to employees, and for service providers, who concede admin to largely non-technical consumers. Best of breed works best when you have experts familiar with and catering to all the needs of each breed. To take network admission to large populations, we need desktop security suites, or operating systems that “do it all”.

Or, perhaps, they must.