Warning! Don't run Anti-Malware Software on Your Research Machine

I do not run any anti-malware software on my primary workstation. It's a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. ...went to run some tool. Hey, where did that tool go? It was there when I left home?!? Turns out the anti-malware software that the company shoved down on my laptop had removed the tools I needed to do my job because they were deemed to be malware. Today I had another reminder of why this is probably a good policy for me.

On a whim I decided to run the latest beta of the OneCare Live Safety Scanner on my primary laptop. I was very surprised when the scanner actually found some malware on my computer. This was the first time any anti-malware had found any malware on any of my computers since some free anti-virus for the Macintosh found a virus on a floppy disk I put in my Mac II Se, in 1991. After a 17-year hiatus, I finally managed to contract some malware!

After the scan was finished I had my explanation:

The infection was in my dev projects directory, in a directory called moztests. That's where I put the files I wrote when I was working on what Mozilla eventually patched as MFSA2007-27. OneCare had just cleaned my research off my computer!

Do not misunderstand me. I am not saying that you should not use anti-malware software. I am not even saying that you should do as I say, not as I do, as many security "experts" tend to say. All I am saying is that you need to consider the consequences of all software you install. While it is true that I do not see much malware on any of the computers I manage, that is not a reason to not run anti-malware on them. You need to consider the risks of not doing so. I would never leave our kitchen computer, the closest thing to a kiosk that we have in my house, without anti-malware. Likewise, I find it wise to run it on the kids' computer. My laptop, on the other hand, is used for all kinds of work where the anti-malware would get in the way, so I refrain from it, accepting the risk that I may, inadvertently, one day click on something I shouldn't. To at least minimize that risk I run as a standard user in Windows Vista.

Furthermore, there is one additional thing you should consider. If we took the advice of some authorities and stopped running anti-malware software, would the status quo - the state where we really do not find much active malware - remain? Of course not. Right now the malware purveyors are mutating their software at extremely rapid rates, producing, literally, millions of new malware samples every year. At an event last week I heard a figure that we are on track to see 5 million unique pieces of malware again this year. Yet, most people I talk to say their anti-malware solution never finds any of it on their computers. More than likely that is due in large part to the fact that the vast majority are mutations of earlier versions, created to stay ahead of the anti-malware software. If we removed anti-malware software from the ecosystem we would make it that much easier for the bad guys to control us. They could stop the mutation arms race and focus instead on getting fewer versions deployed to more computers, and we would have no hope of catching any of it. Therefore, the advice to not run anti-malware is unsound at best. It has simply become a cost of using a computer these days; a cost of keeping the ecosystem as sound as is possible with a technology-only solution.

However, you may want to think twice about anti-malware on a computer you use for vulnerability research.

Published 01 May 2008 12:20 PM by jesper

Comments

# ak said on 02 May, 2008 05:38 AM

Why not just exclude c:\dev\, c:\pentest\, etc. ?

# jesper said on 02 May, 2008 10:23 AM

Of course you can exclude directories, and I have in the past. You have to keep being careful to watch out though because things that weren't considered malicious before could now be, and, if you have a managed computer, the manager could remove the exclusions. Still, it is good advice, and may permit you to run anti-malware on a computer that would otherwise cause problems.

# JP Sugarbroad said on 02 May, 2008 02:54 PM

In my opinion, the lesson learned here is more subtle:

Don't let scanners auto-delete things from your computer.

Quarantine is fine. Auto-delete/clean is not.

# alerter said on 10 May, 2008 10:22 AM

Jesper, the previous tip about making Quarantine the default anti-malware response is one possible, weak mitigation, when the anti-malware actually respects that directive and you get to make it.  I've encountered name-brand anti-malware that reserves the right to delete certain,  select threats, even though I flat-out specified Quarantine.  This is also one of the drawbacks to wholesale conversions to aggressively pro-active NAC.  

Wholesale exclusions of local folders creates over broad opportunities for unsanctioned, non-research-related live attack-ware to gain undetected footholds.  

The same goes for numbskull filename-based exclusions.  Just because I sanction the presence of a specifically powerful and potentially dangerous filesystem object, in one specific location, on locally attached storage, does not mean that I openly invite all versions and variations of the same object to wildly riddle the rest of my locally attached storage.  And, of course, I don't want totally unrelated malicious executable content to be able to elude/evade on the basis of a stolen filename.  

I have gone round and round with commercial vendors on this one.  My InfoSec tools are the a-V/a-Mw vendors' idea of unacceptable software.  So, I patiently explain that I need smart white listing:  strong, hash-based + location-based exclusions of executables and other files, not the typical numbskull exclusions.  

I have yet to encounter any forward thinking accommodation along these lines.  

a-V and a-M are increasingly becoming necessary computing evils.   Signature-based solutions routinely miss 0-Day variations that are fielded via relatively trivial evasion techniques.  Heuristics runs the range of responses from asleep-at-the-switch to excessive and sometimes crippling false positives.  

I also sorely miss hardware write protect switches on portable USB flash storage.  For some cynical, cost cutting reason, write protect switched USB storage is becoming harder and harder to find.  

For obvious reasons, InfoSec practitioners have legitimate reasons to want to protect specially crafted USB storage devices, from which to run system tests and/or mount system recoveries, against unauthorized writes.  I don't want an already infected host to arbitrarily and/or automagically rewrite any of my USB storage.  

Why has that become too much to ask for???
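A concrete form of the hash-plus-location allowlisting alerter asks for, as an added example that is not part of the post or any comment: a file counts as sanctioned only when both its relative path and its SHA-256 match the manifest, so a tampered file in place or a stray file reusing a sanctioned filename elsewhere is flagged instead of excluded. The manifest format, directory names and sample files are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large tool binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_allowlist(root, allowlist):
    """allowlist maps POSIX-style relative path -> sha256 (assumed format).
    Sanctioned = right place AND right hash; anything else is reported."""
    root = Path(root)
    result = {"sanctioned": [], "modified": [], "missing": [], "name_collisions": []}
    allowed_names = {Path(rel).name: rel for rel in allowlist}
    for rel, digest in allowlist.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) == digest:
            result["sanctioned"].append(rel)
        else:
            result["modified"].append(rel)
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name in allowed_names and rel != allowed_names[name]:
                result["name_collisions"].append(rel)  # stolen filename
    return result

def demo():
    """Constructed sample tree: a sanctioned PoC, then a tampered copy in
    place plus a stray file reusing the sanctioned filename elsewhere."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        poc = root / "moztests" / "poc.html"
        poc.parent.mkdir()
        poc.write_bytes(b"<script>/* constructed test case */</script>")
        allowlist = {"moztests/poc.html": sha256_of(poc)}
        first = check_allowlist(root, allowlist)
        stray = root / "downloads" / "poc.html"
        stray.parent.mkdir()
        stray.write_bytes(b"not the sanctioned file")
        poc.write_bytes(b"<script>/* tampered in place */</script>")
        second = check_allowlist(root, allowlist)
    return first, second
```

Pairing such a manifest check with quarantine rather than auto-delete, as JP Sugarbroad suggests above, keeps a false positive recoverable while still refusing to trust a filename or a folder on its own.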

# Wampiryczny blog said on 11 May, 2008 02:50 PM

For a long time there has been no (resident) antivirus on my computers. In my case such an antivirus is simply somewhat harmful. Besides, one can live quite well without an antivirus. Why I don't use an antivirus I don't use an antivirus for several
