I was recently working on a project for publication with a research partner on the subject of the Microsoft Office exploit [CVE-2010-3333], first discovered some 18 months ago. As part of this engagement my research partner kindly shared with me some lines of code in the body of the email, along with a URL, along with an expectation that I would respond within an agreed window of time – a request I of course obliged. However, later that day, he called and enquired if I had managed to send the response as it had not been received – I informed him that I had, so something, somewhere had obviously gone wrong! When I eventually got to my workstation I noticed the following messages had been generated by the local Kaspersky client – see Fig 1 and 2 below.
Fig 1 – Kaspersky Detection
Fig 2 – Disinfect
After a few more frustrating blocks by the blasted local anti-virus application, we were now getting very, very frustrated, after all it was only lexical content in the email, but then, the anti-virus product was doing what it was supposed to – detecting, and blocking suspicious looking activity which it was picking up within the body of the email being identified as a threat associated with the ‘pFragments’ vulnerability, and this set my mind wandering.
So given that there were still a massive number of systems which were unpatched, to take a hit from successful exploit it was just a numbers game – and given that we are suffering a period of, what I feel resembles Car-Crash Security in a large number of organisations, it may be only a matter of time before those unprotected systems get abused by this adverse logical code – but as I said, my mind was wandering. And then I reflected on the statement made by Symantec that ‘Anti-Virus is Dead’!
For many years now I, and many others have been commenting that AV is no longer the Silver Bullet it once was, and that it looked to be in the final days of life, in its ‘current’ guise, but never for one moment would I be so arrogant to suggest it was ‘dead’ in particular to drive a marketing advantage, as that it just unethical, and dare I say, reckless to suggest such a thing from the mouth of an security vendor like Symantec.
The fact of the situation is, AV still has its place, it is still protecting many Corporate’s, SME’s and ‘end users’, and even when it gets in the way it [as with my task] it proves some people should think before they expose ‘your’ chips to allowing viral code impact operations.
The spooky thing is, it was only the day before that I dropped my Symantec AV Protect based on their wild comments, and installed Kaspersky – looks like I took the correct evasive action just in time – Well done Eugene.
Professor John Walker FMFSoc FBCS FRSA CITP CISM CRISC ITPC
Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia[to 2015], CTO and Company, Director of CSIRT, Cyber Forensics, and Research at INTEGRAL SECURITY XASSURNCE Ltd, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, an Associate Researcher working on a Research Project with the University of Ontario, and a Member, and Advisor to the Forensic Science Society