Jul 14 2016

One of the throw-away statistics I tripped over recently was that there are 5 new malware releases every second. Many of those new releases are variations on a theme – there are pieces of software designed to rewrite a piece of malware into a new piece of malware with the same functionality. This is done deliberately to evade anti-virus software.

And it works. Every so often I feed some strange mail attachments into virustotal to find out how widely they are recognised. It is not uncommon to find that only 2-3 of the 50-odd virus checkers on that site will recognise one as malware. So if you happen to be dumb enough to download and activate the attachment, your anti-virus checker has a roughly 5% chance of protecting you.

Not exactly what you should expect.

I recently sat through a sales pitch for a not-so-new corporate product that does anti-malware protection very differently. Of course it is also insanely expensive, so I will not mention the actual product, but it does offer something new: protection against malware by checking and blocking behaviour.

Whilst they add all sorts of clever data analysis tricks, fundamentally anti-virus products recognise malware because they recognise the data that makes up the malware. If they don’t recognise the signature of the malware, they do not know it is malware, so they have an incredibly difficult time recognising new malware releases.

But recognising malware by its behaviour is far more likely to catch new releases – for example by recognising an attempt to make itself persistent in a way that an ordinary application does not do, and blocking it. That is a far more practicable method of blocking malware (if it works!).

It is also something that should probably be built into operating systems, and to a certain extent it already has been.
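As an added illustration (not code from the original post) of why the signature approach described above fails on a repacked variant while a behaviour rule does not, here is a hash lookup beside a simple persistence-behaviour rule run over constructed endpoint events. The sample bytes, process names and the allow-list of trusted writers are assumptions made up for this example; the persistence locations themselves are real launchd and Run-key paths.

```python
import hashlib

# Constructed stand-in for a malware build and a repacked variant of it
# (arbitrary bytes made up for this example, not real samples).
ORIGINAL_BUILD = b"FAKE-MALWARE-BUILD-1: drops launch agent, calls home"
REPACKED_BUILD = ORIGINAL_BUILD + b"\x00"  # same functionality, one byte added

# Signature database: only the original build's hash is known.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_BUILD).hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Signature detection: flags a sample only if its exact hash is known."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

# Real persistence locations on macOS (launchd) and Windows (Run key).
PERSISTENCE_MARKERS = (
    "/Library/LaunchAgents/",
    "/Library/LaunchDaemons/",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)
# Processes assumed to legitimately write to those locations (constructed allow-list).
TRUSTED_WRITERS = {"softwareupdated", "installer", "msiexec.exe"}

# Constructed endpoint telemetry: (process name, action, target).
EVENTS = [
    ("Safari", "file_write", "/Users/alice/Downloads/Invoice.app/Contents/MacOS/Invoice"),
    ("Invoice", "file_write", "/Users/alice/Library/LaunchAgents/com.invoice.helper.plist"),
    ("softwareupdated", "file_write", "/Library/LaunchDaemons/com.vendor.updater.plist"),
    ("Invoice", "net_connect", "203.0.113.7:443"),
    ("updater.exe", "reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
]

def behaviour_alerts(events):
    """Behaviour detection: flag persistence attempts by untrusted processes,
    regardless of what the binary's bytes look like."""
    alerts = []
    for proc, action, target in events:
        persists = action in ("file_write", "reg_write") and any(
            marker in target for marker in PERSISTENCE_MARKERS)
        if persists and proc not in TRUSTED_WRITERS:
            alerts.append(f"{proc}: persistence attempt via {target}")
    return alerts

if __name__ == "__main__":
    print("original build flagged by signature:", signature_match(ORIGINAL_BUILD))  # True
    print("repacked build flagged by signature:", signature_match(REPACKED_BUILD))  # False
    for alert in behaviour_alerts(EVENTS):  # two alerts: Invoice and updater.exe
        print("behaviour alert:", alert)
```

The trusted installer's write to LaunchDaemons passes without an alert, which is the allow-list doing the work a real product would do with far more context.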

The New Defence

Aug 19 2011

Revised answer: Yes

The longer answer gets a bit more involved. First of all, there is some level of protection built into OSX against malware, called File Quarantine. There are limits to how much protection this provides compared with PC anti-virus and anti-malware products, as it only protects against known malware, and only at the point where the malware is installed or run.

It is also limited by the frequency at which the OSX operating system is updated – OSX is typically updated once a week (unless you put off applying updates) – whereas a PC-style anti-virus product will typically update its virus definitions on an hourly basis. This would seem to make it totally inadequate, but OSX just doesn’t have as much malware as Windows.

There are a number of possible reasons for this, including that OSX is inherently more secure and that OSX just doesn’t have enough of a market share for malware authors to bother with. The truth behind the lack of malware for OSX is only known to the malware authors, although it should be noted that OSX viruses do exist (as do Linux ones).

You could take the attitude that a flood of OSX malware is due any day now, and insist on running an anti-virus product in addition to the inbuilt protection OSX has. There are of course people warning that the flood of OSX malware is just around the corner, although they tend to be people connected to the anti-virus industry, so are perhaps less than totally disinterested.

Of course if you have some seriously private data to protect, you should probably consider it. But most of us don’t work for the intelligence services, so can be a little less protected … for now. This can all change next month, next year, or sometime, so don’t take the word of this blog entry too seriously, especially if the date on it is a long time ago!

Of course now that some time has passed, the situation has changed (with Flashback amongst others), so the answer is that yes, you do need an anti-virus product. It is true that Apple has some built-in protection against malware, but Apple is not an AV company and so they may well react too slowly to protect you.