December 16th, 2009, 08:38 PM
Anti-virus cleanup capabilities and its importance.
I have an early morning flight and only a few hours to go; instead of sleeping and dealing with the possibility of not making it in time for the flight, I decided to read around a bit. It was a year back when I was involved in a project to migrate from what was then Trend's HIPS solution (Host-based Intrusion Prevention Software) to Symantec Endpoint Protection. I remember the nights (and days) I spent sleeping on two chairs while dealing with failed migrations and rising infections. There were also minor problems, like the IT head deciding to go with testing and deployment just 30 days before Trend's license was supposed to expire. However, my point is that when they decided to go with Symantec, their main reasons were the reporting console, ease of deployment (*******s), market reputation and after-sales "we don't support you" support.
It's been a year; we still have outbreaks, we still have critical systems being infected (I am not blaming the HIPS solution completely for this) and life is pretty much the same, but there is this question that comes to my mind: while technical personnel will look for DETECTION RATE as the main criterion for selection, what about "removal rate"? I am sure it has occurred to at least some of us here that with detection there should be complete removal. The idea is that if a machine that offers critical services is infected, it's better to rebuild than just clean using AV software (this might hold true for desktops too; it's the way you see it). This rule exists because we all know that AV will not clean the infected machine completely and there will always be remnant files.
BUT: Does it matter to you how much your anti-virus cleans a threat in the wild, or basically a threat itself? Would you be okay if just the main executable was deleted, with a few remnant files and registry entries? Or would you want your AV vendor to ensure ALL portions of the malware (and its actions) are cleaned off completely?
This question popped into my mind because I wandered off to this report:
It's "sad" to me to see that no AV was able to clean the machine completely. With AV vendors pushing to the "cloud" and releasing "pulse" (Symantec terminology) updates to ensure malware is detected, doesn't it matter that it cleans the machine completely? I am sure when you release updates every 15 minutes (or so) you will not be paying attention to the actions of the malware itself, but just the executable and any drop-off files (surprisingly, some AVs don't delete the drop-off files!).
What are your thoughts, knowing your AV solution doesn't delete the threat completely (technically)? Does it matter, or is it okay knowing they actually aren't any destructive files but just a few registry entries and a few files without extensions?
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
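The "removal rate" question raised in the post can be made measurable. The following is an added example, not code from the original post or from any AV vendor: it takes a constructed manifest of what a hypothetical sample dropped (the paths and registry values are made up, not real indicators) and a constructed post-cleanup snapshot of the host, then separates remnants that are merely noise (an orphaned file, a Run key pointing at a deleted binary) from remnants that can still execute (a persistence entry whose target is still on disk). No real files or registry keys are read.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    kind: str         # "exe", "dropped_file" or "registry"
    path: str         # file path, or registry key\value name
    target: str = ""  # registry only: the file the value launches


# Constructed (hypothetical) paths and keys; not real indicators.
MAIN_EXE = r"C:\Windows\Temp\svchost32.exe"
NOEXT_FILE = r"C:\Windows\Temp\a1b2"          # dropped file with no extension
LOADER = r"C:\Users\Public\loader.dll"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\svc32\ImagePath"

# Constructed manifest of what the hypothetical sample created on the host.
MANIFEST = [
    Artifact("exe", MAIN_EXE),
    Artifact("dropped_file", NOEXT_FILE),
    Artifact("dropped_file", LOADER),
    Artifact("registry", RUN_KEY, target=MAIN_EXE),
    Artifact("registry", SERVICE_KEY, target=LOADER),
]


def assess(manifest, files_present, registry_present):
    """Classify each artifact after cleanup and compute a removal rate.

    removed - gone from the host
    dormant - remnant that cannot start by itself: an orphaned file, or a
              persistence entry whose target file was deleted (noise)
    live    - a persistence entry whose target still exists, and that target
              file itself: the infection can still run at next boot/logon
    """
    live_targets = {a.target for a in manifest if a.kind == "registry"
                    and a.path in registry_present and a.target in files_present}
    report = {"removed": [], "dormant": [], "live": []}
    for a in manifest:
        if a.kind == "registry":
            present, runnable = a.path in registry_present, a.target in files_present
        else:
            present, runnable = a.path in files_present, a.path in live_targets
        state = "removed" if not present else "live" if runnable else "dormant"
        report[state].append(a.path)
    report["removal_rate"] = len(report["removed"]) / len(manifest)
    report["verdict"] = ("still infected" if report["live"] else
                         "remnants left" if report["dormant"] else "clean")
    return report


# Constructed post-cleanup snapshots: (files still on disk, registry values still set).
PARTIAL_CLEANUP = ({NOEXT_FILE}, {RUN_KEY, SERVICE_KEY})   # exe and DLL gone, keys dangle
MISSED_LOADER = ({NOEXT_FILE, LOADER}, {SERVICE_KEY})      # service still points at a DLL
```

`assess(MANIFEST, *PARTIAL_CLEANUP)` reports two of five artifacts removed and a verdict of "remnants left", while `assess(MANIFEST, *MISSED_LOADER)` has the same removal rate but a verdict of "still infected", which is the distinction a raw detection count hides.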