Is host-based antivirus software losing luster?

As virtualization and Web apps pick up steam, they are leaving traditional antivirus software behind

Traditional host-based antimalware packages just aren't that useful anymore, according to some companies that find it either doesn't protect against the main dangers they face from the Web or it simply doesn't run well in virtualized computer environments.

"We're hovering at 95 percent virtualized," says Johnny Hernandez, vice president of information security at Dallas financial services firm PrimeLending, and the move has necessitated a new approach to security, such as deploying virtual-machine-based intrusion detection and protection. But PrimeLending has also found that some things that worked fine in the previrtualized era, such as traditional host-based antivirus software, just don't seem to run well in a virtualized environment.

The company has undergone a gradual transformation from traditional physical servers and desktops to virtualized ones based on VMware vSphere. "Today, we don't run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization," Hernandez says. PrimeLending has virtualized its internal financial databases, Exchange and SQL servers, and SharePoint. Traditional antimalware programs running in multiple virtual instances can disrupt application performance.

Perimeter-based malware filtering, in this case using a Cisco-based antimalware filter, is one line of defense for the company. Physical security appliances, however, generally have "blind spots" when it comes to VMs. PrimeLending is now monitoring and inspecting VMs for signs of malware or attack traffic in a way it couldn't before by using the HP TippingPoint Virtual Controller (vController), the version of TippingPoint's IPS (intrusion-prevention system) for VMware-based environments. It works as a software-based extension of the physical HP TippingPoint IPS.

That has worked well at overcoming the VM blind spot, Hernandez says, though the unexpectedly high traffic speeds that came with virtualization itself meant switching to a higher-speed TippingPoint appliance.

The vController IPS has been able to identify potential problems, such as a document that had become infected, apparently because an employee edited it on an infected home PC and then uploaded it to SharePoint. "The document stored internally was trying to gather information from another," Hernandez says. The vController IPS detected and blocked that.

PrimeLending is also using the TippingPoint vController capability to share security event data with the RSA data-loss prevention product it uses and with RSA's security information and event management product, enVision.

In the quest to find a suitable antimalware defense for its VMs, PrimeLending plans to try Trend Micro's Deep Security, which uses VMware's vShield APIs to perform malware scans. That approach doesn't yet have a way to automate removal of malware if it somehow sneaks in. "There will be limitations in the beginning," Hernandez says. "It's new ground, a new effort."

Others also say traditional host-based antimalware is not as valuable to them as it once was, because the main problems they face are coming from Web-based malware.

"We were having a lot of infections in our environment, one to two, sometimes three infections per week," says Albert Gore, director of information technology operations at the John F. Kennedy Center for the Performing Arts in Washington, D.C. He doubts most desktop antivirus software, including the McAfee software used at the Kennedy Center, can do much against the malicious code that employees, contractors, and performing artists can inadvertently spread while using the Web.

Facebook and YouTube are the two biggest sources of infections in the Kennedy Center's experience, Gore says. Infections mean "you have to go find out what happened, quarantine them, find out if data has been stolen, if any," he says. Malware incidents have shown that people do lose files or find them deleted. However, the performing arts center needs to use social networking in its business.

The Kennedy Center found its virus-infection flare-ups were largely stamped out by using a Web filtering gateway. The one in use today, the Websense Web Security Gateway, lets the IT department provide broad access to social networking sites and the Web in general but blocks specific links that are dangerous sources of malware.

The Kennedy Center is hardly alone in coping with Web-based malware incidents.

According to a survey of 382 IT professionals published this week, 78 percent said their organizations had experienced at least one malware attack during the last 12 months, with respondents commonly reporting a malware attack every 73 days.

The survey, done by Osterman Research and sponsored by M86 Security, said 97 percent of the respondents indicated their organizations used a desktop antivirus product of some sort, but just 60 percent used a secure Web gateway. The most commonly reported type of malware attack was traced to an infection from the Web, according to 70 percent. Fake software, such as fake antivirus, ranked high. Twenty-seven percent said their malware problems had increased over the past 12 months, and only 9 percent said they had decreased.

The survey found that 76 percent reported needing to re-image computers after malware attacks, and that the typical malware attack requires a mean of 27.5 IT person-hours to remediate. It also noted that 12 percent of employees in the average victimized organization had their work disrupted while a malware-related problem was being remediated.

This story, "Is host-based antivirus software losing luster?" was originally published by Network World.


Copyright © 2011 IDG Communications, Inc.