Chapter 39. What AV Companies Should Be Doing (AV 2.0)
I’ve talked a lot about what’s wrong with traditional AV systems that makes them work so poorly. Now I’m going to share my vision of what security vendors should be doing, which we’ll call AV 2.0 (even though we’re all sick of Whatever 2.0). I’ve been working toward this vision for a bit under three years now, primarily at McAfee. While no AV vendor is all the way there yet, the big ones are starting to move in the right direction.
AV vendors traditionally have kept a big blacklist of bad programs. Instead, AV vendors should keep a master list of programs, and for each one, keep track of whether it’s good, bad, or undetermined (the vendor doesn’t have enough information to say).
There’s not much reason to have big signature files on machines, or even to check traditional signatures. Instead, right before the computer runs a program, the AV software can ask the AV vendor, “Is this program safe to run?”
Now the AV vendors have to become a lot better at detection. To that end, the endpoint AV software should collect information about the programs people put on their machines, such as things like:
Where are files installed?
Which software vendor “signed” it?
What registry keys and other resources do programs use?
What other programs do programs install?
What things do programs delete?
Do programs do anything suspicious, such as keylogging?
This kind of information doesn’t need to be sent for every program. Generally, it should be sent just ...
Get The Myths of Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.