No, this isn't about lousy detection rate. I think we're pretty much resigned to that, irrespective of the latest fancy marketing terms the industry uses to sell us the same failed concept. This is about the forensic quality, or rather lack thereof, of anti-virus.
Let's say your anti-virus (AV) happens to find a piece of spyware, something like the spyware that I described in yesterday's ISC diary. What does it do with it? If your AV is anything like the products that I've seen in use, it will display a Halloween-like scary pop-up (Danger! Virus!) and will delete or quarantine the threat.
So far so good. This used to be cool back when all we wanted our anti-virus to do was to get rid of the threat. But those days are over. Increasingly now, anti-virus alerts us (maybe) to a persistent threat that has been on the system for days, weeks, heck, even months. And deleting or quarantining such a threat causes a serious problem: it modifies or eradicates evidence. Yes, we get an alert, but then we are like the CSI guys who get called to a murder scene that doesn't have a body. Sure, we can spend hours trying to lift DNA off cigarette stubs, but things would be so much easier if the caller could tell us what exactly he has seen where, and where the body was.
In other words: if anti-virus removes a registry key to unhook a DLL, why can't the AV log tell me (a) where this registry key was and (b) when it was created? This would give a first indication of how far back we have to dig to determine what data was stolen. The same holds true for the actual threat files that get deleted or quarantined: a full MAC (modify/access/create) timestamp in the logs shouldn't be too much to ask for. Maybe garnished with an MD5 checksum for good measure, so that the analyst can tell right away if the exact same threat has already been seen on another PC.
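What that "evidence first, then quarantine" log could look like for a file artifact, as an added example that is not part of the diary or of any AV product: the MAC timestamps and MD5 (plus SHA-256) are recorded to a JSON-lines log before the file is moved. The quarantine directory, log path and record layout are assumptions chosen for illustration; registry-key creation times are Windows-specific and not covered here.

```python
"""Record a file's forensic metadata before an AV-style quarantine removes it.

Added example (not from the ISC diary or any vendor): captures the
modify/access/create timestamps and MD5 checksum the diary asks for, plus
SHA-256, then quarantines the file by moving it. Quarantine directory, log
path and record layout are constructed here for illustration.
"""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def collect_artifact_metadata(path: str) -> dict:
    """Gather what an analyst needs before the artifact is touched."""
    st = os.stat(path)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        # MAC timestamps: st_ctime is inode-change time on POSIX and
        # creation time on Windows, so label it accordingly when reading.
        "modified": _iso(st.st_mtime),
        "accessed": _iso(st.st_atime),
        "created": _iso(st.st_ctime),
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def quarantine_with_evidence(path: str, quarantine_dir: str, log_path: str) -> dict:
    """Log the metadata first, then move the file; never remove before logging."""
    record = collect_artifact_metadata(path)
    record["logged_at"] = _iso(datetime.now(tz=timezone.utc).timestamp())
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, record["sha256"])  # content-addressed
    shutil.move(path, dest)
    record["quarantined_to"] = dest
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # one JSON line per artifact
    return record
```

The same SHA-256 filename on two machines tells the analyst immediately that the identical sample was seen twice, which is the cross-PC check the diary asks for.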
I don't think the AV companies have caught on to this yet: they seem to be deleting and quarantining threats with the same casual indifference as they did 20 years ago, stomping all over the crime scene and wiping out or contaminating important forensic evidence in the process.
If your enterprise-grade anti-virus software does any better in forensics than described above, please let us know via the contact page. If it has the same shortcomings, please let us know as well, but more importantly, please let your AV vendor know. Maybe someone listens.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.