Why Requirement 5 Must Change

This issue came to a head recently when a colleague of mine attended an ISSA chapter meeting where there was a session given on anti-virus by someone from a US government intelligence operation. I had entirely forgotten about this until they brought it back up. The issue is the ineffectiveness of anti-virus solutions and why they are ineffective.

Most of us have seen the anti-virus testing results that are periodically pumped out by the various trade journals. They all point out that anti-virus is only around 30% to 40% effective in detecting malware. But what never seems to get brought up and clearly discussed is why anti-virus solutions are so bad at their job.

The reason is that anti-virus solution providers have taken a page out of the United States Centers for Disease Control (CDC) influenza playbook. Why becomes clear from the statistics that the speaker shared.

  • For every current piece of original malware, there are around 400,000 variants of that malware making the rounds on the Internet. Variants are easy to make, which is why there end up being so many so quickly.
  • To scan a computer for every piece of malware developed since day one, including variants, would take around 40,000 hours (almost a month) to complete. And that assumes you dedicate one core to that scan as well as another core to scan everything coming at you.
  • The signature files required to track all malware and their variants from day one would take up a significant portion of your hard drive.

Like the CDC does a scientific wild-ass guess (SWAG) to figure out what influenza vaccine to make every spring, anti-virus vendors do the same thing with their signature files every day. What anti-virus vendors do is select the most likely malware and variants your computer will encounter and that is what your anti-virus signature file will contain. The idea is that their heuristic engines and firewalls will hopefully detect the malware not included in the signature file.

Getting back to the PCI DSS, requirement 5.1.1 states that anti-virus solutions:

“Detect all known types of malicious software, remove all known types of malicious software, and protect against all known types of malicious software.”

Guess what?

Given the aforementioned revelations that signature files are incomplete, there is no anti-virus solution available today that meets those requirements of detecting and protecting against “all known types of malicious software”. All of us have, unknowingly or not, been “checking the box” on this requirement.

I, along with a number of other security professionals, have stated for years that anti-virus alone has never been adequate for protecting systems as portrayed in the PCI DSS, by the PCI SSC and by the card brands. If you truly want to protect systems from “all” malware as specified in the requirement, you need to use anti-virus in conjunction with a whitelisting/blacklisting and/or file change detection solution. Anti-virus alone is just not enough, as the repeated tests of these solutions have pointed out over the years.

The reason you still need to keep anti-virus is that these solutions do what the others do not – quarantine or remove the malware. Quarantining or removing malware is truly an art form and has become even more so as operating systems have become more sophisticated in how they manage applications. While it is easy to install software, uninstalling it has become very tricky, if you can even uninstall it at all.

Anti-virus vendors spend the bulk of their research and development time and money determining the best way of quarantining and/or removing malware. While a lot of whitelisting/blacklisting vendors have promised to add the ability to quarantine and remove malware, most have come to the realization that providing such features is beyond their current capabilities and not as simple as they have portrayed it in their sales meetings. As a result, I would expect it will take these whitelisting/blacklisting vendors years to have this capability, if they even bother to develop it.

So what should the PCI SSC do?

The Council needs to add additional malware detection measures to requirement 5 so that organizations are truly protecting their systems against malware. In the immortal words of Bruce Schneier, what we have now is “security theater” – the appearance of security without security. Anti-virus alone is not cutting it, so it is time to enhance that capability by requiring more than just anti-virus.

The Council should also work with, and demand that, the anti-virus, whitelisting/blacklisting and file monitoring vendors provide some sort of integration between their respective products. That way, when the whitelisting/blacklisting or file monitoring solutions detect an issue, the anti-virus solution can do the quarantine or removal of the suspected malware, at which it is typically very good.
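To make the layering argument of the two preceding points concrete, here is an added example (not code from this post or from any vendor product) of a minimal scanner that runs a signature blacklist, an allow-list, and a quarantine hand-off over a constructed set of sample files. The sample "binaries", the single known-bad signature, and the one-byte variant are all constructed in a temporary directory; the class and function names are my own. A signature-only scanner sees the variant as clean; the allow-list layer flags it as unapproved, and the quarantine step (a stand-in for what the anti-virus product would do) removes it from the executable location.

```python
"""Layered malware detection: signature blacklist + allow-list + quarantine hand-off.

Added example, not code from the PCI Guru post. Sample files, signatures and
the allow-list are constructed in a temp dir; nothing here is a real program.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash file contents; both detection layers key on this digest."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


class LayeredScanner:
    def __init__(self, signatures, allow_list, quarantine_dir):
        self.signatures = set(signatures)    # known-bad digests (AV-style, always partial)
        self.allow_list = set(allow_list)    # approved digests (whitelisting)
        self.quarantine_dir = Path(quarantine_dir)
        self.quarantine_dir.mkdir(parents=True, exist_ok=True)

    def signature_only(self, path: Path) -> str:
        """What an anti-virus signature match alone would report."""
        return "known-malware" if sha256_file(path) in self.signatures else "clean"

    def classify(self, path: Path) -> str:
        """Signature layer first, then allow-list: unknown is not the same as clean."""
        digest = sha256_file(path)
        if digest in self.signatures:
            return "known-malware"
        if digest in self.allow_list:
            return "approved"
        return "unapproved"   # caught by whitelisting, not by signatures

    def quarantine(self, path: Path) -> Path:
        """Stand-in for the AV product's removal step: move the file out of place."""
        dest = self.quarantine_dir / (path.name + ".quarantined")
        shutil.move(str(path), str(dest))
        return dest

    def scan(self, directory: Path) -> dict:
        """Return {file name: verdict}; anything not approved is quarantined."""
        results = {}
        for path in sorted(Path(directory).iterdir()):
            if not path.is_file():
                continue
            verdict = self.classify(path)
            if verdict != "approved":
                self.quarantine(path)
            results[path.name] = verdict
        return results


def demo() -> dict:
    """Build a constructed sample set and return signature-only vs layered verdicts."""
    root = Path(tempfile.mkdtemp())
    bin_dir = root / "bin"
    bin_dir.mkdir()

    # constructed sample contents (not real software)
    approved_tool = b"#!/bin/sh\necho approved tool\n"
    known_bad = b"MZ\x90\x00 constructed known-bad sample v1\n"
    variant = known_bad.replace(b"v1", b"v2")   # trivial variant: new hash, same payload
    (bin_dir / "tool.sh").write_bytes(approved_tool)
    (bin_dir / "dropper.exe").write_bytes(known_bad)
    (bin_dir / "dropper2.exe").write_bytes(variant)

    signatures = {hashlib.sha256(known_bad).hexdigest()}       # AV knows only the original
    allow_list = {hashlib.sha256(approved_tool).hexdigest()}   # only the approved tool
    scanner = LayeredScanner(signatures, allow_list, root / "quarantine")

    sig_only = {p.name: scanner.signature_only(p) for p in sorted(bin_dir.iterdir())}
    layered = scanner.scan(bin_dir)
    return {"signature_only": sig_only, "layered": layered}


if __name__ == "__main__":
    for layer, verdicts in demo().items():
        print(layer, verdicts)
```

The allow-list is keyed on file hashes, so any variant, however small the change, lands in the "unapproved" bucket even though the signature database never saw it; that is the gap between "detecting all known malware" and "detecting all known types" that the post is concerned with.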

Is this going to detect every piece of malware?

Sorry, but some will still get through (remember, security is not perfect). But the amount that gets through should be significantly less than with just anti-virus alone.

How much gets through will depend on how the tools are configured. As a lot of you have found out, just installing file monitoring software does not detect all file changes. That is because the installation does not get tweaked to protect everything it should. That takes time and effort that a lot of people do not provide because they have other things to get done. The better you implement the other tools, the fewer pieces of malware will get through.
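The scoping problem described above is easy to show with a baseline-and-compare routine, so here is an added example (my own code, not from this post or from any file monitoring product) that hashes everything under a configured list of watch paths and diffs it against a saved baseline. The directory layout, file contents, the "narrow" and "full" watch lists, and the simulated changes are all constructed in a temporary directory. With the narrow, config-only scope, a replaced binary and a dropped file go unreported; with the fuller scope, both show up.

```python
"""File-integrity baseline and change detection, with the watch-list scope made explicit.

Added example, not code from the PCI Guru post. Layout, contents and the two
watch lists are constructed; 'watch_paths' stands in for a FIM product's scope.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path, watch_paths: list) -> dict:
    """Hash every file under the configured watch paths (relative to root)."""
    baseline = {}
    for rel in watch_paths:
        for p in (Path(root) / rel).rglob("*"):
            if p.is_file():
                baseline[str(p.relative_to(root))] = sha256_file(p)
    return baseline


def compare(root: Path, watch_paths: list, baseline: dict) -> tuple:
    """Return (added, modified, removed) relative paths, limited to the watched scope."""
    current = build_baseline(root, watch_paths)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in current.keys() & baseline.keys()
                      if current[k] != baseline[k])
    return added, modified, removed


def demo() -> dict:
    """Constructed layout; returns the diff seen under a narrow and a full scope."""
    root = Path(tempfile.mkdtemp())
    for rel, content in {
        "etc/app/config.ini": b"[db]\nhost=db.internal\n",
        "opt/app/bin/server": b"constructed server binary v1\n",
        "var/tmp/cache.bin": b"cache\n",
    }.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)

    narrow = ["etc/app"]                      # out-of-the-box style scope: config only
    full = ["etc/app", "opt/app", "var/tmp"]  # scope tuned to cover binaries and writable dirs

    baseline_narrow = build_baseline(root, narrow)
    baseline_full = build_baseline(root, full)

    # Simulated change: binary replaced, new file dropped in a writable dir, config untouched.
    (root / "opt/app/bin/server").write_bytes(b"constructed server binary MODIFIED\n")
    (root / "var/tmp/.payload").write_bytes(b"constructed dropped file\n")

    return {
        "narrow": compare(root, narrow, baseline_narrow),
        "full": compare(root, full, baseline_full),
    }


if __name__ == "__main__":
    for scope, (added, modified, removed) in demo().items():
        print(f"{scope}: added={added} modified={modified} removed={removed}")
```

The baseline is only as good as the watch list it was built from: anything outside those paths never enters the baseline, so no later change to it can ever be reported. Tuning that list is the "tweaking" the paragraph refers to.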

Reach out to the Council and let them know that you also think that requirement 5 needs improvement.


8 Responses to “Why Requirement 5 Must Change”

  1. roma
    December 6, 2016 at 12:45 PM

    Thoughts on what is considered as an OS not commonly affected by Malware.

    1. In an “argument” here that Linux OS is NOT Commonly affected by malware…
    2. I would like them to install our corporate AV solution (one of the big players) and was told that would be too “expensive”, testing is needed, blah blah. The tech ops team suggested installing ClamAV and I am fighting that we should be installing Freeware solutions on enterprise systems (especially those that manage CC data!)


    • December 7, 2016 at 10:38 AM

      It’s really common for Linux and MacOS “bigots” to say that their OSes are not “commonly affected” by malware. I usually point them to the CVE database to prove that fact which they cannot.

      Most of the big AV vendors have solutions for Linux, MacOS and other non-Windows OSes. However, ClamAV is just as good as those solutions. I have a lot of clients that use ClamAV instead of their Enterprise solutions. That said, the Enterprise solution will provide the monitoring and management just as it does for Windows which is why I prefer it to ClamAV. ClamAV requires a lot of individual monitoring and management which is why I only recommend it in small environments that do not have an Enterprise solution.

  2. October 28, 2015 at 2:33 PM

    I am wondering what you know about the Bit9 methodology and compliance with Section 5 requirements?

    • October 29, 2015 at 4:59 AM

      Bit9 is a great enhancement for anti-virus, but it does not remove malware as required in requirement 5.1.1. So you still need something like anti-virus that will remove malware. Otherwise, Bit9 can meet all of the other requirements in 5.

  3. Willie
    April 24, 2015 at 6:40 PM

    Security in layers, or defense in depth is, has been, and should always be considered a good idea. I think anyone practicing security would agree that expecting one product to be effective for total defense is unreasonable and ineffective.

    • April 25, 2015 at 8:08 AM


      However, a lot of people in the senior management ranks believe that there is a “silver bullet” technology solution to these issues because of their lack of knowledge on the subject. Since they are the ones that sign the check in a lot of instances, they become a barrier to getting a proper program in place.

      • Willie
        April 25, 2015 at 9:44 AM

        I agree with that as well. I usually talk about brand reputation and customer service. The number one priority of management should be the safety and security of their employees and customers. Without that solid base, don’t expect to be in business long.

  4. April 20, 2015 at 5:37 AM

    I have to point out that you missed the key word in that requirement that means that merchants and service providers can legitimately ‘check the box’ on it as actually being compliant. That word is ‘types’, the intent of the requirement is that your AV solution is able to protect from all known ‘types’ of mal-ware not all known mal-ware – those two are very different categories.

    Of course no AV solution can deal with anywhere close to all known mal-ware as there are too many out there and any security professional should be aware of that (I’ll admit that many probably aren’t!), but it is very possible for an AV solution to deal with all known types, in fact the examples that the SSC give as types are: viruses, trojans, worms, spyware, adware, and rootkits. I can think of a few others that aren’t mentioned such as: ransomware, logic / zip bombs, cyberweapons. So in my opinion it’s not too difficult to find an AV solution that the PCI DSS requires to be compliant.

    Having said that you make a very good point about AV not being enough on its own, and I agree that the SSC needs to address that issue perhaps as you suggested, by requiring integration with other security solutions.
