Antivirus is Dead. Long live EDR!


Computer security is a constant battle in an ever-changing landscape. Protection strategies that were once top of the line are no longer effective. This is now true of Antivirus software. In the past, many organizations' only security was Antivirus and a firewall. However, the new malware and ransomware techniques used by attackers render Antivirus ineffective and, worse, provide a false sense of security. This is where a newer technology called Endpoint Detection & Response (EDR) comes in. You may also see the terms MDR or XDR, which refer to types of EDR deployments and/or feature sets.

Why Antivirus Can’t Protect You Anymore.

So why do we need EDR exactly? To understand the answer you first need to know how standard Antivirus software works. The oversimplified version is that when a program is run or downloaded, the AV software scans it to see if it is a known threat, such as a virus or malware. If the scan sees something it recognizes, it deletes or quarantines the file. If you look closely at that process you may already see the two big problems.

  • What if the threat was not previously known?

If the Antivirus does not recognize the threat then it allows it to run. That is not good. These types of threats can be new viruses, malware that has been obfuscated, or threats leveraging zero-day exploits (new, unpatched, security bugs in software such as Windows, MacOS, Adobe, Office, Zoom, etc.).

  • What if the threat does not use a malicious file to infect the machine?

If there is nothing to scan then, you guessed it, it runs (still not good). These are known as fileless attacks and may also be referred to as Living off the Land (LOTL). This is a fairly new and evolving threat methodology and can be executed in various ways. Examples include memory-only threats (the Duqu worm), Windows registry-resident malware (Poweliks), PowerShell / macro-based tools (exploit kits), and various other technical methods I will not go into (DLL injection, the DotNetToJScript technique, reflective loading, etc.).

As you might have guessed, once malware gets past the Antivirus software it’s game over. Your computers, data, and network are now open to attack.

Detecting & Stopping Unknown Threats

EDR fills Antivirus's blind spots and then some. While Antivirus just scans for known threats, EDR also looks for malicious behaviors in applications and running processes, often using Machine Learning (a type of Artificial Intelligence) to do so. It does not need to know in advance that a program is a threat; it only needs to see the program acting in a threatening manner. In this way it works the way real-world threats are identified. Police don't keep a list of known offenders in their pocket; they identify the bad guys based on what they are doing and how they are acting.

Assume You Will Not Prevent All Attacks

When you get a new car you know it is just a matter of time before someone scratches it. You can park all the way in the back lot and you will still have someone dent it. Computer security should be thought of in the same manner. It is not a matter of if you will be breached, but when. Antivirus products are useless once an attack successfully executes but EDR has the ability to detect an active infection, kill it, and more importantly, reverse any changes made to the system. Not only does this limit the damage being done, it also saves an enormous amount of time on the IT side as computers no longer need to be brought offline to perform an erase and full reinstall of the computer and applications. In addition many EDR products can automatically disconnect an infected device from the network to help limit the spread of worms, ransomware, and hackers trying to move through your network.

Only Wireguided Includes the World's #1 EDR with its Managed Services

Wireguided makes the security of our clients our #1 priority (as well as great customer service!). We are constantly evaluating new security solutions and new threats so our customers are always protected. With this in mind, we are now including the world's #1 EDR / XDR software, SentinelOne Singularity XDR, with our Managed Services Plan. No other MSP offers this level of protection to their customers. If you would like to know more about EDR and how Wireguided can help your organization, please click here to contact us.

You’re Infected. You just don’t know it yet.


7/10/2013 – Update #1: Click here for more information on SEP SBE 2013 Cloud

7/11/2013 – Update #2: Click here for the technical details 

If you or an employee has received an email attachment, clicked on a link, or surfed the web in the past few months, there is a good chance that you have an infected computer on your network. A new version of a nasty piece of malware is spreading like wildfire. Researchers have just uncovered that it is not just one malware package, but two working as a team. Did I mention it spreads via USB drives and network shares too?

The antivirus software you have probably does not detect the infection. If it does, the removal process does not work even when it reports success. The malware hides on your system and downloads more malware, keyloggers, pop-up generators, botnet clients, or whatever onto your computer.  

But I have the latest antivirus software. I'm fine... right??

Look in the lower right hand corner of your PC next to the clock (system tray). Does your antivirus icon look like any of the icons below? If Yes, you are vulnerable.

[Image: antivirus vendor icons]

McAfee, Microsoft Security Essentials, Kaspersky, AVG, Avast, Norton, Symantec Endpoint Protection 12 or earlier, Trend Micro, etc. do not detect it. Specialized tools such as Malwarebytes and ComboFix also do not remove it (or even detect it, depending on version).

How do I protect myself?

While we normally do not push any single product we have had great results with Symantec Endpoint Protection Small Business Edition 2013. It is cloud based and it is only $2.50/month per PC. Since we have installed it our clients using it have gone to zero infections from anything. If you would like more information on purchasing or installing this product or have a general question about malware please contact us.

-Tim