Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, October 11, 2012

Protecting yourself when an antivirus update fails

In case you hadn't heard, McAfee had two bad updates recently (one in April 2010 and one in August of 2012), and so did Sophos in September of 2012.  You'd think after the first botched update there would be procedures in place at McAfee to prevent it from happening again, and for Sophos, they would have seen what an embarassment it was for McAfee and put in procedures in their update process to make sure it wouldn't happen to them.

So how does a botched update happen?  Most likely it's complacency.  It happens to all of us, we get too comfortable with our daily routine, so much so we don't notice when something does go wrong.  With the looming possibility that a desktop antivirus update can fail and cause problems again in the future, what can you do to protect yourself?

The best defense against failure in the desktop antivirus solution is to have protection at the gateway, that's from a different vendor.  So if you're using McAfee at the desktop, make sure you web security gateway is using Sophos, Symantec, or another antivirus vendor, as it's unlikely two different vendors will have broken updates at the same time.  That way if a broken update allows malware through, you're still protected from it getting to the end-user at the gateway level.

I often get asked why you would need redundant anti-malware scanning at both the gateway and desktop.  If you're using the same vendor, then yes, it does seem a bit redundant, which is why you really need different anti-malware vendors at the gateway and the desktop.

In a conversation with one security product manager, he mentioned to me that in his analysis of their customer data, for any new malware outbreak, there was only an 80% overlap between vendors.  Meaning if you only went with one vendor, you'd only catch about 80% of the known malware out in the wild.  You really need a second vendor to close that 20% gap.

So make sure you've got an added layer of defense.  It may save you a lot of headaches the next time there's a problematic anti-virus pattern update.

No comments: