Why Antivirus Isn’t Enough

I have come to realize recently that almost all computer security products (including antivirus) are what I call “detection-based.” The problem, though, is that when (not if) the filter is wrong, the user’s security is compromised.

What Is Detection-Based Security?

A detection-based security product is any security product which roots its security in the premise that it can filter all the bad things that might happen away from the non-bad things. So for anything that a user tries to do, the security product first attempts to decide if that thing is bad. If it’s bad, the product will stop that thing from happening. Thus, the effectiveness of the product is totally dependent on the accuracy of the filter.

For example, antivirus software maintains a huge list of malware signatures that is used as its filter. Any time a process tries to run, or a file gets saved to your disk, the antivirus will compare it to all its known signatures. If a match is found, it must be bad, and the antivirus will stop it. This is why antivirus products are always downloading new signatures, and why out-of-date antivirus is not very effective.
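The signature check described above, as an added example that is not part of the original post and not any vendor's code: a minimal blocklist scanner run with a stale and an updated signature set, so the files the stale set lets through can be counted. The file names, byte strings and signature names are all constructed and harmless.

```python
import hashlib

# Constructed, harmless byte strings standing in for files on disk.
SAMPLES = {
    "report.docx": b"quarterly numbers, nothing executable here",
    "old_family.bin": b"\x90\x90HEADER::family-A::payload-marker-1337",
    "new_family.bin": b"\x00\x01HEADER::family-B::payload-marker-4242",
}
KNOWN_BAD = {"old_family.bin", "new_family.bin"}  # ground truth for the demo

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class SignatureDB:
    """A blocklist: exact file hashes plus byte patterns from known samples."""
    def __init__(self, label, hashes=(), patterns=None):
        self.label = label
        self.hashes = set(hashes)
        self.patterns = dict(patterns or {})  # signature name -> byte pattern

    def scan(self, data: bytes):
        """Return the matching signature name, or None (default-allow)."""
        if sha256(data) in self.hashes:
            return "hash-match"
        for name, pattern in self.patterns.items():
            if pattern in data:
                return name
        return None  # anything not on the list is treated as not bad

def scan_all(db, samples):
    return {name: db.scan(data) for name, data in samples.items()}

def missed(db, samples, known_bad):
    """Known-bad files the filter let through: its false negatives."""
    verdicts = scan_all(db, samples)
    return sorted(name for name in known_bad if verdicts[name] is None)

# The same product before and after a signature update (both sets constructed).
FAMILY_A = {"Family.A": b"family-A::payload-marker"}
DB_STALE = SignatureDB("stale", patterns=FAMILY_A)
DB_FRESH = SignatureDB("fresh", hashes={sha256(SAMPLES["new_family.bin"])},
                       patterns=FAMILY_A)

if __name__ == "__main__":
    for db in (DB_STALE, DB_FRESH):
        print(db.label, scan_all(db, SAMPLES),
              "missed:", missed(db, SAMPLES, KNOWN_BAD))
```

Until the update arrives, the second file is indistinguishable from the benign document as far as the filter is concerned: both return `None`.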

Personal firewalls work in a similar way, except the filter list is mostly curated by the user. If an unknown program attempts to access the internet, the firewall will just ask the user if it’s OK or not. In this case, the correctness of the filter list is in the hands of the user.

In the realm of web browsing security, the technology is similar. One approach is used by very popular tools such as Web Of Trust (or WOT) and Google’s Safe Browsing. These products maintain a huge list of known websites, along with a trustworthiness score for each one. In WOT’s case, the trustworthiness scores are decided directly by its users. If one user says a certain website is bad, then that site’s score is lowered for all the users of WOT. In the case of Google’s Safe Browsing, the trustworthiness is decided by Google. In both cases, if a user tries to go to a site, the tool first determines the site’s trustworthiness, and if it is too low, the tool will try to stop the user from visiting the site.

The other tactic used in web browsing security is taken by NoScript. The makers of NoScript realize it is the scripting present in a webpage that poses the most danger to a user. For any website a user attempts to visit, the HTML will be fetched and rendered, but scripts will only run if a user has granted permission. By default NoScript will stop all scripts, and a user must manually build a list of trusted scripts. There are 2 related problems with this. First, scripting is heavily relied on these days for most of a website’s functionality. If the scripts are blocked, the sites just don’t work. The second problem is that it is too hard for a user to correctly decide if a script should be allowed or not.
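A simplified model of the default-deny script policy described above, added here as an example; it is not NoScript's code. It assumes trust is granted per host, and the page, URLs and host names are constructed placeholders. It lists which scripts run and how many separate hosts the user has to judge before the page fully works.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page; all hosts are placeholder names.
PAGE_URL = "https://shop.example.com/cart"
PAGE_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.example.net/lib/framework.js"></script>
<script src="//ads.tracker.test/pixel.js"></script>
<script>document.title = "Cart";</script>
</head><body><p>Your cart</p></body></html>
"""

class ScriptCollector(HTMLParser):
    """Record, for each <script>, the host its code comes from."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []  # list of (host, description)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Resolve relative and protocol-relative URLs against the page.
            full = urljoin(self.page_url, src)
            self.scripts.append((urlsplit(full).hostname, full))
        else:
            # Inline script: attributed to the page's own host.
            self.scripts.append((urlsplit(self.page_url).hostname, "<inline>"))

def decide(page_url, html, trusted_hosts):
    """Default-deny: a script runs only if its host is on the user's list."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    allowed = [(h, s) for h, s in collector.scripts if h in trusted_hosts]
    blocked = [(h, s) for h, s in collector.scripts if h not in trusted_hosts]
    return allowed, blocked

def hosts_needing_decision(page_url, html, trusted_hosts):
    """Distinct hosts the user still has to judge for this one page."""
    _, blocked = decide(page_url, html, trusted_hosts)
    return sorted({host for host, _ in blocked})

if __name__ == "__main__":
    print(decide(PAGE_URL, PAGE_HTML, set()))
    print(hosts_needing_decision(PAGE_URL, PAGE_HTML, {"shop.example.com"}))
```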

What Alternative Is There?

A popular alternative is using a virtual machine. For web browsing, a lot of advanced users will create a virtual machine that they can use to browse the web. The advantage of doing this is two-fold. First, the dangerous task of web browsing is moved off of their real computer. Second, and equally important, virtual machines allow the user to revert all the changes made to the machine to a known good state.

The virtual machine approach is very safe, but also very tedious. For one, starting a virtual machine can take a few minutes. When you are finished, you must then revert all your changes, which can also take a while. In addition, virtual machines take up a lot of resources, usually at least 1 Gigabyte of RAM. This can slow down your whole computer while it is active. The workflow goes like this:

  • A user decides to browse the web.
  • Wait a couple minutes while the virtual machine starts.
  • Browse the web.
  • Wait a minute while the virtual machine shuts down and reverts changes.
  • In addition, the user needs to keep their virtual machine up-to-date.

This is a good approach, but it is not for everyone. Light Point Web, our Remote Browser Isolation product, was created to give all users access to this level of safety, but without any of the tedium.

Light Point Security’s Approach

Light Point Security is a pioneer in Browser Isolation – an alternative to detection-based security. We believe that building a filter that can identify all the bad operations and be right 100% of the time is simply impossible. Our approach to security is to move all potentially dangerous activities off of the user’s computer. By doing this, it doesn’t matter if something is good or bad. We can run it in a controlled environment that can be restored to a pristine state whenever we want.

Light Point Web lets you browse the web from our computers instead of yours. Using this approach, it is like each time you browse the web, you do it from a brand new computer that has never been used before, and when you are finished, you throw the computer away, never to be used again. If you think about it like this, it doesn’t matter how bad the sites are that you visit.

If you are interested in learning more about Light Point Web, please contact us here.
