Signatures Not the Root of Prevention
- Faulty file definitions strike once again!
- On April 24, anti-virus provider Webroot issued an automated update to its signature definitions.
- This inadvertently quarantined hundreds of critical customer files and applications that it erroneously flagged as malicious.
At one time or another, it seems that every anti-malware endpoint security provider has fallen victim to the same tired, flawed paradigm of releasing signature updates that inadvertently create false-positive identifications of necessary Windows files or valid business applications, hobbling their unfortunate customers for hours or days in the process. Currently it’s Webroot’s time in the barrel.
On April 24, anti-virus provider Webroot issued an automated update to its signature definitions. This inadvertently quarantined hundreds of critical customer files and applications that it erroneously flagged as malicious, with no way to automatically roll back the process and restore the wrongly quarantined items. Angry customers lit up social media, citing lost time, money, and productivity, with some even threatening to change AV providers over the incident.
Anti-malware providers put customers at risk when they push file-based updates.
Bromium has great sympathy for everyone at Webroot and their customers who have suffered through this regrettable, yet entirely predictable mishap. But it’s not just Webroot. Nearly every anti-malware provider out there operates in more-or-less the same way by pushing out file-based definition updates as frequently as every 15 minutes. This puts each and every one of those providers—and their customers—at risk of suffering the same ignominious fate of being frozen out of their business critical files.
With several hundred thousand new malicious files released into the wild each day, who can possibly keep up with the volume and complexity on a file definition basis alone? In fact, as we have seen, it is inevitable that every AV provider will eventually encounter the same situation.
Try something fundamentally different.
Bromium is fundamentally different, turning endpoint protection completely on its head and creating a whole new category of isolation-based security. Instead of relying on detection, Bromium isolates all untrusted content—entering from the web, email, USB, etc.—within individual task-based micro-VMs, just in case it’s bad. We never rely on file definition updates, ever. We recognize this flawed pseudo-security strategy is a losing battle. Instead, Bromium only issues updates when applications themselves change, which happens far less frequently.
Although we isolate everything, we also perform detection inside the micro-VM, generating threat intelligence and documenting the kill-chain. Why don’t we require file definition updates for our analysis? Because of our revolutionary design, each micro-VM is intended for exactly one purpose—one browser tab, one document, or one application—completely isolating it from the host PC, the operating system, the file system, and the network. This allows us to make very broad-brush determinations concerning what behavior is actually malicious.
For example, on the host, writing a new binary to disk and then executing it is routine (installers and updaters do it all the time), so a host-based detector needs fine-grained, constantly refreshed definitions to separate the legitimate cases from the malicious ones. Inside a micro-VM whose only job is to render one web page or open one document, the same sequence should never happen at all, so it can be treated as malicious outright. Because the purpose of each micro-VM is known precisely, we can use a small set of generalized behavioural rules instead of detailed, regularly-updated definition files. And as a failsafe, even if we fail to detect that something is malicious, it simply doesn't matter, because the threat is still 100% isolated!
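To make the distinction concrete, here is an added illustration (example code written for this page, not Bromium's product code or its actual rule set) of the kind of broad "drop-and-execute" rule the paragraph describes, run over a few constructed event traces. The event schema, the purpose labels ("browser_tab", "document", "host") and the traces themselves are assumptions made for the example; the only fixed fact it relies on is that Windows PE executables begin with the "MZ" header bytes.

```python
"""Behavioural 'drop-and-execute' rule for a single-purpose sandbox.

Added illustration, not Bromium's code.  The idea: an environment that
exists to render one web page or open one document has no legitimate
reason to write a new executable to disk and then run it, so one generic
rule covers what a signature database would need thousands of entries for.
On the host the same sequence is routine (installers, updaters), which is
exactly why host-side detectors need ever-changing definition files.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PE_MAGIC = b"MZ"  # DOS/PE header that every Windows .exe/.dll starts with


@dataclass
class Event:
    kind: str                      # "file_write" or "process_exec" (assumed schema)
    path: str                      # file written, or image executed
    pid: int                       # process performing the action
    data: bytes = b""              # leading bytes of the file (file_write only)
    parent: Optional[str] = None   # parent image name (process_exec only)


def detect_drop_and_execute(events: List[Event], purpose: str) -> List[str]:
    """Return one alert per executed image that was written earlier in the
    same trace.

    `purpose` says what the environment is for.  Any single-purpose label
    (e.g. "browser_tab", "document") arms the broad rule.  "host" disarms
    it, because on a general-purpose machine drop-and-run is normal and the
    rule would be a false-positive generator, the very problem the post is
    about.
    """
    alerts: List[str] = []
    dropped: Dict[str, int] = {}          # normalised path -> pid that wrote it
    single_purpose = purpose != "host"
    for ev in events:
        key = ev.path.lower()             # NTFS paths are case-insensitive
        if ev.kind == "file_write" and ev.data.startswith(PE_MAGIC):
            dropped[key] = ev.pid
        elif ev.kind == "process_exec" and key in dropped and single_purpose:
            alerts.append(
                f"{purpose}: pid {dropped[key]} wrote {ev.path} and "
                f"{ev.parent or '?'} executed it (drop-and-execute)"
            )
    return alerts


# Constructed sample traces (not real telemetry).
TMP = r"C:\Users\u\AppData\Local\Temp"
BROWSER_TAB_EXPLOIT = [
    Event("file_write", TMP + r"\cache1.dat", 412, b"\x89PNG"),       # image cache, benign
    Event("file_write", TMP + r"\svc.exe", 412, b"MZ\x90\x00"),        # payload dropped
    Event("process_exec", TMP + r"\SVC.EXE", 520, parent="iexplore.exe"),  # and run
]
BROWSER_TAB_BENIGN = [
    Event("file_write", TMP + r"\cache1.dat", 412, b"\x89PNG"),
    Event("file_write", r"C:\Users\u\Downloads\report.pdf", 412, b"%PDF-1.7"),
]
HOST_INSTALLER = [
    Event("file_write", r"C:\Users\u\Downloads\setup.exe", 900, b"MZ\x90\x00"),
    Event("process_exec", r"C:\Users\u\Downloads\setup.exe", 901, parent="explorer.exe"),
]

if __name__ == "__main__":
    for name, trace, purpose in [
        ("exploited browser tab", BROWSER_TAB_EXPLOIT, "browser_tab"),
        ("benign browser tab", BROWSER_TAB_BENIGN, "browser_tab"),
        ("installer on the host", HOST_INSTALLER, "host"),
    ]:
        print(f"{name}: {detect_drop_and_execute(trace, purpose) or 'no alert'}")
```

The same installer trace that is suppressed under "host" would be flagged under "document", which is the whole point: the rule does not get smarter, the environment gets narrower, and that is what lets it stay fixed while the definitions everyone else ships keep changing.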
Bottom line … we sympathize with Webroot and their ilk, but fortunately for Bromium customers, we cannot empathize with them since our unique and forward-looking design completely eliminates their problem. So go ahead, click with confidence—we’ll never freeze you out of your legitimate files or applications—and leave false positives behind forever!