The expert shares some valuable insight regarding the threat landscape2012 was a good year for Romania-based security solutions provider Bitdefender. Bitdefender Internet Security has been named the product of the year by AV-Comparatives.
In addition, the product ranked number one in the tests performed by AV-TEST in September and October. AV-TEST has also awarded Bitdefender the “Best Repair” title for 2012.
Given their impressive performance, we’ve asked Viorel Canja, Head of Antimalware and Antispam Labs at Bitdefender, to do an interview with us. Mr. Canja coordinates a team made up of some of the world’s leading virologists.
He also manages engine development and virus research efforts for Bitdefender.
Softpedia: How does it feel to know that all your hard work has been rewarded?
Viorel Canja: The antivirus business is focused on keeping the user safe. If, at the end of the day, you managed to cater to the security needs of 400 million users who depend on our technologies for safeguarding their online experience and businesses, it’s mission accomplished.
Of course, we’re also proud of the international recognition: we managed to put Romania on the map as the country where the world’s best antivirus solution was born and perfected.
Softpedia: Bitdefender is currently in a tight competition with Kaspersky. Do you have any aces up your sleeve to make sure you’ll overrun them in 2013 as well?
Viorel Canja: We’re continuously working to improve our products and we believe the performance test results we scored in 2012 are an indicator of that.
We have invested a lot of effort in improving detection, as well as in the quality assurance and software engineering to ensure our product does not only offer top-notch performance, but is also easy to use and has minimal impact on the system’s resources.
Softpedia: The threat landscape is constantly changing and security solutions must keep up. What areas will you focus on to make sure Bitdefender products can handle any cyber threat? Are there any particular areas in which you feel you could make your products better?
Viorel Canja: At the moment, a huge pool of malware shows up on the Internet every day. Custom packers, server-side obfuscation and do-it-yourself malware creation toolkits allow cyber-criminals to produce code that mutates quickly to evade detection.
Additionally, the number of exploits targeting third-party applications the user may have installed on the PC (like the Java incidents) have also increased considerably. Our immediate goal is to improve existing technologies to mitigate the threat, no matter how new it is.
Softpedia: In the 2012 Summary Report published by AV-Comparatives, the testing company makes some suggestions regarding Internet Security 2013, and even points out that there might be a flaw in the inbound firewall settings. Have these issues been investigated?
Viorel Canja: The feedback we receive from independent testing organizations and customers is of utmost importance to us. We are investigating to see if it can be reproduced or if it only occurs in specific laboratory circumstances.
Softpedia: In their attacks, cybercriminals are turning more and more to legitimate applications. For instance, they’re using WinRar to compress their files before uploading them and they use FTP apps to transfer the loot. Can security solutions identify such threats based on their behavior?
Viorel Canja: It’s not the tool we’re after, but the behavior. To stick to the point of your question, open-source or even highly popular packers are not the issue here, as even the lowest-scoring antivirus products can unpack and scan the archive’s contents.
What is becoming a problem nowadays is that legit applications and code can be instructed to turn against the user. For instance, code that copies files from one location to a removable drive – it’s a benign operation that, in the wrong context, can lead to incidents of the magnitude of Flamer.
Softpedia: There has been a lot of controversy lately regarding antivirus product testing that was based on results from VirusTotal. What do you think about the accuracy of such tests?
Viorel Canja: Product testing based on VirusTotal is definitely wrong. This service has been built with something other than performance comparison in mind.
The engines aggregated into the system are command-line versions of each product and lack some features, while the commercial version of the antivirus is usually optimized for real-life usage so they would perform better in real-life tests. VirusTotal themselves have a Q&A covering the topic here.
Softpedia: Some security researchers have lost faith in today’s antivirus products and their efficiency because malicious attacks rely on new vectors and have become more targeted. In what way will this change the evolution of security products?
Viorel Canja: Targeted attacks are specific to an individual or an organization. Most malicious code is still targeted at consumers, as general-spectrum malware is easier to build and offers immediate financial gains. For regular end-users, the antivirus is the first line of defense.
However, when it comes to highly-targeted – and probably state-sponsored – attacks of the complexity of Stuxnet or Flamer, commercial antivirus solutions should be complemented with advanced layers of defense running at the network perimeter, such as intrusion detection systems and real-time packet analysis appliances.
Softpedia: How efficient are malware signatures today compared to other layers of protection, such as behavioral analysis, heuristics, whitelisting and sandboxing?
Viorel Canja: Classical pattern-matching as the only means of identifying malware has been obsolete for quite a while.
Modern malware writers use advanced obfuscation techniques to render malicious code unrecognizable from one infection to another, making pattern-based detection nearly impossible. Heuristics, sandboxing and behavioral analysis are mandatory technologies to successfully identify brand-new malware.
While whitelisting is the safest way for corporate or mission-critical environments, it is still not enough for consumer purposes.
The future of antivirus solutions, however, is built on an intelligent combination of whitelisting, blacklisting and in-the-cloud interrogation. We’re looking to ensure the perfect balance between protection and usability.
Softpedia: Mobile devices (tablets and phones) are in the crosshair of malware developers, and companies such as Bitdefender have already released apps to counter possible threats. How sophisticated are these kinds of threats at the moment?
Viorel Canja: Mobile malware is following the same path as malware targeting Windows did in the early 2000s. Most of these e-threats are either aggressive adware or premium-rate number dialers that abuse the basic functionality of a smartphone.
Also, while malware written for Windows has a long history, Android threats are relatively new. Presumably, they’re in the experimentation stage, seeking to find out what works best in the wild.
However, the increasingly large number of infected applications, paired with lack of consumer awareness (few users actually know their phone can get infected) compensates for lack of sophistication. One thing that makes mobile malware particularly important is that mobile phones are frequently used as payment mechanisms themselves.
Most smartphone users have the capability to pay for digital goods via premium-rate SMS or by tapping into the associated Google Wallet account. Malware that controls the mobile phone also controls these payment mechanisms.
Softpedia: As the number of computing gadgets keeps growing per household, wouldn’t a solution implemented at network level be a better alternative to software products running on each device?
Viorel Canja: This would mean an appliance that sits behind the router – or even replacing it altogether – that could filter Internet traffic as well. How far are security developers from launching such products for consumers?
Except for the Smart TV set and the home media center, most household devices are mobile and spend little time connected to the home network. We firmly believe that mobile devices such as smartphones, tablets and laptops should be secured individually so they could enjoy protection regardless of the network they may be connected to at a specific time of the day.
We are also experimenting with gateway-based security solutions as we see great potential in the area of securing intelligent devices (smart TVs, media boxes, even intelligent fridges and household appliances) that do not run a fully-fledged operating system or that do not support third-party software installations such as antivirus products.