Beyond AV Protection with Web Filtering

By Patrick Walsh

Companies replace PCs about twice as often as they should need to. A one-year-old PC frequently acts like it’s a five-year-old computer. Even with anti-virus software running and gateway scanning of all e-mail, the culprit is nearly always malware.

Although it’s true that Windows machines tend to “gum up” over time as drivers and software are added, dramatic slowdowns and frequent crashes are often the result of stealthy malware programs that have made it onto the system before the installed anti-virus software was aware of it. This malware will typically try to disable anti-virus software or hide itself in such a way that it can’t be detected or removed. Often the only choice is to reinstall the entire system and start over.

The Attack of the Bots

This is a common problem. One out of four PCs is infected with a form of stealthy malware called a “bot.” The bot software uses a victim computer to direct spam, phishing, and denial-of-service attacks towards other computers at the direction of an underground “bot-herder.” The victim computer’s resources could be, and likely are, being used for illegal activities without the user’s permission or knowledge.

Reinstalling the operating system and all applications might not be so bad, except that the PC could be back in the same position within weeks or months, having to go through the whole process again. That leads us back to prevention, and to why the anti-virus software wasn’t able to keep the computer clean.

The Race is On

The fact is that malware authors test their malware against the major anti-virus software before they release it into the wild so that at the time of release, most major anti-virus companies probably can’t detect the malware. At that point it becomes a race. The anti-virus companies try to get a sample of the malware, make a signature for it, and release the signature as fast as they can, while the malware author tries to infect as many machines as possible before the new anti-virus signatures are deployed. It is inside that time window, anywhere from hours to days, when even protected computers are infected.

Part of the solution lies in layered protection. In addition to anti-virus software, there are other tools in the anti-malware battle that every organization should be using. Most organizations already block executable attachments in e-mail (files that end in extensions such as .exe, for example). This is an important measure and one that has had a dramatic impact on malware distribution. In fact, this configuration is primarily responsible for the dramatic drop-off in malware attachments. As a result, malware authors have resorted to the Web to distribute their malware. In many cases they still send e-mails, but these e-mails now contain links to Web sites instead of attachments. If a user clicks the link, the Web site will try to trick the user’s browser into installing the malware or trick the user into downloading and installing the malware.

Common tricks include messages that say software is required to view a movie or greeting card (or some other medium) and the software should be downloaded. Other tricks include messages that say that the computer is already infected with malware, but the user’s attempt to install software that fixes the problem is the very act that infects the computer.

Effectively combating these lines of attack requires secure Web filtering. Modern browsers (such as the current versions of Firefox and Internet Explorer) are doing more to alert people when they are about to visit a potentially malicious Web site, but they don’t go far enough to block sites that host malware.

Secure Web Filtering: Start at the Source

Secure Web filtering is a new type of technology with many pretenders and only a few real providers. The goal is to identify malware distribution sites and block them quickly and completely. While the malware itself changes frequently and is tested to beat anti-virus software before release, the number of distribution points is far fewer. The eSoft Threat Center, a threat identification source, reports over 6,000 new, never-before-seen malware variants every day, but only 1,000 to 2,000 unique distribution points for that malware on any given day. Most of those distribution points are reused numerous times to deliver several different pieces of malware.

The challenge with secure Web filtering is very much the same as with anti-virus -- the vendor must identify the malware distribution point and deploy updated block lists before any customers visit it. This challenge is compounded by the modern nature of the Web.

Web 2.0

The term Web 2.0 has many meanings, but in essence it captures the move from islands of information controlled and updated by small handfuls of people to sites with unlimited amounts of information constantly modified by thousands or millions of contributors. Think of Facebook, Wikipedia, and YouTube. The content on these sites is being updated constantly without any real moderation or central control. In a Web 2.0 world, sites do not fit into easy, one-category-describes-all models. The content changes constantly, and a Web filtering vendor must revisit the site constantly to update the labeling of new and changed pages, which may have had financial content one day, porn the next, and malware several hours later.

With billions of pages on the Internet, finding a new malware distribution point in a timely manner would be impossible to do by simply crawling the Web. Vendors need feedback loops from customers that allow targeted analysis of pages actually being visited on any given day regardless of whether or not they are linked from another website.

Real-time Updates

Once detected by a vendor, there’s still a window before customers get the update. Most web filters update somewhere between once a day and once a week. In a Web 2.0 world, this leaves customers at risk. Real-time updates are required for secure web filtering and to bridge the gap between malware release and anti-virus signature protection.
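The block-list mechanism described in the two sections above, as an added example that is not part of the original article or of any eSoft product: a small filter that matches URLs against known malware distribution points (a hostname entry also covers its subdomains, and a host/path entry covers a directory on a shared host, which is the reuse pattern the article describes), and that swaps in a fresh feed without restarting, so updates can arrive continuously rather than daily. The feed entries and URLs are constructed for illustration.

```python
"""Minimal secure Web filter: block known malware distribution points.
Added example; feed entries and URLs below are constructed, not real."""
from urllib.parse import urlsplit, unquote
import ipaddress


class DistributionPointFilter:
    def __init__(self, entries):
        self.hosts = set()      # bare hostnames: block host and all subdomains
        self.prefixes = []      # (host, path_prefix): block one area of a shared host
        self.update(entries)

    def update(self, entries):
        """Rebuild the list from a feed and swap it in, in one step, so a
        running filter can take real-time updates without a restart."""
        hosts, prefixes = set(), []
        for raw in entries:
            raw = raw.strip().lower()
            if not raw or raw.startswith("#"):      # blank line or comment
                continue
            host, _, path = raw.partition("/")
            host = host.rstrip(".")
            if path:
                prefixes.append((host, "/" + path))
            else:
                hosts.add(host)
        self.hosts, self.prefixes = hosts, prefixes

    @staticmethod
    def normalize(url):
        """Canonical (host, path): lower-case, no trailing dot, no port,
        percent-decoding undone, IP literals in canonical text form."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").rstrip(".").lower()
        try:
            host = str(ipaddress.ip_address(host))
        except ValueError:
            pass                                    # not an IP literal
        path = unquote(parts.path or "/").lower()
        return host, path

    def is_blocked(self, url):
        host, path = self.normalize(url)
        labels = host.split(".")
        # Walk up the hierarchy: cdn.bad.example matches an entry for bad.example.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.hosts:
                return True
        return any(host == h and path.startswith(p) for h, p in self.prefixes)
```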

Looking Forward

Companies looking to breathe extra life into their fleet of PCs and to keep their network as secure as possible need to review their current security practices to make sure that they use a secure Web filter that is able to quickly detect and block new malware distribution points before users can be tricked into visiting them. Standard security best practices dictate layered security with anti-virus at the gateway as well as on the desktop, plus intrusion prevention, anti-spam, and other elements. Looking forward, in a world where the vast majority of malware is distributed over the Web, secure Web filtering is critical for organizations of any size.

Patrick Walsh is director of product management and marketing at eSoft, a network security vendor of integrated Internet security solutions. You can reach the author at
