Antivirus Software using Reputation Rating Checking

Download ASD Protect: Antivirus Software using Reputation Rating Checking (PDF), January 2018
First published 2017; updated January 2018

Introduction

  1. Organisations are increasingly being targeted by new and complex malware. In order to respond to these cyber threats, antivirus vendors continue to evolve their services.
  2. Historically, antivirus software used the Internet to access antivirus vendors’ servers to download up-to-date information on cyber threats. Modern antivirus software, however, increasingly requires the ability to transmit information back to antivirus vendors to assist with determining whether files are suspicious or malicious.
  3. Antivirus vendors aggregate the information collected from their customers into large databases, which helps keep their threat information as current and accurate as possible. Communicating with these databases not only increases an organisation’s chance of detecting malware, but also contributes to the defence of other organisations.

Transmitting information to antivirus vendors

  1. ASD’s Strategies to Mitigate Cyber Security Incidents encourages the adoption of ‘antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution,’ while the Australian Government Information Security Manual (ISM) advises that ‘antivirus or internet security software should have reputation ratings enabled’.
  2. With reputation rating checking, each file is assigned a reputation rating based on attributes such as its prevalence among the vendor’s customers and whether it carries a valid digital signature. This gives a fast and useful gauge of whether a file is likely to be safe before it is allowed to execute. Organisations that block or otherwise disable the transmission of information to antivirus vendors will not receive the benefit of this functionality.
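The following is an added illustration of the mechanism described above; it is not ASD's code, nor any antivirus vendor's. It models the two halves of a reputation check: the endpoint computes a digest and sends only that digest plus a little metadata (never the file content), and the vendor side rates the file from how many customers have already reported it, how long it has been known, and whether it is signed by a trusted publisher. Every file, database entry, signer name and scoring threshold is constructed for the example and is an assumption, not a description of any real product.

```python
"""Toy reputation-rating check (added illustration, not ASD's or any vendor's code).

Client side: hash a file and transmit only the digest and metadata.
Vendor side: rate the file by prevalence, age and signer.
All files, telemetry, signer names and thresholds are constructed for the example.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files found on an endpoint (not real binaries).
WIDELY_USED = b"MZ\x90\x00 widely deployed admin tool (constructed)"
NICHE_TOOL = b"MZ\x90\x00 niche utility used at a few hundred sites (constructed)"
NEW_UNSIGNED = b"MZ\x90\x00 freshly compiled, never seen before (constructed)"
SENSITIVE_DOC = b"PROTECTED draft budget (constructed) - must not leave the network"

# Constructed vendor telemetry: sha256 -> (distinct customers reporting it, days since first seen).
PREVALENCE_DB = {
    sha256_hex(WIDELY_USED): (48_000, 400),
    sha256_hex(NICHE_TOOL): (500, 45),
    sha256_hex(NEW_UNSIGNED): (1, 0),
}
# Assumed set of publishers whose code-signing certificates the vendor trusts.
TRUSTED_SIGNERS = {"Example Software Pty Ltd"}


@dataclass(frozen=True)
class ReputationQuery:
    """Exactly what the endpoint transmits: digest, size and signer name (if any)."""
    sha256: str
    size: int
    signer: Optional[str]


def build_query(data: bytes, signer: Optional[str]) -> ReputationQuery:
    # Only the digest and metadata leave the host; the content itself stays local.
    return ReputationQuery(sha256=sha256_hex(data), size=len(data), signer=signer)


def query_contains_content(query: ReputationQuery, data: bytes) -> bool:
    """Data-spill check: does the serialised query carry the file's content?"""
    payload = json.dumps(asdict(query), ensure_ascii=False)
    return data.decode("latin-1") in payload


def rate(query: ReputationQuery) -> Tuple[str, int]:
    """Vendor-side rating. The weights and cut-offs are assumptions for illustration."""
    customers, age_days = PREVALENCE_DB.get(query.sha256, (0, 0))
    score = 0
    if customers >= 10_000:
        score += 50          # seen on many customer systems
    elif customers >= 100:
        score += 25          # seen on some customer systems
    if age_days >= 30:
        score += 20          # known for a while without being flagged
    if query.signer in TRUSTED_SIGNERS:
        score += 30          # valid signature from a trusted publisher
    if score >= 70:
        return "trusted", score
    if score >= 30:
        return "unproven", score
    # Rare, new and unsigned is the profile of fresh malware, but also of any
    # unique internal file. Prevalence alone cannot tell them apart, which is
    # why a vendor may want a copy of such a file; see "A word of caution" below.
    return "suspicious", score


if __name__ == "__main__":
    for name, data, signer in [
        ("widely used", WIDELY_USED, "Example Software Pty Ltd"),
        ("niche tool", NICHE_TOOL, None),
        ("new unsigned", NEW_UNSIGNED, None),
        ("sensitive document", SENSITIVE_DOC, None),
    ]:
        q = build_query(data, signer)
        print(name, rate(q), "content in query:", query_contains_content(q, data))
```

Two points are worth noting. First, a hash-only query lets the organisation benefit from prevalence data while keeping file content on its own network; the check in `query_contains_content` is the sort of verification an organisation can apply to its real client's traffic before enabling reputation features. Second, a unique internal document scores exactly like never-before-seen malware under prevalence alone, so any vendor feature that follows up a low rating by uploading a sample is where the data-spill risk lies.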

A word of caution

  1. Organisations need to exercise caution when configuring antivirus software to ensure that any information transmitted to antivirus vendors is not of a sensitive or classified nature, as antivirus vendors are unlikely to be certified to handle such information. Furthermore, antivirus vendors may even share such information with others, expanding the scope of potential data spills (Threat Post: Malware Scanning Services Containers for Sensitive Business Information).
  2. Further, organisations should consider the risks of using antivirus software from foreign vendors, or cloud-based services hosted in foreign countries. Such vendors or cloud service providers may be compelled or legally obligated either to disclose the information they collect from their customers or to assist governments with intelligence activities. Finally, organisations should choose antivirus vendors with a strong track record of securing their own systems and services (The Conversation: As More Vulnerabilities are Discovered, Is It Time to Uninstall Antivirus Software?), especially their source code repositories. This helps protect organisations against the antivirus vendor’s services being compromised by an adversary and used against them (Wired: The Clever DoubleAgent Attack turns Antivirus into Malware).

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
  2. The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.

Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).