Your Antivirus Software Isn’t Set Up Properly. Here’s How to Fix It

Many organizations think that simply having antivirus software puts them in a safe position. But antivirus tools need to be properly set up and configured to be effective.

Here are the most common antivirus misconceptions organizations run into and some best practices to help you avoid them.

Common Misconceptions About Antivirus

A lot of organizations believe antivirus is the be-all, end-all of security. They think, “I have antivirus, it’s up to date, I’m good.” Maybe back in the ‘90s that was a legitimate thought, but times have changed. Solving security problems has become a much more complex issue.

Antivirus Can’t Protect You Against Every Kind of Breach

The most common misconception about antivirus is connected to how organizations believe they’ll be breached. To them, a security breach only happens when someone mistakenly downloads something malicious because they clicked a link in an email. So having antivirus will supposedly stop those potential breach avenues.

Unfortunately, antivirus is only one piece of the security puzzle. Without a variety of other tools that cover other threat vectors, you are left with numerous blind spots, leaving you vulnerable to a number of other threats.

Just because you have antivirus software and it’s up to date, that doesn’t mean you’re protected. You also need to have other types of endpoint detection and response (EDR) tools monitoring your network for unexpected or malicious behavior.

How Does Antivirus Function?

Another type of misconception is about how antivirus functions. Most antivirus tools still work off of signatures. Once malware is seen, security researchers determine a set of criteria that can be used to identify specific malware. Those can be bit strings, handles, mutexes, or other types of information that are embedded.

The problem here is that the antivirus tool has to have seen that particular threat before, and it has to understand that it is actually a threat. Static antivirus works off of DATs (signature definition files). If some human somewhere didn’t decide that it was a threat and didn’t put it in the DAT file, then the antivirus tool won’t know it’s a threat.

More modern antivirus solutions operate via heuristics, so they can determine on their own if something is a threat. For example, let’s say you have a binary sideloading a DLL. There aren’t many great reasons to do that in programming as a practice. The antivirus tool can set up a heuristic and flag any piece of software if it sideloads a DLL.

In that respect, these more modern solutions are better than traditional antivirus because they can catch unknown threats. But even then, the antivirus might not understand what to do with new behaviors it encounters. It may not flag the threat until after it has seen the behavior, or it may not flag it at all.
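To make the difference between the two detection styles concrete, here is an added example (not code from the original article, and not any vendor's engine) of a toy signature scanner beside a single behavioral heuristic. The "DAT" contents, the sample executables, their runtime events and the user-writable directory list are all constructed for the demonstration. The known sample matches a signature; the unknown sample has no signature yet but is still caught because it loads an unsigned DLL from a user-writable directory; the clean program matches neither.

```python
from dataclasses import dataclass, field

# Constructed "DAT" (signature definition) file: detection name -> byte pattern
# a researcher extracted from a previously seen sample. Real DATs hold many
# thousands of such patterns plus hashes, mutex names and similar indicators.
SIGNATURE_DAT = {
    "Toy.Dropper.A": b"TOYDROPPER-MARKER-1",
    "Toy.Nagware.B": b"NAGWARE-POPUP-CORE",
}

# Directories a standard user can write into (assumption for this example).
# A DLL loaded from one of these by a program that lives elsewhere is the
# classic sideloading shape.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Sample:
    """An executable plus the runtime events observed while it ran (constructed)."""
    name: str
    content: bytes
    events: list = field(default_factory=list)


def scan_static(sample: Sample) -> list:
    """Signature scan: only threats already present in the DAT can match."""
    return [name for name, pattern in SIGNATURE_DAT.items() if pattern in sample.content]


def heuristic_dll_sideload(sample: Sample) -> list:
    """Behavioral rule: flag loading an unsigned DLL from a user-writable path.

    Needs no prior knowledge of the sample; it fires on the behavior itself.
    Real engines weigh more context (publisher, prevalence, parent process)
    because some legitimate installers also trip a rule this simple.
    """
    hits = []
    for event in sample.events:
        if event["type"] != "load_library":
            continue
        path = event["path"].lower()
        if path.startswith(USER_WRITABLE_PREFIXES) and not event.get("signed", False):
            hits.append("Heuristic.DllSideload:" + event["path"])
    return hits


def verdict(sample: Sample) -> dict:
    """Combine both detection styles into one result record."""
    signature_hits = scan_static(sample)
    heuristic_hits = heuristic_dll_sideload(sample)
    return {
        "sample": sample.name,
        "signature_hits": signature_hits,
        "heuristic_hits": heuristic_hits,
        "malicious": bool(signature_hits or heuristic_hits),
    }


# Constructed samples for the three cases discussed in the text.
KNOWN_MALWARE = Sample("dropper.exe", b"...TOYDROPPER-MARKER-1...")
UNKNOWN_MALWARE = Sample(
    "updater.exe",
    b"fresh build, no signature exists yet",
    events=[{"type": "load_library",
             "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
             "signed": False}],
)
CLEAN_APP = Sample(
    "notepad.exe",
    b"ordinary program bytes",
    events=[{"type": "load_library",
             "path": "C:\\Windows\\System32\\kernel32.dll",
             "signed": True}],
)

if __name__ == "__main__":
    for sample in (KNOWN_MALWARE, UNKNOWN_MALWARE, CLEAN_APP):
        print(verdict(sample))
```

The point of the pairing is the gap the text describes: `scan_static` can never return anything for `UNKNOWN_MALWARE`, however often the DAT is refreshed, until someone adds a pattern for it, whereas the heuristic catches the behavior on first sight and, as the text warns, can also misjudge behavior it has not been tuned for.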

Antivirus Needs to Update Frequently

One of the most common misconfigurations I see in antivirus is not setting it to update frequently. If you’re not updating your DAT files often enough, then you don’t have the latest signatures. There may be new or zero-day threats that you’re not protected from.

Sometimes, when organizations are trying to do the right thing, they lock down their network and inadvertently lock down the antivirus’s ability to reach through that network and update itself.

Another issue is organizations relegating antivirus updates to traditional software patching cycles. It’s not a great idea to leave antivirus to be updated on that monthly basis. If there are new DATs being released, they’re being released for a reason. It’s important to get those threat updates out as soon as possible.

It’s also important to understand that there’s a difference between updating an antivirus engine (the binary) and updating those signatures or DAT files, although both are important.

Antivirus Should Report to a Centralized Console

In smaller organizations, you can get away with standalone antivirus, but for larger organizations, it’s absolutely imperative that antivirus reports to a centralized console. You need to be able to see and understand the nature of how threats spread within an organization.

For example, if you have a single pane of glass, you can quickly see if one person downloads ransomware before it starts to spread laterally. If you don’t have a centralized view of threats detected and blocked, then you probably aren’t going to know there’s a ransomware incident until calls start rolling into your help desk that systems have been encrypted.

Having that single pane of glass is critical so you can get ahead of lateral movement and react to an incident as quickly as possible.

How Can Misconceptions About Antivirus Affect Your Business?

If you don’t have a solid grasp of what antivirus does, that can create blind spots. In many cases, it creates a false sense of security where you think your systems are covered, but they’re actually quite vulnerable.

Those blind spots can be something relatively minor. If your antivirus is misconfigured, then maybe you’re not pushing the latest DATs. You might get lucky, and an employee only downloads some sort of nagware that generates pop-ups or advertisements. Those are things that can be easily cleaned and have minimal impact on the organization.

More often than not, these blind spots result in a threat actor gaining access to company resources. Inevitably, if you’re not watching something that’s when the bad guys will find it. They’re not running around to check the locks on your front and back door—they’re checking your second-floor windows to see if something is unlocked.

Ultimately, those types of events can be catastrophic. They can result in a data breach or some other public event for your organization.

Cybersecurity isn’t about blocking every threat and canceling every possible risk that’s out there. It’s about managing risk. For the threats you know about, and can afford to cost-effectively block and handle, proactively block those. For the ones you can’t, that’s where things like risk acceptance come in — as well as mitigation and recovery planning, both complex topics for a later article.

Best Practices for Installing Antivirus

Update Your Software

Traditional antivirus tools should be updated as frequently as possible. You should be automatically downloading the most recent DAT files. If a security patch is released, apply it as quickly as possible. If it’s a critical security patch, then get the update no later than a few days after its release.

If it’s a garden variety or functional patch, then you can take more time on those. However, it’s still a good idea to get those ones out at least monthly. Just like any other software updates, follow the critical vulnerability scoring practices—for antivirus, updating monthly meets these guidelines.

Consider Paying for Your Antivirus Software

If you’re using free antivirus, you should strongly consider paying for a tool. Free antivirus solutions tend to run up to 30 days behind on DATs, which presents risk for your organization. You’ll still eventually get the same coverage, but the delay means you’re not as protected as you think you are.

Establish Centralized Antivirus Reporting

If your organization is any larger than a dozen people, you need to be able to report centrally on antivirus incidents. This allows you to understand whether you have an isolated problem or a serious issue that has popped up across your organization.

If you have one dot light up on your board because of a particular threat, it’s not a big deal. But seeing a dozen or more machines light up at the same time—especially if they’re in different divisions—indicates there’s cause for concern and the problem needs to be addressed immediately in order to protect the business.
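The two things a central console has to surface, stale updates (the update section above, including the separate DAT and engine cadences) and a single threat lighting up across divisions (this section), can be shown with one added example. This is not code from the article or from any antivirus console; the endpoint reports, the "current time", the vendor release date and the thresholds (24 hours for DATs, three days for a missed engine release, three hosts in more than one division for a fleet-wide alert) are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "now" and vendor release facts for the example.
NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
LATEST_ENGINE = "5.2.1"
LATEST_ENGINE_RELEASED = NOW - timedelta(days=5)

# Constructed endpoint reports, as a central console would collect them.
ENDPOINTS = [
    {"host": "fin-ws-01", "division": "finance", "engine": "5.2.1",
     "dat_updated": NOW - timedelta(hours=1), "detections": ["Ransom.Toy.X"]},
    {"host": "fin-ws-02", "division": "finance", "engine": "5.2.1",
     "dat_updated": NOW - timedelta(hours=3), "detections": ["Ransom.Toy.X"]},
    {"host": "eng-ws-07", "division": "engineering", "engine": "5.2.1",
     "dat_updated": NOW - timedelta(hours=2), "detections": ["Ransom.Toy.X"]},
    {"host": "hr-ws-03", "division": "hr", "engine": "5.1.9",
     "dat_updated": NOW - timedelta(days=4), "detections": []},
    {"host": "eng-ws-12", "division": "engineering", "engine": "5.2.1",
     "dat_updated": NOW - timedelta(hours=6), "detections": ["Toy.Nagware.B"]},
]


def stale_endpoints(endpoints, now=NOW, max_dat_age=timedelta(hours=24),
                    latest_engine=LATEST_ENGINE,
                    engine_released=LATEST_ENGINE_RELEASED,
                    max_engine_lag=timedelta(days=3)):
    """Flag hosts whose DATs are old or whose engine missed its release window.

    DATs and the engine binary are checked separately because they update on
    different cadences; the thresholds are assumptions for this example.
    """
    problems = []
    for ep in endpoints:
        if now - ep["dat_updated"] > max_dat_age:
            problems.append((ep["host"], "stale DAT"))
        if ep["engine"] != latest_engine and now - engine_released > max_engine_lag:
            problems.append((ep["host"], "engine behind release"))
    return problems


def correlate_detections(endpoints, min_hosts=3):
    """Group detections by threat name to separate one-off hits from a spread.

    A threat seen on min_hosts or more machines across more than one division
    is classed as fleet-wide; min_hosts is an assumption for this example.
    """
    seen = defaultdict(lambda: {"hosts": [], "divisions": set()})
    for ep in endpoints:
        for threat in ep["detections"]:
            seen[threat]["hosts"].append(ep["host"])
            seen[threat]["divisions"].add(ep["division"])
    report = {}
    for threat, info in seen.items():
        spreading = len(info["hosts"]) >= min_hosts and len(info["divisions"]) > 1
        report[threat] = {
            "hosts": sorted(info["hosts"]),
            "divisions": sorted(info["divisions"]),
            "severity": "fleet-wide" if spreading else "isolated",
        }
    return report


if __name__ == "__main__":
    for host, reason in stale_endpoints(ENDPOINTS):
        print(f"{host}: {reason}")
    for threat, info in correlate_detections(ENDPOINTS).items():
        print(f"{threat}: {info['severity']} on {info['hosts']}")
```

Run against the constructed fleet, the report singles out the one HR machine that is both behind on DATs and still on the old engine, and separates the nagware hit on a single engineering workstation from the ransomware detection that has already appeared on three machines in two divisions, which is the pattern that warrants immediate action.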

Antivirus Can’t Get the Job Done Alone

Antivirus is just one tool in your portfolio. It should be paired with a suite of complementary tools, including other enterprise detection and response tools. EDR, network traffic inspection, and even data loss prevention tools search for maliciousness in ways antivirus can’t.

For example, if you’re a US-based business that only works with domestic clients and suppliers, geofencing your network could flag and even block a suspicious incident where one of your machines is trying to access something in another country. An event like that can seriously compromise your business, but antivirus can’t flag it because it doesn’t have that capability.

Use Antivirus with Advanced Quarantining Capabilities

Your antivirus tooling should be able to both quarantine suspicious individual files and quarantine an entire machine from your network. In the case of ransomware, you may not be able to contain individual files rapidly enough. Maybe you don’t know which files have been compromised, or maybe the antivirus isn’t familiar with this specific ransomware variant.

In this scenario, you need to be able to close off that machine from the rest of your network so that the infection doesn’t spread laterally to the rest of your organization. It’s better to unnecessarily quarantine a single machine than to allow ransomware any kind of lateral movement.
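As an added example of the file-versus-machine decision described above (not code from the article or from any antivirus product), the function below picks host isolation whenever a detection looks like ransomware or the engine cannot say which files are involved, and falls back to file quarantine only for a contained hit with a known file list. It also builds the host-firewall policy an isolation needs, rendered as Windows Firewall `netsh advfirewall` commands that are returned as strings rather than executed. The console address and port, the detection records and the name fragments used to recognize ransomware-like detections are assumptions constructed for the demonstration. One caveat the policy encodes: the isolated machine must keep its channel to the management console, otherwise it can neither report progress nor receive the order to release the quarantine.

```python
from dataclasses import dataclass

# Assumed management console endpoint; the isolated host must still reach it.
CONSOLE_IP = "10.0.0.5"
CONSOLE_PORT = 443

# Name fragments treated as ransomware-like (assumption for this example).
RANSOMWARE_HINTS = ("ransom", "crypt", "massfilerewrite")


@dataclass
class Detection:
    host: str
    name: str               # detection name from a signature or a heuristic
    files_identified: bool  # did the engine pin down which files are involved?


def choose_response(det: Detection) -> str:
    """Decide between quarantining files and isolating the whole machine.

    Ransomware-like detections, and any detection where the engine cannot
    enumerate the affected files, isolate the host: a needless isolation costs
    one machine's uptime, while missed lateral movement costs the network.
    """
    name = det.name.lower()
    ransomware_like = any(hint in name for hint in RANSOMWARE_HINTS)
    if ransomware_like or not det.files_identified:
        return "isolate_host"
    return "quarantine_files"


def isolation_policy(console_ip=CONSOLE_IP, console_port=CONSOLE_PORT) -> dict:
    """Default-deny both directions, allowing only the console channel."""
    return {
        "default": "block_all",
        "allow": [
            {"dir": "in", "remote": console_ip, "port": "any"},
            {"dir": "out", "remote": console_ip, "port": console_port},
        ],
    }


def render_netsh(policy: dict) -> list:
    """Render the policy as netsh advfirewall commands (strings, not executed).

    The allow rules are emitted first so the console channel exists before the
    default is switched to block; applying the block first would cut the
    agent off from its console.
    """
    commands = []
    for rule in policy["allow"]:
        cmd = (f'netsh advfirewall firewall add rule name="AV isolation {rule["dir"]}" '
               f'dir={rule["dir"]} action=allow remoteip={rule["remote"]}')
        if rule["port"] != "any":
            cmd += f' protocol=TCP remoteport={rule["port"]}'
        commands.append(cmd)
    if policy["default"] == "block_all":
        commands.append("netsh advfirewall set allprofiles firewallpolicy "
                        "blockinbound,blockoutbound")
    return commands


# Constructed detections illustrating each branch of the decision.
DETECTIONS = [
    Detection("fin-ws-01", "Ransom.Toy.X", files_identified=True),
    Detection("eng-ws-12", "Heuristic.UnknownBehavior", files_identified=False),
    Detection("eng-ws-12", "Toy.Nagware.B", files_identified=True),
]

if __name__ == "__main__":
    for det in DETECTIONS:
        print(det.host, det.name, "->", choose_response(det))
    for cmd in render_netsh(isolation_policy()):
        print(cmd)
```

Releasing the isolation afterwards is the same steps in reverse (restore the previous default policy, then delete the two allow rules), and the decision function should be reviewed whenever the engine's detection naming changes, since the ransomware check here keys off the detection name.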

Leverage Black Kilt’s Experience to Protect Your Business

Black Kilt worked with one particular cost-conscious company that was doing a good job with their antivirus. They had a key individual who was phished for credentials, and a threat actor gained access to their email system. The crooks tried to social engineer their way into finance systems using the compromised email.

Luckily, we caught this attempt early on when the threat actor reached out to us, demanding access to finance accounts. That behavior clearly didn’t match policies and procedures, so we shut it down and cleaned it up without any financial harm or impact to the organization. But we also had discussions with the client about beefing up their security portfolio beyond just antivirus.

Black Kilt will not only help you find the right antivirus solution for your organization’s security portfolio, we’re with you from start to finish. That means purchasing, implementing, and training your organization on your new tools. Most of all, we’re vendor agnostic—we will help you find the solution that best fits your organization’s needs without any agendas or sales pressure.
