Wish-List for Endpoint Anti-Malware Products

Endpoint security products should be unobtrusive by auto-tuning UI complexity based on user proficiency and only interrupting for critical alerts. They should baseline browsing patterns to flag anomalies, safeguard social networking activities, and leverage community intelligence and hardware security features.

The makers of anti-virus and other endpoint security products keep improving their products to keep up with the competitive marketplace and with the threat landscape. As I consider the features I’d like to see in such tools, the following wish list comes to mind. Some tools incorporate a few of these features, but there’s much room for improvement.

Make the product as unobtrusive as possible, balancing the ease of use with the strength of protection. (I wrote about ease of use as a competitive advantage earlier.) Specifically:

If the user needs to be interrupted with a question or an alert, it better be critically-important.
Auto-tune the complexity of the product’s user interfacing by profiling the user’s activities to determine whether he is an expert, a novice or somewhere in-between.
Only show those product user interface elements that the user is likely to need and want to see at a given time.
If the user wants to dig into the details of an alert, provide contextual data that helps the user make a decision.
Use the operating system’s native user interface elements, so that the person doesn’t need to learn new interface metaphors and actions.

Flag anomalous web-browsing activities by automatically building a baseline of the user’s browsing patterns. Use the strength of the deviation from the norm as part of the calculation when identifying malware. Track behavioral characteristics such as:

What content does the user normally view?
What documents and other file types does the user normally download?
What type of websites does the user normally visit?
When does the user normally visit websites of in a given category?

Safeguard the user’s on-line social networking activities, flagging anomalies and providing guidance based on data collected across the large user base. Track behavioral characteristics such as:

With whom does the user usually interact using email, chat and website messaging tools?
What type of content does the user usually send or receive through social networking sites?
What links does the user typically click on when engaged on a social networking site?

Consider incorporating the following technological improvements into the product:

Incorporate community intelligence into the product. (I wrote about how cloud anti-virus works earlier.)
Compile all components of the product using the latest compiler and operating system security technologies, such as DEP and ASLR.
Identify and alert upon the behavior of fake anti-virus tools attempting to install themselves on the protected system.
Use hardware components of the system to watch over the key features of the product outside the operating system (e.g., CPU virtualization support and the TPM chip).

What recommendations would you make to product managers of anti-virus products and other endpoint security tools?

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →