Wish-List for Endpoint Anti-Malware Products

The makers of anti-virus and other endpoint security products keep improving their products to keep up with the competitive marketplace and with the threat landscape. As I consider the features I’d like to see in such tools, the following wish list comes to mind. Some tools incorporate a few of these features, but there’s much room for improvement.

Make the product as unobtrusive as possible, balancing the ease of use with the strength of protection. (I wrote about ease of use as a competitive advantage earlier.) Specifically:

  • If the user needs to be interrupted with a question or an alert, it had better be critically important.
  • Auto-tune the complexity of the product’s user interface by profiling the user’s activities to determine whether the user is an expert, a novice or somewhere in between.
  • Only show those product user interface elements that the user is likely to need and want to see at a given time.
  • If the user wants to dig into the details of an alert, provide contextual data that helps the user make a decision.
  • Use the operating system’s native user interface elements, so that the person doesn’t need to learn new interface metaphors and actions.

Flag anomalous web-browsing activities by automatically building a baseline of the user’s browsing patterns. Use the strength of the deviation from the norm as part of the calculation when identifying malware. Track behavioral characteristics such as:

  • What content does the user normally view?
  • What documents and other file types does the user normally download?
  • What type of websites does the user normally visit?
  • When does the user normally visit websites in a given category?

Safeguard the user’s on-line social networking activities, flagging anomalies and providing guidance based on data collected across the large user base. Track behavioral characteristics such as:

  • With whom does the user usually interact using email, chat and website messaging tools?
  • What type of content does the user usually send or receive through social networking sites?
  • What links does the user typically click on when engaged on a social networking site?
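The two lists above (browsing patterns and social-networking activity) describe the same mechanism: build a baseline of what the user normally does and when, then score how far a new event deviates from it. Below is an added example of that scoring, written for this page and not code from the post or from any product. It uses a constructed, deliberately small set of sample events; the features (site category, downloaded file type, contact messaged), the time-of-day buckets, the additive smoothing and the 4.5-bit threshold are all assumptions chosen for illustration. The score is the surprisal (-log2 p) of the event's value plus the surprisal of its time bucket given that value, so an unfamiliar site at an unfamiliar hour scores higher than either oddity alone.

```python
import math
from collections import Counter

# Constructed sample of a user's "normal" activity: (hour_of_day, feature, value).
# The features mirror the wish list: site category, downloaded file type, and the
# contact the user messaged. These are made-up events, not real telemetry.
BASELINE_EVENTS = [
    (9, "site", "news"), (9, "site", "news"), (10, "site", "work-saas"),
    (11, "site", "work-saas"), (13, "site", "news"), (14, "site", "work-saas"),
    (15, "site", "docs"), (16, "site", "work-saas"), (17, "site", "news"),
    (10, "download", "pdf"), (14, "download", "pdf"), (15, "download", "docx"),
    (9, "contact", "alice"), (11, "contact", "bob"), (12, "contact", "alice"),
    (14, "contact", "alice"), (16, "contact", "bob"),
]

TIME_BUCKETS = ("morning", "afternoon", "evening", "night")


def hour_bucket(hour):
    """Coarse time-of-day bucket so a small baseline is not spread too thin."""
    if 6 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    if 18 <= hour < 23:
        return "evening"
    return "night"


def build_baseline(events):
    """Count how often each (feature, value) and (feature, value, bucket) occurs."""
    totals = Counter()   # feature -> number of events seen for that feature
    values = Counter()   # (feature, value) -> count
    timed = Counter()    # (feature, value, bucket) -> count
    for hour, feature, value in events:
        totals[feature] += 1
        values[(feature, value)] += 1
        timed[(feature, value, hour_bucket(hour))] += 1
    return {"totals": totals, "values": values, "timed": timed}


def surprisal_bits(baseline, event, alpha=1.0):
    """Surprisal of one event under the baseline, in bits.

    Additive (Laplace) smoothing with pseudo-count alpha keeps never-seen values
    finite instead of infinitely surprising. The result answers two questions from
    the post: is this *what* the user normally does, and is it *when* they do it?
    """
    hour, feature, value = event
    n = baseline["totals"][feature]
    # One extra slot reserved for "a value we have never seen for this feature".
    distinct = len({v for (f, v) in baseline["values"] if f == feature}) + 1
    p_value = (baseline["values"][(feature, value)] + alpha) / (n + alpha * distinct)
    seen = baseline["values"][(feature, value)]
    timed = baseline["timed"][(feature, value, hour_bucket(hour))]
    p_time = (timed + alpha) / (seen + alpha * len(TIME_BUCKETS))
    return -math.log2(p_value) - math.log2(p_time)


def flag_anomalies(baseline, events, threshold_bits=4.5):
    """Return (event, bits) for events scoring above the threshold.

    The threshold is an assumption tuned to this tiny baseline; a product with a
    large baseline would calibrate it per user and per feature.
    """
    flagged = []
    for event in events:
        bits = surprisal_bits(baseline, event)
        if bits > threshold_bits:
            flagged.append((event, round(bits, 2)))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    new_events = [
        (10, "site", "news"),            # routine
        (14, "contact", "alice"),        # routine
        (2, "download", "exe"),          # new file type at an odd hour
        (3, "site", "hacking-forum"),    # new site category at night
        (23, "contact", "mallory"),      # new contact at night
        (16, "site", "docs"),            # rare but previously seen
    ]
    for event, bits in flag_anomalies(baseline, new_events):
        print(f"{bits:5.2f} bits  {event}")
```

Only the three never-seen events cross the threshold; the rarely visited "docs" category scores about 4 bits and stays below it, which is the distinction between "rare for this user" and "never done by this user" that a product would want to surface differently.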

Consider incorporating the following technological improvements into the product:

  • Incorporate community intelligence into the product. (I wrote about how cloud anti-virus works earlier.)
  • Compile all components of the product using the latest compiler and operating system security technologies, such as DEP and ASLR.
  • Identify and alert upon the behavior of fake anti-virus tools attempting to install themselves on the protected system.
  • Use hardware components of the system to watch over the key features of the product outside the operating system (e.g., CPU virtualization support and the TPM chip).
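The recommendation to build every component with DEP and ASLR is only as good as the verification step behind it, since a single third-party DLL linked without those flags weakens the whole product. Below is an added example, written for this page and not taken from the post or any vendor's tooling, that reads the PE headers of a Windows binary and reports which mitigation flags are set in the optional header's DllCharacteristics field (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, HIGH_ENTROPY_VA and GUARD_CF as extras). The `synthetic_pe` helper builds a minimal, non-loadable header so the check can run offline on constructed data; the function names and the 64 KiB read size are assumptions of this example.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # ASLR: image can be relocated at load time
NX_COMPAT = 0x0100         # DEP: image is compatible with no-execute pages
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy address space
GUARD_CF = 0x4000          # Control Flow Guard instrumentation present


def pe_mitigations(data):
    """Parse the DOS, COFF and optional headers in `data` and return which
    mitigation flags are set. Raises ValueError if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    if size_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for both
    # PE32 (0x10B) and PE32+ (0x20B): the wider ImageBase in PE32+ is offset by
    # the BaseOfData field that only PE32 has.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & GUARD_CF),
    }


def missing_mitigations(data):
    """List the mitigations a build pipeline should require but this image lacks."""
    m = pe_mitigations(data)
    missing = []
    if not m["aslr"]:
        missing.append("ASLR (DYNAMIC_BASE)")
    if not m["dep"]:
        missing.append("DEP (NX_COMPAT)")
    if m["pe32plus"] and not m["high_entropy_va"]:
        missing.append("HIGH_ENTROPY_VA")
    return missing


def synthetic_pe(dllchars, pe32plus=True):
    """Build a minimal, non-loadable PE header (constructed test data) with the
    given DllCharacteristics so the checker can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path):
    """Report missing mitigations for a real binary; headers sit at the front,
    so the first 64 KiB is enough."""
    with open(path, "rb") as f:
        return missing_mitigations(f.read(64 * 1024))


if __name__ == "__main__":
    hardened = synthetic_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA | GUARD_CF)
    legacy = synthetic_pe(0)
    print("hardened build missing:", missing_mitigations(hardened))
    print("legacy build missing:  ", missing_mitigations(legacy))
```

Run `check_file` over every executable and DLL the installer ships, in the release pipeline rather than by hand, and fail the build when the list is non-empty; the flags are set by the linker (for example Microsoft's `/DYNAMICBASE`, `/NXCOMPAT` and `/HIGHENTROPYVA` options), so a component that fails the check was linked with the wrong options or came from a third party that did not use them.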

What recommendations would you make to product managers of anti-virus products and other endpoint security tools?

Lenny Zeltser


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
