Exclusive Interview: AVAST Software CTO Ondrej Vlcek

On our recent trip to Prague, in the Czech Republic, we had the opportunity to visit the headquarters of AVAST Software, the company developing one of the most popular AV products on the market today - avast! Free Antivirus. While there, we also got to meet the AVAST management team and we jumped at the chance to ask them a few questions about their business plans, the future of their products, as well as current security trends.


We already published the interview we did in Prague with Vincent Steckler, CEO of AVAST Software. However, we also had the chance to speak with Ondrej Vlcek, the company's chief technology officer, who was very forthcoming with answers to our more technical questions.

Due to the lengthy nature of the interview we split it in two for easier reading. This is the first part and deals with the more general questions about security in operating systems, browsers and other popular applications. You can also read the second part, which covers new features in avast! Antivirus.

So, Windows 8 has reportedly reached Milestone 1. Have you had any talks with Microsoft about your future plans on Windows 8?

Ondrej Vlcek: At least twice a year we are in Redmond talking to Microsoft about the new trends and also do some testing of avast! on yet unreleased versions of Windows. We haven't tested on Windows 8 yet, but we're testing on Windows 7 SP1, which is coming soon.

It's in Beta right now.

Ondrej Vlcek: Yes, but normally we'd have access before the public – the public build.

Regarding the architecture of the upcoming Windows, that's also something we keep discussing. Not only us necessarily; other AV companies as well. Twice a year, we meet in Redmond with all the AV companies and discuss the trends and also what changes in the kernel would be appreciated by the security industry.

For example, 64-bit Windows is known for PatchGuard. That's the component that basically prevents direct patching of the kernel. Implementing PatchGuard meant that there are a lot fewer rootkits on 64-bit than on 32-bit. But, at the same time it makes it difficult for the more traditional anti-rootkit and HIPS-type applications to be ported to 64-bit, because they rely on hooking functions and kernel patching. So, right now we are trying to come up with solutions to these problems by having Microsoft implement more functionality that wouldn't disrupt the system and could be used to protect the users.

There have been rumors that Microsoft is considering dropping support for 32-bit entirely. The latest version of Windows Server (Windows Server 2008 R2) is already 64-bit only.

Ondrej Vlcek: I've heard rumors of this for many years. The problem is that Windows' success is entirely driven by compatibility with other software. The biggest problem of Vista and the main reason why it wasn't very successful is that it had issues with lots of hardware and software. So, dropping support for 32-bit altogether is maybe just too early.

If you look even today at 64-bit Windows 7, there's still a lot of stuff that just doesn't work there, like older printers. In most cases it's hardware, but not necessarily; some software doesn't work very well either. And people don't want to get rid of their hardware, even when it's sort of dated.

For example, my dad has a printer, which he bought five years ago. It's called N2500 and it's a perfectly fine printer; it prints nicely. The problem is there's no driver for 64-bit. And I can't tell him to get a new printer, because he's not the type of person who would get new hardware just because there's no driver for it.

So, regarding the end of 32-bit support, I don't think it's happening anytime soon.

What do you think about the security of Windows 7 compared to Vista and XP?

Ondrej Vlcek: The security model in Windows 7 is very similar to how it was in Vista, because the most important parts were implemented in Vista. I see more differences between the 32-bit and 64-bit versions. I do agree with the statement that 64-bit is currently more secure and there are two reasons for this.

One is that there are almost no rootkits for 64-bit. That is very important.

There is a new one with signed drivers. [Stuxnet]

Ondrej Vlcek: Correct. But if you look at the magnitude of the problem on 32- and on 64-bit, it's just incomparable. The other reason is that 64-bit users are still in minority and the bad guys will always focus on the majority.

Generally I think that even though UAC is something that most people hate, from the global point of view it had one significant effect on the whole ecosystem and that is that software vendors finally started digitally signing their code. Because with UAC you get a prompt that looks very different depending on whether the code is signed or not.

Most of the software companies now sign their code and that is very, very helpful for the AV industry as a whole, because it's much easier to whitelist, for example. Before that, there was no easy way to find the origin of files. Now with digital signatures in place it's much easier and much more transparent. This is one of the indirect effects of UAC that we really value and we think it was a great thing.

There's been some recent research from Secunia, which looked into how popular applications implement DEP and ASLR. The conclusion was that very few support both, or support them completely. How do you feel about this?

Ondrej Vlcek: Maybe one of the reasons for this is that implementing these features, especially ASLR, makes it harder to debug. Post-mortem debugging is sort of more difficult. But otherwise, I think it might be an educational problem. Microsoft probably needs to work more closely with its partners.

Force their hand a little bit?

Ondrej Vlcek: Yes. But if you look back, a few years ago the big companies weren't even signing their files. So, having them use this new stuff, like ASLR in Windows 7, would be great, but I think it will take some time.

How do you view the overall security in Windows, compared to Mac or Linux?

Ondrej Vlcek: I think we will be seeing more and more attacks towards Mac. Of course, it's still a minor platform in terms of market share, currently estimated to be between 6% and 7%, compared to something like 92% or 93% for Windows. For attackers it's much easier to focus on 90+%, but that's changing; the market share is growing all the time.

And also as the platform is getting more popular it's quite evident that there are a lot of problems in the security of the Mac OS in general. What I mean is that Apple's approach towards security vulnerabilities is not very fortunate. It somehow reminds me of Microsoft's style from maybe eight, ten years ago.

That's actually reflected in the results of another Secunia research effort regarding vulnerability trends. It showed that at the beginning of 2009 Oracle was leading in terms of number of vulnerabilities recorded per year, however, Apple has since taken over the first position. Meanwhile, Microsoft's place in the top has remained unchanged since 2006 and its yearly stream of vulnerabilities is pretty much constant.

Ondrej Vlcek: I'm not a big fan of the total numbers. I don't think they are very indicative. I mean, I just don't think comparing that Mac had 127 while Windows had 156 is completely fair. You cannot compare the absolute numbers, because the severity of the vulnerabilities can be very different. And even if you somehow manage to count in the severity aspect and look for high criticality, their global impact may be very different as well.

So, the total number isn't that important. But Windows has undergone huge scrutiny from all researchers in the world. During the last years, basically all security researchers focused on Windows and the browsers. Apple and Mac OS were sort of left aside. I think it's really only a matter of time until those people turn their attention towards the minor platforms, or maybe they'll no longer be minor then, and at that point I assume you'll see many more problems on these OSs.

What do you think about security in IE compared to the other browsers?

Ondrej Vlcek: We don't see any meaningful difference in the security of IE8 versus that of the newest Firefox or even Chrome, which has the tab sandboxing. I don't think the Chrome sandbox was really designed as an anti-malware measure. It's more about the stability of the individual tabs – crashing of one tab not injuring the others. It's not really that efficient against malware.

But, in general I'd say that the browsers – all major browsers on the market – are probably the most secure pieces of software that you can ever meet, because they've been scrutinized so many times and there are so many eyes looking at them. They're really quite safe compared to all the other components which are addressable from the browsers, but are not part of them, such as PDF readers, etc., that are usually more problematic.

Yes, but Google is looking into sandboxing plug-ins now. They've already implemented a native PDF reader. They've also worked with Adobe to get a native Flash Player. So, it's a lot less exploitable. Do you think this gives them the upper hand at the moment, as far as browser security goes?

Ondrej Vlcek: It's really appreciated that they do these things. It's very hard to estimate whether it will be effective against malware, but we obviously support all attempts to improve security and find new innovative ways to fight the problem.

What do you think about the plans to introduce sandboxing in Adobe Reader, which is clearly targeted in a lot of attacks and is the source of many problems like drive-by downloads, etc.? Do you think it will solve the majority of the issues? Or do you think it's only a temporary solution and that they should focus on fixing the underlying problems in the software rather than relying on a sandbox?

Ondrej Vlcek: Again, it's difficult to estimate. I don't have a crystal ball. It's a move in the right direction, but I can't comment on the actual implementation. It all depends on how well it is implemented. The idea I think is very good.

It's better than how things are handled now anyway...

Ondrej Vlcek: Absolutely. It's just that I don't think there's a silver bullet. There will always be problems, but any method of mitigation is a move in the right direction.

You mentioned kernel hooking. There's been some recently published research from matousec regarding the kernel hooking performed by host intrusion prevention systems (HIPS) in antivirus products. Their conclusion was that many of these implementations are vulnerable and could enable attackers to bypass such components, which usually serve as a last line of defense. I've spoken with other AV vendors about it and some said their new versions will stop using kernel hooking. Do you plan to remove it from your products as well?

Ondrej Vlcek: None of our core functionality relies on hooks. We do some hooking, but it's not related to the core functionality. Some of it is in the Behavior Shield where we have no other choice. The problem with this test is that what matousec described basically looked like a complete breach of all the antiviruses, but there are much easier ways to do what he did.

What he's trying to do are things like bypassing the self-defense of the antivirus. But, there is no AV that has a self-defense that is completely bulletproof and everyone knows this; also in underground circles, I'm afraid. This is just one of the methods to do it, but a very difficult one actually. It would take a lot of resources and a lot of time. So, why do something complex when there are easier ways to achieve the same thing?

But the practice in general, hooking the kernel: Microsoft is trying to get developers to drop it.

Ondrej Vlcek: Correct. That's something they've been doing for many years. But, the reason for this really is that they've found out that many of the blue screens were directly caused by hooks. And that's because there is just no way to implement them one hundred percent reliably in Windows.

It's really about synchronization issues. At the moment when you install the hook, if someone else does the same thing, the system will crash. And there are also other situations. For example, there's no way to reliably unhook, to remove the hook, because you don't know if someone else is on top of you. That person who is hooked on top of you doesn't know where to jump if you unload.

There are issues like these and I can sort of understand that. But, the AV or security vendors aren't hooking the kernel because it's fun. There are some legitimate reasons for doing this and unless there are some replacement APIs that we could use, there is probably no way we could stop hooking.

But, they're working on offering you alternatives, right?

Ondrej Vlcek: Yes. We work together, but it's a very, very lengthy process. The first draft of these dates from before Vista. So, Vista brought some improvements, Windows 7 added a few more, but generally for HIPS-like solutions or sandbox-like solutions, it's insufficient. We need to continue with that.
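The unhooking hazard Vlcek describes in the first part (two parties hook the same kernel function, and whoever unloads first leaves the other with a stale pointer) is easy to reproduce outside the kernel. The following is an added illustration written for this article; it is not code from the interview, from Microsoft or from avast!. A one-slot function-pointer table stands in for a kernel dispatch table, and two simulated "drivers", A and B, each hook the slot the traditional way: save the pointer found there, write your own, and restore the saved pointer on unload. All names are invented for the simulation.

```c
/*
 * Added illustration (not from the interview): why restoring a saved
 * pointer is not a safe way to unhook a shared dispatch slot.
 *
 * table[0] stands in for one entry of a kernel dispatch table.
 * "Driver A" and "driver B" are simulated hookers; the names and the
 * a_unloaded flag (which stands in for code that has been unmapped)
 * are inventions of this example.
 */
#include <stdio.h>
#include <stdbool.h>

typedef int (*handler_t)(int);

static handler_t table[1];                  /* the shared dispatch slot */
static int orig_calls, a_calls, b_calls;
static bool a_unloaded;                     /* true once "driver A" is gone */

static int original(int x) { orig_calls++; return x + 1; }

/* Driver A: saves whatever is in the slot and installs itself. */
static handler_t a_saved;
static int a_hook(int x) {
    if (a_unloaded) return -1;              /* stands in for a jump into unmapped code */
    a_calls++;
    return a_saved(x);
}
static void a_install(void) { a_saved = table[0]; table[0] = a_hook; }
static void a_remove(void)  { table[0] = a_saved; a_unloaded = true; }

/* Driver B: same pattern, but installed on top of A. */
static handler_t b_saved;
static int b_hook(int x) { b_calls++; return b_saved(x); }
static void b_install(void) { b_saved = table[0]; table[0] = b_hook; }
static void b_remove(void)  { table[0] = b_saved; }

static void reset(void) {
    table[0] = original;
    orig_calls = a_calls = b_calls = 0;
    a_unloaded = false;
}

struct outcome {
    int  b_calls_while_both_hooked;  /* B sees the first call */
    int  b_calls_after_a_removed;    /* unchanged => B was silently bypassed */
    bool slot_points_to_unloaded_a;  /* B restored a pointer into unloaded A */
    int  result_after_both_removed;  /* -1 => the call landed in unloaded code */
};

/* A hooks first, B hooks on top, A unloads first: the order nobody controls. */
struct outcome unload_out_of_order(void) {
    struct outcome o;
    reset();
    a_install();
    b_install();
    table[0](1);                            /* B -> A -> original */
    o.b_calls_while_both_hooked = b_calls;

    a_remove();                             /* A restores what *it* saved: original */
    table[0](1);                            /* B's hook is no longer in the path */
    o.b_calls_after_a_removed = b_calls;

    b_remove();                             /* B restores what *it* saved: a_hook */
    o.slot_points_to_unloaded_a = (table[0] == a_hook);
    o.result_after_both_removed = table[0](1);
    return o;
}

/* Number of distinct hazards observed in the out-of-order scenario (0..3). */
int hazards_when_unloading_out_of_order(void) {
    struct outcome o = unload_out_of_order();
    int n = 0;
    if (o.b_calls_after_a_removed == o.b_calls_while_both_hooked) n++;  /* B bypassed */
    if (o.slot_points_to_unloaded_a) n++;                                /* dangling slot */
    if (o.result_after_both_removed == -1) n++;                          /* call into unloaded code */
    return n;
}

/* Same hooks removed in reverse order of installation: the only safe order. */
bool unload_in_order_restores_original(void) {
    reset();
    a_install();
    b_install();
    b_remove();
    a_remove();
    return table[0] == original && table[0](1) == 2;
}

int main(void) {
    struct outcome o = unload_out_of_order();
    printf("B calls with both hooks installed: %d\n", o.b_calls_while_both_hooked);
    printf("B calls after A unhooked:          %d (B bypassed)\n", o.b_calls_after_a_removed);
    printf("slot points at unloaded A:         %s\n", o.slot_points_to_unloaded_a ? "yes" : "no");
    printf("dispatch after both unhooked:      %d (landed in unloaded code)\n",
           o.result_after_both_removed);
    printf("reverse-order unhook restores original: %s\n",
           unload_in_order_restores_original() ? "yes" : "no");
    return 0;
}
```

Neither driver does anything wrong by its own lights; the failure comes from the protocol itself, because a hooker can only restore the pointer it saw at install time and has no way of knowing whether someone has since hooked on top of it. In a real kernel the last call is a jump into unmapped memory, which is the blue screen Vlcek attributes to hooks; a registered callback API, where the OS owns the list and removal is a supported operation, is what removes the problem.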

Exclusive Interview: AVAST Software CTO Ondrej Vlcek - Part 2

In this second part we ask Mr. Vlcek about upcoming features in avast! Antivirus, as well as other products the company might have in store for us. We hope you'll enjoy reading it.

The new management console in the upcoming avast! Antivirus 5.1 can function both as a Web interface accessible via the browser, as well as a Silverlight-based Rich Internet Application (RIA) running on the desktop. Why have you chosen Silverlight and not some other RIA technology like Adobe AIR or JavaFX?

Ondrej Vlcek: That was a practical decision, because the people that we had here were more experienced in Silverlight. Also the technology was sufficient for us, allowing us to provide what we intended. There wasn't any other specific reason.

So the decision was solely based on expertise.

Ondrej Vlcek: Yes. We had some very good people for .NET, the platform used inside Silverlight. Also we have a very good relationship with Microsoft, so chances of getting good support from them were high.

What kind of a solution do you see for combating black hat search engine optimization (BHSEO)? To warn users in advance that they shouldn't click on certain search results. A blacklist or maybe a real-time thing?

Ondrej Vlcek: Currently we rely on the Web Shield to do the filtering for us. That's scanning in real time, so it doesn't use any static blacklist, which is very good. On the other hand we understand that, for example, giving users hints on search results may be very appreciated. It's a nice feature to have a certain understanding of whether a site can be trusted or not in advance.

We are also looking into a web reputation type of thing. Like a voting platform that would allow our community to decide if a website is malicious or not.

But if, for example, one of your users goes to a website and something on that website triggers a detection from their antivirus, you could use that to inform others in real time that at least for a certain period of time that website shouldn't be trusted.

Ondrej Vlcek: Yes. We can display an exclamation mark next to the search result. That's very likely coming in version 6, together with the voting. It's more about reputation really.

So, something like McAfee SiteAdvisor or similar?

Ondrej Vlcek: Well, McAfee SiteAdvisor is about malware and stuff like that, because they use crawlers.

Ok. So then, more like WOT (Web of Trust)?

Ondrej Vlcek: More like that, yes. I think WOT also tries to market itself as a security solution. For us, the voting will probably be very similar to product ratings on Amazon.com – one to five stars.

It's very subjective, but if you have a sufficient number of votes then it has some value. People are pretty good at understanding whether a given site ripped them off or offered a good experience. Especially for e-commerce sites it's very important.

But you're also considering leveraging what avast! installations report in real time?

Ondrej Vlcek: Yes.

Can you disclose other noteworthy features you plan for version 6?

Ondrej Vlcek: Version 6 will have a lot of cloud infrastructure. I have to say, I hate the word cloud.

So let's say server-assisted.

Ondrej Vlcek: Server-assisted infrastructure. We don't really have a problem with the delivery of updates or definitions. That's what most so called "cloud antiviruses" do. They use the cloud to get rid of the problem of delivering updates to users. We can do this even better than many of the paid vendors.

On the other hand, we understand some of the things that could be done like a dialog between the client and the server.

Like building a signature for a file, then taking it to the server to check in real time if other people have it.

Ondrej Vlcek: Yes. If it's more like a ping pong conversation between the client and the server, then it can have some very good meaning and can bring good value to our users. That's something we are in the process of implementing and we believe that it will substantially improve things.

Increase performance and detection.

Ondrej Vlcek: Yes. Performance we always worry about, because we have a huge user base and people use different Internet connections. Even people who normally use broadband, from time to time when they travel, they have to go with mobile connections.

And in order for an antivirus to be truly unobtrusive, you have to make it so that even with these connections it doesn't slow things down. Obviously we can't upload files on dial-up, because it will take a long time. You have to be very careful about implementing it, so that its all done very transparently and very fast.

Some of the current vendors of so called cloud antiviruses claim that one of the biggest advantages of cloud AVs is that they're lighter than the normal, more traditional products. I don't believe this is the case really. Because you can't really do all the processing in the cloud. You still need to have some logic on the client.

And the other thing is that, even if you have a very good network and geographic spread, the latencies that users will see will probably be much higher than what it normally takes to scan a file using traditional methods. That's one of the main focuses of the project – speed and performance optimization. We definitely want to have avast! 6 at least as fast as version 5 is.

So, cloud technology and website reputation. Those are two features to expect in version 6.

Ondrej Vlcek: Yes.

Compromised legit websites are amongst the primary attack vectors today. We think webmasters would benefit from a system that could alert them if some unauthorized change is made to their website. As a security vendor are you considering providing such a website integrity monitoring service?

Ondrej Vlcek: It's interesting that you ask this, because it's one of the projects we are currently working on. We're still developing it, but it will be ready before the end of this year.

Does it scan in real-time?

Ondrej Vlcek: It will use intelligence from our user base. So, basically when we see any avast! installation triggering an alert on a specific website, we will be able to notify its owner.

What about mobile malware? Are you preparing any solutions for such threats?

Ondrej Vlcek: The situation is actually quite calm for now. I think the main reason for that is that most of the mobile platforms enforce digital signatures on all code. And not only that, but signatures are issued by the phone operator.

The only platform that doesn't do this is Android. It does require digitally signed binaries, but on the other hand it also accepts self-signed certificates so it's easy to sign a package and distribute it.

So yes, we think there is a potential for malware. We're not developing any Android or other mobile anti-malware solution for now, but we want to be ready and we're monitoring the situation.

False positive incidents can affect a lot of people and can leave computers unable to boot. There have been some big cases this year from vendors like BitDefender or McAfee. What are you doing to avoid such issues?

Ondrej Vlcek: We try to fight the false positive problem on many fronts. First there is our quality assurance process, which dictates that all definition updates must first be used to scan our internal clean sets of files - one bigger, one smaller. Before they go out to users the updates need to pass both scans without any incidents.

We also keep a whitelist of digital certificates from software publishers that we trust unconditionally, like Microsoft or Adobe, which we can revoke at any time. Every time a detection is triggered in our user base on any file that is signed by these vendors, the product doesn't take any protective action. It doesn't quarantine it or anything. Instead, it creates a package with information about the file, which gets uploaded to our servers and we get notified to investigate.

We also have a community phone number, that we give out to our evangelists. These are over one hundred people, who are most active in our community and can call and alert us of any major problem. This number should get through to at least seven or eight people here, so even if it's the middle of the night it's very likely that someone will pick up the phone and be able to do something about it. This is like a last line of defense.

Tell us more about how the certificate revoking works, because revoking a certificate doesn't mean the already-signed malware will stop working. It just means the certificate can't be used to sign new malware.

Ondrej Vlcek: We use our own algorithms for digital signature verification. We don't trust Windows' digital signature infrastructure. The reason for this is that it's very easy for malware to hook into this infrastructure.

Imagine you have a computer that already has some piece of malware installed on it. It's actually very easy for the malware to hook the verify-trust type of functions, basically the API for digital signature verification. So, we don't trust this at all. We have our own system for verification, our own certificates that are trusted, root certificates, etc. So if there is a signed rootkit, we can easily block it.
