Security Agent Bloat: A Growing Concern

“Computer viruses are an urban myth.”

Peter Norton, circa 1988

The 1990s

In the 1990s, having a security agent on your computer meant having an antivirus software package installed (or, in many cases, pre-installed). The two most popular solutions at the time were McAfee Antivirus and Symantec Antivirus, because they had worked out licensing deals with most Original Equipment Manufacturers (OEMs) to have their software pre-installed on each system the OEM sold. Most malicious software at the time was benign, such as the Morris worm or the Melissa virus, which seemed to be written more as a proof of concept than to actually cause harm. Most businesses of the era were just starting to adopt computer systems and learn of the potential they could unlock for their workforce and their bottom line.

The 2000s

By the turn of the century, after the DotCom Era Bubble burst, many companies were left picking up the pieces. Attackers, on the other hand, did not slow down. As more money was transacted across the Internet thanks to companies like eBay and Amazon, attackers started to see an opportunity to profit from their nefarious skills. No longer would malicious software be written by highly skilled academics as a proof of concept or unintentionally released by a graduate student to lament his lost girlfriend. It was quickly becoming evident that traditional antivirus software would no longer be adequate. It was time for a new era of security software to step up.

“Hackers are breaking the systems for profit. Before, it was about intellectual curiosity and pursuit of knowledge and thrill, and now hacking is big business.”

Kevin Mitnick

The Mid-2000s

By the mid-2000s, as broadband service providers became ubiquitous across America, Internet commerce began to rise from the ashes of the DotCom Era Bubble and take flight. This also marked the era of spyware and adware. Seemingly overnight, companies such as Gator Corporation created free software to fill in web page forms and help manage financial information like credit card numbers. This software was almost never open-source or made by a community of loving developers. Instead, it was created to collect sites visited, credit card numbers, and other data, all while posing as simple and helpful software. This rise of objectionable software brought us the likes of Spybot Search & Destroy, Malwarebytes Anti-Malware, SUPERAntiSpyware, AdwCleaner, SpywareBlaster, and a whole host of free online scanners as antivirus manufacturers attempted to innovate. But most of these solutions would be uninstalled once the system was cleaned, leaving it highly vulnerable to re-infection. Businesses often operated in the same manner, relying on their trusty fallback of a good antivirus solution. The only real innovations in the antivirus market at the time were real-time (in-memory) scanning, heuristic scanning, and a higher frequency of definition updates.

The 2010s

Around the turn of the decade, Information Security as an industry began to take shape. Many people outside of the industry also began to realize this problem was not going to go away and that we could not create the perfect protection mechanism. Security experts knew this in the 1980s, but it took a while for it to spread as common knowledge.

“Attacks always get better; they never get worse.”

Attributed to NSA by Bruce Schneier

The 2010s quickly escalated things by bringing us nation-state sponsored attacks like Stuxnet, which spread unintentionally; botnets, or zombie computers used collectively for malicious intent; ransomware, which encrypted user data for ransom, further enabled by anonymous payments; file-less malware, which could clean up behind itself; polymorphic malware, which could create a delta of itself with each install, becoming virtually undetectable with traditional scanning techniques; crypto-jacking, or the misuse of computing resources for the purpose of mining cryptocurrencies; and every combination of the threats above.

Along with these new, emerging threats came companies with innovative solutions, such as SentinelOne, CrowdStrike, FireEye, Cylance, Carbon Black, Forcepoint and many, many others. Not only was it becoming important to stop outside threats, it was just as important to stop inside threats. What seemed like overnight, companies began to track file integrity, network traffic, user behavior, database access, and many other aspects of their environments. Being attacked was no longer a question of “if”, but “when”.

All of these solutions required an agent or multiple agents. All of those agents required resources. Each one generally consumed 1-3% of CPU cycles here or 100-200 MB of RAM there. Added together, they began to form a formidable obstruction to productivity.

All of this brings us to today. This is our current state. At the time of this writing, most experts and practitioners believe our best solution is to deploy threat management technologies in layers. This means, if one layer is compromised or vulnerable, there will still be yet another layer of protection. On the endpoint, having multiple solutions leads to one glaring issue: agent bloat.
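The CPU and memory figures quoted above are easy to check on a real endpoint. The PowerShell script below is an added example, not part of the original post: it samples the agent processes on a Windows host over a short window and reports per-process and combined CPU and working-set usage. The process names in $AgentProcessNames are assumptions and must be replaced with the executables of the agents actually deployed.

```powershell
# Added example: quantify "agent bloat" on one Windows host.
# $AgentProcessNames is an assumption; substitute the executables of the agents you run.
$AgentProcessNames = @('MsMpEng', 'NisSrv', 'ExampleAgentSvc')   # placeholder names

function Get-AgentFootprint {
    param(
        [Parameter(Mandatory)] [string[]] $ProcessNames,
        [int] $SampleSeconds = 10
    )

    $procs = Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "None of the listed agent processes are running."
        return
    }

    # CPU percent is derived from the change in TotalProcessorTime over the
    # sample window, normalised to the number of logical processors.
    $startCpu = @{}
    foreach ($p in $procs) { $startCpu[$p.Id] = $p.TotalProcessorTime }
    Start-Sleep -Seconds $SampleSeconds

    $logicalCpus = [Environment]::ProcessorCount
    $rows = foreach ($p in (Get-Process -Id $procs.Id -ErrorAction SilentlyContinue)) {
        if (-not $startCpu.ContainsKey($p.Id)) { continue }
        $cpuSeconds = ($p.TotalProcessorTime - $startCpu[$p.Id]).TotalSeconds
        [pscustomobject]@{
            Process      = $p.ProcessName
            PID          = $p.Id
            CpuPercent   = [math]::Round(100 * $cpuSeconds / ($SampleSeconds * $logicalCpus), 2)
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
        }
    }

    $rows | Format-Table -AutoSize | Out-String | Write-Host

    # The totals are what matter when judging whether the stack as a whole is too heavy.
    [pscustomobject]@{
        AgentCount        = @($rows).Count
        TotalCpuPercent   = [math]::Round(($rows | Measure-Object CpuPercent -Sum).Sum, 2)
        TotalWorkingSetMB = [math]::Round(($rows | Measure-Object WorkingSetMB -Sum).Sum, 1)
    }
}

Get-AgentFootprint -ProcessNames $AgentProcessNames
```

Working set includes shared pages, so the memory total overstates the private cost slightly; the useful comparison is a series of samples taken through the day, including during a scheduled full scan, rather than a single idle reading.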


A Discussion of Solutions

Because businesses are still facing this issue and the Information Security industry has not yet collectively decided on a path forward, companies must face this challenge independently. Since each selection of deployed threat management solutions is driven by different factors such as cost, features, unique business requirements, and threat models, a common solution to agent bloat may yet be out of reach for some time. Still, there are some possible commonalities worth looking at.

Feature Overlap

Due to the nature of each threat management vendor effectively completing a similar task, many times purchased solutions will be deployed with duplicate features enabled. Each feature should be identified for each deployed solution and disabled in sister products if they cause conflicts in a computing environment. The most robust feature should remain enabled in the intended solution and disabled elsewhere.

Scheduled Scans

Many agents scan in real-time, which in itself can be problematic, but they also often perform periodic full scans of the file system. These full scans should never be scheduled at the same time as another product's. Full system scans should be completed outside of business hours, naturally, but also within their own scan window. Scan windows should be maintained meticulously and re-evaluated with the purchase of a new solution or at the time of renewal or upgrade of the current product.

Whitelisting Products

Most vendors maintain a list of files and directories they recommend whitelisting in other threat management solutions. These lists should be followed, maintained, and re-visited often, to ensure the lowest performance impact for a computing environment. If it is not easily found in the provided documentation, ask for it. Customer Support can often provide this documentation.
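The three points above (feature overlap, scan windows, and vendor whitelists) can all be worked through on the Windows Defender side from PowerShell. The script below is an added example and not from the original post; it uses the Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Add-MpPreference) and the ScheduledTasks module. The vendor paths in $VendorExclusions are placeholders standing in for a real vendor's recommended list, and the root/SecurityCenter2 query is only available on client editions of Windows.

```powershell
# Added example: review Defender's real-time protection and scan schedule against
# other agents, then apply a vendor's recommended exclusions. Run elevated.
# The vendor paths below are placeholders, not a real vendor's list.

# --- Feature overlap: is more than one real-time scanner active? ---
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntispywareEnabled
# Antivirus products registered with Windows Security Center (client editions only).
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState

# --- Scheduled scans: give Defender its own window ---
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime, ScanScheduleQuickScanTime

# ScanParameters: 1 = quick scan, 2 = full scan.
# ScanScheduleDay: 0 = every day, 1 = Sunday ... 7 = Saturday, 8 = never.
# Sunday 02:00 is an assumed window outside business hours; pick one no other agent uses.
Set-MpPreference -ScanParameters 2 -ScanScheduleDay 1 -ScanScheduleTime (Get-Date '02:00')

# Other agents often register their scans as scheduled tasks; list the enabled ones
# whose name mentions a scan so their next run can be compared with the window above.
Get-ScheduledTask | Where-Object { $_.TaskName -match 'scan' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{ Task = $_.TaskName; Path = $_.TaskPath; NextRun = $info.NextRunTime }
    } | Sort-Object NextRun

# --- Whitelisting: apply the other vendor's documented exclusions ---
$VendorExclusions = @{
    Paths     = @('C:\Program Files\ExampleVendor\Agent')            # placeholder
    Processes = @('C:\Program Files\ExampleVendor\Agent\agent.exe')  # placeholder
}
Add-MpPreference -ExclusionPath    $VendorExclusions.Paths
Add-MpPreference -ExclusionProcess $VendorExclusions.Processes

# Verify, and keep a dated record to re-check at renewal or upgrade time.
$pref = Get-MpPreference
[pscustomobject]@{
    Recorded         = Get-Date
    ExclusionPath    = $pref.ExclusionPath -join ';'
    ExclusionProcess = $pref.ExclusionProcess -join ';'
} | Export-Csv -Path "$env:ProgramData\agent-exclusions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The reciprocal half of the whitelist (Defender's own paths excluded in the other product) is configured in that product's console. Every exclusion is a blind spot for the scanner, so add only the entries the vendor documents and keep the exported record so the list can be pruned when a product is renewed or replaced.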


While there is still no silver bullet to fix our current predicament, there are still many good steps to take to help cut back on agent bloat. If you find yourself stuck, ask for help. Reach out to Customer Support or your Technical Account Manager to seek out solutions.

In all of our efforts to stay secure, one thing we must keep in mind is to never become a roadblock in the business. Security is not about saying no, it is about making smart decisions to innovate a business and find new ways to stay secure.

“Security should help and enable the business.”

Dr. Eric Cole

New Upcoming Feature in Windows: Controlled Folder Access and More…

This fall, just a few short months from the time of this writing, Microsoft will be releasing a minor update to follow the most recent Windows 10 Creators Update from earlier this year. It will include some new features, including a few that revolve around their built-in Windows Defender suite. With these changes to Windows Defender, Microsoft hopes to make their latest operating system more resistant to ransomware attacks which have become prolific over the last several years.

One of the features coming with the update is called Controlled Folder Access. Microsoft touts the feature as a direct response to ransomware. It will work via a whitelist approach, with Windows Defender only granting certain applications the privilege to access the data of a protected user account; otherwise, the application is not allowed to read, write, or modify any data a user might own such as documents, pictures, or videos.

The default folder list includes Documents, Pictures, Movies, and Desktop and is hard-coded into the feature with no option for removal, but additional folders can be added manually through the Windows Defender Security Center. There will also be an option to add custom software to the whitelist, but Microsoft states that most software should already be pre-whitelisted. If an application is not whitelisted and attempts to alter data within a protected folder, it will be automatically blacklisted and the user will be notified. Although this feature has many benefits, Microsoft will have it disabled by default. It can be enabled in the Windows Defender Security Center under Virus & threat protection settings, as seen below.

[Figure: How to enable Controlled Folder Access in Windows Defender Security Center. Controlled Folder Access settings window, courtesy of Microsoft Blog.]
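Beyond the Security Center window, the same feature can be rolled out in stages from PowerShell, which is how it would be deployed across a fleet. The script below is an added example, not from the Microsoft post: it assumes the Defender cmdlet parameters for Controlled Folder Access (EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications) as shipped in the update described above, and uses placeholder folder and application paths.

```powershell
# Added example: staged rollout of Controlled Folder Access with PowerShell.
# Folder and application paths are placeholders. Run from an elevated prompt on a
# build that ships the feature.

# Current mode as reported by Get-MpPreference: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
(Get-MpPreference).EnableControlledFolderAccess

# Start in audit mode: nothing is blocked, but every access that would have been
# blocked is logged, which reveals line-of-business applications that need to be
# allowed before enforcement is turned on.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# The built-in folders (Documents, Pictures, Desktop, ...) cannot be removed;
# additional ones such as a departmental share can be added.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'   # placeholder

# Allow an application that Microsoft's pre-whitelisted set does not already cover.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\app.exe'  # placeholder

# Review what audit mode observed. Event 1124 = audited (would have been blocked);
# event 1123 = blocked once the feature is enforced.
function Get-CfaEvents {
    param([int] $MaxEvents = 50)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
Get-CfaEvents

# Once the audit log shows only expected activity, switch to enforcement:
# Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the resulting protected folders and allowed applications.
Get-MpPreference | Select-Object ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Audit mode first is the important design choice: an application that is blocked from its own data folder looks like a broken application to the user, and the 1124 events show exactly which executables need to be allowed before that happens.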

Other features coming with the Fall Creators Update include a Cloud Clipboard which will allow copy and pasting between multiple Windows 10 devices; a Timeline feature, which will be similar to the app switcher found on many mobile phone operating systems; Pick Up Where You Left Off, which will be an application synchronization service that developers can use much like the Cloud Clipboard; and OneDrive Files On-Demand, which will allow access to files, even if they are only stored in the cloud and not locally.

Windows 10 is also getting a design language refresh. Microsoft is moving away from the Metro UI to offer a more consistent, depth-enabled interface with lighting and motion effects. It is being likened to Google’s own Material Design. Overall, a welcome change, but one that may be more resource demanding.

Will you be upgrading? What feature do you look forward to most? Leave a comment below!

8 Common Types of Malware

Malware is a common term heard throughout the security industry, but it is also heard a lot outside the industry, because it has become so ubiquitous in the computing landscape. Many users have to deal with it often, in its many different forms, on their personal computers, their computers at work, and more recently, even their smartphones. Malware, commonly defined as “malicious software,” is any software that was developed with nefarious intentions. It can be as harmless as a prank or as serious as a complete takeover of one’s computer. Malware can take many forms, but rest assured, none of them are pleasant.


Virus

A virus is software that is self-replicating and designed to spread from host to host. In the dawn of the computing era, all malicious software was referred to as a virus, but as time has progressed, the term malware has taken its place. A virus will often attach to a host file, replacing it or modifying it, so it can then be transported to another host, almost always by user intervention. Early viruses spread through floppy disks, but then transitioned to Internet downloads, jump drives, and emails. One of the first viruses found in the wild was called Elk Cloner. It spread through floppy disks, and upon being run for the 50th time, would take over the victim's computer and display a short poem dedicated to itself. A less common form of virus is a boot sector virus. This type of virus copies itself to the boot sector of a hard drive or floppy disk, allowing it to load itself into memory before the operating system or typical anti-virus software has a chance to run. This allows the virus to be persistent and much harder to remove.

Adware

Adware, alone, tends to carry the lowest risk of all of the different types of malware. It is often installed with user consent in a bundle with other software. A lot of download sites bundle adware with the free software they offer for download, in order to generate more revenue. On a side note, that is why software should be downloaded from the original author’s website, instead of download sites. The intention behind adware is to monetize software without consent of the original author. A lot of adware injects ads into webpages they do not own or into popular software they did not author. More aggressive adware has also been known to create popups that cannot be closed and generate an overwhelming number of popups with graphic advertisements. It is usually more annoying than harmful, but that does not exempt it from being malware.

Spyware

Spyware, while very similar to adware, is written for the specific purpose of capturing information generated by a user. It can be installed in the same way adware is installed (with consent) or as part of a trojan, which we will discuss later. Some spyware uses a keylogger to steal credentials, or simply captures a user's browsing habits in order to monetize them. While it seems closely related to adware, it takes things a step further by tracking usage habits, capturing keystrokes, and monetizing that information, among other things.

Worm

A worm, much like a virus, is self-replicating and designed to spread from host to host, but does not require user intervention. All that is required to be infected by a worm is to be on the Internet (or local network) and be vulnerable. Worms spread at an exponential rate, because as more systems are infected, they go on to infect more machines themselves. A worm combined with a virus can be even more devastating, because the virus then gains a highly efficient method of transportation that it did not have on its own. A well-known example of a worm was Code Red. It attacked vulnerable IIS web servers back in 2001, spreading across the entire world in less than 24 hours.

Trojan

A trojan, much like the Trojan horse of antiquity, is a piece of software that is deceptive in nature. A trojan is often an executable file that looks legitimate, but is carrying a hidden payload of malware. In other words, trojans are essentially a malware delivery vessel. An example of a trojan is a piece of software for which one would normally pay, being offered for free on a website that is commonly associated with pirated software. Always proceed with caution with any software that seems "too good to be true," and always download software from the original author's website when possible to avoid this type of situation.

Rootkit

A rootkit is one of the more dangerous forms of malware. Most rootkits go undetected, because of the way the malicious software manipulates the underlying file system and presents it to the operating system. Basically, it hides itself. One of the more famous uses of a rootkit was by Sony BMG. When a Sony copy-protected disc was inserted into a computer, a piece of software was automatically installed without user consent and hid itself from the operating system. After much public outcry, Sony released an “uninstaller” that merely un-hid the files, but also installed more software, unbeknownst to the user. These rootkits also introduced vulnerabilities for other malware and eventually led to Sony being hit with multiple class-action lawsuits.

Keylogger

A keylogger, as discussed earlier, logs all keystrokes on a computer. They will often dump all information into a log file which can then be retrieved by an attacker or can be automatically uploaded to a central server that is controlled by an attacker. Some keyloggers are more advanced than others, but they all serve a specific purpose, to log all data input through the keyboard of a computer so an attacker can look for usernames and passwords, credit card information, social security numbers, and other highly valuable information.

Ransomware

Ransomware is by far the most destructive form of malware, and also one of the newest. Ransomware took off around 2013 and has changed the face of malware in a large way. Ransomware, in its many forms, runs in the background encrypting certain file types, and then, when it is complete, displays a warning that all of a user's files are encrypted and holds them for a monetary ransom. That ransom is usually $300 or more, at the time of this writing, per infected machine and is only payable through anonymous payment methods. If remediation is attempted and the malware removed, all files will remain encrypted. Security researchers have discovered decryption methods and keys for some forms of ransomware, but many forms still require payment. When it comes to ransomware, the best defense is prevention and backups.


Although there are many different forms of malware, they all have the same intent: causing issues for users. While malware was more demonstrative and harmless in the beginning, as time has progressed, it has become more destructive and monetized. Malware may be a catch-all phrase in the information technology industry, but now the differences are clear and well defined, and that is important in the information security industry.