Avoiding resource drain from antivirus software

October 17, 2016

Avoiding resource drain from antivirus software

The modus operandi of enterprise antivirus solutions involves watching with an eagle eye in the background, scrutinizing every link you click and file...

The modus operandi of enterprise antivirus solutions involves watching with an eagle eye in the background, scrutinizing every link you click and file you open. This approach satisfies the demands placed on the operating system (OS) due to the inherently unpredictable behavior of your typical desktop or laptop user, but this constant watching comes at a price to you (in the form of a monthly subscription) and to system resources. With processors that eclipse those of yesteryear, the resource drain is proportionally irrelevant these days, but we all remember when processor performance meant commercial antivirus solutions occupied tens of percentage of processor resource. In embedded, we still suffer those same problems as very few x86 embedded solutions are using enterprise performance processors.

With the launch of IoT the industry became distracted from addressing this issue. While it’s certainly true that IoT solutions predominantly manage security in hardware, their highly locked down micro footprint OSs also make this easier at device level. It’s not all plain sailing for IoT though, as the vast infrastructure and interoperability demands are enough to keep those ensuring IoT security up at night on their own. The reality is that while IoT is the future, there are innumerable applications using what are essentially enterprise Windows OSs – many using the embedded variants, others (including a shocking number of ATMs) not – my town still has ATMs running Windows 98!

The half-baked solution historically was shielding that embedded device from the monster that is the World Wide Web, either physically or via firewalls, which today are scarily out of date. These devices have been retrospectively connected and their firewalls only protecting pre-Millennium threats. So what is the solution?

Intel’s 2010 acquisition of McAfee was seen as bad business for many. Today the brand name remains though forming part of Intel Security – which, if you believe recent reports, may be heading towards sale itself. Their latest offering, McAfee Embedded Control, takes an entirely different approach to protecting those embedded devices – maintaining the integrity of your system by only allowing authorized code to run and only authorized changes to be made.

It achieves this by automatically creating a dynamic whitelist of authorized code within the embedded system. Once the whitelist is created, reviewed, and enabled, the system is locked down to that known good baseline, permitting no programs or software code outside the whitelist to be run, and absolutely no unauthorized changes can be made. It enables the “fit and forget” approach the embedded industry demands regardless of how embedded the OS actually is. Critically, as this methodology is merely checking the agreed whitelist prior to allowing code execution, the demand on system resources is magnitudes lower than the commercial antivirus approach of checking every action against a vast database of cataloged threats.

It’s no coincidence that the majority of these low-mid performance x86 embedded systems are powered by none other than Intel’s Atom range. For the first time those systems have protection that’s simple (configure in minutes), small footprint (<20Mb), low cost, and demands near zero system resource overheads. As we know in embedded, security is painted to be at the top of everyone’s list, but when it boils down to it, if it significantly impacts, cost, ease-of-use, or performance, it quickly falls down that list.

Intel Corporation will be exhibiting at electronica 2016 in Munich November 8-11th.

Rory Dear, European Editor/Technical Contributor