According to Bahat, comparative antivirus studies showing 100% efficacy are all lies: the tests are run in a lab environment with every feature turned "on". But with every feature "on", the false-positive rate is too high, so no one actually uses them all, he argues.
"I have a problem with the entire idea of detection, looking at code and deciding if it is good or not. It doesn't matter how good detection is, it is an impossible task. With the evasive techniques they use, hackers have become experts in hide & seek. We just lie to ourselves, pretending that if we can't see the attackers then they are not there."
Bahat again took the WannaCry worm as an example of environment-aware attacks, noting that most antiviruses had at first cautiously isolated the worm in a sandbox, but because it featured a time delay and stayed put for some days, it was then released again. As a response to hackers, Bahat proposes innovative defence scenarios, based mostly on reinforced network isolation and hacker deception.
"We want to keep malicious stuff as contained and far away as possible, we need to assume that everything is bad. You must shut down all direct access to your assets", Bahat said, proposing what he calls "content disarmament & reconstruction" as one solution. "You take out everything that is important, take it apart and reconstruct it entirely with known safe code".
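The "content disarmament & reconstruction" idea can be made concrete with a small script. The following is an added illustration, not Bahat's product or any vendor's code: it parses an untrusted HTML fragment and builds a brand-new document from an allow-list of tags and attributes, so scripts, event handlers and non-http(s) links are never copied through. The allow-list and the sample input are assumptions chosen for the example; a real CDR product applies the same principle to office documents, PDFs and images.

```python
"""Minimal content disarmament & reconstruction (CDR) for HTML fragments.

Added illustration, not Bahat's product or code. The input is never copied
through: it is parsed, and a fresh document is rebuilt from an allow-list of
tags and attributes only. Anything not explicitly known-safe (scripts, event
handlers, javascript: URLs, embedded objects) is simply never rebuilt.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list policy (assumed for this example): tag -> attributes that may be rebuilt.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "ul": set(), "li": set(), "br": set(),
    "a": {"href"},
}
VOID = {"br"}                      # tags that take no closing tag
SAFE_SCHEMES = {"http", "https"}   # link schemes allowed to survive

# Elements whose text content is dropped entirely, not just the tag itself.
DROP_CONTENT = {"script", "style", "object", "embed", "iframe"}


def _safe_href(value):
    """Return the href if it is relative or http(s), otherwise None."""
    value = value.strip()
    scheme = urlsplit(value).scheme.lower()
    if scheme == "" or scheme in SAFE_SCHEMES:
        return value
    return None


class Reconstructor(HTMLParser):
    """Walks the untrusted input and appends only allow-listed output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._suppress = 0  # nesting depth inside DROP_CONTENT elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED:
            return  # unknown tag is not rebuilt; its text content still is
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # e.g. onclick, style, unknown attributes
            if name == "href":
                value = _safe_href(value)
                if value is None:
                    continue  # javascript:, data:, etc. are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress or tag not in ALLOWED or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(escape(data))  # text is re-encoded, never copied raw

    def handle_comment(self, data):
        pass  # comments are never rebuilt


def disarm(html):
    """Parse untrusted HTML and return a freshly built, allow-listed version."""
    r = Reconstructor()
    r.feed(html)
    r.close()
    return "".join(r.out)


# Constructed sample input for the example (not a captured real page).
SAMPLE = ('<p onclick="evil()">Hi <b>there</b><script>steal()</script>'
          '<a href="javascript:alert(1)">x</a> <a href="https://example.org/">ok</a></p>')

if __name__ == "__main__":
    print(disarm(SAMPLE))
```

The design point is that the output is produced only by `self.out.append` of strings the code itself constructs; no byte of the input reaches the output without passing through the allow-list or `escape()`. That is what distinguishes reconstruction from blacklist-style "detection" of bad tags, which Bahat argues is a losing game.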
For web browsing isolation, Bahat suggests that all content be processed by a proxy, which sends the user an interactive HTML5 video stream in real time instead of the real pages. The user doesn't even notice the difference, but the endpoints stay isolated. Once the session is over, all the content, together with the virtual browser, is destroyed.
Deception is Bahat's all-time favourite. "First we confuse the attacker, we fake the environment with simulation, it all starts with an endpoint. Since evasive malware uses environment awareness to detect what antiviruses are there, whether it has been sandboxed or not, what analysis tools are there, why not put debuggers, sandboxes, virtual machines on all endpoints? Why not simulate a thousand guard dogs?