Issues with antivirus software

From Ganfyd

Key points: Catches with Antivirus Software
  • No antivirus software can stay ahead of all the virus writers, so you must also use other protection mechanisms.
  • Spyware is often not detected, and some spyware, such as keylogging and rootkit software, is very dangerous.
  • A free product might be better than a commercial one.
  • Only some commercial products could detect viruses hidden in alternate data streams (ADS) on NTFS, the default file system on Microsoft Windows.

Catches with Antivirus Software

  • Only one commercial virus engine (used in three commercial products) was picking up a group of test trojans circulating in early 2006, and similar issues were reported in 2007. No antivirus vendor, free or otherwise, is perfect, but some are better than others at any point in time.

The following discussion is based on the issues with Microsoft® operating systems and provides background to help understand the limitations of such software. Antivirus software can be regarded as essential for users of Microsoft Windows, but was not included with the operating system (later versions ship with Windows Defender, a product designed to stop certain types of malware). The major issue with antivirus software is that Microsoft operating systems have been much easier to attack than the other current mainstream operating systems. However, all computing systems are susceptible to attack by computer viruses and other malware; if you follow the links on malware you will quickly realise the complexity of the situation. The Unix-based operating systems such as Linux and Mac OS X may be safer, but some of the software types which have caused such recent problems for Microsoft operating systems, such as internet worms and rootkits, first showed how destructive they could be on Unix systems many years ago.


The other issues

  1. There will be a lag time before antivirus software is updated
    • It is likely to take quite a bit of time to recognise and analyse a new virus. Typical lag times of more than 24 hours exist, but viruses have existed in the wild for weeks before being recognised as such. This is because someone has to recognise that they have a virus problem, someone with enough understanding has to identify the problem, and solutions specific to that virus have to be developed. During this period anyone who relies on the antivirus software alone to make their machine safe could be infected.
    • Automatic updating is disabled.
      1. Usually by human interaction
      2. In the relatively early days of the internet vendors did not enable automatic updating by default, and of course only enabled it after product registration.
  2. The software may be disabled.
    • It is typically disabled during the hopefully short period while an update takes place, and doing other things on the computer during even this brief period may mean no protection.
    • by user action
    • by interaction with other software (two virus scanners are never better than one, for this sort of reason)
  3. The antivirus software may interact with other software.
    • Because the low-level hooks necessary for the software to work are often also used by device drivers, spyware-detecting programs and software firewalls, it is possible either to lose protection or to cause computer crashes. Indeed the latter is particularly common.
    • Legitimate software may by coincidence (or otherwise) share common code with a virus, giving a false positive.
  4. The antivirus software has other limitations.
    • The antivirus software may target only a subset of the programs that most users would not want on their computers. The group term for such programs is malware.
      • There is a problem here both of definition and of the abilities of the antivirus software itself. By restricting the detection abilities of antivirus software to just computer viruses the job is made easier for the antivirus software team, and the product may get a high score at detecting viruses. However, if the antivirus software is part of a 'security suite' of programs, it is often in the developer's interest to detect and repair many other types of malware problem using the antivirus software.
    • A potentially important example applies to the NTFS file system used by default in Windows XP (for good reason!). It is possible to hide data from the user because Microsoft designed in the ability to store supplementary data for a file in one or more alternate data streams (ADS) attached to it, addressed as filename:streamname. These streams do not appear in normal directory listings and are not counted in the file size shown by Explorer, and a scanner that reads only the main stream of each file never sees them. Many virus scanners presently cannot detect and remove viruses hidden in alternate data streams. McAfee and Kaspersky seemed to be ADS-capable by September 2005, but like all such areas of software functionality you are advised to research up-to-date information, independent of a manufacturer's claims.
    • The products are not equally good, and a good product this year may be problematical within a few months because of a new type of exploit.

What you can do

  1. Ensure you have a single functioning, automatically updating antivirus product on any Windows computer.
  2. Ensure you have a functioning firewall on any computer connected to the internet.
  3. Minimise use of Windows computers in any networking environment (this includes any computer with internet access) that you have responsibility for.
    • If you have to use Windows, use third-party tools for basic internet (web) and email access.
      • Web access with browsers based on different technology from Internet Explorer (some are based on Internet Explorer) tends to be safer. This situation may well change, as all browsers can have security issues, and a zero-day exploit (one used before the flaw is known to the browser designer or antivirus vendors) might happen with any, especially as popularity increases. Free browsers that most would regard as more secure and likely to be updated more promptly than Internet Explorer include Mozilla Firefox, Safari and Opera.
    • Only enable Windows printer and file sharing behind a hardware firewall (router), and if you have a fall-back dial-out modem always have a software firewall blocking Windows printer and file sharing switched on before connecting to the net.
  4. Configure the computers you use to show 'hidden' files and file extensions by default.
  5. Take warning messages seriously and read them before hitting the <return> or <enter> key.
  6. Remove unnecessary, potentially dangerous functionality.
    • At one extreme, removing all disk drives and network functionality will protect you against all malware that is not already on the computer or able to be introduced by someone with physical access to it.
    • Disabling automatic scripting and macro capability can make any operating system much safer. In the case of Microsoft Windows every auto-run option seems to have been exploited by someone. Most such automatic scripting and macro capability is unnecessary for the home user. The major exception is JavaScript (not Java) on 'trusted' web sites. JavaScript is a fairly safe scripting language, with the weakness that extensions to the standard language allowing dangerous disk or other access will often be made available by software vendors.
  7. Only look at email attachments, CD-ROMs, flash disks etc. and run programs you fully trust. Two extremes that prove this point are that
    • Someone you trust may have their computer infected without knowing it
    • Sony's recent copy-protection problems introduced exploitable rootkit software onto many millions of Windows computers.
  8. If you must play dangerously, as we all do
    1. back up your system (regularly)
    2. and ideally have an entire working, more secure system in reserve. (This is especially recommended for games and for those that expose other server functionality to the net, such as music sharing, blogging software, websites, Windows Media Player or remote system administration.)

The problems in more detail

Humans are imperfect

  1. Someone's morals allow them to write a virus in the first place. Actually this is not that hard to do, in the sense that the code to do the damage some viruses do could be useful in some circumstances. The morals get further confused when you consider that during the cold war the Americans let the Russians steal software with code in it that caused major economic damage (destroyed an oil pipeline). Examples:
    • Criminals
    • Those wishing to demonstrate a technical skill
    • Those wishing to demonstrate proof of concept (there is a natural tendency to want to share the bad news, especially if you have been ignored, which has happened many times)
  2. Someone may let a virus onto a computer by reacting to an invitation even though warnings are generated. Examples:
    • The invitation is very attractive (a classic ploy, often appealing to sex or hierarchical responses)
    • Warnings get boring, and you can also hit the wrong button/key
  3. Computer software (and hardware) has design faults. Examples:
    • Faults that allow software to run without any user interaction. Windows Internet Explorer and Outlook Express have had such faults
    • Poor separation of administration and user privileges (Windows vs Linux)
      • Despite many malware concepts being exploited first on Unix systems, the concept that the installation of any executable software should only be done in a special (password-protected) mode (superuser, root, administrator) has stood the test of time. The reason desktop users of Mac OS X and Linux do not require virus scanners is that, by default, the user's account cannot install software system-wide or modify the operating system without explicitly supplying that password.
      • Interestingly, with Windows systems the limited user mode introduced with XP is often unusable because of legacy software design issues. There are virus scanners that will only update in administrator mode, and on Windows XP you cannot easily enter such a mode temporarily (Windows Vista later added User Account Control for this purpose).
    • Automatic network switch-on
    • Auto-running of programs for installation simplicity
    • Macro languages that allow access to basic disk and low-level communication functions
    • COM/ActiveX model. Microsoft obtains much of its operating system functionality by allowing programs to borrow standard components. The problem is twofold.
      • Because the operating system is a de facto standard, these components are common to a large number of computers and there is wide understanding of how to use them.
      • The security model for these components is inadequate in the real world. Often basic functionality, for example in a corporate environment, involves turning off default warnings, such as for "unsigned" components. Once activated, a component can access all operating system functionality.
    • Weak controls in processor hardware on a program accessing memory outside the range assigned to it. This is an example of a design decision where reliability and security were traded off by chip designers for greater flexibility. The analogy with what has happened with software should be obvious, including that the most popular 'ware was not the best designed of its time.
  4. People alter default settings and then forget to return them to default
    • Enabling scripting in a browser for access to a safe site, and forgetting to turn it back off for your next Google search

How Virus Scanners Work

Mostly by pattern matching (signature scanning). The software analyses (scans) a sequence of bytes for a pattern (signature) that identifies a known virus, a method akin to the detection of biological viruses using PCR to find DNA/RNA sequences unique to the virus.

The pattern scan will usually be set to look first for the parts of the code that allow virus activity. These are also the parts of the code that heuristic scans detect: for example, the code to call an ActiveX object (a component) that allows a certain harmful action will be the same whichever virus contains it, so a heuristic scan will flag it as suspicious even if the virus itself is unknown. Indeed antivirus software may well be updated to detect a known possible exploit before a virus is written to use it.
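As an added example (not code from Ganfyd or from any antivirus vendor), here is a toy Python scanner showing how signature matching with a wildcard byte and a simple string heuristic behave on constructed in-memory samples. The EICAR string is the industry-standard harmless test file; the 'Example.Trojan.A' signature, the sample headers and the heuristic strings are made up for the illustration.

```python
"""Toy signature + heuristic scanner, added here as an illustration.

This is example code, not code from Ganfyd or from any antivirus vendor.
Signatures use a ClamAV-like hex form in which '??' matches any single byte.
Every sample 'file' is an in-memory byte string constructed for the example;
the EICAR string is the industry-standard harmless test file, and the
trojan signature, sample headers and heuristic strings are made up.
"""
import re

# The standard EICAR test string: every working scanner is expected to flag it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical signature database: name -> hex pattern, '??' = wildcard byte.
SIGNATURES = {
    "EICAR-Test-File": EICAR.hex(),
    # Made-up 'MZ' header whose third byte varies between versions of the trojan.
    "Example.Trojan.A": "4d5a??0050450000",
}

# Hypothetical heuristic indicators: strings naming API/scripting features
# that malware commonly uses. A hit means 'suspicious', not a confirmed virus.
HEURISTIC_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory", b"WScript.Shell"]


def compile_signature(hexpat: str):
    """Turn a hex pattern such as '4d5a??00' into a compiled bytes regex."""
    if len(hexpat) % 2:
        raise ValueError("hex pattern needs an even number of digits")
    parts = []
    for i in range(0, len(hexpat), 2):
        chunk = hexpat[i:i + 2]
        parts.append(b"." if chunk == "??" else re.escape(bytes.fromhex(chunk)))
    # DOTALL so the wildcard also matches a newline byte (0x0a).
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> dict:
    """Scan one buffer; return matched signature names and heuristic hits."""
    sigs = [name for name, pat in COMPILED.items() if pat.search(data)]
    heur = [s.decode() for s in HEURISTIC_STRINGS if s in data]
    return {"signatures": sigs, "heuristics": heur}


def verdict(result: dict) -> str:
    """A known signature beats a heuristic; heuristic-only is merely suspicious."""
    if result["signatures"]:
        return "infected"
    if result["heuristics"]:
        return "suspicious"
    return "clean"


# Constructed sample files (not real malware).
SAMPLES = {
    "eicar.com": EICAR,
    # Version 1 of the made-up trojan: the wildcard byte is 0x01.
    "trojan_v1.exe": bytes.fromhex("4d5a010050450000") + b"\x00" * 16,
    # Version 2: only the wildcard byte changed, so the signature still matches.
    "trojan_v2.exe": bytes.fromhex("4d5a020050450000") + b"\x00" * 16,
    # Version 3: a non-wildcard byte changed, so the signature misses and only
    # the heuristic string catches it. This is the gap a signature update has
    # to close, hence the lag time discussed earlier on the page.
    "trojan_v3.exe": bytes.fromhex("4d5a01005045ff00") + b"CreateRemoteThread\x00",
    "benign.txt": b"Just a document. No known pattern in here.",
}


def scan_samples() -> dict:
    """Scan every constructed sample and return {filename: verdict}."""
    return {name: verdict(scan(data)) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = scan(data)
        print(f"{name:14} {verdict(r):10} {r}")
```

Run it directly to see each sample's verdict. Note how trojan_v3 evades the exact signature through a single changed byte and is caught only by the heuristic string: that gap is what signature updates exist to close, and it is why the lag time described above matters. A real scanner also has to read every stream of a file (including NTFS alternate data streams), not just the main one, or the pattern search never sees the hidden bytes.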

Ideally the code should be scanned before it runs on your computer. To do this the antivirus software hooks into the operating system (usually Windows) at a very low level. Typically there will be hooks to examine programs before they are executed and files as they are downloaded from the internet. It is these hooks that can interact with other programs, causing unexpected effects such as crashes.

All scanners will also check your hard disk for viruses already present on it (an on-demand scan).

All usually try to remove detected viruses. Removing a virus from your computer can be challenging, mainly because virus software increasingly does all it can to execute automatically and to replace itself if removed. Generally entries in the registry (the Windows operating system configuration database) and several active and passive components need to be removed, and much expertise is needed to write into the antivirus scanner database ways to do this safely.

Regrettably, matters can be beyond repair, especially if the virus payload has actually been used as a backdoor into your computer. This could mean a lot of malicious software has been installed without your knowledge. The effort to remove rootkits, for example, would defeat all but those with the greatest understanding of the operating system, so do not expect every attempt to remove a virus to succeed. See backing up.

It is often only after people have had to do a total re-install of a Microsoft operating system that they finally start looking for alternatives.

Key points: Catches with Antispyware Software
  • No single spyware detecting and removing product can be recommended.
  • The best basic defence is to ditch Internet Explorer.
  • The best defence is to move to a Unix-based operating system (still not perfect, because of the potential rootkit problem).

Spyware removers

These work in the same general way as antivirus scanners. Some spyware can be detected by some antivirus scanners, but most cannot. As spyware is a major problem for Windows users, separate spyware scanning software is recommended. Presently no single spyware product can be recommended for Windows systems, as experience has shown that at any one time important spyware can be missed by any single product. Many use one or more of the free spyware scanners for this reason. You will tend to have less need for spyware removers with browsers based on different technology from Internet Explorer.