Antivirus Myths Dispelled
In this article we review the main fallacies surrounding the modern antivirus industry and discuss the real abilities and limitations of antivirus software.
Foreword
Antivirus (AV) software is a major constituent of any complete security package, and every security-savvy user should have it on their desktop. AV helps protect against many threats and is an indispensable tool for checking incoming files and email messages against known threats before they are opened.
However, people mistakenly regard AV software as an all-encompassing solution that will forever defend them against every modern security woe. This belief is not even close to reality: antivirus software has serious limitations when used on its own.
Types of threats
Viruses, spyware, Trojans and worms continue to dominate concerns for both home and corporate desktop users. These threats are constantly improving their resistance to security scanners, increasing the damage they do to affected systems and making cleanup harder.
Before releasing their offspring into the wild, hardcore virus writers strenuously check their “wares” against a slate of antivirus and antispyware programs, making sure they are not detected by the most current AV and antispyware signature definitions. This pre-release testing complicates security companies’ detection efforts: by the time a sample is released, the signatures in circulation on that day are already known not to match it.
A multitude of hacker forums and blogs have sprung up to discuss security vulnerabilities and share ways to circumvent virus detection. The antivirus industry is playing a catch-up game with the underground community, which tends to be one step ahead of generally available vulnerability data.
Last year, vendor after vendor sent out an advisory asking users to patch a problem in the scanner itself: a specially crafted archive file could infect the system when the antivirus engine unpacked it during a scan. Strangely enough, the problem kept recurring across vendors over a three-month period, spurring fears of an industry-wide inability to make these products secure and bug-free. The lesson is that a scanner, which parses untrusted files with system privileges, is itself an attack surface and must be patched like any other software.
Attackers are devising more vicious ways to bully victims, conducting online blackmail and racketeering: they send out malicious programs that encrypt the victim’s documents and then demand a fee to decrypt them. Those programs use virus-like methods to infect systems. Disinfecting the system removes the program but does not bring the documents back; they stay encrypted until either the ransom is paid for the key or an antivirus vendor works out how to decrypt them, which makes an up-to-date backup the only dependable defence.
It’s a new and frightening trend that goes one step beyond traditional intimidation schemes.
Reaction to virus epidemics is another acute problem today. It has been estimated that the time gap between a virus launch and the most expeditious vendor response, issuing a signature to detect the new sample, varies from a few hours to several weeks. That is a long time for severe damage to be done, given how quickly a new outbreak propagates.
Zero-day attacks, and attacks that succeed because users neglect timely signature updates, are the main sources of virus pandemics. As long as antivirus software relies largely on signature-driven detection, defence will trail offence by a margin that makes antivirus quite an ineffective tool against new, in-the-wild threats.
System stealthing techniques are also proliferating. These techniques, called rootkits, hide the presence of a file (and hence of a virus) by intercepting system API functions such as directory enumeration and filtering the hidden entries out of the results. Explorer-like programs, and any antivirus scanner that relies on the same API, are thus shown a folder listing that omits the true contents.
Running tasks are manipulated the same way, so a malicious application can cloak its presence in memory and its processes on the computer. The majority of modern antivirus programs have not yet learned to reliably detect and confront rootkits, so most complex malware using such methods will likely go unnoticed.
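A simulation of the API hooking just described, together with the cross-view detection technique that anti-rootkit tools use against it, as an added example that is not part of the original article. It stands in for a real rootkit by replacing os.listdir (the "hooked API") with a filtered version, then finds the hidden file by comparing that view with a second enumeration path, os.scandir, which the simulated hook does not touch. The hidden-name prefix `$hidden_` and the file names are constructed for the demo.

```python
"""Simulated user-mode rootkit hook and a cross-view detector.

Added example, not code from the original article. The "hook" is a filtered
replacement for os.listdir that drops names starting with HIDE_PREFIX; the
detector compares that view with os.scandir, which the hook does not touch.
"""
import os
import tempfile
from pathlib import Path

HIDE_PREFIX = "$hidden_"   # demo choice: names with this prefix are cloaked

_real_listdir = os.listdir  # saved original, like the trampoline a hook keeps


def hooked_listdir(path="."):
    """What the hooked API returns: the real listing minus the cloaked entries."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDE_PREFIX)]


def install_hook():
    os.listdir = hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def cross_view_diff(path):
    """Names that a second enumeration path sees but the hooked API does not."""
    api_view = set(os.listdir(path))                 # resolves to the hook while installed
    raw_view = {entry.name for entry in os.scandir(path)}
    return sorted(raw_view - api_view)


def demo():
    """Create three files, cloak one, and return (what the API shows, what the diff finds)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("report.doc", "$hidden_dropper.exe", "notes.txt"):
            Path(d, name).touch()      # constructed, empty files
        install_hook()
        try:
            visible = sorted(os.listdir(d))
            hidden = cross_view_diff(d)
        finally:
            remove_hook()              # always unhook before leaving
        return visible, hidden


if __name__ == "__main__":
    print(demo())
```

The detector works only because the second path is not hooked. A kernel-mode rootkit that filters results lower down, where both calls end up, makes the two views agree and the diff comes back empty, which is why reliable rootkit detection ultimately needs a view from outside the running system, such as scanning after booting from clean media.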
Detection of malware — where most AV programs stumble
Threat detection remains the main roadblock in challenging modern viruses. Complementary solutions have become necessary because weak behaviour analyzers (the heuristic scans) fail to detect in-the-wild threats, and many programs are ineffectual at unearthing rootkits. Quite often antivirus software that successfully detected the previous version of a virus proves unsuccessful against a subsequent variant that was slightly modified to avert detection: an exact-match signature for the old sample simply no longer matches the new one.
False positives continue to dog the industry. No firm figures are published, but false positives (legitimate objects erroneously identified and treated as malicious) are estimated at more than one percent of total detections, a large quantity when a single accidentally deleted or modified file can cause serious distress.
Not long ago, a story was floating around of a major corporate antivirus program that mistakenly deleted an executable file belonging to a railroad management agency in Japan. The mistake crippled traffic, and it took significant effort to put things right.
Performance issues, though not as critical, seriously affect productivity at work and the experience of home users. It is not uncommon for active antivirus monitoring running in the background to take up as much as 80 percent of total CPU power and a healthy chunk of memory.
You can clearly see this drain when you install a 4 GB-plus software product or play a processor-intensive game with monitoring on: the installation slows to a crawl and the game slows down noticeably.
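An added example (not from the original article) that shows both the evasion described above, where a slightly modified variant slips past the signature that caught its predecessor, and the false-positive problem: a toy scanner run over three constructed, harmless byte strings standing in for an original sample, a lightly modified variant and an encoded variant, plus a legitimate program that happens to contain the same text. It compares an exact file-hash signature, a ClamAV-style hex pattern with `??` single-byte wildcards, and a crude single-byte-XOR heuristic. The samples, the marker text and the key 0x5A are made up for the demo.

```python
"""Toy scanner: hash signature vs. byte-pattern signature vs. XOR heuristic.

Added example, not code from the original article. All samples below are
constructed byte strings, not real malware.
"""
import hashlib
import re

# --- constructed samples -----------------------------------------------------
HEADER = b"MZ\x90\x00\x03\x00\x00\x00"           # fake executable header
MARKER = b"IRC NICK bot42 JOIN #botnet"           # the string a signature would key on
ORIGINAL = HEADER + MARKER + b"\x00" * 8

# Variant 1: the author renames the bot and repacks with a different amount of padding.
VARIANT_RENAMED = HEADER + MARKER.replace(b"bot42", b"bot77") + b"\x00" * 24

# Variant 2: the same string stored XOR-encoded (demo key) and decoded only at run time.
XOR_KEY = 0x5A
VARIANT_ENCODED = HEADER + bytes(b ^ XOR_KEY for b in MARKER) + b"\x00" * 8

# A legitimate IRC client whose usage text contains the same protocol words.
LEGIT_CLIENT = HEADER + b"IRC NICK %s JOIN %s\x00usage: client <nick> <channel>"


def hex_sig_to_regex(sig: str) -> re.Pattern:
    """Compile a ClamAV-style hex signature, where '??' matches any single byte."""
    sig = sig.replace(" ", "")
    parts = []
    for i in range(0, len(sig), 2):
        tok = sig[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# --- the three detection methods ---------------------------------------------
HASH_SIG = hashlib.sha256(ORIGINAL).hexdigest()                    # exact-match signature
PATTERN_SIG = hex_sig_to_regex("49524320 4e49434b 20626f74 ????")  # "IRC NICK bot??"


def hash_match(sample: bytes) -> bool:
    """True only for a byte-for-byte identical file."""
    return hashlib.sha256(sample).hexdigest() == HASH_SIG


def pattern_match(sample: bytes) -> bool:
    """True when the wildcard byte pattern occurs anywhere in the file."""
    return PATTERN_SIG.search(sample) is not None


def xor_heuristic(sample: bytes, needle: bytes = b"IRC NICK"):
    """Try every single-byte XOR key; return the key that reveals the needle, else None."""
    for key in range(256):
        if needle in bytes(b ^ key for b in sample):
            return key
    return None


def scan(sample: bytes) -> dict:
    """Run all three methods and report what each one decided."""
    return {
        "hash": hash_match(sample),
        "pattern": pattern_match(sample),
        "xor_key": xor_heuristic(sample),
    }


if __name__ == "__main__":
    for name in ("ORIGINAL", "VARIANT_RENAMED", "VARIANT_ENCODED", "LEGIT_CLIENT"):
        print(f"{name:16} {scan(globals()[name])}")
```

The hash signature dies at the first changed byte, the wildcard pattern survives the rename but not the encoding, and the XOR heuristic catches the encoded variant while also flagging the harmless client (it finds the marker with key 0). That last result is the false-positive trade-off described above: the looser the detection, the more legitimate files it sweeps up.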
Threat removal and mitigation
After the AV program has detected a virus, the next phase is to wipe it out. This can be quite challenging, as more and more viruses replicate across a system, mutate and download additional hostile pieces from the Internet. One virus or worm can exist in over a hundred locations; several viruses can co-exist and exchange components to resist removal, serving as backup points for each other.
Given the complexity of the problem, it is no wonder that in some cases antivirus software fails to completely eradicate the threat. The task of removing hostile code from an infected file while preserving the file’s original integrity is tricky, and antivirus software often bites off more than it can chew, leaving the program or a component broken or useless.
Unfortunately this damage happens to many users, who see their files corrupted by an unsuccessful attempt by AV software to cure a detected threat; a clean copy from backup is then the only remedy.
Security-tightening recommendations
- Install a firewall to protect your computer against illegitimate or unneeded connections (such as Outpost Firewall Pro, which features additional spyware protection) and to block connections triggered by malware.
- Use several antivirus programs, including free and commercial options (for a free program, try ClamAV or Antivir). Run only one of them as a real-time monitor, since concurrent real-time scanners interfere with each other; the others can still be used for on-demand file checks. Submit suspicious files for the vendor’s evaluation through the forms available on most AV vendors’ sites.
- Don’t open suspicious or unknown files and email attachments.
- Use a backup utility and keep copies of critical files on several different media.
- Don’t work under the Administrator account unless the task requires it (use a restricted user account to browse the Internet).
- Update the system and software with vendor patches.
- Try using an alternative browser such as Opera or Firefox.
Conclusion
For the best protection, antivirus software should be used in conjunction with other security measures and prompt updates to existing software. The best security comes from better knowledge, so stay tuned to our Security Insight newsletter and come back next month for more!
Posted in Security Insight

