Security Choices, Part 2: Anti-Virus Software
This is the second in our series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the series is to provide a balanced overview of currently-available categories of security solution, citing their main uses and capabilities as well as their limitations and drawbacks.
This second article focuses on anti-virus functionality which, along with firewall software, is considered an essential part of computer security. The firewall article is available on our website here.
It’s rare to find a pure antivirus product today – viruses are losing ground to more commercially-motivated malware such as spyware, keyloggers, and information-stealing Trojans. Today, when we talk about anti-virus, we usually mean a security scanner capable of detecting and removing a whole range of malicious programs: viruses, spyware, botnets, Trojans, and more. Some of these ‘combination products’ are more successful than others, so it’s worth understanding the specific capabilities of each element as you consider the type of solution that’s right for you.
So what exactly is anti-virus and how does it work?
Anti-virus is essentially a type of security software that scans your computer for self-propagating malware (usually viruses and worms) and neutralizes them. To achieve this, it uses a number of detection techniques:
- Signature detection
Signature detection is the dominant technique used by anti-virus programs today; it involves analyzing the malware code for known “fingerprints”. To accomplish this, the anti-virus program inspects a file’s content for fragments that match a pattern identified in its database as malicious. If such a pattern is found, the file or file fragment is flagged as infected and is then quarantined, disinfected, or deleted according to the functionality of the individual anti-virus product. The method is based on pure comparison and is a quick, accurate way to identify infections by existing viruses. The downside of this method is that the user must always have an up-to-date virus database to benefit from accurate detection. Additionally, signature detection is not effective in dealing with new or polymorphic (mutating) viruses that obscure their presence by modifying parts of the payload (the damage the virus delivers).
- Heuristics and approximation
As noted above, as threats mutate, traditional detection becomes less effective because it cannot recognize code that has been altered from the original. One way to address this deficiency is heuristic detection, which assesses the likelihood that slightly modified code is a copycat version of an original sample. This is a complex and demanding process, but it is incorporated in most of the more technologically advanced anti-virus products. Because the technique is still immature, heuristics need to be complemented by other types of detection; they are also somewhat error-prone, in that they can yield a high number of false positives (legitimate objects incorrectly identified as malicious).
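As an added illustration (not code from the original article), the following Python script contrasts the two techniques just described: an exact byte-fragment signature match, and a crude heuristic that scores how similar a file is to a known sample. The “known malware” is the EICAR test string, a harmless file that anti-virus products detect by design; the signature fragment, the byte 4-gram Jaccard similarity and the 0.6 threshold are my own choices for the example, not any vendor’s method. A variant with two bytes altered stands in for a mutated virus of the kind the polymorph cryptor section later describes: the signature no longer matches, but the heuristic still flags it, while a benign file scores zero on both.

```python
"""Signature scanning beside a simple similarity heuristic (teaching example).

Assumptions, none of them from the article: the known-bad sample is the EICAR
test string, the signature is one fragment of it, and the heuristic is the
Jaccard similarity of byte 4-gram sets with a 0.6 threshold.
"""
from __future__ import annotations

# The EICAR test file: an industry-standard harmless string that AV products
# detect on purpose. It plays the part of the "known malware" sample here.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: detection name -> byte fragment.
# A real database holds many thousands of such fragments plus metadata.
SIGNATURES = {
    "EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}

# Whole samples kept for the heuristic comparison (constructed database).
KNOWN_SAMPLES = {"EICAR-Test-File": EICAR}
HEURISTIC_THRESHOLD = 0.6  # illustrative; lower catches more, but more false positives


def signature_scan(data: bytes) -> list[str]:
    """Exact matching: return the name of every signature fragment found in data."""
    return [name for name, frag in SIGNATURES.items() if frag in data]


def ngrams(data: bytes, n: int = 4) -> set[bytes]:
    """All overlapping n-byte windows of data, as a set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two files' 4-gram sets, between 0.0 and 1.0."""
    ga, gb = ngrams(a), ngrams(b)
    if not ga or not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


def heuristic_scan(data: bytes) -> list[tuple[str, float]]:
    """Approximate matching: report known samples that data closely resembles."""
    hits = []
    for name, sample in KNOWN_SAMPLES.items():
        score = similarity(data, sample)
        if score >= HEURISTIC_THRESHOLD:
            hits.append((name, round(score, 2)))
    return hits


def scan(data: bytes) -> dict:
    """Run both techniques and return their verdicts side by side."""
    return {"signature": signature_scan(data), "heuristic": heuristic_scan(data)}


def mutated_variant() -> bytes:
    """Constructed stand-in for a mutated virus: two bytes inside the
    signature fragment are changed, so exact matching fails."""
    return EICAR.replace(b"ANTIVIRUS", b"ANT1V1RUS")


if __name__ == "__main__":
    clean = b"hello world, nothing to see here"  # constructed benign file
    for label, blob in [("original", EICAR), ("variant", mutated_variant()), ("clean", clean)]:
        print(label, scan(blob))
```

The variant still shares most of its 4-grams with the original, so its similarity stays well above the threshold even though the exact fragment is gone. The trade-off the article mentions is visible in the threshold constant: lowering it catches more distant variants at the cost of flagging benign files that merely resemble a sample.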
- Virtualized simulation
This is a promising new approach that has potential to aid detection of new and unknown viruses. Instead of running a traditional signature scanner on a suspect file, virtualization creates a safe temporary environment in which to execute the file and examine it more closely. Because the environment is isolated from the rest of the PC, a possibly infected file can be run without endangering the security of the host PC – the virtualized operation cannot affect real user data. After the file has been started in this virtualized state and its payload activated, the techniques it uses to hide itself (we’ll briefly describe these later in the document) will no longer apply, because the code runs “in the clear” in memory. This means that the file’s internal workings are visible to the anti-virus software and can be scanned using traditional signature analysis. Due to its relative newness and complexity, virtualization is still in its infancy as a virus scanning technique, and is not widely available yet in anti-virus software designed for personal use. Virtualization works hand-in-hand with complementary technologies such as behavior blocking and sandboxing technologies, which we’ll discuss in detail in Part 3 of this series.
What happens once a virus has been detected?
After a malicious sample has been identified, it needs to be treated accordingly. If a normal, legitimate file has been infected by a virus that modified its contents, the malicious section of that file needs to be mapped and wiped out and the original content reinstated so that the file can be safely used again. Examples of this process might include an executable (*.exe) file or a software driver component (*.sys) file that has been damaged as a result of an attack being restored to its original state. This restoration process is quite complex, and is only handled effectively by a few commercial anti-virus products. Moreover, each type of virus infection requires a different treatment approach: a file infected by virus A can only be repaired by an anti-virus product that knows exactly what virus A does and how it operates, in order to undo the damage it causes. Providing this level of protection requires a skilled team of virus analysts to reverse-engineer each virus, understand what it does, and then carefully construct the repair process. Even if you have a proactive security solution that blocks unknown files from entering your PC, it’s still a good idea to ensure that you back up all your valuable programs and data on a regular basis in case you encounter a new virus for which no repair process yet exists.
Fortunately, viruses that insert infections into existing files happen very infrequently these days. Most often, infective malware comes in the form of a standalone program; in these cases, the program can simply be removed from the system in its entirety. These standalone malware programs serve no other purpose than to infect, steal, destroy or hijack – quite different from the infected legitimate files described earlier.
As soon as a malicious program is found, it is either automatically deleted or moved to a special quarantine folder to ensure it can no longer activate as originally intended. Users can view a list of quarantined objects at any time and choose whether to delete them permanently or restore any of the files to their original location if it is certain that the file is in fact not malicious. False positives do occur, and sometimes it’s advisable to temporarily store suspect files in a special secure location (quarantine) while more detailed analysis can be undertaken. A recent example of this was when an antivirus vendor mistakenly deleted a valid Windows file from users’ hard drives and then had to restore the file when the mistake was discovered.
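As an added example of the quarantine behaviour just described (my own code, not the article’s or any product’s), the Python class below moves a detected file into a quarantine folder, records where it came from and what it was detected as, lists what is held, and can either restore a false positive to its original location or purge it for good. The storage format is an assumption for the example: copies are XOR-masked with a fixed byte so they cannot run if opened by accident, and an index.json file keeps the metadata. Real products use their own formats, but the same three operations (isolate, restore, purge) are what the user sees.

```python
"""Added example: a minimal quarantine store of the kind the article describes.

Assumptions of this example (mine, not the article's): quarantined copies are
stored XOR-masked with a fixed byte so that they cannot run if opened by
accident, and an index.json file records where each one came from so a false
positive can be restored to its original location.
"""
import hashlib
import json
import shutil
import tempfile
import uuid
from pathlib import Path

MASK = 0xA5  # fixed mask byte: makes the stored copy inert; this is not secrecy


def _mask(data: bytes) -> bytes:
    """XOR every byte with MASK; applying it twice returns the original."""
    return bytes(b ^ MASK for b in data)


class Quarantine:
    def __init__(self, root) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.index = self.root / "index.json"
        self.entries = json.loads(self.index.read_text()) if self.index.exists() else {}

    def _save(self) -> None:
        self.index.write_text(json.dumps(self.entries, indent=2))

    def isolate(self, path, detection: str) -> str:
        """Move a detected file into quarantine; returns its quarantine id."""
        src = Path(path)
        data = src.read_bytes()
        sha = hashlib.sha256(data).hexdigest()
        qid = f"{sha[:12]}-{uuid.uuid4().hex[:8]}"
        (self.root / f"{qid}.quar").write_bytes(_mask(data))
        self.entries[qid] = {
            "original_path": str(src.resolve()),
            "sha256": sha,
            "detection": detection,
            "size": len(data),
        }
        self._save()
        src.unlink()  # delete the original only after the stored copy exists
        return qid

    def list(self) -> dict:
        """What the user sees in the quarantine view: id -> metadata."""
        return dict(self.entries)

    def restore(self, qid: str) -> Path:
        """Put a false positive back where it came from, verifying its hash first."""
        meta = self.entries[qid]
        data = _mask((self.root / f"{qid}.quar").read_bytes())
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            raise ValueError("quarantined copy is corrupt; refusing to restore")
        dest = Path(meta["original_path"])
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        self._forget(qid)
        return dest

    def purge(self, qid: str) -> None:
        """Permanently delete a quarantined object."""
        self._forget(qid)

    def _forget(self, qid: str) -> None:
        (self.root / f"{qid}.quar").unlink(missing_ok=True)
        del self.entries[qid]
        self._save()


# Constructed bytes standing in for a detected program; not a real executable.
SAMPLE = b"MZ\x90\x00constructed bytes standing in for a detected program"


def demo() -> dict:
    """Run one isolate / list / restore / purge cycle in a scratch directory."""
    work = Path(tempfile.mkdtemp())
    try:
        suspect = work / "downloads" / "invoice.exe"  # constructed path
        suspect.parent.mkdir()
        suspect.write_bytes(SAMPLE)
        q = Quarantine(work / "quarantine")

        qid = q.isolate(suspect, "Example.TestDetection")  # constructed name
        stored = (work / "quarantine" / f"{qid}.quar").read_bytes()
        result = {
            "removed_from_origin": not suspect.exists(),
            "stored_copy_inert": not stored.startswith(b"MZ"),
            "listed": qid in q.list(),
        }
        restored = q.restore(qid)  # treat it as a false positive
        result["restored_intact"] = restored.read_bytes() == SAMPLE
        result["index_empty_after_restore"] = q.list() == {}

        qid2 = q.isolate(suspect, "Example.TestDetection")
        q.purge(qid2)  # this time delete it permanently
        result["purged"] = (not (work / "quarantine" / f"{qid2}.quar").exists()
                            and qid2 not in q.list())
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two details matter for the false-positive case the article mentions: the original is deleted only after the masked copy has been written, so a crash mid-operation never loses the file, and restore refuses to write anything back whose hash no longer matches the record taken at isolation time.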
Dealing with the consequences of a virus infection is another challenge for anti-virus programs. After a malicious program has been successfully removed from a computer, it might have left traces behind it. These “scars” may cause system-wide inconsistencies or filesystem errors (modified registry entries, networking stack changes, or altered browser settings) which can affect performance or render some Windows functions inoperable. In this case, it is essential to have a ‘Plan B’ approach to protecting sensitive data, using proactive security and/or frequent backups.
There are a number of techniques that viruses employ to make the task of anti-virus software much harder; most use a variety of approaches to hide their presence and thus evade detection:
- Packers – a way to compress executable code using a special algorithm not known to the antivirus, so that the anti-virus software cannot uncompress the file and analyze the malware code in its raw form.
- Polymorphic cryptors – similar to the above, the original executable is encrypted with variable keys so that the file’s byte pattern (its signature) is different every time. This technique defeats any pure signature-based approach.
- Rootkits – a seemingly-innocent masking device to hide the presence of malware on a system.
Where anti-virus looks
To be optimally reliable, an anti-virus solution must examine all of the following locations/processes on a PC:
- Email. Almost all anti-virus solutions can scan incoming and outgoing email for malicious content and automatically remove it.
- Web traffic. Every item of data that you send and receive over the Internet should be scanned and verified for legitimacy. Web exploits – malicious code automatically loaded onto the system if you access an infected site using an unpatched browser – may also be analyzed and blocked by the more advanced anti-virus products.
- System configuration. This includes registry, start-up entries, drivers and services, network infrastructure data, browser add-ons, and other internal locations.
- Active processes. This includes all currently-active programs and other executable modules – everything that resides in the computer’s memory.
- Local file system. This refers to your PC’s files, folders and hard drives, including data that may be stored in alternate streams of the NTFS file system.
- Removable storage. This covers optical drives, flash thumb drives, and other digital gadgets with memory modules that can be plugged into a USB port, such as smart phones and iPods.
- Remote storage. This includes shared LAN folders, backup facilities, and web-based backup locations.
When anti-virus activates
The primary task of any anti-virus solution is to detect malware and prevent it from spreading infection by removing it before it can attack legitimate files. Anti-virus solutions generally offer three approaches to virus detection and removal:
- Real-time monitoring. This means that the anti-virus software watches the PC’s current activity and automatically blocks known malicious operations.
- On-demand scanning. This means that the anti-virus software scans the PC’s contents for malicious files when you tell it to do so.
- On-schedule scanning. You can set up a schedule for future scans to occur at a specified time and date, or in the event of some particular situation, such as the computer being left idle for a prolonged period of time.
What anti-virus can do:
- Check your PC’s contents for known or identifiable threats and remove or disable them
- Check individual files, such as those recently downloaded from the Internet, to see if they are clean
- Repair an already-infected legitimate file
- Prevent identifiable viruses from spreading
What anti-virus cannot do:
- Detect or remove threats that cannot be identified either by signature or heuristics
- Block network intrusions and the theft of personal data as a result of an attack by unknown malware
Potential drawbacks of anti-virus:
- Unknown threats cannot be stopped
- Reactive approach means delayed response to countering a virus
- Interoperability or stability issues can arise if more than one anti-virus program is running on a single machine.
While this has been a brief overview/refresher on what anti-virus software can and cannot do, it’s clear that anti-virus is a must-have element in any computer security product portfolio. Our next article will address the strengths and weaknesses of complementary technologies like sandboxing and behavior blocking, but if you have any questions in the meantime, please don’t hesitate to ask them now in the Security Teacher comments space.
Posted in Security Insight