Internet Security Tips and Advice

Security Choices, Part 2: Anti-Virus Software

February 13th, 2008 by Igor Pankov

Introduction

This is the second in our series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the series is to provide a balanced overview of currently-available categories of security solution, citing their main uses and capabilities as well as their limitations and drawbacks.

This second article focuses on anti-virus functionality which, along with firewall software, is considered an essential part of computer security. The firewall article is available on our website here.

Essentials

It’s rare to find a pure antivirus product today: classic viruses are losing ground to commercially-motivated malware such as spyware, keyloggers and information-stealing Trojans. When we talk about anti-virus now, we usually mean a security scanner that can detect and remove a whole range of malicious programs: viruses, worms, spyware, bot agents, Trojans and more. Some of these ‘combination products’ are more successful than others, so it is worth understanding what each detection element can and cannot do as you consider the type of solution that’s right for you.

So what exactly is anti-virus and how does it work?

Anti-virus is essentially security software that scans your computer for malicious code (historically self-propagating viruses and worms, today malware of every kind) and neutralizes it. To do this it uses several detection techniques:

  • Signature detection

    Signature detection is still the dominant technique in anti-virus products. The vendor’s analysts extract a distinctive byte sequence (a “fingerprint”, often with wildcards for the bytes that vary between copies) or a cryptographic hash from each known sample and ship it in the signature database. The scanner then compares the contents of every inspected file against that database; if a pattern matches, the file is flagged as infected and is quarantined, disinfected or deleted according to the functionality of the individual product. Because the method is pure comparison it is fast and, for samples that are already known, very accurate with few false positives. Its downside is that it is entirely reactive: the user must keep the database up to date, and a threat cannot be detected before a sample has been analysed and its signature distributed. Signature detection is also weak against polymorphic (mutating) viruses, which re-encrypt their body with a different key on every infection and vary the small decryption routine as well, so that no fixed byte sequence appears in every copy. The payload (the damage the virus actually does) is unchanged; only its encoding on disk varies.

  • Heuristics and approximation

    As noted above, when threats mutate, signature detection fails because it cannot recognise that the altered code is still the same malware. One way to address this deficiency is heuristic detection: instead of looking for an exact pattern, the scanner looks for properties that malware tends to have and legitimate software usually does not (suspicious instruction sequences, unusual file structure, a compressed or encrypted body, calls to APIs used for code injection or self-replication) and assigns a score; above a threshold the file is reported as suspicious or as a probable variant of a known family. This is complex and computationally demanding, but most of the more technologically advanced products include it. Heuristics still need to be complemented by other kinds of detection, and the approach is inherently error-prone: the looser the threshold, the more false positives (legitimate objects incorrectly identified as malicious), so tuning it means trading coverage of unknown variants against false alarms.

  • Virtualized simulation

    This is a promising approach for detecting new and unknown viruses. Instead of only running a static signature scan over a suspect file, the scanner executes the file in an emulator or isolated temporary environment (a sandbox) and watches what it does. Because that environment is isolated from the rest of the PC, a possibly infected file can be run without endangering the host: its writes never reach real user data. Once the file has started and its unpacking or decryption routine has run, the tricks it uses to hide itself on disk (we describe them briefly later in the document) no longer apply, because the real code now sits “in the clear” in the emulated memory, where it can be scanned with ordinary signature analysis. Two caveats apply. Emulation is slow relative to a static scan, so products bound the number of instructions they will execute, and a sample that does nothing interesting within that budget (for example, one that sleeps first) may slip through. Malware can also try to detect that it is being emulated (unsupported APIs, timing, missing hardware) and behave innocently until it reaches a real machine. Because of its complexity, virtualization is still in its infancy as a scanning technique and is not yet widely available in products designed for personal use. It works hand-in-hand with complementary technologies such as behavior blocking and sandboxing, which we’ll discuss in detail in Part 3 of this series.
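To make the first two techniques concrete, here is a toy scanner written for this article as an added illustration (it is not code from the original page or from any real product). Signatures are written in the common “hex bytes with ?? wildcards” style; the only real signature is the EICAR test string, which scanners detect by agreement, while the “Demo.Family.A” pattern, the suspicious-API list, the entropy threshold and the scoring are assumptions made for the example. The last sample shows the false-positive side of heuristics: a legitimate tool that happens to embed compressed data and an injection API scores exactly like a packed dropper.

```python
"""Toy signature scanner with a heuristic fallback (added illustration)."""
import math
import re

# Standard anti-virus test string; harmless, detected by every real scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical signature database: name -> hex pattern, '??' matches any byte.
SIGNATURES = {
    "EICAR-Test-File": EICAR.hex(),
    # Constructed family signature: fixed prologue, one variable byte, fixed tail.
    "Demo.Family.A": "deadbeef??cafe",
}


def compile_signature(hexpat: str) -> re.Pattern:
    """Turn 'deadbeef??cafe' into a bytes regex; '??' becomes 'any one byte'."""
    if len(hexpat) % 2:
        raise ValueError("hex pattern must have an even number of digits")
    pairs = [hexpat[i:i + 2] for i in range(0, len(hexpat), 2)]
    parts = [b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in pairs]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def signature_scan(data: bytes) -> list:
    """Names of every signature found anywhere in the file (pure comparison)."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted, plain code is far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Assumed list of API names that injection-style malware tends to import.
SUSPICIOUS_APIS = (b"CreateRemoteThread", b"WriteProcessMemory", b"SetWindowsHookEx")


def heuristic_score(data: bytes) -> int:
    """Crude risk score: a high-entropy body counts 2, each suspicious API 1.
    The 7.0-bit threshold and the weights are assumptions for the example."""
    score = 0
    if len(data) > 64 and shannon_entropy(data) > 7.0:
        score += 2
    score += sum(1 for api in SUSPICIOUS_APIS if api in data)
    return score


def verdict(data: bytes, heuristic_threshold: int = 2) -> str:
    """Exact signature hit wins; otherwise fall back to the heuristic score."""
    hits = signature_scan(data)
    if hits:
        return "infected:" + ",".join(hits)
    if heuristic_score(data) >= heuristic_threshold:
        return "suspicious"
    return "clean"


# Constructed samples (not real files): name -> contents.
SAMPLES = {
    "hello.exe": b"MZ" + b"This program prints hello world. " * 4,
    "eicar.com": EICAR + b"\r\n",
    "family_variant.bin": b"\x00" * 8 + b"\xde\xad\xbe\xef\x7b\xca\xfe" + b"\x00" * 8,
    "packed_dropper.bin": bytes(range(256)) * 2 + b"CreateRemoteThread",
    # Legitimate debugger with an embedded compressed blob: heuristic false positive.
    "legit_debugger.exe": b"MZ debugger " + b"WriteProcessMemory" + bytes(range(256)) * 2,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22s} entropy={shannon_entropy(data):.2f} -> {verdict(data)}")
```

Note how the wildcard signature catches any value of the variable byte, but only when exactly one byte sits there; a variant that drops or adds a byte escapes it, which is the gap heuristics are meant to cover, at the price of the false positive on the last sample.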

What happens once a virus has been detected?

After a malicious sample has been identified, it needs to be treated accordingly. If a legitimate file has been infected by a virus that modified its contents, the malicious section must be located and removed and the original content reinstated so that the file can be safely used again; a typical case is an executable (*.exe) or a driver component (*.sys) that has been modified by a file infector and is restored to its original state. This restoration process is complex and is handled well by only a few commercial anti-virus products. Each infector also requires its own repair routine: a file infected by virus A can only be repaired by a product that knows exactly what virus A does and how it operates, so that the damage can be undone. Providing this level of protection requires a skilled team of virus analysts to reverse-engineer each virus, understand what it does, and then carefully construct the repair process. Even if you have a proactive security solution that blocks unknown files from entering your PC, it is still a good idea to back up all your valuable programs and data regularly, in case you encounter a new virus for which no repair routine yet exists.

Fortunately, file-infecting viruses that insert themselves into existing files are comparatively rare these days. Most often, malware comes as a standalone program; in that case the program can simply be removed from the system in its entirety. These standalone programs serve no purpose other than to infect, steal, destroy or hijack, quite different from the infected legitimate files described earlier.

As soon as a malicious program is found, it is either deleted automatically or moved to a special quarantine folder so that it can no longer run as originally intended; products typically store the quarantined copy in an encoded form and record where it came from, so that it is inert on disk but can still be put back. Users can view the list of quarantined objects at any time and choose to delete them permanently or to restore any of them to their original location if they are certain the file is in fact not malicious. False positives do occur, and it is often advisable to keep suspect files in quarantine while more detailed analysis is undertaken rather than delete them outright. A recent example of why this matters was an antivirus vendor mistakenly deleting a valid Windows file from users’ hard drives and then having to restore the file when the mistake was discovered.
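The quarantine-and-restore cycle described above, as an added example written for this article (not the page’s or any vendor’s code). It builds a throw-away directory tree, runs an on-demand scan over it using a hash-based detection for the EICAR test string, moves the hit into a quarantine folder in XOR-encoded form with a JSON record of its origin, and then restores it as a user would after deciding the alert was a false positive. The folder layout, the `QUAR_MASK` value and the record fields are assumptions for the example.

```python
"""On-demand scan with quarantine and restore (added illustration)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed hash database: sha256 of a known sample -> detection name.
KNOWN_BAD = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}

# Quarantined bytes are XORed with this (assumed) mask so the stored copy is
# inert: it is not executable and no longer matches its own signature.
QUAR_MASK = 0xA5


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect(path: Path) -> Optional[str]:
    """Hash lookup; returns the detection name or None if the file is clean."""
    return KNOWN_BAD.get(sha256_of(path.read_bytes()))


def quarantine(path: Path, qdir: Path, detection: str) -> Path:
    """Move a file into quarantine (encoded) and record where it came from."""
    qdir.mkdir(parents=True, exist_ok=True)
    data = path.read_bytes()
    digest = sha256_of(data)
    qfile = qdir / f"{digest}.quar"
    qfile.write_bytes(bytes(b ^ QUAR_MASK for b in data))
    record = {"original_path": str(path.resolve()), "detection": detection,
              "sha256": digest, "quarantined_at": time.time()}
    qfile.with_suffix(".json").write_text(json.dumps(record))
    path.unlink()
    return qfile


def restore(qfile: Path) -> Path:
    """Put a quarantined file back, verifying it against its record first."""
    record_file = qfile.with_suffix(".json")
    record = json.loads(record_file.read_text())
    data = bytes(b ^ QUAR_MASK for b in qfile.read_bytes())
    if sha256_of(data) != record["sha256"]:
        raise ValueError("quarantine entry does not match its record")
    dest = Path(record["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    qfile.unlink()
    record_file.unlink()
    return dest


def scan_tree(root: Path, qdir: Path) -> dict:
    """On-demand scan: quarantine every hit, return {relative path: name}."""
    found = {}
    for p in sorted(root.rglob("*")):          # list first, then modify the tree
        if not p.is_file() or p == qdir or qdir in p.parents:
            continue                            # never rescan the quarantine itself
        name = detect(p)
        if name:
            quarantine(p, qdir, name)
            found[p.relative_to(root).as_posix()] = name
    return found


def demo() -> dict:
    """Constructed tree: one clean document, one EICAR file; scan, then restore."""
    root = Path(tempfile.mkdtemp(prefix="avdemo_"))
    try:
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_bytes(b"quarterly report draft\n")
        (root / "downloads").mkdir()
        (root / "downloads" / "eicar.com").write_bytes(EICAR)
        qdir = root / "quarantine"
        found = scan_tree(root, qdir)
        entries = sorted(qdir.glob("*.quar"))
        inert = all(detect(e) is None for e in entries)   # encoded copy no longer matches
        removed = not (root / "downloads" / "eicar.com").exists()
        restored = restore(entries[0])                    # user decided: false positive
        return {"found": found, "inert": inert,
                "removed_from_original_location": removed,
                "restored_detection": detect(restored),
                "quarantine_empty": not any(qdir.iterdir())}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a machine with a real anti-virus installed, writing the EICAR string to disk will usually be intercepted by the on-access scanner before this script ever sees it; that interception is the real-time monitoring discussed later in the article.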

Dealing with the consequences of an infection is another challenge for anti-virus programs. After a malicious program has been removed, it may have left traces behind: modified registry entries, altered networking-stack or browser settings, or filesystem inconsistencies that degrade performance or leave some Windows functions inoperable. For this reason it is essential to have a ‘Plan B’ for protecting sensitive data, using proactive security and/or frequent backups.

Complicating factors

There are a number of techniques that malware authors use to make the anti-virus’s task much harder; most of them disguise the code’s form or hide its presence so that it evades detection:

  1. Packers – the executable is compressed (and often encrypted) and a small stub is prepended that unpacks it in memory when the program runs. A scanner that does not recognise the particular packer sees only the stub and an opaque blob, so it cannot analyze the malware code in its raw form.
  2. Polymorphic cryptors – as above, but the body is encrypted with a different key on every copy and the decryption stub itself is varied (reordered or padded with junk instructions), so that no fixed byte sequence recurs from one copy to the next. This defeats any purely static signature on the body; the scanner has to unpack or emulate the stub first.
  3. Rootkits – code that hooks or patches the operating system so that the malware’s files, processes and registry keys are hidden from any program that asks the OS for them, including the anti-virus scanner.
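The polymorphic-cryptor item above, together with the “virtualized simulation” technique from the detection section, as one added example written for this article (not the page’s code and not real malware). The decryption stub is a tiny made-up bytecode, not x86: the assumed opcodes set a register, adjust it and then XOR the rest of the file with it. Every copy gets a fresh key and a differently encoded stub, so a static substring check for the EICAR test string fails on all of them, while a small emulator that runs the stub recovers the body in the clear and the same check succeeds again. The emulator also shows the two practical limits: it refuses truncated stubs and gives up after a fixed instruction budget.

```python
"""Polymorphic cryptor versus emulation (added illustration, toy bytecode)."""
import random

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed stub instruction set (one byte opcode, optional one byte immediate).
OP_KEY, OP_ADD, OP_XOR, OP_NOP, OP_END = 0x01, 0x02, 0x03, 0x90, 0xFF


def polymorphic_variant(body: bytes, seed: int) -> bytes:
    """Encrypt `body` with a random key behind a randomly shaped decryptor stub."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)               # never 0, so every body byte changes
    a = rng.randrange(256)                    # the key is never stored directly
    stub = bytearray(bytes([OP_NOP]) * rng.randrange(0, 4))   # junk padding
    stub += bytes([OP_KEY, a])
    if rng.random() < 0.5:                    # two equivalent ways to reach `key`
        stub += bytes([OP_ADD, (key - a) & 0xFF])
    else:
        stub += bytes([OP_XOR, a ^ key])
    stub += bytes([OP_NOP]) * rng.randrange(0, 4)
    stub.append(OP_END)                       # everything after END is the body
    return bytes(stub) + bytes(b ^ key for b in body)


def emulate(sample: bytes, max_steps: int = 64) -> bytes:
    """Run the stub in a sandboxed interpreter; return the decrypted body,
    or b"" if the stub is malformed or exceeds the instruction budget."""
    r, pc, steps = 0, 0, 0
    while pc < len(sample) and steps < max_steps:
        op = sample[pc]
        if op == OP_END:
            return bytes(b ^ r for b in sample[pc + 1:])
        if op == OP_NOP:
            pc += 1
        elif op in (OP_KEY, OP_ADD, OP_XOR):
            if pc + 1 >= len(sample):         # truncated instruction
                return b""
            imm = sample[pc + 1]
            if op == OP_KEY:
                r = imm
            elif op == OP_ADD:
                r = (r + imm) & 0xFF
            else:
                r ^= imm
            pc += 2
        else:                                 # unknown opcode: stop, don't guess
            return b""
        steps += 1
    return b""                                # budget exhausted: nothing decrypted


def scan_static(sample: bytes) -> bool:
    """Pure signature check on the bytes as stored on disk."""
    return EICAR in sample


def scan_emulated(sample: bytes) -> bool:
    """Signature check on disk bytes and on the memory image after emulation."""
    return EICAR in sample or EICAR in emulate(sample)


if __name__ == "__main__":
    for seed in range(3):
        v = polymorphic_variant(EICAR, seed)
        print(f"seed {seed}: stub={v[:12].hex()} static={scan_static(v)} "
              f"emulated={scan_emulated(v)}")
```

Real polymorphic engines vary the decryptor far more than this, and real emulators have to model enough of the CPU and operating system for the stub to run at all, which is why the article calls the technique demanding; but the shape of the defence is exactly this: execute until the body is in the clear, then fall back to the cheap signature test.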

Where anti-virus looks

To be effective, an anti-virus solution must be able to examine all of the following locations and activities on a PC:

  • Email. Almost all anti-virus solutions scan incoming and outgoing email, attachments included, for malicious content and remove it automatically.
  • Web traffic. Data you send and receive over the Internet should be scanned before it reaches the application that requested it. Web exploits (malicious code loaded automatically when you visit a compromised or malicious site with an unpatched browser) can also be analyzed and blocked by the more advanced anti-virus products.
  • System configuration. This includes registry, start-up entries, drivers and services, network infrastructure data, browser add-ons, and other internal locations.
  • Active processes. Everything currently running in memory: programs, loaded libraries and other executable modules.
  • Local file system. This refers to your PC’s files, folders and hard drives, including data that may be stored in alternate streams of the NTFS file system.
  • Removable storage. Optical discs, USB flash drives and other devices with built-in memory that plug into a USB port, such as smart phones and iPods.
  • Remote storage. This includes shared LAN folders, backup facilities, and web-based backup locations.

When anti-virus activates

The primary task of any anti-virus solution is to detect malware and prevent it from spreading infection by removing it before it can attack legitimate files. Anti-virus solutions generally offer three approaches to virus detection and removal:

  1. Real-time (on-access) monitoring. The anti-virus software watches the PC’s activity and scans each file as it is created, opened or executed, blocking known malicious content before it can run.
  2. On-demand scanning. This means that the anti-virus software scans the PC’s contents for malicious files when you tell it to do so.
  3. On-schedule scanning. You can set up a schedule for future scans to occur at a specified time and date, or in the event of some particular situation, such as the computer being left idle for a prolonged period of time.

Summary

What anti-virus can do:

  • Check your PC’s contents for known or identifiable threats and remove or disable them
  • Check individual files, such as those recently downloaded from the Internet, to see if they are clean
  • Repair an already-infected legitimate file
  • Prevent identifiable viruses from spreading

What anti-virus cannot do:

  • Detect or remove threats that cannot be identified either by signature or heuristics
  • Block network intrusions and the theft of personal data as a result of an attack by unknown malware

Potential drawbacks of anti-virus:

  • Unknown threats cannot be stopped
  • Reactive approach means delayed response to countering a virus
  • Interoperability or stability issues can arise if more than one anti-virus program is running on a single machine.

Conclusion

While this has been a brief overview/refresher on what anti-virus software can and cannot do, it’s clear that anti-virus is a must-have element in any computer security product portfolio. Our next article will address the strengths and weaknesses of complementary technologies like sandboxing and behavior blocking, but if you have any questions in the meantime, please don’t hesitate to ask them now in the Security Teacher comments space.

Posted in Security Insight

13 Responses

  1. T. Dec

    Thanks for the info. It’s getting difficult to use the internet to do business safely with all the desperados trying to make things difficult; I often wonder why they want to become such dickheads when it’s so easy to stay cool. :)

  2. amauripatagonia

    It’s interesting news. Can you send Part 1? Thank you. You are good people. I’m waiting for Part 3. Best regards.

    Argentina.

  3. Tito Martin

    Good article and filled in many of the dark areas. I use the computer a lot but not the internet as it usually causes me problems – either the antivirus slows my computer down or I get lost and forget what I originally logged on for. The internet is not as much fun anymore.

  4. gopichandlalwani

    thanks for your help

  5. John Hoerner

    One way to support good development is to make your program compatible with good other programs. I like outpost but it causes me lots of problems. Am using Kaspersky anti-virus and AVG anti-spyware – seems to be lots of conflicts.

    John

  6. Pavel Goryakin

    Thanks to everyone for the comments!

    To amauripatagonia: the Part 1 (Firewall software) is in Security Teacher as well: http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/

    To John: We’ve worked a lot on compatibility issues. As for AVG antispyware: you turned off Outpost’s antispyware / antimalware plugin, didn’t you?

  7. Paul J. Hopkins

    Hi!
    I have used Agnitum Firewall for God knows how many years and found it to be excellent, but when it comes to anti-virus software I used to use Norton but found it slowed my PC down considerably on bootup and on using the Internet, so I did away with it and got the free version of AVG.
    However today, I bought the full Agnitum Outpost Security Suite Pro and I was wondering if I can get rid of the AVG now. (I.e. – does the security Suite Pro act as anti-virus software?)
    Answers in an email please!

  8. Aron

    Thanks for the info, but I would like to have more info on keyloggers. I am 16 years old, using Outpost Security Suite Pro version 6.0. Well… that’s my comment…

  9. Pavel Goryakin

    Aron, we’ve already had an article on keyloggers. Please find it here:
    http://www.agnitum.com/news/securityinsight/issues/march2007

  10. Antonio Santerini

    Besides the antivirus I use Prevx 2.0, which notices a lot of malware before the antivirus has to scan it; I consider it a piece of software to recommend to everyone, together with the antivirus and naturally Outpost Firewall Pro.

  11. Jonathan Harris

    I found this and the preceding article very helpful, but I’m still not sure whether the optimum security arrangement is firewall plus anti-virus. I assume that the Agnitum Security Suite provides this overall protection, whereas Outpost itself needs additional anti-virus? (The Agnitum site isn’t as clear as it could be on the differences between the packages, and who should use which one.) And presumably using an integrated solution like Security Suite should eliminate all conflicts and go-slows? If so, this is a major advantage.

  12. vacis

    I used a lot of antivirus programs and firewalls before, but I often had a lot of security problems. Now I have started to use Agnitum Security Suite and my computer has become stable like it never was before.
    thanks to agnitum

  13. Pavel Goryakin

    Many thanks to everyone for the comments! First of all, just to make things clear: Security Teacher is not equal to Agnitum blog, so we wouldn’t like to give any recommendations concerning our products here. However, we’ve always expressed the idea that all-in-one security solutions are much more convenient and, from our point of view, optimal for the majority of users.

    To Jonathan and Vacis: yes, we agree completely. Using a security suite rather than a bundle of products from manifold vendors means more stability, no incompatibility issues and requires less user involvement.