Security

Antivirus: What it does and doesn't do

Patrick Lambert looks at the shortcomings of antivirus solutions and takes a practical look at what you can expect to get out of them.

If your company or business is anything like most, each computer is likely to run an enterprise antivirus solution, something that costs a significant amount of money each year. But do you know if that antivirus is worth it? How can you test something like that, and would these tests have any meaning in a real-world situation? Finally, how easy is it to make a worm or trojan that would bypass all that expensive security software? The sad truth is that those are very hard questions to answer, and a lot of what we're told when we shop around for security solutions is rumors and statistics. Because worms and viruses evolve on a daily basis, and new types of malware are introduced constantly, it's extremely hard to properly test an antivirus solution, and anything you throw at your own system in order to see whether your security works is already last year's threat model.

How antivirus has evolved

It used to be that antivirus software was a very basic solution, a simple program that would run in the background and scan every file on the system on a scheduled basis. Right away, malware authors found a large number of ways to bypass this type of security, and it took years for antivirus to become anything close to robust. It was trivial to get onto a system because back then there was no real-time protection, so the ability to scan emails and downloads as they arrive was added by all the security software vendors. There were also many ways to simply disable or remove antivirus software, and malware authors exploited those for a long time; now any modern security product employs multiple methods to make sure this doesn't happen. Finally, the hardest problem to overcome was that in order to find a virus, the antivirus needed to have a signature for that specific threat. Since new malware is being written all the time, that was a huge problem.

Thankfully, one of the biggest advances in antivirus technology was the introduction of heuristic scans. This is something most modern security vendors offer, and it is a way for your antivirus to detect new threats even if it has never seen them before. Heuristics simply means that the software looks at behavior and other factors to decide whether something is malware or not. Unfortunately, it's not perfect. You may have heard about some recent cases where security software flagged itself, or even important Windows files, as malware. This is where heuristics go wrong. But for the most part, it's a good technology that does more good than harm.
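To make the difference between the two approaches concrete, here is a miniature scanner written as an added illustration for this article; it is not code from the article or from any antivirus vendor. Every "file", signature byte pattern, indicator string and threshold in it is constructed for the demonstration. The exact-match signature catches the known sample but misses a variant that differs by a single byte, while the heuristic (an entropy check plus a lookup of sensitive API names) catches the variant without knowing it, and also flags a benign high-entropy installer, which is the false-positive problem the paragraph above describes.

```python
"""Signature scanning versus heuristic scanning, in miniature.

Added illustration, not code from the article or any vendor. Every
"file", signature, indicator string and threshold below is constructed
for the demonstration; a real engine uses far richer data than this.
"""
import math
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed signature database: one exact byte pattern per known threat.
SIGNATURES: Dict[str, bytes] = {
    "Dropper.Toy.A": b"DROPPER-v1 payload-marker",
}

# Constructed generic indicators a heuristic might weigh (no threat-specific data).
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory"]
ENTROPY_THRESHOLD = 7.0    # bits per byte; packed or encrypted content sits near 8.0
HEURISTIC_THRESHOLD = 2    # score at which the heuristic raises an alert

# Constructed sample "files". The variant differs from the known sample by
# one byte inside the marker, which is all it takes to defeat an exact match.
SAMPLES: Dict[str, bytes] = {
    "known_dropper.bin": b"MZ" + b"DROPPER-v1 payload-marker" + b"CreateRemoteThread" + b"\x00" * 40,
    "variant_dropper.bin": b"MZ" + b"DROPPER-v2 payload-marker" + b"CreateRemoteThread" + bytes(range(256)),
    "hello.exe": b"MZ" + b"Hello, world!" + b"\x00" * 100,
    "packed_installer.exe": b"MZ" + bytes(range(256)) * 2,   # benign, but high entropy
}


def signature_scan(data: bytes) -> Optional[str]:
    """Return the signature name on an exact byte-pattern match, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes) -> int:
    """Weighted sum of generic indicators; knows nothing about specific threats."""
    score = 0
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        score += 2          # looks packed or encrypted
    for indicator in SUSPICIOUS_STRINGS:
        if indicator in data:
            score += 2      # names a sensitive API
    return score


def scan(data: bytes) -> Tuple[Optional[str], int, str]:
    """Run both methods, signature first, the way a modern product layers them."""
    sig = signature_scan(data)
    score = heuristic_score(data)
    if sig:
        verdict = "blocked (signature)"
    elif score >= HEURISTIC_THRESHOLD:
        verdict = "flagged (heuristic)"
    else:
        verdict = "clean"
    return sig, score, verdict


def scan_all() -> Dict[str, str]:
    """Verdict for every constructed sample, keyed by file name."""
    return {name: scan(data)[2] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:24s} {verdict}")
```

Running it shows the known dropper blocked by signature, the one-byte variant missed by the signature but flagged by the heuristic, the trivial executable clean, and the packed installer flagged purely on its entropy. Raising `HEURISTIC_THRESHOLD` to 3 removes that false positive but also stops catching anything on entropy alone; that trade-off between missed detections and false alarms is what every heuristic engine is tuning.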

Don't expect miracles

There's little doubt that security software can and does block a lot of the bad stuff that comes in from the Internet, but the big question is, how much of it will it catch? The truth that many vendors don't want to admit is that it's a race. It's always been a race between the security vendors and the malware authors, and while many would claim it's almost won, the fact is the opposite. The reason antivirus software is often on the losing end of this race is that malware is no longer the domain of sophisticated hackers. Now there are kits available for anyone to download, and those kits are constantly updated to evade security solutions. In fact, a security researcher at the InfoSec Institute wanted to know just how simple it was to avoid modern-day security, and he found that it's trivial. Researcher Soufiane Tahiri wrote a simple piece of assembly code, drawing on knowledge from his work in the computer security field, and managed to make a piece of malware that evaded the five best-known antivirus vendors. So when we heard earlier this year that security software completely missed the high-profile Flame worm because it used clever techniques, it really wasn't much of a surprise. If a single researcher can do it in his spare time, then obviously your antivirus has no chance against any serious spear phishing, much less against adversaries with deep pockets.

So the takeaway is that all the antivirus tests that are performed on a regular basis are meaningless. The point of any of these solutions is to block the lowest common denominator: the malware that's old and lingering on the Internet, trying to get in. And for that, it's doing a good job, so you don't have to compare each solution with a fine-tooth comb. But don't expect miracles. In fact, if you administer a large, high-profile network, this may not be news to you. Any kind of direct attack is unlikely to be detected. And this is why security is never about using a single product. Computer and network security is done in layers, using firewalls, intrusion detection and prevention systems, trained IT administrators, and good policies. Your antivirus is just one piece of a larger puzzle. So in the end, is it worth spending a large amount of money on an enterprise solution? Some people spend thousands of dollars on this, while others simply use the free Microsoft security software. Is there any real-world way to tell whether the price difference is worth anything at all? Probably not.

What is your antivirus strategy these days at your organization?

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

6 comments
Slayer_

As I said in a previous discussion, they all suck, but my story is with Symantec, which seems to be the corporate standard around here. So a coworker and I stayed late to "break in" the new projector with a few games of Worms Armageddon. We played for about an hour, then the game appeared to crash and Symantec said it detected that "D:\data\wa.exe" was a virus and had been blocked. So first off, it was so far off base that it thought a 15-year-old video game on a CD was a virus. Second, if it was a virus, Symantec let it run freely for a full hour before it did anything about it. Pathetic...

gileado

This is so right. Lately I've been plagued by a Ramnit virus despite the presence of an antivirus. I'd rather settle for a free antivirus solution, ensuring that I always have a backup of my data.

tvshub

We see a lot of extortion-ware at my shop. The individuals around the country that don't know better pay hackers millions of $$ believing whatever pops up on their screens. Follow the money, find the crooks. But I don't hear of a lot of arrests on this front. I owe much of my income to the market dominance & vulnerability of Windows and to the lack of computer wisdom by my customers. As a nation so dependent on this platform, we are not in the best of positions.

Chashew

...there are very few protection suites that can boast 90% efficiency. I've dabbled in computer repair for 30 yrs and have seen a few AVs going down without owner knowledge until it's too late. That said, I am beginning to feel that it's time to allow designers to build compatibility platforms so several AVs can be run on one machine without a hitch. I think that may help real-time protections that are built in different forms to catch the problems before they hatch. Call it a group venture and co-operative effort by developers... hey, why not? Crackers, hackers and virus builders are doing it.

JCitizen

that at least hints at the blended in-depth defense. That is what I call it. One of the biggest failures in my tests, are bloated suites. I've never had any luck with any of them except perhaps NIS 2010~*, My clients that need hand holding seem to do okay on it, as long as they don't get that mistaken feeling of invulnerability. For everyone else it is free standalone products. I'm not talking Enterprise here, just Joe & Jill sixpack. Even my clients who run with limited rights get pwned because they refuse to do the least maintenance. Secunia PSI is one of the rivets in the armor of blended defense; at least the new version will either auto update the application or bug the clueless incessantly to manually update it. File Hippo Update Checker would usually come out with application update alerts at least a week before anyone else, but the alerts stopped working on limited accounts, so getting closer to zero day protection, just got more difficult - one could always use CNET's email alerts, but they are usually three days later. Sadly one of the best real time products made by Lavasoft has been abandoned by me, and my clients have suffered greatly - it had full real time malware protection even on the limited account, which almost none of the competitors truly had; but since it was bought out by shady concerns in January - I've just lost confidence in their reputation.(I never enabled their anti-virus module) There are many good anti-file manipulation anti-malware out there that are free also, but they haven't quite made up for AdAware yet. I keep hoping the field will continue to improve. If my clients could afford it, I would be putting ESET's suite products on the machine; and they build them more modular so they act like separate standalone. I think that has been their success, and avoidance of the typical bloated AV/AM solution. 
That's all I had to say - I just like it when security awareness is enhanced for the public in any way, shape or form - Thank you Patrick!!

JCitizen

running Avast and Prevx concurrently - with no conflicts detected by the event viewer in Windows. Prevx is cloud based so apparently is less intrusive - however I never used it to remove the malware, as I ran on limited accounts; simply running CCleaner always got rid of the file. I suspect that is where people go wrong, and this could possibly hose the system - I used it for the infection alerts - and ran other scanners to actually remove it, if CCleaner couldn't do it.