
How antivirus software works: Is it worth it?

Michael Kassner is frequently asked whether antivirus programs are worth the bother of employing. His typical response has been yes, but recently, he started to question that.

I frequently get asked whether antivirus programs are worth it. My typical response has been yes. Recently, I started wondering: why?


We are told, in order to survive on the Internet, our computers need protection afforded by antivirus applications. If that's true:

  • Why do computers still get infected?
  • Would it be a lot worse if we didn't use antivirus programs?

Pondering those questions, I realized I may not have all the facts. So I began researching antivirus methodology. Here's what I found out.

What we are up against

Take note, the bad guys are motivated. Leveraging malware-infected computers to make money is easier and safer than any other illegal endeavor. That said, I'd like to think we (victims) are motivated as well, especially since it's our money they're after. So why do cybercriminals have the upper hand? For starters, they benefit from:

  • Vulnerable software: It's a given; software, especially complex code, will have exploitable bugs.
  • Element of surprise: Normal users do not look for vulnerabilities in software. The bad guys do, affording themselves opportunities to exploit weaknesses long before the rest of us know about them.
  • Playing catch up: It's difficult to determine what malware will look like, forcing antivirus developers into a reactionary mode.

Example

I couldn't ask for a better example than what recently happened to Google. Attackers leveraged unknown (zero-day) vulnerabilities in Internet Explorer to gain a foothold in Google's supposedly secure network. Check how closely the exploit follows the three steps I outlined above:

  • Vulnerable software: Internet Explorer has an exploitable vulnerability.
  • Element of surprise: Only the attackers knew about it.
  • Playing catch up: AV companies are trying to develop a detection method and Microsoft is scrambling to create a fix for Internet Explorer.

Still not understanding why antivirus applications are failing to protect our computers, I pursued the matter with an experienced software engineer. He pointed out that it's hard to remove something you can't find. Talk about an understatement. I get it though; detecting malware is not as easy as we're led to believe. My next step: find out why.

Malware detection

Malware detection can be divided into two methods: signature-based malware detection and behavior-based malware detection. Antivirus applications can employ one or both of the methods, depending on the sophistication of the program. Signature-based malware detection has been around for many years, so let's look at that first.

Signature-based malware detection

Signature-based malware detection depends on pattern recognition. Here's how it works. The AV application scans the file in question, comparing specific bytes of code against information in its malware-signature database. If the scanned file has a pattern duplicating one in the database, the file is considered malware. The antivirus application will then either quarantine or delete the file, depending upon the program configuration.
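As an added illustration (not code from the article or from any AV product), here is a toy signature scanner with a constructed signature database: one whole-file hash signature and one byte pattern with wildcard bytes, scanned against constructed sample files. The one-byte "variant" at the end shows why such a database needs constant updating.

```python
# Added example, not code from the article: a minimal signature-based
# scanner. The signature database and sample "files" are constructed.
import hashlib
import re

# Constructed signature database. Two signature kinds are supported:
#   "hash"  - SHA-256 of the whole file (exact-file signature)
#   "bytes" - hex byte pattern in which "??" matches any single byte
SIGNATURES = [
    {"name": "Demo.Dropper.A", "kind": "bytes",
     "pattern": "4d 5a 90 00 ?? ?? ?? ?? 0b ad c0 de"},
    {"name": "Demo.Exact.B", "kind": "hash",
     "pattern": hashlib.sha256(b"EXACT-SAMPLE-B\x00").hexdigest()},
]


def pattern_to_regex(hex_pattern: str):
    """Compile a hex signature with ?? wildcards into a bytes regex."""
    hex_pattern = hex_pattern.replace(" ", "").lower()
    if len(hex_pattern) % 2:
        raise ValueError("hex pattern must contain whole bytes")
    parts = []
    for i in range(0, len(hex_pattern), 2):
        pair = hex_pattern[i:i + 2]
        if pair == "??":
            parts.append(b".")              # wildcard: any one byte
        else:
            int(pair, 16)                   # validate the hex digits
            parts.append(b"\\x" + pair.encode())
    return re.compile(b"".join(parts), re.DOTALL)


# Pre-compile once, the way an engine loads its database at startup.
COMPILED = [
    (sig["name"], sig["kind"],
     pattern_to_regex(sig["pattern"]) if sig["kind"] == "bytes" else sig["pattern"])
    for sig in SIGNATURES
]


def scan(data: bytes) -> list:
    """Return the names of every signature that matches the file content."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, kind, pattern in COMPILED:
        if kind == "hash" and digest == pattern:
            hits.append(name)
        elif kind == "bytes" and pattern.search(data):
            hits.append(name)
    return hits


# Constructed sample files (an MZ header followed by demo payload bytes).
SAMPLE_KNOWN = b"MZ\x90\x00\x01\x02\x03\x04\x0b\xad\xc0\xde" + b"...rest..."
# Same sample with one payload byte changed: a "new variant" the database
# has no pattern for, which is why signature databases need constant updates.
SAMPLE_VARIANT = b"MZ\x90\x00\x01\x02\x03\x04\x0b\xad\xc0\xdf" + b"...rest..."
SAMPLE_EXACT = b"EXACT-SAMPLE-B\x00"
SAMPLE_CLEAN = b"MZ\x90\x00 just a harmless program image"

if __name__ == "__main__":
    for label, blob in [("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT),
                        ("exact", SAMPLE_EXACT), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:8s} -> {scan(blob) or 'no match'}")
```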

Shortcomings

Presently, signature-based malware detection is included in almost every antivirus program. That said, AV companies are trying to move away from signature-based malware detection due to the following:

  • Signature-based malware detection is not effective against new or unknown malware.
  • New malware is being created daily, requiring the signature database to be updated ever more frequently.

These are valid concerns and why AV companies are investing a great deal of time and effort in transitioning to behavior-based malware detection.

Behavior-based malware detection

Behavior-based malware detection makes sense because it monitors how programs act, not how the software is built. To explain: if abnormal behavior is detected, the program is flagged, regardless of whether the software seems correct. Behavior-based malware detection is broken up into two types: anomaly-based and specification-based malware detection.

Anomaly-based malware detection

The key ingredient to anomaly-based malware detection is determining what is considered normal behavior. Thus, any variation from the normal profile would be considered suspicious (anomalous). For example, normally a program, when executed, does not create any files. Then, all of a sudden, the program moves a file into one of the operating system's folders. That action would immediately be flagged by this type of antivirus software.

Anomaly-based malware detection can be further divided into:

  • Passive detection: Uses scanning to detect deviations from the program's normal profile.
  • Active detection: Involves executing a questionable program within a controlled environment such as a sandbox or virtual machine, then observing its behavior. If the program meets certain negative criteria, it is flagged as suspicious.

As good as this sounds, anomaly-based malware detection has shortcomings. False positives are more common with this type of detection, simply because of the complexity of modern-day programs. Second, if an attacker makes sure his malcode behaves like a good program, it will not be detected. Threatfire Zero-Day Malware Protection is an example of anomaly-based malware detection software.

Specification-based malware detection

Right now, specification-based malware detection (Point IV-B) is our best hope for reducing malware problems. That's because all actions taken by any program (operating system and applications alike) are mediated by a predetermined policy. For example, if so configured, the policy would disallow execution of files downloaded from a Web site specified by the person in charge of the computer.

The advantage of specification-based malware detection is its flexibility and minimal false positives when compared to anomaly-based malware detection. One example of specification-based malware detection is NovaShield AntiMalware.
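As an added illustration covering both the anomaly-based and specification-based sections (not code from the article or from the products it names), here is a toy behavior monitor: it learns a per-program profile from a constructed "normal" run and flags deviations (the article's "program suddenly drops a file into an OS folder" case), and separately enforces an owner-set policy such as disallowing execution of files downloaded from a named site. Programs, paths, hosts and the file-origin attribute are all constructed.

```python
# Added example, not code from the article: toy behavior-based detection
# combining an anomaly-based profile check with a specification-based policy.
# Programs, paths, hosts and the "origin" attribute are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    program: str      # process that performed the action
    action: str       # read | write | create | execute | connect
    target: str       # file path, or host for "connect"
    origin: str = ""  # for "execute": web site the file was downloaded from


def location_class(event: Event) -> str:
    """Coarse-grain the target so profiles generalize across file names."""
    if event.action == "connect":
        return "network"
    t = event.target.lower()
    if t.startswith("c:\\windows"):
        return "system"
    if t.startswith("c:\\users"):
        return "user"
    return "other"


# --- Anomaly-based: learn what each program normally does -------------------
def build_profile(events):
    """Map program -> set of (action, location class) seen during training."""
    profile = {}
    for e in events:
        profile.setdefault(e.program, set()).add((e.action, location_class(e)))
    return profile


def anomaly_check(profile, event: Event):
    key = (event.action, location_class(event))
    if event.program not in profile:
        return [f"anomaly: no baseline profile for {event.program}"]
    if key not in profile[event.program]:
        return [f"anomaly: {event.program} never did {key[0]} in {key[1]} area"]
    return []


# --- Specification-based: explicit policy set by the machine's owner --------
BLOCKED_SITES = {"downloads.example.invalid"}   # constructed admin setting
SYSTEM_WRITERS = {"trustedinstaller.exe"}       # constructed allow-list


def policy_check(event: Event):
    reasons = []
    if event.action == "execute" and event.origin in BLOCKED_SITES:
        reasons.append(f"policy: executing files downloaded from {event.origin} is disallowed")
    if (event.action in ("create", "write") and location_class(event) == "system"
            and event.program not in SYSTEM_WRITERS):
        reasons.append(f"policy: {event.program} may not write to system folders")
    return reasons


def evaluate(profile, events):
    """Return {event index: [reasons]} for every event flagged by either method."""
    verdicts = {}
    for i, e in enumerate(events):
        reasons = anomaly_check(profile, e) + policy_check(e)
        if reasons:
            verdicts[i] = reasons
    return verdicts


# Constructed "normal" run used to train the profile.
NORMAL_EVENTS = [
    Event("notepad.exe", "read", "C:\\Users\\alice\\notes.txt"),
    Event("notepad.exe", "write", "C:\\Users\\alice\\notes.txt"),
    Event("notepad.exe", "create", "C:\\Users\\alice\\new.txt"),
    Event("browser.exe", "connect", "example.com"),
    Event("browser.exe", "create", "C:\\Users\\alice\\Downloads\\report.pdf"),
]

# Constructed later run: a file dropped into an OS folder, and a download
# executed from a site the owner has blocked.
LATER_EVENTS = [
    Event("notepad.exe", "read", "C:\\Users\\alice\\todo.txt"),
    Event("notepad.exe", "create", "C:\\Windows\\System32\\helper.dll"),
    Event("browser.exe", "execute", "C:\\Users\\alice\\Downloads\\setup.exe",
          origin="downloads.example.invalid"),
    Event("browser.exe", "connect", "example.net"),
]

if __name__ == "__main__":
    for idx, why in evaluate(build_profile(NORMAL_EVENTS), LATER_EVENTS).items():
        print(idx, LATER_EVENTS[idx].program, why)
```

Note that event 1 is caught by both methods while a benign-looking program that only ever touches its own folders produces no verdict, which is the false-positive trade-off the two sections describe.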

My findings

I seldom find quarantined malware on computers. I've noticed something else. Most infected computers protected with typical antivirus programs require specialized scanners to remove any offending malware. After writing this article, I know why that is.

Final thoughts

Being one of those "rather be safe than sorry" types, I will continue to suggest using an antivirus program. What I will change is the type of antivirus program I recommend. They definitely will include anomaly- and specification-based malware detection methods.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

122 comments
cgecko99

As long as you have a genuine copy of windows, simply download their free antivirus called Microsoft Security Essentials. I have been using it for a few years now and have had no issues. That way I don't have to pay $80.00 a year for what seems like nothing. It updates to the latest definitions periodically. I also recommend a good free malware remover such as malwarebytes free edition. It catches things that an antivirus will not. Some adware etc can disguise itself as a normal program and malwarebytes catches these when even big name antiviruses (that I will not mention) do not, because it is built to find them.

msdivine

Sorry, I don't buy it! You mean to say that the windows software is so complex that the crims keep finding holes in it, despite the fact that A: Microsoft must be the most highly resourced company in the world and B: Software engineers have had plenty of time to anticipate potential threats. I just think that there is a whole IT industry being fuelled by virus threats and protection from virus threats, a bit like the year 2000 bug but ongoing.

nagagamoga

So what is the best anti-virus software and why?

jkameleon

The basic approach ("enumeration of evil") is flawed. It's impossible to predict all the bad things the bad guys could do. They always come up with something new. Alas, it's the only thing we have. Desktop OS-es are simply too complex to be properly secured, there will always be holes. It is possible to make a secure OS, but not very profitable, unfortunately. Besides, using a secure OS is like defending against housebreaking by building the house bunker-like, and erecting a 10ft concrete wall with razor wire at the top around it. Nearly 100% effective, but unsuitable for general use. We'll simply have to reconcile ourselves to the fact that our PC is not safe and never will be. It can always be broken into, just like the house. The only solution to the problem is to keep our critical data and personal information in a specialized device, an equivalent of a home safebox.

fish7170

Why is Windows the only computing platform with viruses? That is a question I'd like to hear answered. And if there are viruses for other platforms I'd like to hear about them and specifically their virus names, if they are known. Also, it might be worth investigating which computing platforms are least susceptible to viruses and which are more. I've read, for instance, OpenBSD is the most secure, least susceptible, but I also wonder why and then further why Windows wouldn't just do it like OpenBSD does? Thanks for your informative article.

hydrodane

IS IT WORTH IT? There is actually more to the problem than the author has detailed. we can talk all day about detection/prevention..but IN THE END...can the AV program clean and restore your infected computer to a useable clean state? THAT IS THE CONCERN...as a low level tech support hack..I can tell you this.. it is FAR MORE EASY TO SIMPLY nuke and boot a machine and on the clean slick "new" hdd, reinstall the o/s, run the updates and put the data back on for the customer. WHY you ask? has anyone run a full boot level scan on a typical machine lately... 6-8 HOURS!! and even then..you HAVE NO CLUE IF THE SCAN WILL IN FACT REVEAL THE INFECTION OR EVEN CLEAN IT.. people aren't concerned about ...oh look, how cute is that virus...let me touch it.. no, people want their computer up and running...and in the least amount of time. av programs need to mature to be real professional grade SYSTEMS.. methods to backup...methods to restore...methods to recovery... these are the things that av programs are missing...and it is left up to the imagination and resourcefulness of the local geek to perform them. even pc manufacturers are doing more than the av people..at least they have created for the most part a fairly decent scheme with partitioned recovery image...question is: how long before the nasty bug makers find a way to access and damage even those "protected" files? a complete full scan of a typical computer must be done with the volume unmounted...meaning to boot from a "rescue disk"...The amount of time it takes to perform this is massive...and until it completes...and until you get the results..that time may wind up fruitless for your efforts to contain and clean the alleged virus. most of my buddies, do a quick scan...sometimes in safe mode..but never from a boot mode...takes too long...we just grab all the files and data, slick the hdd quick like..and reinstall.. it is the best known way...the most practical way to do the best job...
there is also a huge benefit from doing so... the customer gets to experience a "fresh" machine, with speed and wonders they probably have forgotten is what the computer experience once was..and should always be. av programs need to mature is what I am saying.. In the big picture a reinstalled os, is the most efficient and practical means to accomplish the job of ridding ghosts from the machine...and all of the surprisingly latent benefits that come with it. Aloha tm

Shrike49

I have been asking exactly the same question!!! Especially after the very recent attack. I had to employ 3 - 4 different AV systems to get my system cleaned up and then fix the BSOD when trying to Boot Safe Mode. On top of it I have spent hours fixing up probs including contacting my AV provider because their Software got clobbered. They say it was a conflict - yeah with a Virus. I have now come to the conclusion that they (AV) are only playing catchup and for me Will not be paying for an AV System again! I'll just use Freebies. I have also decided that the only way to keep my system safe is to have a Front End Computer exclusively for the Internet!!! The time and money I have spent on Anti-Virus (AV) and Malware etc etc - I have come to the conclusion that they are NOT worth it!!!!!!

aduffy

Is Mike compensated for the NovaShield plug? Andy/Herndon-VA

jevans4949

I have very rarely had viruses on my family's computers. Maybe it's my pattern of usage. But I use a "retail" ISP - European AOL. Often those with problems appear to be small/medium businesses running their own networks. Has anybody looked into differences in this area?

bus66vw

happens when we all move to cloud computing.

brickviking

Another idea for an article (if that hasn't already been done) is to compare paid-subscription antivirus programs against free equivalents. Especially true for Windows, but could also be true for Mac OS X, and somewhat less true for Linux machines but still relevant.

ej2moloney

Looking at the recent news, I believe sandboxing the browser is the only way. Then flushing everything out at shut down.

YankDownUnder

This applies to those of us that run a Microsoft-based operating system, and it should be noted that in writing articles of informative nature, this needs to be clarified from the beginning. From the article, "We are told, in order to survive on the Internet, our computers need protection afforded by antivirus applications..." - this type of statement can be, and generally IS misconstrued by the general public as meaning that each and every computer is infected or can be infected - and this just is not a statement of fact. It is our job, as IT professionals, to be truthful and honourable to our clientele - and to provide for "those that do not know" FACTS - sometimes utilising the semantics of language to make sure a particular difference is known to the end user - as well as other people in the IT field. In the course of the past 25 years, one thing has consistently endangered IT - and that is ignorance, improper use of semantics in description, and apathy. It should be our job - as either workers in IT or writers pertaining to IT to be extremely careful about how we speak/write/discuss information so as to present a proper and complete picture to the end-user or the public.

bernalillo

Just as in your analogy, locks are there because they work. Likewise buildings and home owners where security is a bigger issue use more security features, up to dept of defense installations. Home owners have learned who to open the door to and when to leave the door unlocked. Sadly computer users have not generally learned safe computing practices, which obscures the efficacy of state of the art AV software.

dave

I've worked on too many computers that had either Symantec, McAfee, or some other AV package and the scanners were completely oblivious that there was an infection even though you could see the offending process running in Task Manager or Sysinternals Process Explorer, which I use a lot. I have seen disabled AV, or AV that detected an infection, but then is helpless to remove it. From some of the comments in this post, I am going to look into Sandboxie.

Neon Samurai

It's simply the least successful at defending against malware. There is a rather long and involved discussion that goes along with that though. In short, development goals, development methodology, external forces like marketing calendars and response to discovered bugs. For one example; one of OpenBSD's primary design goals is a security default configuration. Where Windows would leave an insecure service enabled in the default install, OpenBSD would disable it unless absolutely required to boot the machine. Windows keeps 16bit support enabled by default on the off chance you have some 16bit app you have to run. OpenBSD would require you to first tell the machine that you intend to run 16bit code and it should enable that support explicitly.

bernalillo

A very good synopsis and rationale, but there are other sides to it too. From the user's perspective, AV keeps them from getting infected in the 1st place, which limits the need to have people like you and me on speed dial. I frequently take way too long to clean up a machine the hard way, since it is almost impossible to reload the machine to all its previous software and preferences. Many people (especially the technologically challenged) really value this. People get used to the configurations they create and forget that they set it up like that themselves. The PC tech gets to be the scapegoat whenever the PC has to be reloaded, so there are drawbacks to the loading practice (I use imaging when I do it to greatly reduce the time it takes and to make sure I have implemented all my best practices uniformly). On the other hand, I do not have to charge to cover my time, so my clients can afford my taking the long way. AV does work a percentage of the time, which may be as good as it gets until the motivation to hack people's machines is reduced (the ultimate causation). I have about 150 users that I support flat rate. I had been installing AVG free on all their machines, but I still spent a huge amount of time on a few people that just could not or would not learn simple cautionary rules. The free version of AVG just would not stop them if they insisted on running an .exe they downloaded on bearshare or took the advice of a popup warning them of porn on their PC. I finally opted for an enterprise version of trend micro which addresses spam as well as malware. My time spent cleaning these machines has dropped dramatically. My users' experience has improved dramatically too. Even if I were to wipe and reimage every machine that came in, I would still use a good AV package to keep my clients' machines working well and out of my office as long as possible.

Michael Kassner

My intent was to focus on the detection process. If that's not working nothing else will.

Ocie3

Certainly, both file backups and anti-malware detection (and removal) are inter-related, regardless of whether a completely "fresh" re-installation of the OS, applications and data files from original sources and/or backups is made. However, I do not believe that file backup and restoration should necessarily be a feature of anti-malware software per se. For a start, software backups are not made only to restore files after malware has been found. There are plenty of other threats to systems and the data that they create and maintain, to justify backing-up the files (fires, floods, storms, thieves, embezzlers, malfunctioning equipment, ...). Given the respective complexities of each role, it is probably best for the end-users if the two functions are not intertwined into one grand "system", at least not with our present technology. Almost all of the anti-malware programs that I have used (over 20 during the past 2 years, even more before) are able to remove all or almost all of the malware that they can detect. Still, one might need advice and assistance from the publisher's tech support staff to be sure that the malware is completely removed. Nonetheless, probably a sizable majority of security experts and IT veterans will assert that, after a computer system is compromised it cannot be trusted again, until and unless all possible traces of the malware have been eradicated and the operating system, at least, is completely "renewed". That said, I do not know of any methodology for "rapid recovery" that does not have a significant risk of inadvertently re-installing either the malware that was identified as present in a system, or malware that has not yet been discovered to be present, or perhaps both. First, there may be other, perhaps faster -- if not better -- utilities, but using Darik's Boot & Nuke (DBAN) to write a randomly-generated series of bytes on every byte of a HDD just once is not enough (there are other methods implemented in DBAN, too).
Darik Horn recommends 7 passes, which require about 5 hours for the old, slow 60 GB IBM/Hitachi HDD presently used by my computer. I usually have DBAN write the series with 10 to 12 passes (about 7 hours) just to be sure that it nukes every byte that has ever been recorded on the drive. "Quick" is risking having to do it all over again, and then it isn't DBAN's fault if you must. Second, probably the fastest way to restore an operating system is with an ISO image that was made of the HDD before it was infected by malware and subsequently "nuked". That image could, for example, be made after the computer is purchased with the HDD already "set up" as the bootable primary drive, probably with mainboard and hardware drivers installed, whether also some applications and utility software installed -- provided that the ISO image is created before the computer is first connected to the Internet. Or the ISO image of a bootable primary drive can be made after a "fresh install" of the OS from its original release media. The OS install may be followed by Service Pack updates, and the installation of mainboard and of other device drivers, all from their release media (usually CD-ROM). Then it is possible to make an ISO image by launching the image-making software from another drive of the computer in which the HDD is installed, and writing the image to the storage media on that same drive or on another drive. Ordinarily, an ISO image is restored by using another computer to read the image from the media on which it is stored, and to write it on the nuked HDD. This is usually done by removing the nuked HDD from the machine in which it was infected, then installing it as a secondary or exterior drive for the one that will write the ISO image to it. After the ISO image is recorded the formerly-nuked HDD is removed and restored to the machine from which it was taken.
Another method for adopting an ISO image requires using two HDDs (if the computer cannot be booted from an exterior drive). One serves as the principal HDD that is used in day-to-day operation of the computer, the other HDD will serve, when needed, as the "image restoration" drive, i.e., instead of using the primary drive of "another computer" as described in the above remarks. To create the "image restoration" drive, either a new or a "nuked" HDD is installed in the computer as the primary drive, then the OS is installed on it from its original release media, with the HDD made bootable. It is usually necessary to also install mainboard and other hardware drivers from their original release media (hopefully, any updates of them that might be required have not also been downloaded via the Internet). When the HDD is usable, the software that will read an ISO image from a source (such as an external USB drive) and write it to a secondary HDD is also installed. Then the "image restoration" HDD is removed and kept in a safe place, and it is never used for any other purpose or exposed to any possibility of infection with malware. Then another HDD is installed in the computer to serve as the principal drive in the ordinary day-to-day use of the machine. This primary drive may be a new or a "nuked" HDD on which the OS is installed with the HDD made bootable, and then prepared for use as it would ordinarily be. The principal drive can, of course, be the HDD that was present, when the computer system was purchased, already "set up" as the boot drive. If so, it is removed and either a new or "nuked" HDD temporarily takes its place, to be prepared as an "image restoration" drive as described above. After that HDD is prepared and removed from the computer, the original HDD is reinstalled and resumes service as the primary drive for the system.
If the principal drive (or another drive peripheral to the computer) becomes infected or affected by malware and needs to be restored from an ISO image, then the bootable "image restoration" HDD is installed as the primary drive, and the drive to which the image is to be written is installed as the secondary drive. After the image is restored, the "image restoration" drive is removed to safe storage, and replaced by the principal drive. That said, it should be recognized that malware, especially a rootkit, does not always disclose its presence immediately. After it has a toehold, it might wait a while to "call home" and download the full package to install. Even then it might not do anything else for a while longer. Of course, with such delays the attacker gambles that the malware will not be found and identified by an anti-malware utility, and/or by other methods, before the malware begins to function. On the face of it, given traditional anti-malware technology, it has not been unreasonable to take such a gamble. Some malware, such as the ZeuS banking trojan and the similar URL Zone theft malware, must wait until the user of the computer on which it has been installed accesses a bank account(s), and/or other financial accounts where the malware can be used to steal cash, via the Internet. While malware is present but undetected, a potential consequence is that the malware can become included in an ISO image of the HDD that is made as a backup, or as a restore point, for restoring the HDD after it has been "nuked". Thus the malware will be re-installed if and when the image is ever used. The same risk applies to other backups, such as real-time "synchronized" backups to web sites and other remote locations, especially when a backup is for applications and utilities (if not also the OS).
Even data-only backups might be compromised if an undetected malware process is able to store a copy of itself on the drive to which the data is backed-up. Note that just because the computer system is organized and used so that only data is stored on a given HDD partition does not necessarily prevent malware from storing a copy of itself there. If a HDD ISO image is not available, then the process of creating a "completely fresh" installation and update of the OS, drivers, applications and utilities, and, ultimately, the data, can require a quite considerable amount of time and effort. It is more likely to be measured in days than just a few hours, let alone minutes. The most time-consuming task is usually not restoring and updating the OS, but restoring and updating applications and utilities -- with regard to configuring them in particular. In the past, Windows applications created configuration files in the directory where they were stored, or in a subdirectory of it. Now, much of their configuration is stored in the Registry instead, but after a HDD is "nuked" the Registry is re-installed "fresh" along with the rest of the OS. FWIW, I can remember when I could completely restore the OS (PC-DOS), then the applications and utilities and data from backups in less than an hour or maybe two. Now it takes at least a couple of days for a completely "fresh" renovation.

HAL 9000

Is see how long you last without it. To me personally I know that the system will get infected with Old Known Infections very quickly when End Users Browse the Net so to me AV products are good for that reason alone. It's far better to prevent the bulk of the messes rather than be constantly running around after the event cleaning up. I seem to remember an estimation of 10 Seconds of Browsing to get an Infection on an Unprotected System. Seems to me that you would spend more time cleaning up the old infections than what it was worth but at least you would be very unlikely to get hit with one of the new ones as your system would be down off line. AV Technology playing Catch Up isn't anything new. Look at Medicine and vaccinations: they can only produce a vaccine after an Infection is Isolated, Known, and then it doesn't come out quickly if you consider 3 months to isolate a new strain of something, another 2 -3 months to develop a Vaccine and at least 6 months to get approval for Human Trials. It's the best part of a year before any new Vaccine gets into widespread use. But that doesn't mean that you stop being vaccinated just because the infections that the vaccines protect against are old does it? Col

Michael Kassner

It was the only application I found that advertised specification-based detection. I tested it and felt it was worth mentioning. That way, the members could test it and see how that type of AV application works.

Michael Kassner

The bad guys are using drive-by dropper programs and e-mail scams to a large extent. It's working quite well for them. In both cases, the ISP is not really in the loop.

ultimitloozer

This is not something that should be done only by users of MS products, but everyone who connects to a network of any kind to share online services or files and even those who share files via "sneakernet." You are the one holding a great misconception because ANY computer CAN be infected. Creeper infected DEC PDP-10 systems running TENEX. The Morris worm, the first big one, hit DEC VAX and Sun systems running BSD Unix. Sadmind hit not only MS IIS systems, but Sun Solaris systems as well. Santy hit ANY system running phpBB. And there are also pieces of malware out there that target Mac OS X despite the claims of many Mac fans out there. And just because a specific OS may not be targeted by malware does not mean that it cannot pass it on to other systems which are affected by it (especially via email).

Michael Kassner

What OS or application are you referring to that is not susceptible or vulnerable to exploit? Also, it's not really my statement. I suspect you have been told as often as I have that AV is a required program for Internet connected computers.

Neon Samurai

How scanning software works doesn't really change depending on the platform. AV on Linux based distributions is doing the same signature scan and behavioral analysis. It's a nice simplified overview for anyone really.

Excelmann

Has anyone performed any empirical work to determine whether there is any correlation between how fast or slow AV boots and how well it works? My experience with TrendMicro & Zone Alarm was 3-5 minutes to complete the boot process. My Comcast-provided McAfee literally has no impact on the boot process. Am I sacrificing time for protection?

santeewelding

Would have sufficed. The rest was untoward display.

aznemesis

Windows is, generally speaking, meant for the masses. It's meant to be fairly easy to understand, as far as everyday usage. (Definitely not the behind-the-scenes stuff like the Registry, but that's another story.) OpenBSD is meant for people who have a good understanding of what goes on behind the scenes and how to change that. Linux has become more user-friendly, but it still involves a fair amount of comfort with the underlying processes behind the operating system, even if you're using Ubuntu. A general comfort with the command line is necessary if you're using a *NIX OS, while it isn't if you're using Windows. Mac OSX basically takes Linux and turns it into an overpriced proprietary operating system installed on tightly-controlled hardware. It is considered more "user-friendly" by some, but my experience supporting that OS has convinced me otherwise. Anyway, the reason Windows gets more viruses is that more viruses are written for Windows (marketshare and all). The reason viruses do more damage in Windows is a combination of the code and how the OS is used (eg, most people using admin accounts to do daily websurfing).

dogknees

Without running any AV program. The only thing I run is Chrome's built-in popup blocker. Yes, it is possible. No, it's not for most. I have very "clean" habits when online. No, not what I look at, but how I look! I would never recommend this to the average user or on any kind of commercial/business network. I've done it, in the knowledge that I may get hit, as something of a test. So far, so good. Regards

Michael Kassner

But, how do you explain that I don't see anything quarantined on many of my clients workstations. Are you seeing many?

SmartAceW0LF

That McAfee has no impact on the boot process? Yours is the first I have ever heard such regarding this (one of the most intrusive of the breed) application. But then, we are all so used to waiting x minutes for our Windows systems when it should be x seconds.

Ocie3

that McAfee's software is actually installed and running?? Does it include their firewall as well as the Viruscan AV? When I ran McAfee's "Internet Security Suite" (the name might be wrong) for a month in July 2008, it was not any faster or memorably slower than any of the twenty-plus "anti-malware" programs that followed. Then again, just about everything boots slowly on my computer because the HDD is an IBM design manufactured by Hitachi about 7 years ago.

Michael Kassner

I have wondered about that myself. Made a note to check this out. Thanks for bringing it up.

bernalillo

If that was the thrust of the article, I missed it. What percentage of products actually work as advertised? AV is the worst of all malware solutions, except for all the others. (My apologies to Mr Churchill.)

seanferd

I've seen an AV fail to detect a bit of malware until running another malware scanning engine. Once a malware file is opened by the malware scanner, the AV pops in saying, "Yo la tengo". Like a very determined bride's maid at bouquet-tossing time.

seanferd

I read it. Thanks for the backup. (Puns do not necessarily reflect the intent of the poster, but may be merely serendipitous.)

Ocie3

I have been thinking about making an ISO image of the HDD after I nuke it and proceed to re-install everything "fresh". I really need to get rid of the undetectable rootkit that has become only too evident before the computer becomes completely unusable. When I do, I will have to contact Microsoft for another Windows XP license key, because they limit the number of times it can be installed, to discourage software piracy, I suppose. If I can make an ISO image, then I can restore the system without having to make that call, among other things. I don't plan to upgrade to Windows 7 until I buy a new computer (probably 12 - 18 months from now).

Ocie3

It seems to me that it does depend upon the specific malware that has been found, and how much it has corrupted the OS, applications and utilities that are presently installed. That can be difficult to assess. If a researcher for the AV developer has studied the behavior of the malware thoroughly, then perhaps they can advise tech support personnel whether it is reasonable to continue using the system after the malware has been removed. Of course, if an OS or software vulnerability has been exploited, then that must be rectified, regardless. If you're apparently dealing with a rootkit that installs a kernel-mode driver, then completely rebuilding the system is the only recourse. There is no way for an AV to discover either its process(es) or its files, so it cannot remove them. Even discovering it by changes which it introduces is not always easy, and discovering one like that may be accidental, [i]i.e.[/i], in the course of doing something else. Aside from that, the usual issue is the same as with a failed or failing HDD, namely, the customer has not done any backups. So they do want, at least, to retrieve their data. Whether it is "safe" to do that will depend upon the specific malware, [i]e.g.[/i], whether it entered the system [i]via[/i] an infected .PDF, and whether infected file(s) can be identified and destroyed.

Michael Kassner

There are few ways, actually only one, to be sure, and that is to rebuild. Then all you have to worry about is the data.

Ocie3

the "final edit", which I posted before I reloaded this web page and saw the message to which this is in reply. Of course, you may be the only person to read it .... if you do.

Ocie3

tell you of many instances in which the malware that their programs have detected is certainly all too real. As I point out in my response to a message in another thread that follows (below), subject [b]"Your critique is interesting."[/b], if malware is present and undetected, then it is likely to be included in an ISO image that is made of the HDD on which the malware is installed. Malware can also be included in file backups, especially of applications and utilities (if not also the OS), and when some methods such as real-time "synchronized" backups to web sites are used. So the role of an AV in that context is to safeguard the integrity not only of the computer system as it is in use, but also of any ISO images and of file backups. Even if the AV discovery is "reactive", that can help to assess the risk of restoring the system from a recently-made ISO image or from a particular backup. FWIW, I have had one nitwit Tier-1 tech support person for my ISP tell me that a router was not necessary or desirable, "just plug your computer directly into our DSL modem". How about using a firewall? "You don't need that either." When I related that advice to another DSL tech support fellow, he could hardly believe me.

Ocie3

intrusions occur when someone does something on the Internet that is "risky". However, it is becoming increasingly difficult to discern risky behavior and web sites from safer practices and secure web sites. There are hundreds, perhaps thousands, of game web sites that are low-risk (usually the risk is an infection from a visitor's computer system that invades the web site). But there are, it seems, an increasing number which are operated by people of unclear motives and cloudy reputation. Oddly, those people offer some of the best games (but not World of Warcraft or Second Life :-)). Sometimes I think that game web sites are the next target for the criminals who have registered domains for as many as 40% of all porn sites. Another threat is an increasing corruption of legitimate, ordinary merchant and financial web sites, often indirectly [i]via[/i] advertising. From that perspective, the local Walmart store is safer to visit than their web site might be, and you get the same poor service and subpar merchandise in both places. We don't need AV that tells us that an intruder is present on our computer systems. We need software that proactively examines every packet that enters the system, and denies the packet entry when it identifies a threat. But, then I have never met a perfect border guard, human or otherwise. Be that as it may, IMHO, the days of HTML and JavaScript as the basis for "web sites" are numbered. They are simply inherently risky and there is not much that we can do to make them "safe" to use, which we cannot abide indefinitely.

Michael Kassner

I worry about just that situation. You have lived through it. I doubt that those people could have had a better person working on their problem. I am sure it will bite me some day.

HAL 9000

Of cleaning out networks, admittedly small ones, only about 25 systems, where someone turns off the AV product to do something [i]read that as load a game[/i] and infects the entire network with a mass-mailing worm. You need to first disconnect one machine, clean it up, then follow the remainder of the network without reconnecting any computers till the entire thing is cleaned. Of course, if someone comes along after you clean one system and plugs it back in to the LAN, it's infected again before you can apply any AV product to prevent it happening. No fun at all when you have people wanting to do some work and they have to sit around twiddling their thumbs. ;) Col

Michael Kassner

That's why I get a bit confused about the need for AV. If there are so few quarantines, is it all FUD?

HAL 9000

But with the recent changes to the AV programs, other than some suspicious .EXEs that are actually application setups, the AV programs that I use are not seeing anything on the systems nowadays. As they report clean to both AV and malware scans, I'm inclined to believe that they are clear and that the different AV packages being used have just improved substantially. Only got one system that I look after that has ever got an infection, and even that is all down to the user, the owner of a business who just has to click on anything that pops up. He also has the most expensive iPod on the face of the planet, as he's constantly paying me to sort out his playlists and so on. Not even the average [i]home[/i] user. Funny thing is that no one else at that place gets any of the problems that he gets, and with him it's definitely faster to wipe and recover from an image that I have made specially for his system. He's not overly concerned with porn sites, though I do remember one of his comments about work pop-ups getting in the way of his porn sites, but that was after one of his kids used the thing over the weekend. His weakness is music download sites, particularly the free ones. Col
