Why Popular Anti-Virus Apps 'Don't Work' 375

Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow up to another article detailing the sad state of anti-virus software currently on the market.

  • Re:Kaspersky? (Score:3, Informative)

    by WombatDeath ( 681651 ) on Saturday July 22, 2006 @03:44PM (#15763775)
    The article suggests not that it's doing anything better, but that since it has only 0.8% of the market the malware authors don't bother to work around it.
  • Mac AV Software (Score:1, Informative)

    by Anonymous Coward on Saturday July 22, 2006 @03:49PM (#15763786)
    If anti-virus software on Windows is bad, anti-virus software on the Mac is doubly so. And you don't even need it (on the Mac), except that some of us work in IT and the end-users refuse to believe the tech support staff and instead choose to believe the hyped-up newspaper reports about viruses being a problem on the Mac (sorry, no, they aren't). So, we have to have a "solution" present on their computers to make them feel "safe". Except the major A/V makers' products on the Mac side don't even do the job of appearing to work. A prime example is McAfee Virex and its virus definition update functionality. It gives an error message even when it works correctly (but of course an end-user is going to be put off by the error message and call tech support). Do you feel safe when your anti-virus software can't even report the status of virus definition updates correctly?
  • What I do (Score:4, Informative)

    by shawn443 ( 882648 ) on Saturday July 22, 2006 @03:54PM (#15763800)
    Require all users to run as a limited user as per Principle of Least Privilege [microsoft.com]. This is the key. I once had a computer lab for inner city youth with no AV software at all, just limited user accounts and a simple router. Once we could afford Symantec AV Corporate (I work for a non profit) and ran the scans, no viruses. If anyplace was bound to get one, that would have been it.
  • Re:No S**t (Score:5, Informative)

    by nmb3000 ( 741169 ) on Saturday July 22, 2006 @04:00PM (#15763814) Journal
    Still an interesting point it raises, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.

    At least people are starting to realize this.

    As for myself, I used to use Symantec's antivirus software both at home and at work, but a year ago decided it just wasn't worth it. The program was the most obscene resource hog I've ever had the displeasure to use, and in the 7+ years of using the program it never once protected me from getting a virus. The same can be said for a lot of other AV offerings, and yet you still see some idiots suggesting you run 2-4 different AV applications just to "be sure you're safe".

    Once people realize that the single best and most effective method of protecting themselves is common sense, they will be a lot better off. If you don't download from untrusted sources, don't click banners, don't install just any (activeX|extensions), and keep your machine patched, you'll be fine (YMMV of course).

    The problem is that while people can buy Symantec's latest breakthrough in keeping your processor occupied, they cannot buy common sense.
  • by narfbot ( 515956 ) on Saturday July 22, 2006 @04:13PM (#15763841)
    The whole concept of recognizing known viruses was fundamentally flawed. It had a good run,

    More than ten years ago, before Windows 95, when most people were using DOS and DOS virus scanners, I had someone (comparable to a modern day script-kiddie) from my high school ask me to scan a disk to see if the viruses he had on there were detected. Even then he knew that if the popular virus scanners of the day couldn't detect them, he could potentially use them. It was then I realized that virus scanners were a joke, and I have never used those crappy bloated active scanners since. I don't think any virus scanners ever had a good run because the average kid back in the day knew they could be fooled.
  • by Apraxhren ( 964852 ) on Saturday July 22, 2006 @04:18PM (#15763857) Homepage
    XP is a huge pain to use without admin rights due to braindead apps
    I'm not sure if that is all that true anymore, at least. Granted I don't run a vast amount of software, but in my experience it seems more recent software tends to be non-brain-dead, at least in the gaming industry. That was once one of the worst offenders: nearly everything used to write to the Program Files dir, but now all the ones I have had experience with write to the user space. Every other program I run allows a choice of where to save data, so they work perfectly as well. However, like I said, I don't have every software title at my disposal and really it could just be luck in the programs I run. Aaron Margosis does an excellent job of providing all the information needed to run as non-admin on his blog: http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx [msdn.com]
  • by Futurepower(R) ( 558542 ) on Saturday July 22, 2006 @04:29PM (#15763879) Homepage
    Symantec software is even worse than you said, in my experience.

    You didn't mention the bugginess.
  • by Futurepower(R) ( 558542 ) on Saturday July 22, 2006 @04:40PM (#15763909) Homepage
    Safer link to Systrace [umich.edu]
  • by stevey ( 64018 ) on Saturday July 22, 2006 @04:43PM (#15763916) Homepage
    A proactive system would patch the holes that are being exploited.

    The problem here is that viruses don't typically exploit any hole. They are simply programs that run with the privileges of the user who executes them.

    A typical (old school) virus would do three things:

    • When executed find files that can be written to - pick one at random.
    • Update that program to append itself to the end of it. Patch the header so that execution starts at the newly appended code.
    • Work out where the currently infected program should have started execution from - jump to it.

    There are only two things you can do to protect against this, in general:

    • Don't run infected programs.
    • Don't allow the current user to modify binary files.

    In Windows it is the second issue which allows viruses to spread - typically the local user would have write access to the system binaries, so eventually Notepad.exe would get infected, etc. Under Linux/Unix root generally is the only person who can write to system binaries, so a typical user can't infect them.

    However Linux viruses do exist, and are trivial to write. The reason they don't spread is partly because users are used to getting their binaries from trusted sources, partly because they download things from source, and partly because most users don't run with the ability to modify system files. (Sure you might be able to infect ~/bin - but there isn't a big gain)

    Windows is getting better at allowing non-Administrators to work properly, so sooner or later the ability of joe-random-desktop-user to modify system binaries will disappear, and at that point viruses will stop. Still, there will be worms, trojans, and all the other nasties left!

    I've gone on a bit much, but I wanted to drive the point home: viruses do not exploit security holes. (In general)
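The comment above reduces a classic file infector to one precondition: the user running it must be able to write to other executables. shawn443's comment earlier in the thread recommends limited accounts as the fix. The script below is an added example (not code from this thread or from any product mentioned in it) that measures the gap between the two on a Unix system: it walks a set of directories and lists every executable the current user could modify, which is exactly the set a virus running as that user could attach itself to. It judges writability from mode bits, owner uid and group membership rather than `os.access`, so the answer is the same whether or not it is run as root. The directory tree in `demo_findings` is constructed for illustration.

```python
"""Audit which executables the current user could overwrite (Unix only).

Added example for the Slashdot thread, not code from any of the posters:
every file reported here is one that a virus running as this user could
patch, so an empty report is the "don't allow the current user to modify
binary files" condition from the comment above.
"""
import os
import stat
import sys
import tempfile


def executable(mode):
    """True if any execute bit (user, group or other) is set."""
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def writable_reason(st, uid, groups):
    """Why a file with stat result `st` is writable by `uid`, or None."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owned by current user"
    if st.st_gid in groups and mode & stat.S_IWGRP:
        return "group-writable"
    return None


def find_writable_executables(roots, uid=None, groups=None):
    """Walk `roots`; return sorted (path, reason) pairs for regular
    executable files that the given user (default: the caller) could modify."""
    uid = os.getuid() if uid is None else uid
    groups = set(os.getgroups()) if groups is None else set(groups)
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: judge the file, not a symlink target
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not executable(st.st_mode):
                    continue
                reason = writable_reason(st, uid, groups)
                if reason:
                    findings.append((path, reason))
    return sorted(findings)


def demo_findings():
    """Build a constructed directory tree and return {basename: reason}.

    'locked' (mode 0555) and 'data.txt' (0666, not executable) must not be
    reported; 'owned' (0755) and 'anyone' (0777) must be.
    """
    d = tempfile.mkdtemp(prefix="av-audit-")
    for name, mode in (("locked", 0o555), ("owned", 0o755),
                       ("anyone", 0o777), ("data.txt", 0o666)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(path, mode)
    return {os.path.basename(p): r for p, r in find_writable_executables([d])}


if __name__ == "__main__":
    # Usage: python3 audit_writable.py /usr/local/bin /opt  (defaults shown)
    roots = sys.argv[1:] or ["/usr/local/bin"]
    for path, reason in find_writable_executables(roots):
        print(f"{reason:22s} {path}")
```

Run it as the everyday (non-root) account, not as root: the question is what that account can write, and on a well-configured system the output for the system binary directories should be empty.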

  • by Master of Transhuman ( 597628 ) on Saturday July 22, 2006 @04:55PM (#15763957) Homepage
    For home users, I tell them the following:

    1) You're not a company that gets thousands of virus-laden emails a day. You don't need to pay for Norton or McAfee. A 98-99% detection rate is perfectly adequate for a home user.

    2) Install AVG or Avast AV. They're free, they update automatically, they're light on resources and they work.

    3) Install Spybot Search and Destroy, SpywareBlaster, Ad-Aware and Windows Defender.

    4) Install a software firewall like Kerio or just use Windows XP's firewall. If you install Kerio, use V2.1.5 because it's non-intrusive. The later versions are too picky and get in your face.

    5) Stop using IE and use Firefox.

    6) Lately, since trojans are on the upswing, I say install A-Squared anti-trojan which is free with manual updates.

    7) Don't click on popups. Don't even click on the "No" button - click the window close button.

    8) Don't install anything offered you by a Web site unless the site is a general freeware or shareware site that explicitly states it checks for spyware and adware.

    9) Keep up with Windows updates and updates for the malware detector software.

    10) Run a scan once a week or if you see any popups at all.

    I've used these rules on Windows 98, 2000 and XP for four years with virtually NO spyware getting through - and that's with porn site visits and whatever else the Web can throw at me.

    The single most important rule is number 5 - use Firefox. With no ActiveX, the stuff can't get in unless you have an OS vulnerability or you deliberately install it in response to a prompt you don't understand.

    Finally, if they really want to be secure, switch to Mac or Linux.

  • by Gnavpot ( 708731 ) on Saturday July 22, 2006 @04:55PM (#15763958)
    1. Firefox with popup blocker

    2. Firewall software

    3. Sit behind router

    4. Use AV software

    5. Don't click on anything that pops up without reading it!
    You ignore the three most important:

    Remove administrative privileges from your everyday account.

    Keep your software and OS updated.

    Do not run software with a bad security record.
  • by Futurepower(R) ( 558542 ) on Saturday July 22, 2006 @04:57PM (#15763966) Homepage
    MOD PARENT DOWN. Bad Link.

    Official Clam Anti-Virus for Windows link: ClamWin [clamwin.com]. ClamWin is free and excellent, but slower at scanning than commercial products, in my experience.
  • Re:But... (Score:3, Informative)

    by TubeSteak ( 669689 ) on Saturday July 22, 2006 @05:04PM (#15763993) Journal
    Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for a while.
    All true, but your conclusion was false.

    The codebase between variants can easily be changed to the point where heuristics & previous def files will not recognize it.

    It's worse with a (encrypted) polymorphic virus, because those are hard enough for the anti-virus guys to decode the morphing bits without various blackhats tweaking the virus/morph/encryption code and re-releasing the virus.
  • by Black-Six ( 989784 ) on Saturday July 22, 2006 @05:07PM (#15764001)
    To add to this guy's list, here's what I do. Most apps are found on download.com.

    1. Use the Portable Version of Firefox. It doesn't cache off to disk and cleans up user history when you close the app.

    2. Use a reputable firewall. I have the latest version of ZoneAlarm and the default controls allow the user to specify what gets in or out.

    3. Use a reputable AV. I have the latest version of AVG and it's pretty good at staying up to date and scans quite often.

    4. Use a reputable Anti-Spyware program. I have the latest version of Ad-Aware SE and it picks up stuff that ZA and AVG miss as well as spyware.

    5. Get iolo's System Mechanic. It can prevent hackers from hacking and finding stuff on your drive by encrypting the free space, deleted file names, and data by overwriting those areas per U.S. DOD standards. It also cleans out your digital history of where you've been and what you've opened.

    6. Use common sense. If you close pop-ups by closing them on the toolbar at the bottom of the screen instead of clicking close on the window you'll save yourself headaches (quite a few pop-ups use PINP format so that it opens when you try to click the X to close it).
  • by MarkByers ( 770551 ) on Saturday July 22, 2006 @05:07PM (#15764003) Homepage Journal
    Linux isn't a silver bullet. A virus can still install itself in user space, and from there it can:

      * Delete files
      * Read confidential files from that one user (a typical computer might only have 1 or 2 users)
      * Send out spam
      * Install a keylogger
      * Read the user's contact list and forward itself to all users on that list.
      * Install itself to start up with user privileges when the computer boots (by modifying the user's configuration files)
      * Pretty much anything...

    However, having separate users does limit the damage and it makes it a lot easier to clean up, since no executable files are affected, root should be safe, and the system should still be stable and consistent once the virus is removed. (This is not true if the virus has gained root privileges, and really you should assume that it has, if you really want to be safe).

    Much of the security of Linux comes from:

      * The peer review process.
      * The speed with which the most serious holes are patched and the ease of applying these patches on most distributions.
      * Vulnerable services are not usually open to attack after a default install.
      * 'Biodiversity' - an attack against a specific application will not affect all users.
      * New install media with latest bug fixes issued regularly and easy to obtain.
      * Large amounts of software are available from the distribution repository, so you don't need to download and run installers from third-party web pages.
      * Smaller market share gives attackers less incentive to attack.

    I'm not saying that ALL software for Linux is secure, and that ALL distributions respond promptly to security vulnerabilities, but it is possible to be reasonably secure if you choose the right vendor and don't be stupid by installing random screensavers from dodgy websites.
  • by ConceptJunkie ( 24823 ) on Saturday July 22, 2006 @05:35PM (#15764090) Homepage Journal
    They are standard Web articles: Two paragraph summaries.

    At the rate things are going, article writers won't even bother with the body of the story any more, it will just be a title and ads.

  • by Kremmy ( 793693 ) on Saturday July 22, 2006 @06:10PM (#15764178)
    I'd go one step further and say that you really meant:
    * Install itself to start up with user privileges when the user logs in after a reboot (by modifying the user's configuration files)
    Also, cron jobs would make it so the user doesn't have to log in.
  • by chawly ( 750383 ) on Sunday July 23, 2006 @04:19AM (#15765294)
    Having a firewall probably helps. Being very lucky also.
  • by cswiger2005 ( 905744 ) <cswiger@mac.com> on Sunday July 23, 2006 @11:43AM (#15766016) Homepage
    The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?

    This is an excellent question. Mostly, you notice a well-hidden rootkit by using tcpdump on some other machine to sniff all of the traffic from the suspect machine [1], and then concentrate on stuff that's not local to your subnet.

    If you don't have a user on the machine running a chat program, seeing traffic to or from the IRC port, 6667, tends to be a very common sign that the machine is giving or receiving orders as part of a botnet. Forcing the machine to do all web access via a proxy and then checking the proxy logs after a day or two also tends to be revealing.

    [1]: This should be done where both machines are connected on the same hub, or perhaps using the "monitor" or "span" port that newer intelligent switches have for diagnostic testing.
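The check described in this comment (sniff from a second machine, ignore traffic that stays on the subnet, look for the IRC port) is easy to automate over `tcpdump -n` text output. The script below is an added example, not code from the thread or from any tool named in it: it parses tcpdump-style lines, keeps only flows where one end is on the local subnet and the other is not, and counts packets per local host talking to an outside address on port 6667. Hosts known to run a chat client can be listed so they are not flagged, matching the comment's caveat. The capture lines, the subnet and all addresses in it are constructed for illustration.

```python
"""Flag hosts talking IRC (TCP 6667) to addresses outside the local subnet.

Added example for the Slashdot thread, not code from any of the posters.
Input is tcpdump-style text (run tcpdump with -n so addresses stay numeric);
the sample capture below is constructed and every address in it is invented.
"""
import ipaddress
import re
from collections import Counter

# Matches the "IP src.sport > dst.dport:" part of a tcpdump IPv4/TCP line.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed capture: one workstation holding a conversation with an outside
# host on 6667, one HTTPS connection, one IRC connection that stays inside the
# subnet, and one from a host that legitimately runs a chat client.
SAMPLE_CAPTURE = """\
15:02:01.100 IP 192.168.1.20.51234 > 203.0.113.7.6667: Flags [S], seq 0, win 64240, length 0
15:02:01.140 IP 203.0.113.7.6667 > 192.168.1.20.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
15:02:01.180 IP 192.168.1.20.51234 > 203.0.113.7.6667: Flags [P.], seq 1:40, ack 1, win 64240, length 39
15:02:05.000 IP 192.168.1.20.49152 > 198.51.100.10.443: Flags [S], seq 0, win 64240, length 0
15:02:07.000 IP 192.168.1.31.52000 > 192.168.1.5.6667: Flags [S], seq 0, win 64240, length 0
15:02:09.000 IP 192.168.1.44.53000 > 203.0.113.9.6667: Flags [S], seq 0, win 64240, length 0
"""


def parse_tcpdump(lines):
    """Yield (src, sport, dst, dport) for each line that looks like IPv4/TCP."""
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_irc_to_outside(lines, local_net, irc_ports=(6667,), known_chat_hosts=()):
    """Count packets per (local host, remote ip, remote port) where the remote
    side is off-subnet and uses an IRC port. Hosts in `known_chat_hosts` are
    expected to talk IRC and are skipped."""
    local = ipaddress.ip_network(local_net)
    hits = Counter()
    for src, sport, dst, dport in parse_tcpdump(lines):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in local and dst_ip not in local:
            local_host, remote, remote_port = src, dst, dport
        elif dst_ip in local and src_ip not in local:
            local_host, remote, remote_port = dst, src, sport
        else:
            continue  # both ends local (or both remote): not of interest here
        if remote_port not in irc_ports or local_host in known_chat_hosts:
            continue
        hits[(local_host, remote, remote_port)] += 1
    return hits


def demo():
    """Run the detector over the constructed capture."""
    return find_irc_to_outside(SAMPLE_CAPTURE.splitlines(), "192.168.1.0/24",
                               known_chat_hosts=("192.168.1.44",))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g.  tcpdump -n -l tcp | python3 irc_watch.py 192.168.1.0/24
        hits = find_irc_to_outside(sys.stdin, sys.argv[1])
    else:
        hits = demo()
    for (host, remote, port), n in hits.items():
        print(f"{host} <-> {remote}:{port}  {n} packets")
```

On the constructed capture only 192.168.1.20 is reported (three packets to and from 203.0.113.7:6667); the in-subnet IRC connection and the allow-listed host are ignored. A real botnet client need not use 6667, so treat this as one cheap signal alongside the proxy-log review the comment also suggests, and widen `irc_ports` to whatever your own policy says should never leave the network.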
