Sunday, May 10, 2009

Antivirus Program Effectiveness

I was reading the report from www.av-comparatives.org detailing the results of their tests on 17 different antivirus products, with names like AVG, Norton, and McAfee among them. AV-Comparatives is an independent body that runs objective tests on these programs and rates them both on how much of a set of known malware samples they detect and on how many "false positives" they trigger.

I can't help but shake my head at these things. Antivirus software, that is. I hate them.

The average home user doesn't understand much other than "viruses are bad. Antiviruses protect me." So they slap a program on their system (or worse, they have one that came with the system that they eventually let lapse on the subscription) and consider themselves safe.

Here's a simple explanation of how these work. Antivirus software works on the theory that as bad software (malware) is discovered, the vendor releases what are called signatures: distinguishing characteristics of that malware (a hash of the whole file, or a sequence of bytes found inside it) that the product can check for.

When your computer accesses a file, the antivirus program running in memory intercepts the attempt to read it and compares the file's contents against its database of signatures; if the file matches one, it's flagged as malware.

Some antivirus programs also use what are called heuristics. Basically this means the program knows a set of traits that malware commonly shows (the code is packed or encrypted, it calls the system functions used to inject code into other processes, it writes itself into startup locations), and if a program you open shares enough of those traits it gets flagged as potential malware even though no signature matches it.
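Here is a toy version of both stages, added as an illustration for this post; it is my own example, not code from AV-Comparatives or any vendor. It builds a tiny "signature database" from the EICAR test string (the standard harmless string every vendor ships a signature for), scans a few constructed samples, and shows what a heuristic stage catches that signatures miss, and what a small edit to the sample does to each kind of signature. The heuristic rules, the thresholds, and all sample bytes other than the EICAR string are assumptions for illustration, not any product's real rules.

```python
import hashlib
import math
import re

# EICAR_TEST is the real, harmless EICAR anti-malware test string; everything
# else in this file is constructed for the example.
EICAR_TEST = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical vendor signature database: an exact-hash signature derived
# from a known sample, plus a byte-pattern signature for the family.
HASH_SIGNATURES = {
    hashlib.sha256(EICAR_TEST).hexdigest(): "EICAR-Test-File (exact hash)",
}
PATTERN_SIGNATURES = {
    rb"\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$": "EICAR-Test-File (pattern)",
}

# Illustrative heuristic rule (an assumption, not any vendor's real rule):
# these two Windows APIs together are the classic process-injection pair.
INJECTION_APIS = (b"WriteProcessMemory", b"CreateRemoteThread")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8.0, plain code and text much lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes):
    """Signature stage: exact hash first, then byte patterns. Returns the signature name or None."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGNATURES.items():
        if re.search(pattern, data):
            return name
    return None


def heuristic_scan(data: bytes) -> list:
    """Heuristic stage: flags traits of the file itself, without knowing the sample. Returns reasons."""
    reasons = []
    if all(api in data for api in INJECTION_APIS):
        reasons.append("imports process-injection APIs")
    if len(data) >= 256 and shannon_entropy(data) > 7.0:
        reasons.append("high-entropy body (packed/encrypted?)")
    return reasons


def scan(data: bytes) -> dict:
    """Run both stages the way an on-access scanner would when a file is opened."""
    sig = signature_scan(data)
    heur = heuristic_scan(data)
    return {"signature": sig, "heuristic": heur, "flagged": bool(sig or heur)}


def demo() -> dict:
    """Constructed samples through the scanner. Returns {sample name: verdict}."""
    samples = {
        # the known sample: exact hash matches
        "known": EICAR_TEST,
        # two bytes appended: the hash signature misses, the pattern still hits
        "tweaked": EICAR_TEST + b"\r\n",
        # the bytes the pattern looks for were edited: both signatures miss
        "rewritten": EICAR_TEST.replace(b"STANDARD", b"ST4NDARD"),
        # no signature exists, but the import names trip the heuristic
        "injector": b"MZ\x90\x00kernel32.dll\x00WriteProcessMemory\x00CreateRemoteThread\x00",
        # no signature and no tell-tale strings, but a 1 KiB pseudo-random body
        # (constructed from SHA-256 output) looks packed to the entropy check
        "packed": b"MZ\x90\x00" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)),
    }
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} flagged={verdict['flagged']!s:5s} "
              f"signature={verdict['signature']} heuristic={verdict['heuristic']}")
```

The "rewritten" sample is the whole point of the post in miniature: it is functionally the same file, but nothing in the database matches it and it shows none of the traits the heuristic looks for, so it scans clean until somebody captures it and the vendor derives a new signature.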

Many many many home users assume that having the software on their computer keeps them safe; that's like assuming that because you bought a car it'll keep running without little things like oil changes. Doesn't work that way. Antivirus programs rely on having up-to-date signatures. That means they need to connect to the vendor periodically (once a day, every other day, once a week) and download the latest updates.

Some programs require a subscription to keep up to date. If you don't pay for the access, eventually they stop updating, and then you're vulnerable to new malware.

Other times the program, like Windows itself, requires updates. Antivirus software needs system-level access to programs and files, meaning your antivirus program almost certainly runs with elevated privileges. Oooh...what does that mean? It means that if a bug is discovered in your AV software (say, in the code that unpacks archives or parses file formats, which has to handle whatever an attacker chooses to feed it), then since the AV software has free rein over the computer (that's the elevated privileges part), a file crafted to trigger that bug can basically do whatever it wants on your computer, like install other software or control what does and doesn't run anymore.

Basically the antivirus software isn't hands-off. You need to make sure it keeps up to date with both program fixes and new signature files, and that your subscription, if your particular brand has that payment model, is current.

Let's suppose you do what you're supposed to do and keep everything up to date. You're safe, right?

Not necessarily.

Simple scenario. A "black hat hacker" creates new malware (or takes existing malware and modifies it just enough, by repacking or re-encoding it, that the existing signature no longer matches it). The program is unleashed on the Internet.

Your signature database doesn't know about it. It's too new.

So someone has to get infected. Depending on the payload of this particular piece of malware, it may be caught by the vendor in one of their honeypot networks, flagged by heuristic checking on someone's machine, or found by a researcher. Regardless, someone has to discover it first.

Next that sample is sent to the vendor.

Then the vendor analyzes the sample and from that derives a signature.

The signature is added to the vendor's database.

Next your software needs to check in with the company and see, hey! There's an update waiting! Then the antivirus must download it and load the new database before it can detect anything in it.

This means there's a window of anywhere from hours to days before your computer has the signature to stop this new bit of malware. Believe it or not, if the malware is self-propagating on the Internet, it can take as little as four minutes by some estimates (this one from the Internet Storm Center) for an unprotected machine to be hit by an infection attempt. There are some arguments about this being exaggerated, and there are other estimates for how long an unpatched Windows installation lasts before being infected with something. But if you need to download a couple hundred megabytes in service packs and updates, it takes a lot longer than half an hour to get the computer hardened up; plenty of time to get scanned by infected systems on the Internet.

The underlying assumption is also that the antivirus itself works up to par. A number of the programs tested by AV-Comparatives missed malware in their tests, or worse, had false positives. False positives are situations where your antivirus labels a legitimate program as a virus and panics the user, making them think they have some terrible problem when really it's a poor signature in the database that may be corrected after another update or two.

The conclusion is that just because you have an antivirus program, you can't sit back and assume you're safe. Your antivirus is flawed. The very model of having to download signatures from a vendor to be inoculated against malware means you're playing a perpetual game of catch-up: you're always at the bleeding edge, waiting to see whether whatever was freshly released into the wild hits your computer before you get the latest signature file. And the whole time your computer is paying an incompetence tax, because your antivirus program takes up memory and processor time scanning every file your computer accesses, slowing down your computer and adding more overhead and possibly more bugs and glitches to the operation of your system. Antivirus software is the toothpaste squeezed into the small holes in the sheetrock walls of college dorms; a band-aid solution to what is really a flaw in the design of Windows.

Stop relying on blind buzzwords to keep you safe. Learn how such things work to a degree that allows you to take responsibility for the safety and integrity of your information on your computer. Otherwise you're a target waiting to be hit.
