Tuesday 17 November 2009

Why Antivirus Technology fails

Every piece of data that travels over the Internet is scanned again and again. A simple e-mail is typically scanned on the sender's PC, then on the sender's mail server, on the recipient's mail server, and once more on the recipient's PC. Yet despite this seemingly aggressive approach, viruses keep infecting computers and causing damage. What is going wrong?

To answer that we have to look deeper, and also at the history behind it.

The problem
Sometime in the early 90s I started using a computer; my first system was protected by McAfee AV. In those days a typical virus infection came through infected floppy disks (you took your disk home from school and 'bingo'). The important point is that infections spread very slowly: days, weeks or months were needed to infect a reasonable number of systems.

You updated your AV signatures now and then to stop the latest viruses. The main point is that infection was the exception and needed a physical path to another system (the infected floppy). CD-ROMs were the first new medium and were exchanged often, but the principle stayed the same.

But one chilly winter day the Internet infections we know today arrived. Where floppy viruses needed weeks or months to spread, the Internet brought the 'zero-day attack' with it, where infections could take over hundreds of thousands to millions of systems in a few hours.

The reason for that lightning-fast infection lies in something called the vulnerability window (or window of vulnerability). This window is the time between the start of an infection and the moment AV signatures are available and installed.

Today this period is typically one to several days, and in the meantime you are completely vulnerable until the update can be installed. If you get infected before the update is released, some attacks make sure the AV software is disabled or circumvented, so that even after the update the infection can no longer be fixed or disabled.

To make things worse, many viruses from the new millennium use what is often called a multi-vector attack pattern. This means that instead of a single path to your computer (such as an infected e-mail) they also try a number of other ways to get onto your computer. Viruses such as the now legendary Nimda virus infect computers through e-mail, open network shares, the Internet Explorer browser, IIS and even through back doors that were opened by other viruses. If only one of these paths to your computer is unprotected, your PC is taken over. Nimda needed only 22 minutes to cause a mass infection on the Internet, even on PCs that were protected by AV software.

Internet worms may be the norm today, but computers are still infected through the traditional channels. This was proven once again by the massive infection caused by Sony's malware (the copy protection on some of their audio CDs). I have written extensively about it here. The distribution pattern of this one was again very slow (more than a year). The Sony virus was interesting for another reason, though: it exposed another big problem with AV software, namely that AV manufacturers turned out to be slow and even reluctant to respond because it was a virus installed by copy protection. That raises questions about the agenda of such companies. Is it to protect your PC, or is it just about money, even to the point of sacrificing your customers' safety by not showing some infections (from other companies, governments, ...)?

The underlying problem
Most viruses and worms today use bugs and holes in the underlying system (especially MS Windows) to take over a computer, or they convince users to run them themselves (e-mail viruses) by posing as something else. They can only do this with such success because the underlying architecture is not securely designed.

This is even true for viruses that rely on the person behind the machine opening an infected attachment, because the underlying system should not allow something, once executed, to gain this level of control over the system.

To make matters worse, most programs fail open rather than closed. That is a mistake: when something fails you should lose some functionality, not the protection.

Anti-virus software runs on top of a system and tries to intercept viruses before they take control of that system. But to do so it needs a lot of privileges itself (for example to download signatures from the Internet, but also access to hard disks, CD-ROMs and the like). This makes this kind of software itself a target for an attack, with total control over the system as the prize.

A real solution
To tackle the anti-virus problem effectively we need to get one step ahead of the bad guys. That means, first, that systems should be designed with security as an integral part, and that security must fail closed instead of open (think of an electronic lock).
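As an added illustration that is not part of the original post, the constructed Python sketch below models an e-mail attachment gate and shows how the fail-open and fail-closed choices play out in the three situations described above: the scanner is disabled, its signatures are out of date, or a new sample falls inside the vulnerability window. The policy names, sample hashes and timestamps are all made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

FAIL_OPEN = "fail-open"      # protection missing -> let traffic through
FAIL_CLOSED = "fail-closed"  # protection missing -> hold traffic back


@dataclass(frozen=True)
class SignatureDB:
    published: datetime        # release time of this signature set
    hashes: FrozenSet[str]     # constructed sample "signatures"


def gate(attachment_hash: str, is_executable: bool, db: Optional[SignatureDB],
         now: datetime, policy: str, max_age: timedelta = timedelta(days=1)) -> str:
    """Decide 'deliver', 'quarantine' or 'block' for one attachment.

    Three situations are handled explicitly: no signature database loaded,
    a database older than max_age (the update never arrived), and a sample
    the database has never seen (the vulnerability window)."""
    if db is None or now - db.published > max_age:
        # The protection layer itself is broken. Fail-open keeps full
        # functionality and gives up protection; fail-closed does the reverse.
        return "deliver" if policy == FAIL_OPEN else "quarantine"
    if attachment_hash in db.hashes:
        return "block"  # signature match: both policies stop it
    if is_executable:
        # Unknown executable inside the vulnerability window. "Not on the list"
        # is not the same as "safe"; a closed design holds it for review.
        return "deliver" if policy == FAIL_OPEN else "quarantine"
    return "deliver"


def demo() -> dict:
    """Run the same constructed mailbox through both policies."""
    now = datetime(2009, 11, 17, 12, 0)
    fresh = SignatureDB(now - timedelta(hours=6), frozenset({"sig-known-worm"}))
    stale = SignatureDB(now - timedelta(days=3), frozenset({"sig-known-worm"}))
    cases = {  # name: (hash, is_executable, db)  -- all values constructed
        "known_worm": ("sig-known-worm", True, fresh),
        "new_worm": ("sig-unseen", True, fresh),        # zero-day, no signature yet
        "plain_doc": ("sig-doc", False, fresh),
        "no_updates": ("sig-unseen", True, stale),      # update never installed
        "no_scanner": ("sig-unseen", True, None),       # AV disabled by malware
    }
    return {policy: {name: gate(h, ex, db, now, policy)
                     for name, (h, ex, db) in cases.items()}
            for policy in (FAIL_OPEN, FAIL_CLOSED)}
```

Only the known worm is stopped under fail-open; every other failure of the protection layer silently delivers the attachment, which is exactly the loss of protection the post warns about.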

In addition, protection should be embedded in the lowest levels of our systems and should keep working when problems are found at those low levels. Security should enforce the principle of least privilege. Some of these ideas can be found today in newer Linux distributions, but they often do not go far enough.

Interesting projects include SELinux, AppArmor and PaX.

There is also a very interesting piece of research on fault-tolerant systems by Andrew S. Tanenbaum of the Vrije Universiteit Amsterdam; the result is the Minix OS, a Unix-like OS with a true micro-kernel.

Perhaps you noticed that I do not mention MS Windows; at that level especially there has been little or no progress. At first sight Vista was a little better, but the changes do not go far enough and most of it has been lost in a poor implementation. Vista's cumbersome size and complexity, together with a DRM layer that protects others against you instead of the other way round, have also become an additional risk.

Practical tips you can use today

* The most important step you can take if you use MS Windows is to stop doing so and switch to alternatives such as GNU/Linux or FreeBSD.
* GNU/Linux distributions like Ubuntu are very secure and still easy to use. I understand that not everyone can or wants to do this right now.
* GNU/Linux is generally safer than Windows for several reasons. It was designed from the start as a multi-user network system, whereas those features were only built into Windows later on.
* In addition, GNU/Linux (Free Software and other such systems) comes from a community instead of a single commercial entity, and that community has a different agenda than commercial firms.


If you cannot or will not switch to a safer alternative, there are still some things you can do to make your Windows system a lot safer:

* Never use Outlook for e-mail; choose Thunderbird or Eudora instead. Outlook has too many features that hide extensions or run scripts without your permission.
* Never use Internet Explorer to surf the web; choose Firefox or Opera. The same mistakes that made Outlook unsafe were repeated in Internet Explorer.
* Create separate user accounts for administering and for using your PC.
* Install updates regularly, not just for Windows but for all the programs you use.
* Buy a hardware router/firewall (such as a Linksys). Configure it correctly or have someone do that for you.
* Do not open attachments from people you do not know, and do not run programs you have downloaded from websites you are not 200% familiar with.
* Always keep in mind that the Internet is not a safe environment and that data such as the From field of e-mails or buddy names in MSN/ICQ/Gtalk can be forged with little effort. Systems such as PGP can help you, but they have to be used on both sides of the communication.
* Make backups so you do not lose data if something happens.
