Despite criticism anti-virus technologies work hard to keep up with threats

Opinion by Nick Barron

Malware has come a long way since the attack on my Amiga - but so too, despite the criticism have the anti-virus brigade.

Malware has come a long way since the attack on my Amiga - but so too, despite the criticism have the anti-virus brigade.

Recently, F-Secure's Mikko Hypponen produced a short film about the history of the Brain virus (http://campaigns.f-secure.com/brain). Twenty-five years ago, Brain was the first widespread PC virus. It was a simpler time – your average IT techie could easily identify viruses based on their symptoms, and leading anti-virus products such as Dr Solomon's came with a printed encyclopedia of them.

My first virus experience was on the Commodore Amiga. Late one night my screen suddenly displayed the infamous message “Something wonderful has happened”. Cue a mild panic followed by a lengthy night reverse-engineering the SCA virus. Removal was a simple case of overwriting the infected boot block, and holding down the left mouse button on reboot.

Brain and SCA were similar in design; both infected the boot block of disks and both were relatively benign, not doing any intentional damage (of course, there was the potential for accidental damage due to compatibility issues, a problem that would become more common). For Amiga and PC users alike, more destructive viruses would soon follow.

Fast-forward to the present day, and PC viruses number in the tens of thousands or millions, depending on how one classifies them, so no vendor is going to print a Dr Solomon's-style encyclopedia any more. Identifying a new infection is typically an exercise in web searching rather than memory, and it's becoming increasingly necessary for security staff to have some basic malware reverse-engineering skills.

Anti-virus software vendors have worked hard to keep pace with the threat. In the good old days, individual viruses could be detected by simple signatures (Brain, for example, included the authors' names and contact details in the boot code). Now it is necessary to use a combination of signatures,  virus-like behaviour detection and other heuristics. At the same time, it is essential to avoid classifying ‘good' software as malicious, as the cost to businesses of such a mistake can be huge. It is a tricky software engineering task for the vendors.

Meanwhile, anti-virus software is now expected to block exploits and other malicious (but not viral) code, bogus websites and a range of other security threats.

Recently, the anti-virus sector has run into a fair amount of criticism. I'll ignore for now the conspiracy theory that they write the viruses themselves (this dates back at least to the early 90s, when Dr Solomon himself joked: “Why would we pay our staff to write viruses when people are doing it for free?”).

A more valid criticism is that of effectiveness. Many security professionals, particularly those involved in penetration testing, complain that anti-virus systems are easy to avoid. This is a common requirement in penetration testing, where a hand-crafted exploit or phishing payload must get past the corporate anti-virus system. With a bit of work, you can tweak malicious code to avoid detection.

Sites such as VirusTotal, which scans submitted files with multiple anti-virus products, provide a quick way to test your system – such sites are an invaluable aid to removing malware, although they do suffer from the ‘dual use' problem.

It is also common to find performance rates floating at 80 to 90 per cent in comparative reviews against test sets of common viruses, although the various testing methods are debatable. But anti-virus is far from dead in the water. The fact that a barrier is ‘only' 80 per cent effective does not mean it is useless. Likewise, the fact that a skilled attacker can bypass a barrier does not reduce its effectiveness against the majority of attacks. My front door could be bypassed by a locksmith, but it is a reasonable barrier against most would-be burglars.

Anti-virus products do a cost-effective job of preventing malicious software. They are far from perfect but are an essential layer of defence for businesses. That said, it is sensible to be aware of their limitations and manage the residual risks sensibly and openly.

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events