
A piece on Anti-Virus Programs

March 18, 2010 - General Computing

As far as AV programs go, I haven't had one installed for quite a long time.

The reason I don't use an AV solution myself comes down to what I call the "reverse pigeonhole principle": every product detects a different set of things, so there is always something that will get through, and for those "holes" the best defense is simply a knowledgeable user. The only way to be truly covered would be to run several anti-virus products at once, so that one AV's "pigeonhole" is covered by another and vice versa. This of course doesn't work in practice, since the AV products simply stomp on each other for everything else.

I might also point out that the very premise of AV comparisons is somewhat flawed: all they test is the vendor's ability to update its virus database and the flexibility of that database to describe new viruses. The fact is, once a virus is detected by most major AV products it is no longer much of a "threat"; the reason any virus becomes prevalent is that the AV products don't detect it yet.

An AV program works rather simply. Whether it runs "on demand" (in the now prevalent sense of the user starting it, rather than the traditional sense of running when there is a demand for scanning, i.e. when a file is opened, but I digress) or in the background, it scans a file in a rather simple manner.

First, of course, it opens the file. This is where a problem can already arise. What if another process has it open? What about security restrictions? We have all run into the "file is in use" dialog when deleting or moving a file. And even the most basic access, simply reading the file, can be blocked: on Windows, read (FILE_READ_DATA) and execute (FILE_EXECUTE) are separate access rights, so a virus can set the ACL on a file it creates to deny everybody read access while still allowing the file to be executed, which nullifies the whole goal of the AV product.

Of course, most AVs now have a kernel-mode driver that forces a "dismount" of sorts on the file, that is, it closes every open handle to the file. The problem here is two-fold. First, it doesn't actually change the ACL of the file: if the ACL grants execute but not read, the AV still won't be able to read it. Second, it can cause difficult-to-diagnose errors in other applications when their file handles are suddenly invalid.

To combat the first issue, AV products often place their detection logic in kernel mode, where it has complete access to everything, including the ability to change file permissions (I think it can be done in user mode too, but I'm not sure). Either way, a lot of AVs have their detection logic in kernel mode.

This appears to solve the problem, but really it introduces a far larger and more malevolent one. Recall that an AV program scans a file by essentially reading it and comparing it, using various heuristics, to the signatures in its database. This is sensible. However, when that code runs in kernel mode, any crash gives the user a blue screen, and since the AV is dealing with potentially malevolent code in the form of data, a virus writer can use all sorts of tricks to make the scanner crash: a deliberately malformed file that the scanner's parser never expected is all it takes.
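The two failure modes above, the file the scanner cannot open and the hostile file that makes the parser fall over, are easy to see in miniature. The following is an added example, not code from the original post or from any AV product: the container format (a chain of records, each carrying the offset of the next one) is hypothetical and constructed for the example, as are the sample files. The trusting parser raises on a crafted next-offset and would spin forever on a crafted cycle, which in a kernel-mode scanner are a bug check and a hung machine respectively; the defensive one turns both into a verdict, and an unreadable file becomes a verdict of its own rather than a silent skip.

```python
import os
import struct
import tempfile

# Hypothetical container format (constructed for this example): a chain of
# records.  Each record starts with a 4-byte little-endian offset of the next
# record (0 means "last record") and a 4-byte little-endian payload length,
# followed by the payload bytes.
HEADER = struct.Struct("<II")


def record(next_offset: int, payload: bytes) -> bytes:
    """Build one record of the hypothetical format."""
    return HEADER.pack(next_offset, len(payload)) + payload


def naive_records(data: bytes) -> list:
    """Walk the chain the way a hurried parser does: trust every field.
    A next offset past the end of the buffer makes struct.unpack raise, and an
    offset that points back at an earlier record loops forever.  In a
    kernel-mode scanner those two failures are a bug check and a hung box."""
    out, off = [], 0
    while True:
        nxt, length = HEADER.unpack(data[off:off + HEADER.size])
        out.append(data[off + HEADER.size:off + HEADER.size + length])
        if nxt == 0:
            return out
        off = nxt


def safe_records(data: bytes, max_records: int = 1000) -> tuple:
    """Same format, parsed defensively: every offset and length is checked
    against the buffer, visited offsets are remembered so a cycle is caught,
    and the walk is capped.  Returns (records, error) and never raises on
    hostile input."""
    out, seen, off = [], set(), 0
    while len(out) < max_records:
        if off in seen:
            return out, "malformed: record chain loops back on itself"
        seen.add(off)
        if off + HEADER.size > len(data):
            return out, "malformed: record header runs past end of file"
        nxt, length = HEADER.unpack_from(data, off)
        start = off + HEADER.size
        if length > len(data) - start:
            return out, "malformed: payload runs past end of file"
        out.append(data[start:start + length])
        if nxt == 0:
            return out, None
        off = nxt
    return out, "malformed: too many records"


def naive_crashes(data: bytes) -> bool:
    """True if the trusting parser blows up on this input.  Do not feed it the
    looping sample: it would never return."""
    try:
        naive_records(data)
    except struct.error:
        return True
    return False


def scan_path(path: str) -> str:
    """The open step.  An unreadable file is reported as a verdict of its own
    rather than silently skipped, because "permission denied" is exactly what
    a file with a read-denying ACL looks like from the scanner's side."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except PermissionError:
        return "unscannable: permission denied"
    except OSError as exc:
        return f"unscannable: {exc.strerror}"
    records, err = safe_records(data)
    return err or f"parsed {len(records)} record(s)"


# Constructed samples (not real files from anywhere).
HONEST = record(HEADER.size + 5, b"hello") + record(0, b"world")
PAST_EOF = record(0xFFFFFFF0, b"x")                              # next offset far beyond the buffer
LOOPING = record(9, b"a") + record(18, b"b") + record(9, b"c")   # third record points back at the second


def demo_results() -> dict:
    """Write the samples to temp files, scan them through the defensive path
    (plus one missing file) and return the verdicts as a dict."""
    results = {}
    for name, data in (("honest", HONEST), ("past_eof", PAST_EOF), ("looping", LOOPING)):
        fd, path = tempfile.mkstemp(prefix="avdemo-")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        try:
            results[name] = scan_path(path)
        finally:
            os.remove(path)
    results["missing"] = scan_path(os.path.join(tempfile.gettempdir(), "avdemo-does-not-exist"))
    return results


if __name__ == "__main__":
    for name, verdict in demo_results().items():
        print(f"{name:>9}: {verdict}")
```

The design point is that `safe_records` never lets the input decide how far it reads or how long it loops: bounds come from the buffer, the visited set breaks cycles, and the cap bounds the work even when the chain is honest but enormous. Whether a real scanner runs in user or kernel mode, that is the difference between "malformed file" in a log and a blue screen.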

On the other hand, what crashes one AV will probably not crash another, so the whole "reverse pigeonhole" concept rears its head once again. In fact, it is this very principle that makes AVs as effective as they are: a malware writer is not going to write pages of extra code just to circumvent detection by some rather unpopular AV program. It's not worth the effort.

The main problem with the very concept of software-based malware detection is just that: it's software-based. Software is designed to make well-defined tasks easier, but defining what is and is not malware is very difficult. Consider for a moment what would happen if our court judges were replaced by software of some form, and you have an idea of what I mean. It is a problem that is only partially calculable. No AV product can filter the "criminal" code from the not-guilty, for the same reason a software implementation of a judge or jury wouldn't work: it's a fixed ruleset.

A judge or jury obviously runs through the same sort of logic when deciding whether an alleged criminal is guilty or innocent. However, it's important to note that for the "big time" offenses the decision is not made by a single person but by a group of people, in a sense a group of "criminal detectors" whose various life experiences and intelligence combine to, ideally, properly determine the guilt or innocence of the accused.

Perhaps an "ideal AV" would follow the same rules: rather than using a single set of rules and heuristics, run the possibly malicious code through a number of tests by various companies. Of course, this implementation has a number of huge problems, which is why it hasn't been implemented in the first place. The first issue is company co-operation: why settle for a slice of pizza when you can go for the whole box? Another, perhaps even more decisive, issue is simply the time it would take. Jurors often take days to reach a verdict and in some cases end up hung, at which point the whole thing degrades into a ranking system among AV engines, which brings us right back to AV rankings and where we started. Additionally, for scanning on every file access, even with the speed of a computer a "judgement" will not be made in a reasonable amount of time.

Which brings us to the real reason AV programs are not as effective as they could be. It's simple: performance. It has been noted on several occasions that later versions of an anti-virus are often more "bloated" and "slower" than previous versions. UI changes aside, this is often the case for good reason. As the par for the course of computer hardware moves up, so does the speed an AV has to work with, and most AV vendors take advantage of that extra speed (often unwittingly, as their application may simply never be tested on older hardware at all).

The fact is, a "perfect AV" is not something that can ever exist. Even the term "definitive best" is rather unhelpful: no metric can suitably be established to determine with any granularity when one AV is better than another. If one AV has a bigger database, for example, that is rather meaningless for several reasons. Many AV databases include signatures for all sorts of ancient and long-annihilated viruses like "Stoned" and "Michelangelo". This is analogous to inoculating children not for diseases they can actually get, but for things like smallpox, polio, the Black Death or cholera, which are either eradicated or, if contracted, can generally be treated (or in some cases the antibodies are passed on by their mothers anyway). So while AV A has a larger database than AV B, AV B having an "inoculation" for the latest "supervirus" is going to do a whole lot more for the user than having "inoculations" for otherwise eliminated viruses.

Adding to the confusion is the concept of heuristic detection. Since every AV uses a different algorithm, they can of course come up with widely varying "diagnoses" for any number of files, infected, benign, or even nonexistent. Add to this that analysing code paths and branches and trying to use that to decide whether a file is "good" or "bad" on a boolean scale is rather optimistic. Any number of legitimate applications, for example, access Software\Microsoft\Windows\CurrentVersion\Run and related keys (it is how a program registers itself to start at logon), and yet there was a time when every application accessing this key was labelled a keylogger: the rule was apparently that any file containing that string was malware, and moreover a very specific kind of malware, which amounts to nothing more than a shot in the dark. (This was McAfee some number of years ago, by the way.) To make things worse, the fix was simple: I just reversed the string. If I can reverse a string and turn an evil keylogger into a harmless program according to an otherwise popular AV product, then the malware writers who create the very thing the detection is supposed to find can do so as well, leaving an essentially useless database entry that only serves to add to the little spiky bubble on their product box and advertisements.
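To make the string-rule problem concrete, here is an added example (not code from the original post, and not any vendor's real signature): a rule that says "any file containing the Run key string is a keylogger", run over three constructed sample "files" whose names and contents are invented for the example. It shows the false positive on a benign installer, the reversed-string evasion described above, and, going one step past the text, that patching the rule to also accept the reversed spelling still leaves it behind any other trivial encoding, here a one-byte XOR.

```python
# The registry path the hypothetical rule keys on.  Writing to this key is how
# a program registers itself to start at logon, so plenty of benign installers
# contain the string.
RUN_KEY = rb"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample "files" (nothing here is real malware or a real binary).
SAMPLES = {
    # A legitimate installer registering itself to start at logon.
    "installer.exe": b"RegSetValueEx HKCU " + RUN_KEY + b' "MyApp" C:\\Program Files\\MyApp\\app.exe',
    # The same thing with the key stored reversed and reversed again at runtime:
    # the trick from the text.
    "evasive.exe": b"RegSetValueEx HKCU " + RUN_KEY[::-1] + b" (reversed before use)",
    # The same thing with the key XORed with a single byte and decoded at runtime.
    "xored.exe": b"RegSetValueEx HKCU " + bytes(b ^ 0x55 for b in RUN_KEY) + b" (xor 0x55 before use)",
    # A file that has nothing to do with any of this.
    "recipes.txt": b"Preheat the oven to 180C and grease the tin.",
}


def naive_rule(data: bytes) -> bool:
    """The rule as described: the key string appears, therefore 'keylogger'."""
    return RUN_KEY in data


def normalised_rule(data: bytes) -> bool:
    """One patch later: case-insensitive and also accepts the reversed
    spelling.  It now catches the reversal, but the verdict is still only
    'this file mentions the Run key', which is not the same as 'keylogger',
    and any other encoding of the string walks straight past it."""
    lowered = data.lower()
    key = RUN_KEY.lower()
    return key in lowered or key[::-1] in lowered


def classify(rule, samples=SAMPLES) -> dict:
    """Apply one rule to every sample and return {name: flagged}."""
    return {name: rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for rule in (naive_rule, normalised_rule):
        print(rule.__name__)
        for name, flagged in classify(rule).items():
            print(f"  {name:>14}: {'FLAGGED' if flagged else 'clean'}")
```

Read the two result tables together: the benign installer is flagged by both rules, the reversed sample slips past the first and not the second, and the XORed sample slips past both. Each patch to the string closes one encoding; the rule never gets closer to answering the question it claims to answer, which is what the file does with the key.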

Returning to the main issue of AV detection: speed.

From what I can tell, the rules of AV detection are pretty much this: you can have speed or you can have accuracy. I'm sure that with 24 hours to think about it, an AV heuristic algorithm could determine with nearly 100% certainty whether a given file is a virus, even for those sneaky viruses that haven't been discovered yet. But people want to use their computer, not watch the hourglass for hours after every file access, so AV vendors have to compromise.

In all honesty, I think many of them have done a bloody fine job of compromising. There is of course a performance hit on every file access, simply because there is extra code running, but the AV vendors have largely made it short enough that it isn't even noticeable, which is rather amazing. Now, of course, it is this need for speed that gives every AV program its holes. It isn't that they could never detect a given piece of code; it's that they can't do it in a reasonable time frame and with 100% certainty, which makes using them a bit like playing piñata without a piñata. Eventually you realize there isn't one and get pissed off at your friends. What I mean is, it's only a matter of time before a virus slips by, and at that point who do you blame?

The very reason I don't use an AV is that it gives you a false sense of total security. You think, well, there's only this tiny hole in my shield, but meh, nobody has a sword small enough to fit through. The problem is that eventually you are going to meet somebody with a foil, and then you're screwed. This "eventually" factor is also important: a user who uses their PC for maybe an hour a day is far less likely to meet the virus with the foil than a user who is on it all day, in the same way that a person who downloads a good number of files is far more likely to install a trojan by accident than somebody who only looks at recipes online.

Lastly, it doesn't matter HOW effective an AV is if the user doesn't care. A user, regardless of their AV, needs to be informed of some basic "rules of the internet". You cannot just slap on some so-called "definitive best AV" and assume they will be fine; they need some basic education. So any "definitive best" AV will have the user as part of it, and since the user is part of the formula, solving the "equation" may bring out a different AV as the "best" for different people.

Myself, when I want to judge a user interface blindly, I just imagine my mother using it. Now, some of you may be under the impression that my mother is probably some sort of COBOL goddess or something. The truth is, in fact, that she can't even use a mouse... (actually, wait, that would fit the COBOL goddess theme... dammit). Anyway, she fits the profile of a total newbie to computers and the internet in general. For example, Firefox is not Firefox but rather her "facepage", and of course she cannot and will not connect her camera to any computer, because the moment you connect it to a PC every single picture is put onto a web page (regardless of what I, somebody who knows what they are talking about for the most part, say).

Since the user is such a critical component of the equation, it's important to factor in the user interface of the anti-virus solution they are coupled with. In my experience, AV programs often make "alerts" about viruses scary and full of technical jargon, often with cute little pictures of viruses.

They do this when the program updates as well. When my mother was using my brother's computer, the AV updated and displayed its little "update" dialog. The dialog included the VERY SAME "scary" virus image (this was ages ago, with AVG) that is shown when a virus is detected. She was terrified that she had somehow got a virus onto his computer or something. Not to mention the hopelessness the image conveyed; she was even saying "I hope I didn't infect it, we can't afford to buy him another one" and other such talk. While one can simply say this is user newness to the entire computer scene, it's important to realize that AV programs are not only marketed to the technical elite; they are also marketed to people who have never used computers before and therefore really have no idea what an anti-virus program does or how it works. All they know is that they "need" one because everybody says they do.

This isn't to say that they don't, of course. Really, I'm pointing out that simply telling them to use "X program" as their AV solution is more software evangelism than a proper recommendation, on the grounds that the AV and the user are both part of the package; they need to work together. If the user is scared of the interface presented, they may simply click the "X" button (which, in that version of AVG, was for some reason mapped to "ignore"), so even though AVG was detecting the viruses, nothing was being done about them simply because of the user.

To summarize: the user is part of the AV, in the sense that without a well-informed user an AV simply may not be able to do its job of eliminating and preventing virus infections. It is pertinent to educate users about viruses and malware in general, as well as how an AV works, in order for it to be fully effective.

And yes, there are a number of users who couldn't care less how a PC works, or whatever, and consider it a tool. Well, I think they're full of it.

First off, not all tools are intuitive. You don't grab a belt sander and instantly know how to use it, or the various types of sandpaper and their ideal uses; you learn those things. Even a simple hammer has a learning curve where you gradually reduce the frequency of a smashed thumb. The people who think that a "tool" shouldn't require any sort of education are the same people who think they can dry off their cats in the microwave.
