Anti-Virus Programs

July 8, 2012 - Programming

Important Note: In a system management setting, Or a corporation, this is NOT something I prescribe. managing and dealing with a PC that only you would use is one thing, handling them for others is, well, another thing entirely. In those cases a good AV is required and keeping it up to date as well. (With the possible exception of Linux/BSD, where you still need to be aware of any problems that crop up in the software being used)

Personally I do not use a “On-demand” or background scanner. I do have tools such as MBAM and the like installed which I will run when I notice odd processes in task manager, svchost hogging resources, or general “odd” behaviour from my system. I’ve never felt it was worth the processing overhead; The task of AV scanning takes time, and having it occur on nearly every file access is a rather hefty price. And of course, even the best AV application isn’t going to catch everything, so you need to be cautious anyway, means that, for me, I’m actually safer when I don’t have an AV installed.

When I did have one installed (after a nasty Virut infection on Windows XP to keep me from reinfecting the system using existing executables on my data drive) I actually found that a lot of activity I found suspicious and thought “oh no, I’m reinfected” could be traced to the AV. While their purposes are far more noble and good, I’m sort of felt that AV software is sort of like “fighting fire with fire”; rather than a Virus or malware building a huge root system in your machine, the AV software does. That’s why they all seem to need special software to fully remove. That, and a lot of the systems I’ve fixed for others that they blamed on “Viruses” were in fact caused by the Anti-virus software they were using, which if you ask me is utterly unacceptable. (I’ll say I’ve only seen those issues with one or two “Free” offerings, Mcaffee, and older versions of Norton, though.

Basically, my “protection” amounts to healthy cynicism. Almost all malware infections these days are trojans. So few infect a system by way of things like exploits and “drive-by” stuff that it’s hardly worth the effort to waste time thinking about. More importantly, the first line of defense even for those is the same. After all, in order to download a trojan you need to trust a website, and in order to visit a web page, you need to trust the link. Typically, when dealing with an unfamiliar executable, I’ll just run it. (unless it has a blatantly suspicious name). I might run process explorer and keep track of what the program does as well to make sure there is no funny business. I usually have that running in the background anyway. If the program requests administrator permission- it doesn’t get it. Not at first. This has prevented a good lot of “infections” if you ask me, since you can’t well infect a machine without administrator permissions. Naturally, software installers do need those permissions so depending on the software I will allow. Or, if I’m in a forgiving mood I might just say yes and deal with whatever happens later. When I am infected, I usually catch on rather quickly and am able to either kill the malware processes, or, if they are the type where they autorespawn each other, suspend all the suspicious processes and kill them all at once. Visit regedit and delete the offending entries (generally in the Run key), reboot, and typically everything is back to the way it was. In 7-8 years I was only infected once, and since moving to Vista/7, I’ve had hardly any problems.

An important Note: Typically, “manual” Virus removal is not something that just anybody does. It really requires a intimate knowledge of how Windows software works, the PE file format, and of course a willingness to “get your hands dirty”. At the same time, it really is only an extension of what you should do even when you have a AV installed- keeping a system clean requires constant vigilance and you need to constantly be assessing what possible security repurcussions your actions could have. “Does this application REALLY need admin permissions?” type stuff. More importantly, a single screw-up can cost you dearly. This is NOT something I recommend. Heck I don’t even recommend it to myself. I just don’t like the “cloud” surrounding Windows being inherently insecure to the extent of requiring an AV to function, so I don’t use one.

BC’s tips for AV-free operation

Sometimes your applications will crash; this is pretty much inevitable. Sometimes you’ll need to run Task Manager for various reasons. While there, glance over the processes. Again, this requires a familiarity with the type and number of processes you would typically see running on your machine, so it’s useless unless you are familiar both with your operating system of choice as well as your “normal” software configuration. Things like rundll32.exe showing up in there out of nowhere will make me reach for Process Explorer, where I can determine the “threat” posed by that process.

As I type this, my desktop machine does in fact have a rundll32.exe process running. Which piqued my curiousity. You can use the “Select columns” menu in the view menu of Windows Task Manager to enable columns such as “command line” which can give additional information on the process. you can also use various features of Process Explorer for that same task, or further investigation of a suspicious process, such as examining it’s in-memory layout, stack frames, loaded Libraries, etc. in the case of this particular rundll32.exe, it turns out to be used to launch a function called “GameUXShim” in C:\Windows\System32′ gameux.dll, which according to it’s description, is “Games Explorer”. the parameters, and function name, passed make it clear this is designed to “Shim” an older game to work in the newer Windows 7 environment. Again, familiarity with the Windows System helps here, the compatibility settings provided by the windows shell itself pale in comparison to what is actually provided “under the hood” which involves a massive network of shims, compatibility hooks, and databases on the sorts of the two needed for various games and older applications that were, for lack of a better word, written badly. In this case, it seems to be for “Halo.exe” the executable for the popular Halo game, which I bought and never played hardly until yesterday where I played for 5 minutes and got stuck. Knowing that I played the game, and was no longer, I can safely terminate this process and know it wasn’t malicious, and is required for proper gameplay. Same for a variety of other older games I have. {Edit: As I discovered previously, this gameUX.dll mess was actually caused by something else}

Obviously, this isn’t for people that just want to “do work” on their computer; it’s more useful for people who want to learn about how it works, and I don’t purport it as being safe, or even really that smart. An AV solution is only as good as it’s user, which is a nice way of telling people “you keep getting infected because your stupid, not because your AV sucks”. Usually I can get them to understand.

More critical that what AV a person uses is learning how to use that AV software effectively. You can’t just install an AV and forget about it; they each have their own nuances and settings that you should configure to your unique usage scenario. Learning what causes their various “popups” to appear warning you about things and how severe they are is important, particularly since the way a lot of AV suites present their messages is using skinned messages and gaudy pop-ups with stupid images that depict “virus infections” or other images that are wholly unimportant. Installing an AV and blindly following it’s advice and getting all worked up because it says it quarantined something merely feeds the ignorance, it doesn’t absolve it. It just adds confusing terms. “Quarantine” for example, is just a silly term in a software environment. All it amounts it is a backup folder where the files are moved to. Why? Because AV software has false positives, so it moves it there so that if it turns out that “woops that wasn’t infected” it can be moved back. It’s sort of like the equivalent of a society where, if anybody is identified as “sick”, they are euthanised. (a bit harsh but that’s essentially the analogy as far as software goes). For “cleaning” and disinfecting files, basically at this point the analogy would be that they can cure your cold, but they will have to rip off all your limbs and cut off your ears. (the resulting program very rarely still works as it used to and you need to reinstall anyway). In such a scenario, false positives could be disasterous. Instead of just having a call to your house telling you that your test results were wrong and you don’t actually have the flu, the doctor would have to interrupt your funeral to say “oh, yeah turns out he wasn’t sick”, which usually means he is no longer invited to the reception. As such AV software does what might be done in such a scenario: instead of outright deleting/killing the victims, it moves them to a special holding area, where they are forgotten about and usually deleted anyway, but at least that way if the doctors/AV software balls’d up they can just release them back into society. This only outlines that AV software is far from perfect. using medical terminology like “quarantine” and “virus” and “heal” and “infection” only serves to confuse the issue, since it actually makes people think that the entire area of malware removal is a “profession” like your standard medicine on which the analogies are based. It’s not, certainly no where near the level of the field they have taken the terms from. At this point, Anti-Virus software as a “medical” field is about the equivalent of when we would drill holes in peoples heads to release their inner demons. That isn’t to say it’s useless, just that a lot of what it does is a tad drastic.

Have something to say about this post? Comment!