What is anti-virus software?

2006-12-01

Robert Sandilands

Authentium, USA
Editor: Helen Martin

Abstract

'As security companies we must provide multiple layers of defence to protect our users properly.' Robert Sandilands, Authentium.


Towards the end of 2007 you will find that anti-virus is no longer software that 'just' detects viruses. As a result of the changes in computers and their purpose, anti-virus programs have evolved into complex pieces of software that have multiple functions and protect users through a variety of techniques.

In the past, most pieces of malware were badly written and full of bugs, and their effects could easily be identified by the average user. But malware writers have become increasingly professional, with viruses being written on demand for specific purposes – such as stealing your money, stealing your identity or using your machine as a spam-sending zombie.

Many of these pieces of custom-written malware seem to have gone through some form of quality control process and seem to be well managed. The malware also uses a variety of different techniques and components. The components are often self-updating and protect themselves from being detected and/or removed.

One of the basic principles of computer security is layered defence. One should never depend on a single layer of defence because once that layer is breached it leaves you defenceless. The average modern piece of malware will disable security software as one of its first actions, and once the computer's security has been bypassed you don't get any second chances.

As security companies we must provide multiple layers of defence to protect our users properly. Different layers of defence can include a number of technologies: known-virus scanners, heuristics, host intrusion detection, behavioural blocking or detection, policies (both machine and human-based), reputation-based systems and firewalls. None of these technologies can provide complete protection on its own, but used together they form a good, multi-layered package to maximize the user's security.

Known-virus scanners use a variety of techniques to identify known risks. However, malware authors can use several methods to obscure viruses from scanners, with varying levels of success. Heuristic detection uses a combination of the techniques used by the known-virus scanners with some other tricks to determine the likelihood that a specific executable is a threat.
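As an added illustration of the two layers just described (a constructed example, not code from the article or from Authentium): a known-virus layer that matches an exact byte signature misses a copy of the same sample whose body has been XOR-encoded, while a heuristic layer, combining a packed-body check with a cheap single-byte XOR decoding trick, still flags it. The sample "programs", signature names and suspicious words are all invented for the demonstration.

```python
import string

# Constructed sample "programs" (not real malware): a fixed header followed by a body.
HEADER = b"MZ\x90\x00"

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

KNOWN = HEADER + b"cmd: harvest saved passwords; post to c2\x00" * 2
OBSCURED = HEADER + xor(KNOWN[len(HEADER):], 0xFF)   # same body, XOR-encoded to evade the signature
BENIGN = HEADER + b"Hello, world. This program prints a greeting.\x00" * 2

# Layer 1: known-virus scanner -> exact byte pattern taken from a known sample (invented name).
SIGNATURES = {"Trojan.Constructed.A": b"harvest saved passwords"}

# Layer 2: heuristics -> estimate the likelihood that a file is a threat without a signature.
SUSPICIOUS_WORDS = (b"harvest", b"passwords", b"post to c2")
PRINTABLE = set(string.printable.encode())

def signature_scan(data: bytes):
    """Return the signature name if a known pattern occurs anywhere in the file, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def printable_ratio(body: bytes) -> float:
    """Fraction of printable bytes; ordinary programs carry plenty of readable strings."""
    return sum(b in PRINTABLE for b in body) / max(len(body), 1)

def heuristic_score(data: bytes) -> int:
    body = data[len(HEADER):]
    score = 0
    if printable_ratio(body) < 0.2:        # almost no readable strings: likely packed or encoded
        score += 1
    for key in range(1, 256):              # cheap "unpacking" trick: try every single-byte XOR key
        if any(w in xor(body, key) for w in SUSPICIOUS_WORDS):
            score += 2
            break
    return score

def layered_verdict(data: bytes) -> str:
    """Apply the layers in order; a file is only allowed if every layer lets it through."""
    sig = signature_scan(data)
    if sig:
        return f"blocked: known ({sig})"
    if heuristic_score(data) >= 2:
        return "blocked: heuristic"
    return "allowed"
```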

This is where the additional layers of defence prove their worth. The extra levels of protection can mean the difference between making life easy for the criminals and having a secure machine.

Unfortunately, some of these other techniques can affect the user's privacy. The products can report data about the user's habits and the actions of the security software to a central database for use in isolating threats or providing statistics on the size of the threat. Some vendors go to significant lengths to protect the user's privacy, but unfortunately this cannot be generalized.

Other technologies are invasive in a different way. They need to be able to monitor and control the actions taken by the operating system and, effectively, the user. The security software needs to become the watcher that watches the watcher. This is very complex technology that takes security to a new level, as the security software needs to understand the intent of the operating system or user, as well as what he or she is doing. These technologies need very deep access to what your computer is doing and how it is working – indeed this has become one of the sources of debate around Microsoft's Patchguard kernel protection technology.

The anti-virus industry needs to and will continue innovating to keep users as safe as technology can make them. Sometimes the environment in which the anti-virus industry has to operate makes this task more complex than it perhaps needs to be. Despite that, the competition that exists in the anti-virus industry will ensure that customers receive innovative products that provide them with the level of security they demand.
