NCSAM: Anti-Virus and other layers of protection (Part 1)by Steve Ragan - Oct 6 2008, 15:21
Anti-Virus Part 1.(IMG:J.Anderson)
Anti-Virus (AV) comes in all shapes and sizes. AV protection is one of the key layers of security you simply must have on your computer. Part one of this article, moving into the second week of National Cyber Security Awareness Month, will discuss Anti-Virus solutions, focusing on what they do and how.
What is Anti-Virus?
These days, Anti-Virus is a name given to a program that protects your computer from Internet related threats. The generic term for these threats is called Malware, or malicious software.
Malware can mean a Trojan; it can mean Spyware or Adware, it can mean a Root Kit, as well as a Worm. As the Internet grew, so did the volume of malicious applications and people online. Another generic term for Malware is Virus. While to some this is second nature and common information, marketing materials from various AV vendors and security related press coverage can and will confuse the public by mixing and matching terminology.
Crimeware is a marketing created buzzword that was quickly adopted by the press. It is often associated with software or code that is used in the commission of a crime online, or something that can be used to commit a crime in the future. In short, it is malicious software, or in other words, Malware.
Anti-Virus in the early days used to cover Worms, Trojans, and a select amount of Spyware only. Now it covers just about everything, as best as it can. Yet, there are still gaps in the protection that a single AV program can offer you. To defeat these gaps, you layer your security. Some of the newest AV programs come with layered defense included, which is a great start.
Layering the defense on a computer can include Malware protection, as well as software based firewalls. The problem with the all inclusive “Internet Security” packages you see for sale is that while they can offer several layers of protection, they often pack too much into a single package.
One of the largest complaints about security software is that it is bloated. It takes up too many system resources and it bogs down the system with too many alerts and pop-ups. This bloat is caused by the number of tools the software includes. Most of the 2009 AV products are working to add as much protection as they can in as little space as possible. This means the software packs in all the same tools, but takes less system resources and less space.
Another problem with all inclusive protection is that there is no such thing as all inclusive. Sure, you can try to cover all the types of Malware, Spam, and even add a firewall to the program for layered protection. However, someone somewhere will create Malware that slips past these detections. This is why you should only count Internet Security products as one single layer of security, not as the entire security solution.
How does an AV program know what files are good and what files are bad?
If an AV program is to work, it has to know what files are safe and what files can pose a risk to the system. However, as mentioned, someone somewhere will find a way to slip past the AV detection methods and infect a system. The shortcomings with AV detection are addressed in constant signature updates. In AV software, a signature is a little database or dictionary that contains the identifying characteristics of malicious code. If code is executed on your system that matches a signature, the AV program will prevent it from running, and in most cases remove it.
Some AV vendors are moving away from signature only methods of detection. This is logical progression, as without a signature to match Malware to, there is no way to know if the code that is running is harmful. So to compensate for this, some vendors are moving into the Cloud.
The Cloud is a fancy term to explain hosted services or refer to the Internet. Cloud Computing is used in AV protection by allowing the AV engine (what monitors and scans the computer for threats) to connect to a central server that offers nearly instant updates to a huge signature file.
Now, you just read that vendors are moving away from signature only protections and moving into the Cloud. If this is the case, why use the Cloud only to access another type of signature file? The answer is speed. Most of the vendors who offer Cloud based protections rely on a global monitoring network to detect threats or a community of users to detect them.
Global monitoring does a few things, and each AV vendor does this. Using monitoring stations across the globe, vendors can detect threats and other malicious code within hours. The stations can be actual humans examining code samples, or servers just sitting online. When new malicious code is found, a signature is written, this signature is then sent into the Cloud. If your AV program uses Cloud based protection, then the new signature is available to you instantly.
Community based monitoring is the same thing, with a slight twist. Instead of a series of stations, the vendor takes sample data and minor information from their customer base. So if Susan accidently discovered new Malware, the AV engine will pick this up, and silently update the rest of the community, allowing for instant protection.
For Cloud or community based monitoring to stay up to date, there must be an internet connection. If there is no Internet, there is no Cloud, and your signature database will not be updated to the most current threat information available. However, the database will always be present on your computer to allow for scanning in the event there is no connection, and when you download a new signature, it will act to protect you against the most current threats offline as well as online.
It is important to note that in some cases both Cloud Computing and community based methods of protection are used in the same product. For marketing reasons they can often be interchanged, which is not false marketing, just fogging up the level of information handed off to a consumer.
So now we move to detection in-depth.
How does an AV program detect Malware?
The fist thing to remember when learning how an AV program will detect malicious applications or code is that no two are alike. Symantec and McAfee, each offer AV protection, and each one scans for Malware completely differently. They both get the job done, but they do go about it differently. This is the same for any AV vendor, such as AVG, Sophos, Panda, Kaspersky, and BitDefender.
Did you know that the biggest complaint, other than bloated AV software, is the time it takes to scan a system? Why would this be an issue? Mostly because when the AV program scans, it kills productivity by slowing the system down. So how is this issue resolved?
AV vendors resolve the slow scanning issue a few ways. Some use active monitoring, which is a constant scan of the system. Active monitoring also includes scanning every file as it is executed or downloaded. Some of the recent versions of AV software will scan the system in the background, as long as the CPU is idle.
Slow scanning is also addressed by allowing a user to pick a time of day when the program will launch a scan automatically. These scheduled scans are often performed overnight, when no one is using the system.
However, the true power of every one of the AV programs on the market is centered on the ability to look at running processes on a computer and determine if they are malicious or not. Each AV vendor has something that does this, there are various technical and marketing related names for them, but the overall point is that they can scan for malicious activity and detect it in real time, without the use of a signature. Moreover, this technology often leads to the creation of new signatures.
Anti-Virus protection is one of the largest factors in a secure system. While only one layer of protection, the AV software is what protects you from the little bits of code used to control or ruin your computer.
Part 2 of this Anti-Virus article for the NCSAM series will focus on what to look for when purchasing Anti-Virus software as well as list some of the well-known vendors and what they offer.