To get straight to the point: I’ll start this post by saying that in the past I have found both paid-for and free Anti-Virus (AV) software to be ineffective in identifying and containing malware infections. I’m sure this will meet a lot of resistance, since using the popular Anti-Virus software is easy and gives the average user a feeling of being in control of their system.
I’ve had my share of chasing malware and trying to track down sources of infection. When it comes to tracking down malware I am still constantly learning, so I do not intend this article to be any kind of definitive answer to whether one should buy or use AntiVirus software. As you read this article, keep in mind that I am still learning the basics of malware detection, and would appreciate your feedback and experiences doing the same.
Also, I’m definitely not suggesting that anyone should go out and uninstall whatever Anti-Virus program they are using; I’m just saying that one should never treat a clean AntiVirus scan as an accurate summary of a PC being free of viruses. I think there is some benefit to using Anti-Virus software, but I am definitely concerned by how often people seem confident that their systems are safe or clean just because their Anti-Virus software didn’t detect anything.
Why is Current Anti-Virus Software Ineffective?
Current Anti-Virus software will either:
- Check each file’s hash signature (its MD5 or SHA-1 hash) against a database of known malware hashes (this is called signature-based detection), or
- Open each file and try to work out whether it is intended to do something harmful to the PC. This is a newer technique for virus detection called behavioural detection.
Is Signature-Based Detection Useful?
Signature-based virus detection is the most commonly available technique used by Anti-Virus software today and is the basis of almost all commercially available Anti-Virus products.
The thing to realize about signature-based detection is that viruses are built to defeat this system, and are written to adapt. Virus writers know that signature-based detection can easily be fooled by:
- Polymorphism (repackaging themselves)
- Obfuscation of the signature
Virus polymorphism and signature obfuscation mechanisms are now typically built into the logic of the virus and are an automated part of how it spreads. Modern viruses create an infinite variety of hash signatures that the Anti-Virus software would have to check for.
This is why Anti-Virus software is constantly updating its virus definition database, and why you are constantly downloading new updates. I’m sure that you can see how this is a flawed system that is useless in actually identifying a virus.
Some Background on Behavioural Detection
Conversely, behavioural detection is still in its infancy and incredibly slow, since the Anti-Virus scanner has to open and then interpret each file it is checking. It does so by creating a sandbox environment and running each file inside it. Needless to say, this sort of software is expensive, slow, and not available to the average PC user.
So what can one do?
In my opinion, the bottom line for anyone considering a serious defence against viruses and malware is recognizing that the Anti-Virus software being marketed as the best is in fact just a pipe-dream. Articles comparing detection rates of various Anti-Virus software are based on using staged infections with viruses with older hash signatures, which is not the case with a real-world virus infection.
The main point to realize is that viruses and malware are very likely to be connecting to external sources outside of the PC. The best way to identify and destroy a virus is to check its communications. This takes some time and effort on the part of the PC owner, but the software to do so is freely available both as part of a PC’s operating system, and as free downloads. I plan to cover some of these network monitoring options in a future article.
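As an added illustration of the connection check suggested above (example code written for this post, not from the original), here is a short Python script that parses `netstat -ano` style output and lists which processes hold connections to peers outside the loopback, link-local and RFC 1918 ranges. The netstat text, the PID-to-process map and the peer addresses are all constructed sample values; the two "external" peers sit in the reserved TEST-NET documentation ranges and stand in for public addresses.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (Windows); not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1204
  TCP    192.168.1.10:49701     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49820     203.0.113.45:443       ESTABLISHED     6012
  TCP    192.168.1.10:49911     198.51.100.7:6667      ESTABLISHED     3388
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2240
"""

# Constructed PID-to-process map (on a real host this comes from `tasklist` or Task Manager).
SAMPLE_PROCESSES = {1204: "svchost.exe", 4: "System", 6012: "chrome.exe",
                    3388: "updater.exe", 912: "svchost.exe", 2240: "mDNSResponder.exe"}

# Ranges treated as "inside the machine or the LAN". Listed explicitly rather than
# relying on ipaddress.is_private, which also covers the TEST-NET sample ranges above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",     # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",      # loopback, link-local, multicast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]     # IPv6 equivalents

def parse_netstat(text):
    """Return (proto, local, peer_host, peer_port, state, pid) for every row that has a peer."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                       # header line or unexpected row
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) == 5 else ""   # UDP rows carry no state column
        pid = int(parts[-1])
        host, _, port = foreign.rpartition(":")
        host = host.strip("[]")            # IPv6 peers are printed as [addr]:port
        if host in ("*", "0.0.0.0", "::", ""):
            continue                       # listening socket or unbound UDP: no peer
        rows.append((proto, local, host, port, state, pid))
    return rows

def external_connections(text, processes):
    """Rows whose peer lies outside INTERNAL_NETS, tagged with the owning process name."""
    found = []
    for proto, local, host, port, state, pid in parse_netstat(text):
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in INTERNAL_NETS):
            continue
        found.append({"proto": proto, "remote": f"{host}:{port}", "state": state,
                      "pid": pid, "process": processes.get(pid, "<unknown>")})
    return found

if __name__ == "__main__":
    for hit in external_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"{hit['process']} (PID {hit['pid']}) -> {hit['remote']} {hit['state']}")
```

On a real machine, pipe the live `netstat -ano` output in and compare the flagged process names against what you expect to be talking to the outside world; an unfamiliar process holding a connection to an unfamiliar address is the lead to follow, not an automatic verdict.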
- How to find BOTs in a LAN
- Special Note on Sinkhole Malware Detections
- Effective and Efficient Malware Detection at the End Host
- Wikipedia: Zero-day virus