Why Anti-virus is not a (good) solution to fighting malware

It almost sounds like sacrilege to make this statement and most people today seem to accept anti-viral software as the first and only solution the the problem (I even see an increasing demand for AV sofware on Linux where almost no virusses exist).

Every bit that travels through the internet is scanned and scanned again. A mail is often scanned at the sending computer, then at the mailserver of the sender, again at the mailserver of the recipient and one last time at the receiving computer. Yet, despite this over-agressive approach, virusses continue to infect and damage computers worldwide.

So, what exactly is wrong with this picture?

To answer this, we need to look at several aspects of the problem and the history surrounding it.

The problem(s)

I started using a computer in the early 90's, my first system was protected with McAfee AV. In those days, a typical infection travelled through infected floppy disks (I used my floppy in an unprotected school computer, took it home and, bingo). Infections typically spread very, very slow jumping from system to system in days, weeks and even months.

Ever so often, I would put an update to my AV signatures on and that would catch all the latest malware. The basic thing is that infections those days where rare and required physical interaction with other computers through common media.  Using CD-ROMS added just a new medium to the same infection method, though viruses spread a little quicker.

But then came the internet-based infections we know today. Where the early floppy-based virusses spread in weeks to months, the mass use of the internet gave birth to the Zero-day attacks with malware spreading in hours to hundreds of thousands of computers.

The reason for this massive spread can be found in something called the window of vulnerability which is typically the start of the spread (or the discovery of the vulnerability) until patches or AV signatures are available and installed .

This window today typically is several hours to even a day or days. You are completely unprotected during the entire time until updates are installed, but if you get infected before this happens, the malware may be able to disable/cripple your defenses so that you remain vulnerable.

In addition to this, the new generation of malware that debuted shortly after the new millenium uses a multi-vector attack pattern. This means that one virus tries to get into your computer not only via one path (like E-mail), but via a lot of different ways. Virusses like the now legendary Nimda virus infected computers via E-mail, open network shares, internet explorer, IIS and even backdoors left by other virusses. If one of these vectors on your computer was not protected you would till be infected despite having defenses in place. It took Nimda only 22 minutes to reach a state of mass infection and most victims where infected despite having Anti virus software running.

Though internet worms are the norm today, computers still get infected via conventional means. This was shown very clearly by the mass infection of computers by malware created by Sony to protect their audio CD's from copying which I wrote about here. Again, the spread pattern was slow (spreading for more then a year). This specific case highlighted another big problem with anti virus software. It turned out that AV vendors where slow and even reluctant to react because the malware was installed as a copy protection measure. This shows that the agenda of those companies might not always be to keep the malware off your PC, but rather that they may allow certain infections to slip through because it benefits their bottom line (making money).

The underlying problem

Most virusses and worms today spread by exploiting errors in the underlying Operating System (mostly MS Windows) to gain control over a computer or they trick a user into executing them (E-mail virusses). They can only be this successfull at doing that because the underlying architecture is not secure by design and requires retro-fitting security systems to protect it.

This is even mostly the case for virusses that target the human factor by tricking a user into executing it as the underlying system should never allow them access to the resources they need to take control of the system.

Much of this problem is only made worse by the fact that most computer programs and systems today fail open instead of closed. This means that if something fails, instead of losing functionality to protect the system, you loose protection. You can best compare this to an electrical door lock. If the power fails, does the lock fall to an open or closed state?

Anti virus software sits on top of the system, trying to catch the virus before it gets control over the system. But that software itself requires a lot of privileges and services to run (it needs to access the net to download signatures, it needs access to all files to scan and disinfect them), therefor, it introduces another attack vector to an already vulnerable system.

A real solution

To effectively solve the anti-virus problem, we need to get ahead of the bad guys. This means first and foremost designing systems with security from the ground up and making them fail closed (safe) instead of open.

Secondly, we need to build our protections at the lowest level and make them work even if their are faults in the core system. The security controls need to follow the principle of least privilege. Some practical implementations of these ideas are already in development for Linux today though a lot of them do not go far enough.

Some projects to look at are SELinux, AppArmor and PaX.

There's also very interesting research into fault taulerant systems by Andrew S. Tanenbaum of the Vrije Universiteit Amsterdam who wrote the Minix OS, a Unix like operating system that uses a micro kernel.

You may notice that I have not mentioned the windows world here and that is mainly because there is little real progress on that side. While Vista contained some improvements at first glance, it does not go far enough and a lot of security is lost by bad implementations that make it easier for the end user at the cost of security. In addition, the size and complexity of Vista and the focus on DRM to protect others from you instead of the other way arround make it that much more of a target.

Practical recommendations you can use today

The biggest leap forward to take when you are using a windows based OS today is to switch to an alternative such as Linux or FreeBSD.

Distributions like Ubuntu are secure out of the box yet very user friendly.
I do understand that many people are not willing to take this step for several reasons now though.

Linux is generally more secure then Windows for several reasons. The first is that it was designed as a multi-user networked system from the start while those functions where later fitted onto windows.

Secondly, Linux (and other Free Software systems) come from a community that has a different agenda then a commercial entity such as Microsoft.

Thirdly, a Linux system does not have dozens of services listening to the outside as a standard XP install still does. There are many more arguments to support this, but that is outside the scope of this article. When you are unable to switch to a more secure system, there are still some things you can do to raise the bar a bit.

  1. Do not use Outlook for E-mail, opt for Thunderbird or Eudora instead. Outlook has too many features that hide extensions, render unsafe scripts or auto-execute code that make it too easy to target.
  2. Do not use Internet Explorer, opt for FireFox or Opera instead. The same reasons as for Outlook apply here.
  3. Use your computer with a normal account that has no administrator rights
  4. Install updates, specially for windows but for all programs you use
  5. Buy a hardware firewall (like the ones from Linksys). Configure it properly and turn off things like Upnp which are inscure.
  6. Do not open attachments from people you do not know, do not run code from websites you don't really, really trust.
  7. Realize that the Internet is not a secure place and things like the From field or the name of an MSN/ICQ/Gtalk contact are no guarantee the message actually came from that person. Programs like PGP can help a great deal here, though it requires adoption by both ends of the conversation.
  8. Make backups (to CD/DVD/Tape) so that you do not loose important data when something happens

Written by Guy Van Sanden Licensed under a creative commons Attribution-NonCommercial-ShareAlike license.