Business Daily from THE HINDU group of publications Monday, Jul 10, 2006 |
eWorld
Info-Tech - Security - Viruses

Maximise protection

By J Prasanna
Antivirus products have been around for quite some time, yet there is always some confusion about which antivirus product an organisation should buy. Different products claim to have different technologies in them. The question is not how many features are implemented but how effectively they are implemented, without setting off a lot of false alarms to plague the user. Let's take a look at the various technologies and how they seek to thwart virus threats.
Known virus detection
A basic technology is `virus detection with signature'. A known virus is analysed for a series of bytes that is unique to it and common to all infected samples. This is called the signature. The signature is fed into the antivirus database, and the engine searches for it in files and in the critical areas of the hard disk or other storage. Almost all antivirus products do signature-based scanning, and the more signatures in the database, the more viruses the product can detect. For a product to be really effective, the signature set should cover a large number of viruses and the engine should be robust enough to scan all files quickly.

If you are looking to buy an antivirus product, try to get a picture of the company behind it: how big it is, and whether it has support offices and R&D centres across the globe. If a company has offices around the globe, the chances of its product detecting a large number of viruses are definitely enhanced, because most antivirus companies get their samples from their customers. Some antivirus companies operate in only two countries, with R&D and support offices in both; a user in those countries can still consider such a product, because it will be tuned to the threats seen there. One can also look up www.virusbtn.org, where the Virus Bulletin 100 per cent award is given every two months to participating products that detect all the viruses in the wild without false positives. In today's context a worm can spread across the globe in just 12 hours, so look at how quickly a company responds to a new virus/worm threat before you finalise a product.
Traffic
What kind of traffic do antivirus products scan? Earlier, it used to be only the files coming into the machine from a floppy or the hard disk. Now the main virus threats come through files, mail and the Web when you are connected to the Internet. Some modern worms infect a system through a vulnerability in a service that is running on the computer, such as the SQL Slammer worm, which used an MS SQL Server vulnerability to spread.

File antivirus takes care of file-related operations, both on-demand and real-time scanning. Most antivirus products today scan by file content rather than by file extension. This is very important, as a malicious file can simply be renamed and sent. Some antivirus products can disinfect viruses that are currently active in memory. Some can neutralise a Trojan in memory and clean up the entire system, including the startup entries that would relaunch the Trojan on the next reboot. Such products are useful to corporate and home users alike, as they don't need to find a boot disk or boot into safe mode to treat an infection.

Mail antivirus should be able to detect forged mails, treat infections in attachments, and clean them. It is preferable if the antivirus can scan at the port level before the virus reaches the e-mail client. Some antivirus products scan for viruses only after they have arrived in Outlook or Outlook Express, but this is not effective. A better way is for the product to scan ports 25, 110 and the other e-mail ports and detect the virus before it reaches the e-mail client.

When we are connected to the Internet or broadband, there are worms that probe the machine in the background. This can happen the moment you get connected, whether you are idle or browsing. The product's script scanner should protect the system from malicious scripts coming through the Web browser. Few antivirus products have the facility to detect a worm on the Internet that tries to invade your computer by scanning your open services and ports.
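The two points above, signature matching and scanning by content rather than by extension, as an added example (not code from the article or from any product). The scanner carries a constructed signature database: the EICAR test string, which is the industry-standard harmless test pattern, plus a made-up second pattern. It matches on bytes, so a sample renamed to `.txt` is still caught, and it keeps an overlap between read chunks so a signature straddling a chunk boundary is not missed. The file names and sample contents are constructed for the demo.

```python
"""Minimal signature scanner: matches known byte patterns in file content."""
import os
import tempfile
from typing import Dict, List

# Constructed signature database: name -> byte pattern that must appear in
# every infected sample. EICAR is the standard harmless test file; the
# second entry is invented for this example.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": (
        b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    ),
    "Demo.Pattern.A": b"\xde\xad\xbe\xef\x00TESTWORM",
}


def scan_bytes(data: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return sorted(name for name, pattern in sigs.items() if pattern in data)


def scan_file(path: str, sigs: Dict[str, bytes] = SIGNATURES,
              chunk: int = 1 << 20) -> List[str]:
    """Scan a file by content, in chunks. The last (longest signature - 1)
    bytes of each window are carried into the next so a pattern that
    straddles a chunk boundary is still seen in one piece."""
    overlap = max(len(p) for p in sigs.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block
            found.update(scan_bytes(window, sigs))
            tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_tree(root: str, sigs: Dict[str, bytes] = SIGNATURES,
              chunk: int = 1 << 20) -> Dict[str, List[str]]:
    """Walk a directory and report infected files (path -> signature names).
    Every file is opened regardless of its extension."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, sigs, chunk)
            if hits:
                report[path] = hits
    return report


def demo(chunk: int = 1024) -> Dict[str, List[str]]:
    """Write a constructed sample tree to a temp dir and scan it with a
    small chunk size so big.bin exercises the chunk-boundary overlap."""
    root = tempfile.mkdtemp(prefix="avdemo_")
    eicar = SIGNATURES["EICAR-Test-File"]
    samples = {
        "eicar.com": eicar,                            # obvious sample
        "invoice.txt": eicar,                          # same bytes, renamed
        "big.bin": b"A" * 1000 + eicar + b"B" * 1000,  # pattern crosses byte 1024
        "readme.txt": b"just a text file, nothing to see here",
        "tool.exe": b"MZ" + b"\x00" * 64 + b"harmless program",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    report = scan_tree(root, chunk=chunk)
    return {os.path.basename(p): hits for p, hits in report.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Only the three files that actually contain the EICAR bytes are reported; `tool.exe` and `readme.txt` are opened and scanned but produce no hit, and `invoice.txt` is caught despite its innocent extension. A real engine also unpacks archives and packed executables before matching, which this example does not do.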
Integrity checks
Some years ago, integrity checking in antivirus products meant a lot of false positives. The integrity checker records the critical header of every application on the computer in a database file. When a file is scanned, only the integrity of the application is checked: if it has changed, the antivirus warns that the program has been modified (if the signature scan did not already detect the change). Integrity scans now come with caching and streaming to make scanning faster. If you remove an application and install it again, the system is intelligent enough to understand that. If an application changes in a way that looks like an infection, the system immediately checks the application and warns the user. The user can even use the antivirus to take a sample and send it to the antivirus lab for analysis.
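An integrity checker of the kind described above, as an added example (not code from the article or from any product). It records a SHA-256 of each program's first 4 KB (where an infector changes the entry point) together with the file size, verifies the tree against that baseline, and lets the user re-accept one file after a legitimate reinstall or update instead of re-baselining everything. The directory layout, file contents and the 4 KB header size are assumptions for the demo; a real product also hashes the rest of the file and whitelists signed vendor updates.

```python
"""File-integrity baseline and verification for program files."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

HEADER_BYTES = 4096  # assumed "critical header" size: entry point and section table


def fingerprint(path: str) -> Dict[str, object]:
    """Hash of the header plus the file size. Size is included so an appending
    infector that leaves the header untouched is still noticed."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES)
    return {"size": os.path.getsize(path),
            "head_sha256": hashlib.sha256(head).hexdigest()}


def snapshot(root: str) -> Dict[str, Dict[str, object]]:
    """Fingerprint every file under root, keyed by relative path."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            snap[os.path.relpath(path, root)] = fingerprint(path)
    return snap


def build_baseline(root: str, db_path: str) -> Dict[str, Dict[str, object]]:
    """Record the current state as the trusted baseline (db kept outside root)."""
    snap = snapshot(root)
    with open(db_path, "w") as fh:
        json.dump(snap, fh)
    return snap


def verify(root: str, db_path: str) -> Dict[str, List[str]]:
    """Compare the tree with the baseline: changed, missing and new files."""
    with open(db_path) as fh:
        baseline = json.load(fh)
    current = snapshot(root)
    return {
        "changed": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "missing": sorted(r for r in baseline if r not in current),
        "new": sorted(r for r in current if r not in baseline),
    }


def accept(root: str, db_path: str, rel: str) -> None:
    """Re-record one file after the user confirms a legitimate reinstall/update,
    so the rest of the baseline keeps its older, trusted values."""
    with open(db_path) as fh:
        baseline = json.load(fh)
    baseline[rel] = fingerprint(os.path.join(root, rel))
    with open(db_path, "w") as fh:
        json.dump(baseline, fh)


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed scenario: baseline three programs, then simulate a
    header-overwriting infector, an appending infector, a removed program
    and a newly installed one. Returns the reports before and after the
    user accepts app.exe as a legitimate update."""
    work = tempfile.mkdtemp(prefix="integrity_")
    root = os.path.join(work, "programs")
    os.mkdir(root)
    db = os.path.join(work, "baseline.json")  # outside the monitored tree
    programs = {
        "app.exe": b"MZ" + b"\x00" * 100 + b"original entry point",
        "tool.exe": b"MZ" + b"\x00" * 100 + b"tool code",
        "big.exe": b"MZ" + b"\x00" * 8000 + b"real code",
    }
    for name, data in programs.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    build_baseline(root, db)

    with open(os.path.join(root, "app.exe"), "r+b") as fh:  # header overwritten
        fh.seek(2)
        fh.write(b"PATCHED")
    with open(os.path.join(root, "big.exe"), "ab") as fh:   # header intact, size grows
        fh.write(b"appended payload")
    os.remove(os.path.join(root, "tool.exe"))
    with open(os.path.join(root, "new.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 50 + b"freshly installed")

    before = verify(root, db)
    accept(root, db, "app.exe")  # user says the app.exe change was a real update
    after = verify(root, db)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before accept:", before)
    print("after accept: ", after)
```

The report for `big.exe` shows why size belongs in the fingerprint: its 4 KB header hashes the same after the append, and only the size check flags it. Keeping the baseline outside the monitored tree matters as well, since anything that can rewrite program files could otherwise rewrite the baseline to match.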
Threat instances
Let's look at a few types of dangerous activity that a behaviour analyser can watch for.

Opening the browser with settings. This is characteristic of an application launching Microsoft Internet Explorer with command-line switches; for example, it happens when you click a link to a certain URL in an advertisement e-mail. This sort of activity is widespread among malicious programs, but it is not always a threat.

Embedding in a process: adding code or another process to the process of a certain program. This is widely used by Trojans, but it also accompanies the installation of entirely benign programs or updates on your computer. Most Trojans, such as reverse-connecting Trojans, connect back to an attacker on port 80 or 443 by injecting into the memory of Internet Explorer or Outlook Express, so that the firewall sees a trusted application making the connection. With process-intrusion monitoring, even an unknown firewall-bypass Trojan can be detected.

Embedding window interceptors (hooks). This is used in attempts to read passwords and other confidential information typed on the keyboard; almost all key loggers use hooks to intercept keystrokes. A signature-based antivirus will fail against an unknown key logger, but when hook monitoring is used, known and unknown key loggers can be found, as the product alerts immediately when an unknown program starts intercepting keystrokes. However, a number of programs intercept keyboard input for legitimate reasons, such as programs that automatically toggle between keyboard layouts.

Protecting other critical areas, such as Office macros, the registry and the integrity of modules. The integrity of the most critical applications is stored in a database, and if any of them change while executing, alerts are generated, prompting action.
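A toy version of the behaviour rules described above and in the paragraph that follows (injection into a browser followed by an outbound connection, keyboard hooks, startup-key writes, and auto-trusting vendor-signed programs), as an added example that is not code from the article or from any product. The event records are constructed for the demo, and the field names, hook names and the "block"/"prompt" verdicts are assumptions for illustration. The point it makes that the prose does not: a connection made by a process that something injected into must be judged by the injector, not by the (signed and trusted) host process.

```python
"""Toy behaviour analyser: applies a few rules to a stream of process events."""
from typing import Dict, List, Tuple

TRUSTED_SIGNERS = {"Microsoft Corporation"}   # vendor-signed programs are auto-trusted
BROWSER_LIKE = {"iexplore.exe", "msimn.exe"}  # Internet Explorer, Outlook Express
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}
STARTUP_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed event stream. Each event carries the acting process and an action.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 500, "image": "update.exe", "signer": "Microsoft Corporation",
     "action": "inject", "target_pid": 700, "target_image": "explorer.exe"},
    {"pid": 900, "image": "photo.scr", "signer": None,
     "action": "inject", "target_pid": 1200, "target_image": "iexplore.exe"},
    {"pid": 1200, "image": "iexplore.exe", "signer": "Microsoft Corporation",
     "action": "connect", "dest": "203.0.113.5", "port": 443},
    {"pid": 1300, "image": "layout.exe", "signer": None,
     "action": "hook", "hook": "WH_KEYBOARD_LL"},
    {"pid": 900, "image": "photo.scr", "signer": None,
     "action": "regwrite", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 1400, "image": "notepad.exe", "signer": "Microsoft Corporation",
     "action": "regwrite", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 1500, "image": "editor.exe", "signer": None,
     "action": "regwrite", "key": r"HKCU\Software\Editor\Settings"},
]


def analyse(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (verdict, message) pairs. 'block' is reserved for the one
    correlation that is almost never benign; everything else is 'prompt',
    because the article's own examples show legitimate programs doing it."""
    alerts: List[Tuple[str, str]] = []
    injected: Dict[int, str] = {}  # target pid -> image of the injector

    for ev in events:
        act = ev["action"]

        # Rule 1 (checked before the signer test on purpose): a process that
        # was injected into is now running someone else's code, so its
        # signature no longer vouches for its network activity.
        if act == "connect" and ev["pid"] in injected and ev["port"] in (80, 443):
            alerts.append(("block",
                           f"{injected[ev['pid']]}: code injected into {ev['image']} "
                           f"connects to {ev['dest']}:{ev['port']} (firewall bypass)"))
            continue

        if ev.get("signer") in TRUSTED_SIGNERS:
            continue  # auto-trusted, as some products do for vendor-signed binaries

        if act == "inject":
            injected[ev["target_pid"]] = ev["image"]
            if ev["target_image"] in BROWSER_LIKE:
                alerts.append(("prompt",
                               f"{ev['image']}: injects into {ev['target_image']}"))
        elif act == "hook" and ev["hook"] in KEYBOARD_HOOKS:
            alerts.append(("prompt",
                           f"{ev['image']}: installs {ev['hook']} (possible key logger)"))
        elif act == "regwrite" and ev["key"] in STARTUP_KEYS:
            alerts.append(("prompt",
                           f"{ev['image']}: writes startup key {ev['key']}"))
    return alerts


def demo() -> List[Tuple[str, str]]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for verdict, message in demo():
        print(f"[{verdict}] {message}")
```

Run on the constructed stream, the analyser stays silent for the signed updater, for Notepad and for the editor writing its own settings key, prompts on the injection, the keyboard hook (the layout switcher is exactly the false positive the text warns about) and the Run-key write, and blocks only the browser connection that follows the injection. Correlating the two events is what separates the Trojan from an installer that injects and then does nothing further.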
To speed operations, some antivirus products automatically add Microsoft applications (signed with Microsoft's digital certificate) as trusted programs. Some have a macro guard that scans all macros and gives the user an `allow or block' option, which can be saved as a rule. Some do not allow programs to modify the startup registry keys and other OS-critical registry keys, since the registry is used by malicious programs to start up every time the computer is booted. But legitimate programs sometimes also need to start when the system boots, and at such times registry monitoring can lead to false alarms.

(The author is Head - Consulting, K7 Computing Pvt Ltd, and Joint Secretary & Director, Cyber Society of India. The views expressed here are personal. He can be contacted at j_prs@consultant.com)
Copyright © 2006, The Hindu Business Line.