Virus protection no no no no no


How effective is your virus/malware/rootkit protection? Do you think the software’s doing its job properly? I think otherwise.

Regular readers of this haphazard collection of characters should already know my stance on virus scanners. I’ve mentioned it a few times. But I’ve never dedicated an article to it, so it’s time to rectify that: here comes The Quick Guide to Virus Protection:

Step 1

Uninstall your existing virus scanner. Remove every trace of it. Reboot to make sure.

Step 2

Use your computer carefully and enjoy a newfound level of speed and power from your machine.

B… bu… but I’m not protected

Au contraire! You now have the highest level of protection available: your own vigilance. Forget putting your trust in software as it’s a fallacy. At best it gives you a little protection in exchange for making your computer as responsive as a camel in quicksand. At worst it gives you a false sense of security.

Think about it: you choose some virus software, free or otherwise, install it and scan your machine with an up-to-date virus definition file. It reports “your computer is virus free” and you relax, then go about your online business. “It’s alright, the virus scanner has got my back.”

Nope. What that statement of intent really meant was “your machine is probably virus free”. Always remember that.

If you had the inclination to uninstall your virus software of choice and immediately try another product, there’s a good chance it’ll report you have a virus, trojan or rootkit installed: each piece of software does different things with different definition files in different ways.

Now how secure do you feel? How much do you trust the piece of software that yesterday you swore blind would keep your machine safe from any web nasties?

Exactamundo. It’s snake oil.

Virtual wool over your eyes

Given time, your favourite virus software might detect a threat that other vendors have found or that was recently released. It might detect it today, tomorrow, or maybe next month. The question is: how long are you willing to wait to find out? And what’s the rogue software on your computer doing in the meantime?

Let’s look at the ways antivirus and antimalware software supposedly protect your machine:

Method 1: heuristic analysis

Big words always impress. But heuristic analysis is only as good as the vendor’s proficiency at comparing a current executable file with previously known executable files. It’s pattern-based, so in theory if Virus X overwrote System File Y, and the current executable under test in the virtual environment overwrites System File Y or Z, the virus scanner would probably flag it as a nasty.

It’s just as likely to be a regular installer which you downloaded, double clicked, and agreed to waive Microsoft’s responsibility by allowing Windows to execute it. Your virus scanner checks what the installer is about to do and frantically waves its hands in the air yelling “Noooooo”. Even if it tells you what it’s doing, how are you to know whether this action is OK or whether the file it’s overwriting can be trusted not to be part of something else later? You don’t.

Heuristic analysis is also next to useless against new strains of virus — things that mutate or haven’t been seen before.
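The two failure modes described above, as an added toy illustration that is not the post's own code: a behaviour-rule scanner learns "overwrites System File Y" from a known sample, then flags a legitimate installer that touches the same file and misses a new strain that touches a file it has never seen. All traces and paths are constructed placeholders.

```python
# Added toy illustration (not the post's code) of behaviour-based "heuristic"
# verdicts. A trace is a constructed list of (action, path) events recorded while
# running an executable in a sandbox; the rule set is learned from known malware:
# overwriting a system file that a known sample also overwrote means "malicious".
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str]   # (action, path); all paths below are placeholders

KNOWN_MALWARE: Dict[str, List[Event]] = {
    "virus_x": [("read", "C:/Users/me/docs.txt"),
                ("overwrite", "C:/System/SystemFileY.dll")],
}
# A legitimate installer that refreshes the same shared system file.
LEGIT_INSTALLER: List[Event] = [("create", "C:/Program Files/App/app.exe"),
                                ("overwrite", "C:/System/SystemFileY.dll")]
# A new strain that hits a file no known sample ever touched.
MUTATED_VIRUS: List[Event] = [("read", "C:/Users/me/docs.txt"),
                              ("overwrite", "C:/System/SystemFileZ.dll")]


def learn_rules(known: Dict[str, List[Event]]) -> Set[str]:
    """Every system path a known-bad sample overwrote becomes a rule."""
    return {path for trace in known.values() for action, path in trace
            if action == "overwrite" and path.startswith("C:/System/")}


def verdict(trace: Iterable[Event], rules: Set[str]) -> str:
    """'malicious' if the trace overwrites any path in the rule set, else 'clean'."""
    return "malicious" if any(a == "overwrite" and p in rules for a, p in trace) else "clean"


def demo() -> Dict[str, str]:
    """Run all three traces; the two wrong answers are the post's two complaints."""
    rules = learn_rules(KNOWN_MALWARE)
    return {
        "virus_x": verdict(KNOWN_MALWARE["virus_x"], rules),   # caught, as expected
        "legit_installer": verdict(LEGIT_INSTALLER, rules),     # false positive
        "mutated_virus": verdict(MUTATED_VIRUS, rules),         # false negative
    }
```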

Method 2: signature-based detection

Since this is the lesser-cousin-twice-removed of heuristics, this method falls foul of the same pitfalls.

Method 3: rootkit detection

Only offered by some scanners, and sometimes the sole purpose of others. Rootkits work deep, deep, deep underground, often as close to bare metal as you can get. They tend to be very clever and are therefore very hard to detect, especially if they’re trying something new.

Existing kits are fairly easy to spot, but new ones take significant effort, so it comes down to how much time and expertise virus eradicator staff have between finding one in the wild, analysing it, writing a new definition file and getting it to you. These things have to be found first, and that’s the hard part since they’re so sneaky.

Method 4: personal firewall

A system that offloads onto you the decision about whether to let some tool perform an action (access the internet, overwrite a file, and so on). That decision is yours to make, based on either dumbed-down or incredibly detailed diagnostic information in an alert box.

The frequency of these alerts popping up will be approximately one every ten minutes or so. At the end of the day you’re not even reading them and just clicking “allow”. Useless protection unless you spend hours training it and rarely install anything new.

Method 5: just being there

The very act of antivirus software existing exacerbates the need for virus writers to evade them. The challenge of writing a virus that can beat all the scanners and gain notoriety is a hacker’s wet dream, so the stakes are raised the cleverer antivirus software becomes.

A second problem with the software being there is that it takes up resources. Worse than just slowing your machine down, it also creates unpredictable delays in your everyday interaction with the computer, masking erratic behaviour. For example, right-clicking a file might take a second, instead of a tenth of a second without the software installed. Next time it might take half a second, or two seconds.

This variability means that in the event the virus scanner misses something important and a surreptitious virus is let loose in your system, you don’t have a benchmark to know what feels right. So you might miss it as well. Some of the actions a virus performs might be very subtle, but if you truly know how well your machine responds and in what time frame tasks normally take, any variation is easily detectable and can be investigated.

Method 6: erring on the side of caution

The cardinal sin of a virus scanner is a false negative: a real threat it glossed over. If word gets out that a scanner is too lenient against a threat, that software’s credibility is shaken and a competitor gets the renewal dollars. In the business of stocks and shares and blanket media coverage, that’s corporate suicide.

Software engineers — those pale monkeys with poor personal hygiene who are caged up and told to write software to spec — know that if a line of code they wrote is found to be the line that let a virus through, they’re out of a job and unemployable. With self-preservation being nine-tenths of human nature, they err on the side of caution and flag every little potential problem, either palming the decision off to you or logging the decisions the software made on your behalf and bragging about them in a report at the end.

While false positives give you, the consumer, the feeling that the software is on your side (“wow, it’s working hard: this software is good”), too many and you’ll go elsewhere because the software will be notoriously annoying.

The human touch

As outlined in the previous section, software is not the answer to virus detection. By all means use it for virus elimination, but analyse the rogue agent and use the specific tool for its removal on a case-by-case basis.

The only ways to reliably beat viruses are:

  • Vigilance: only execute things you are sure are safe. Check MD5 or SHA1 hashes if published on a vendor’s site. For others, have the software equivalent of a fire extinguisher (task manager) or bug spray (malware detection/eradication tool) nearby or running for that one task so you can kill anything that goes ape and limit the damage. An alternative is to take a system snapshot prior to running anything of dubious origin so you can roll back if necessary.
  • Know thy system: software can’t get a feel for your computer; you can. Use your spider sense to detect when things don’t quite feel right.
  • Best practice: surround yourself with little tools and techniques that help keep things under control and give you confidence in your system’s health:
    • set your browser to ask your permission to set 3rd party cookies.
    • block known ad sites using a hosts file and keep it up to date.
    • get a BHO viewer and use it every now and again.
    • turn off phishing protection in your browser so you don’t get caught out by fake alerts.
    • check your registry autoruns and delete unnecessary tasks.
    • be especially cautious about things like Java or Flash plugins. Set the browser to ask you before starting them up if you can.
    • sweep your system once every few months with a standalone scanner just for a sanity check. If it comes up with anything, investigate it and modify your tool suite above to mitigate the chance of something similar catching you unawares in future.
    • housekeep files, tidy the bin, delete temporary files, uninstall software you don’t use, blah blah.
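The hash check from the Vigilance item, as an added example that is not the post's own code: it takes the digest as a vendor would publish it (bare, or in the `<digest>  <filename>` form that md5sum/sha1sum print), picks MD5 or SHA1 from the digest length (SHA-256 is accepted too, as a generalisation), and compares in constant time. The installer bytes and the published line are constructed so it runs offline.

```python
# Added example (not the post's code): verify a download against a vendor-published
# MD5/SHA1 digest, given bare or in md5sum/sha1sum's "<digest>  <filename>" form.
# SHA-256 is accepted too as a generalisation. Sample file and digest are constructed.
import hashlib
import hmac
import os
import re
import tempfile

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> algorithm


def parse_published(line: str) -> str:
    """Pull the hex digest out of a bare digest or a 'digest  filename' line."""
    m = re.match(r"\s*([0-9a-fA-F]+)\b", line)
    if not m or len(m.group(1)) not in ALGO_BY_LEN:
        raise ValueError("no recognised hex digest in: %r" % line)
    return m.group(1).lower()


def file_digest(path: str, algo: str) -> str:
    """Hash in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published: str) -> bool:
    """True only when the file's digest equals the published one (constant-time compare)."""
    expected = parse_published(published)
    actual = file_digest(path, ALGO_BY_LEN[len(expected)])
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed installer bytes, then a copy with one byte appended."""
    good = b"fake installer bytes v1.0"                    # constructed, not a real file
    published = hashlib.sha1(good).hexdigest() + "  installer.exe"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "installer.exe")
        with open(p, "wb") as f:
            f.write(good)
        results["intact"] = verify_download(p, published)
        with open(p, "wb") as f:
            f.write(good + b"\x00")
        results["tampered"] = verify_download(p, published)
    return results
```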

In short, do yourself a favour: ditch the virus software and take ownership of your computer and your usage habits. It pays dividends in the long run.
