Monday, October 29, 2007

the myth of what anti-virus is

if you're like most folks the term "anti-virus" elicits images of a virus scanner methodically checking each and every file on a system for something that matches one of its hundreds of thousands of signatures... obviously that is the most well known aspect of the anti-virus field, but if you (like many others in this day and age) thought that was all there was to anti-virus then you'd be dead wrong...

it is an exceedingly popular misconception that can be found underlying such pejorative statements as "anti-virus is a fundamentally flawed technology" and the new favourite "anti-virus is dead"... the simplest way to express the idea is that 'anti-virus == known virus scanning', but it's an idea that betrays a profoundly superficial view of the field... for example, it ignores the fact that the first anti-virus tools weren't scanners at all - flu_shot (which predates virtually any anti-virus product you've ever heard of) was a behaviour monitor/blocker and that was just one of many generic tools developed in the early days of the virus problem...

of course known virus scanning was developed before too long and became hugely popular (largely because it required, and still requires, the least amount of know-how from the operator) but although it thoroughly eclipsed generic techniques in market penetration it never completely displaced generic techniques from the spectrum of anti-virus technologies, as evidenced by tools such as integrity master, advanced disk infoscope, chekmate, and invircible (all primarily integrity based tools)... then of course there was the rather visionary product (for its day) called thunderbyte anti-virus which was probably the first instance of what would today be recognized as an anti-virus suite, containing a known virus scanner (with one of the most instructive examples of an early heuristic engine), a behaviour monitor/blocker, an application whitelist, and more (if memory serves, frans veldman and the gang at thunderbyte also had hardware designed for virus detection but obviously that was separate from their software offering)... later thunderbyte's technology was bought by norman data defense which then went on to become known for their sandboxing approach to virus detection... i should also note that throughout the 90's a number of what most would consider conventional anti-virus vendors included integrity checkers in one offering or another, in part due to its theoretically perfect ability to detect the effects of viruses that got past their scanners (assuming the operator was capable of using an integrity checker to its full potential)...

so what was anti-virus really? what did the av community/industry consider it to be? basically anything that was intended to fight (and i don't just mean prevent) viruses... blacklisting (scanners), whitelisting, sandboxing, forensic integrity checking, etc... in other words, the basis for virtually every anti-malware technology today...
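to make the difference between those techniques concrete, here is a small python sketch added to this post (it is not code from any of the products named above, and the file contents, the "signature database" and the two "infections" in it are constructed byte strings rather than anything real)... it puts known virus scanning next to an integrity checker and an application whitelist: the scanner only catches the virus it has a signature for, while the integrity checker flags every modified or added file without knowing anything about viruses at all, and the whitelist refuses anything that was not approved in advance...

```python
"""Known-virus scanning next to two generic techniques (integrity checking and
application whitelisting).  Everything below is constructed for illustration:
the 'files', the 'signatures' and the 'virus bodies' are plain byte strings."""
import hashlib
from typing import Dict, Set

# constructed sample filesystem: path -> contents (hypothetical, not real programs)
CLEAN_FILES: Dict[str, bytes] = {
    "dos/command.com": b"MZ\x90\x00clean command interpreter",
    "dos/edit.exe": b"MZ\x90\x00clean editor",
    "dos/format.com": b"MZ\x90\x00clean formatter",
}

# constructed blacklist: the byte patterns this scanner 'knows' about
KNOWN_SIGNATURES: Set[bytes] = {b"OLD-KNOWN-VIRUS-BODY"}

# the same filesystem after two constructed infections: one appender the
# scanner has a signature for, one it has never seen (plus a dropped file)
INFECTED_FILES: Dict[str, bytes] = dict(CLEAN_FILES)
INFECTED_FILES["dos/edit.exe"] += b"OLD-KNOWN-VIRUS-BODY"
INFECTED_FILES["dos/format.com"] += b"NEW-UNKNOWN-VIRUS-BODY"
INFECTED_FILES["dos/dropper.com"] = b"MZ\x90\x00NEW-UNKNOWN-VIRUS-BODY"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_known(files: Dict[str, bytes], signatures: Set[bytes]) -> Set[str]:
    """Known-virus scanning (blacklisting): flag files containing any known
    pattern.  By construction it misses anything not yet in the signature set."""
    return {path for path, data in files.items() if any(sig in data for sig in signatures)}


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity checker, step 1: record a hash of every file while the system
    is believed clean."""
    return {path: sha256(data) for path, data in files.items()}


def check_integrity(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, Set[str]]:
    """Integrity checker, step 2: report what changed since the baseline.
    Needs no knowledge of any virus; it detects the *effect* (a changed file),
    which is why it still works for viruses the scanner has never seen."""
    current = build_baseline(files)
    return {
        "modified": {p for p in baseline if p in current and current[p] != baseline[p]},
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
    }


def whitelist_violations(files: Dict[str, bytes], allowed_hashes: Set[str]) -> Set[str]:
    """Application whitelisting: anything whose hash was not pre-approved is
    refused, whether it is a modified known program or a brand-new one."""
    return {path for path, data in files.items() if sha256(data) not in allowed_hashes}


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES)
    print("scanner flags:   ", sorted(scan_known(INFECTED_FILES, KNOWN_SIGNATURES)))
    print("integrity report:", check_integrity(INFECTED_FILES, baseline))
    print("not whitelisted: ", sorted(whitelist_violations(INFECTED_FILES, set(baseline.values()))))
```

the caveat the post hints at ("assuming the operator was capable of using an integrity checker to its full potential") shows up here too: the baseline has to be taken while the files really are clean, and every legitimate update (a patched edit.exe, say) shows up as "modified" until the operator re-baselines it, so the generic techniques trade the scanner's low operator burden for a need to actually understand what changed and why...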

now there were a couple of developments in the late 90's (and just beyond) that bear some attention... one is that the incumbent anti-virus industry was slow to jump on the non-replicative malware problem, which obviously created a market opportunity for things like anti-trojan and anti-spyware tools... another is that some new entrants to the emerging anti-malware field realized that, although they could do the generic technologies as well or possibly even better than the existing anti-virus industry, there was no way they were going to be able to compete in what was still very much the anti-virus market without comparable scanning technology, and that developing comparable scanning technology from scratch at that point was probably next to impossible... so instead they had to try to differentiate themselves not just from anti-virus companies but from the entire anti-virus industry (while still applying essentially the same techniques), which eventually led to an apparently fractured market - but not before the av industry finally committed itself to non-viral malware and became fully anti-malware...

of course we still call them anti-virus products in spite of the fact that they are intended to fight a lot more than just viruses now... this is because the concept of a computer virus has a far better foothold in the public's psyche than this new term 'malware' has... and why not? the computer virus has had decades to penetrate into the public's awareness... so much so that the term 'infect' frequently gets used in the context of any and all malware, even by otherwise knowledgeable security experts... we also still call them anti-virus products in spite of the fact (often completely ignoring the fact) that they are increasingly embracing the comprehensive suite approach that thunderbyte anti-virus took over a decade ago (which, by the way, is the real reason for the interest in new testing methodologies, as the old methods are still perfectly reasonable for testing known malware scanning on its own) and thus broadening the technological footprint of individual products to be closer to that of the field in general...

so no, anti-virus is not just scanning... it was anything intended to fight viruses and has now become an archaic reference to (and the root of) what is now properly referred to as anti-malware (anything intended to fight malware)...

2 comments:

Didier Stevens said...

Yeah, I remember when an AV could be as simple as a TSR program that created the right mutex.

And the "flat file scanning" myth is so prevalent. Recently, I found a nice example where the AV's file scanning fails, but the other protection mechanism kicks in and stops the malware. So I put a blogpost with a screencast to show this.
Yesterday, this got slashdotted, and all they're talking about is how AV fails...

kurt wismer said...

yes, well, that's slashdot for you...

congratulations on getting slashdotted though...