Tuesday 13 October 2015

Antivirus

A long time ago, I wrote an antivirus program. It was the best in the world; it was faster than any other, it had a better detection rate, and a better false alarm rate. It used algorithms that I think were particularly cunning - it would scan files for thousands of viruses faster than any ordinary program could just read the files, and people would ask me how that was possible. The answer was simple - you didn't actually need to read the whole file in order to verify that each of the known viruses wasn't present. Also, the scanning algorithm scarcely slowed down with an increase in the number of viruses scanned for. 99% of files could be certified as clean after reading 2048 bytes from the file. I chose a pair of bytes from seven places in the file, and if I got no match between that pair of bytes and a string of pairs of bytes taken from each virus, then the file was clean (and scanning for a pair of bytes can be very fast if you use the machine code instruction REPNE SCASW). As you can see, this is *very* fast. The other 1% of files needed a bit more study, but if you can eliminate 99%, that's well worth doing. And by the way, I'm reliably informed that the engine I designed and wrote is still in use (I'm sure massively updated), currently owned by Intel. And I got the Queen's Award for Technology for that in 1993.
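The byte-pair prefilter described above, as an added example in Python (not the author's engine): the signature strings, the seven sample offsets and the "negative offset counts from the end of file" rule are all constructed assumptions, and the prefilter is only sound when the sample points sit where an infection would actually place signature bytes.

```python
from __future__ import annotations

# Constructed sample signatures (not real virus strings): name -> byte string
# that a full scan must find somewhere in the file.
SIGNATURES: dict[str, bytes] = {
    "Demo.A": b"\xde\xad\xbe\xef\xca\xfe",
    "Demo.B": b"TESTSIG-B",
}

# Seven sample points inside the first 2048 bytes plus the file's tail (an
# assumption about where the original chose them; negative = from the end).
SAMPLE_OFFSETS = (0, 2, 16, 64, 256, 1024, -2)


def signature_pairs(signatures) -> set[bytes]:
    """Every 2-byte window, at every alignment, of every signature: the
    table the original scanned with REPNE SCASW."""
    return {sig[i:i + 2] for sig in signatures for i in range(len(sig) - 1)}


def sampled_pairs(data: bytes, offsets=SAMPLE_OFFSETS) -> list[bytes]:
    """The byte pair read at each sample point that lies inside the file."""
    out = []
    for off in offsets:
        start = off if off >= 0 else len(data) + off
        if 0 <= start and start + 2 <= len(data):
            out.append(data[start:start + 2])
    return out


def needs_full_scan(data: bytes, pairs: set[bytes]) -> bool:
    """Prefilter: only a file with a signature pair at a sample point can be
    infected, so anything else is certified clean without a full read."""
    return any(p in pairs for p in sampled_pairs(data))


def full_scan(data: bytes, signatures: dict[str, bytes]) -> list[str]:
    """The slow path for the remaining 1%: whole signature anywhere in file."""
    return [name for name, sig in signatures.items() if sig in data]


def scan(data: bytes, signatures=SIGNATURES) -> tuple[str, list[str]]:
    """Verdict plus matched names; the verdict records which path decided."""
    pairs = signature_pairs(signatures.values())  # built once per database
    if not needs_full_scan(data, pairs):
        return "clean-prefilter", []
    hits = full_scan(data, signatures)
    return ("infected" if hits else "clean-fullscan"), hits
```

A file whose sampled pair coincidentally matches a signature fragment falls into the slow path and is still cleared by the full scan, which is the "other 1%" case.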

Anyway.

What's the situation today?

I don't run an antivirus, and that's because A) I run Linux, which while not invulnerable to viruses, is not susceptible to 99% or more, and B) I don't blindly open files that are sent to me by email and C) I don't know of an antivirus that would be useful.

So let's examine C). Here's the problem. Today, it isn't so much viruses, although I expect there are still some being written - it's malware (malicious software). These aren't programs that replicate themselves in order to spread. These are one-shot programs that install themselves on your computer and do something bad.

Back in the day, that's 20 years ago, I could state that I'd see a virus several months before you would. Often years. Most of the viruses I saw didn't make it to userland. So quarterly updates made sense; monthly updates if you were paranoid. That meant that we had a monthly update cycle. Four weeks of updating the virus database (and maybe modifying the software), two weeks of testing, and then release. And during the two weeks of testing, the four weeks of updating would overlap. So what we shipped was thoroughly tested.

Today, new malware gets emailed out every day. So the antivirus (actually, they should be called antimalware, but the old name has stuck) programs are updated every day. So they get a few hours of testing. Which is why you occasionally see a HUGE false positive, such as this or this. Or the mother of all false positives, which isn't new - I remember when Virus Bulletin published a scan string that flagged COMMAND.COM as infected. That file is, of course, on every DOS computer.

But that's not the big problem.

The big problem is this. I was recently emailed a DOC file. As I'm sure you know, DOC files can be malicious. I remember the Windows Word "Concept" virus that came out on the same day that MS launched Windows 95 - the launch made it really impossible to contact MS about anything else.

Although this DOC file came with a plausible story (a company was billing my credit card for £40, and this DOC file was the invoice), I'm not as green as cabbage, so I was about to delete it, when I thought - I wonder ... So I uploaded it to VirusTotal. This is a free service. You can upload a file, they'll scan it with 56 scanners, and tell you the result. All the big names are included, and some of the smaller names I know, and a ton I haven't heard of.

Five scanners flagged it; 51 didn't. And there was another email, purportedly from PayPal. It was a ZIP file, and inside it was an exe file; VirusTotal said that 8 out of 56 scanners spotted it. All the scanners were last updated today or yesterday. And, by the way, each of the 8 gave it a different name, and looking at the names, it seems to me that they detected it generically, not specifically.

So would I run software that gives me a 10 or 15% chance of detecting the malware? I can't really see the point. I get sent *dozens* of emails per day with malicious software; if I stopped 15% of those, I'd be hit dozens of times per day.

So what's the answer?

I don't have one. Sorry. I can tell you what I do.

1) I run Linux. That eliminates 99% of the problems - that exe file I just mentioned, isn't going to work on Linux.
2) I delete, unread, files from random senders enclosing doc files, zip files, scr, exe, pdf, docx and a bunch of others.
3) I don't use MS Word. But I do need to read documents sent to me in that format, so I use LibreOffice. And I've set the security level in that software to "bar macros except from trusted sources", and I have zero trusted sources. Ditto for Excel spreadsheets. I'd guess you can do the same thing for MS Word.
4) I don't use Adobe Acrobat, I use a different PDF reader.
5) I don't use Internet Explorer, I use Firefox.
6) I use uBlock as an ad blocker (I used to use Adblock Plus). I regard ads as a security issue, because when I go to a reputable web site such as Theregister.co.uk, their ads are served by some third party, and several years back that third party got hacked and served malware.
7) I use NoScript. That prevents a site from using JavaScript unless I authorise it.
8) I have Flash installed, but each time it wants to run, it has to ask me. That means that I can happily use YouTube (I just watched "The Knowledge", which I first saw 25 years ago and is still brilliant) but when I go to a new web site, it blocks Flash.

In the last 20 years, I've only had a malware problem once (this was the theregister incident); quickly solved by zapping the entire hard disk and replacing the previous Windows install with a fresh Linux install.

Trying to keep a corporate network free from malware must be a total nightmare.

update ... another one just arrived, detected by 24/54 scanners.
update ... another one, detected by 11/55
update ... another one, detected by 12/55
update ... another one, 5/56
update ... another one, 15/56
update ... another one, 8/56

3 comments:

  1. Youtube works fine with HTML5 video. Not sure why that isn't working on your Linux/Firefox install.

  2. I think antivirus must be installed on any internet-connected machine. I have an Android tablet and I'm using a paid antivirus which I think gives better performance than others.

  3. Nowadays there are a lot of different antivirus programs, but the main problem for most of them is device performance. I want to tell you about a great application with better performance on Windows devices. It can not only protect your device from viruses, but also helps to protect your device from spy and hack programs and software. http://removalbits.com/