Wednesday, April 04, 2007

Internet Security Is More About Prevention Than Disinfection

By Coenraad De Beer

Almost everywhere you go on the Internet, you come across victims of malware, hackers, phishing attacks and e-mail scams. These victims turn up like wounded civilians at all the malware removal forums and the security divisions of community-driven web sites, seeking help and advice to recover from the damage caused by these malicious threats. It is like a battleground, claiming casualties every day. As with any war, you suffer a lot of casualties when you allow the enemy to get past your defences, and it is even worse when you have no defences at all.

An anti-malware application is only as good as its resident shield. Anything that gets past an active resident shield will seldom be detected by any anti-malware protection system. Today's generation of anti-malware packages has heuristic detection technology that helps them to detect virus- or spyware-like activity without actually knowing anything about the threat. But heuristic analysis is only a secondary layer of protection; your primary line of defence against malicious software is a definition or signature file containing the details and characteristics of specific malware threats. Even firewalls and spam filters have definition files in the form of blacklists. Neglecting to keep your signature or definition files up to date is like neglecting to pay your monthly insurance premium: your insurance company will refuse to pay out any claims because you did not maintain your insurance policy. An update a day keeps the malware at bay.
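The two layers described above, as an added toy example that is not code from the article: a signature (definition) lookup is tried first, a heuristic check is the fallback, and a staleness check warns when the definition file is older than a chosen limit. The hashes, indicator strings, threat name and dates are all constructed for illustration.

```python
"""Added example: a toy two-layer scanner (signatures first, heuristics second).

Also flags a stale definition file, the failure mode the article compares
to a lapsed insurance premium. Every sample, hash, indicator string and
date here is constructed for illustration and is not from any real product.
"""
import hashlib
from datetime import date

# Constructed definition file: release date plus hash -> threat name.
DEFINITIONS = {
    "released": date(2007, 4, 1),
    "signatures": {
        hashlib.sha256(b"KNOWN-WORM-SAMPLE").hexdigest(): "Worm.Example",
    },
}

# Constructed heuristic indicators: strings typical of persistence or spreading.
HEURISTIC_INDICATORS = [b"CurrentVersion\\Run", b"autorun.inf", b"DisableTaskMgr"]
HEURISTIC_THRESHOLD = 2


def definitions_stale(defs, today_iso, max_age_days=7):
    """True when the definition file is older than max_age_days on today_iso."""
    age = (date.fromisoformat(today_iso) - defs["released"]).days
    return age > max_age_days


def scan(sample, defs):
    """Return ("known", name), ("suspicious", score) or ("clean", 0)."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in defs["signatures"]:           # primary layer: definitions
        return ("known", defs["signatures"][digest])
    score = sum(1 for ind in HEURISTIC_INDICATORS if ind in sample)
    if score >= HEURISTIC_THRESHOLD:           # secondary layer: heuristics
        return ("suspicious", score)
    return ("clean", 0)                        # nothing caught it


if __name__ == "__main__":
    if definitions_stale(DEFINITIONS, "2007-04-20"):
        print("warning: definition file is out of date")
    for s in (b"KNOWN-WORM-SAMPLE",                      # exact match in definitions
              b"KNOWN-WORM-SAMPLE-v2",                   # variant: slips past both layers
              b"copy me to autorun.inf then CurrentVersion\\Run"):
        print(s[:24], scan(s, DEFINITIONS))
```

The "-v2" variant shows why definitions must be refreshed: a one-byte change defeats the exact signature and the toy heuristics do not fire either.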

A decent anti-malware application will isolate any known malware before it enters your system, but it becomes vulnerable when unknown malware enters your system undetected. It is harder for an anti-malware application to take over a system that is already infected with malware than to protect a clean system from getting infected. Anti-malware software is primarily designed to protect your system from getting infected; its secondary objective is to neutralise threats as quickly as possible before they start to spread throughout your system. I have seen how top class anti-virus systems self-destruct when they are infected with high-risk viruses that were already present on the system before the anti-virus software was installed. It basically means that the virus infects critical components and files of the anti-virus application, the anti-virus application detects these infected files and deletes them or moves them to the virus vault. If the anti-virus software deletes any of its critical components, it will eventually shut down, crash or become inoperable. The only way to repair the damaged anti-virus software is to re-install it.

Installing an anti-malware application on a system already infected with malware can be troublesome. Many viruses and spyware are aggressive and kill the setup wizard of many well-known anti-virus and anti-spyware packages, preventing them from gaining control over the system. They even terminate some anti-malware scanners if they attempt to disinfect infected files or remove any threats. It is a case of taking over some territory and defending it. Malware can be programmed to do almost anything in order to retain control over your system, and it is hard to get rid of stubborn and aggressive programs that refuse to surrender to an anti-malware package. Viruses and spyware are normally small, operate very fast and are very flexible. They mutate all over your system, making it hard for anti-malware applications to pin them down. On Microsoft Windows systems, you can always start your computer in Safe Mode when malware prevents an anti-malware application from being installed in Normal Mode, but many anti-malware applications rely on the Windows Installer service, which is normally not running under Safe Mode. When it comes to disinfecting an infected system, you can't expect the installer to rely on faulty, damaged, infected or disabled components of the operating system. Of course it is not possible to make the anti-malware application completely independent, but developers could at least give it its own independent installer, with built-in malware protection. This would make it possible to run the software under Safe Mode, where many malicious programs are automatically disabled, making the job of disinfection a little easier for you and the anti-malware application.

Unfortunately there are people under the false impression that they are untouchable when they have an anti-malware application installed on their system. Any defence system will eventually fail if you continue to expose it to constant attacks. I have come across people asking for the best anti-virus protection because they have a friend or cousin using their computer to browse porn web sites, but they do not want to confront this person about it; they would rather increase the protection on the computer. Porn sites are polluted with viruses and spyware, not viruses alone. It is because of this approach that people fail to remove spyware from their computer: they are using the wrong tools for the job. You can't protect your system effectively against spyware, or remove spyware from your computer, if you are using an anti-virus package alone, or vice versa. You can't keep viruses from infiltrating your system by using a firewall alone. It may block a virus attempting to enter your system through a blocked port, but it will not be able to block a virus travelling through a trusted application like your browser.

Today you need protection against malware (viruses, spyware, rootkits, trojans, etc.), not just viruses or spyware alone. You also need a firewall and a good spam filter. You need a browser that protects you from phishing attacks, browser hijackers and pop-up windows. Anti-malware applications are not super applications; they have their limitations, and you can't expect your system to stay malware free if you constantly expose it to malware attacks from porn, illegal music and pirated software web sites. You can keep your system clean, your identity safe and prevent someone from destroying his/her life with junk like porn, by disallowing anyone (including your cousin) from using your computer for illegal and indecent activities. Who do you think is going to take the fall for illegal porn, music or pirated software? Your cousin? I don't think so, especially if YOUR computer and YOUR Internet connection were used. Even if you can prove it wasn't you, you will still be seen as an accomplice.

So what is the bottom line? Internet security is more about prevention than disinfection. The large number of single-purpose disinfection tools, available for specific threats, is proof of this. Definition files are mainly for prevention and detection purposes. When a malicious program exploits vulnerabilities beyond the reach of definition files, you need a specific tool to get rid of it, and often a special patch to prevent re-infection. This is why anti-malware developers have to release new versions of their software on a regular basis to stay abreast of the latest threats and vulnerabilities. Developing anti-malware applications limited by strict standards, protocols and rules is like arming a S.W.A.T. team with water pistols when they need to go up against a group of terrorists armed with AK-47s. Malware does not play by the rules; it is time that anti-malware developers followed the same route, but without compromising the stability and performance of our computer systems.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software.
