Why Anti-Virus Programs Are Not Fool Proof

When you click on email attachments or browse the wrong web pages, you are running programs. Continuing the traditional approach, the operating system designers don't see their job as protecting you from programs you choose to run. To fill the gap, the security companies have written programs that try to add this protection.

An anti-virus program has a very demanding task in front of it. It has to check all your incoming email and all the web pages you visit and try to spot malicious programs. It then warns you that the program is suspect, so that you will not run it. If it misses a piece of malware (or you approve it by mistake), it may also catch some of the effects -- attempts to communicate with the internet, or modify your operating system, for example. It can then warn you again, or offer to remove the offending malware. Finally, it can scan all the files and system settings of an existing system, trying to find malware to remove.

The first problem is to determine what constitutes a virus or other bit of malware. The anti-virus program cannot analyze a suspect program on its own. There's no simple rule that says what a program should or shouldn't be able to do. A useful program might want to read files to manage your bank account (Quicken, for example). A malicious program might want to scan those same files to steal your credit card information. To the operating system (and the anti-virus program), they are both programs that read files. The difference is in the intent, and no computer is smart enough to determine intent.

So anti-virus programs all rely on the company that makes them to list all known malicious programs. Each program downloads this list (and updates it regularly) and checks your system for any of the programs on it. This is a "blacklist" of all malware. One common security program, "Spybot Search and Destroy", has a blacklist of 86,018 different pieces of malware.

The first problem with a blacklist is that a virus may appear on your machine before the security company knows about it. In fact, they only know about it because people complain of viruses, or they see them on their own machines. They can't visit all suspect websites, or receive all the email you receive to check for attachments. So they are inevitably behind the curve. New viruses are being written all the time and any that haven't been seen by the security company can get into your machine and past the anti-virus program without setting off any alarms.

Second, there's the problem of identifying the virus. It used to be that viruses were simple programs that were the same everywhere they occurred. On each infected machine, Virus X would look the same. So when the security company sees Virus X for the first time, it adds a description of Virus X to its blacklist. Your anti-virus program can then use that description to catch Virus X on your machine.

Something similar used to be true of spam email. A spammer would send out a million copies of the same message. Now, you'll notice that spam varies a bit. The same spam may arrive with different subject headers, and it will include lots of misspellings so that simple rules (no "Viagra" messages allowed) fail, because the key words they look for are never present. By slightly randomizing the message, so that no two copies are exactly alike, the spammer gets past the spam filter.

The same thing is now happening with viruses. Instead of sending the same program to each machine that it infects, the virus varies itself a bit, sending slightly randomized copies to each new machine. And just as randomized spam gets through spam filters, randomized viruses can get through anti-virus programs. The security company can't add every possible random variation to their blacklists, and the anti-virus program can't analyze the malware on its own.
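To make the blacklist argument above concrete, here is a small added illustration (it is not code from the article, and no real product works exactly this way). It builds two toy blacklists for a constructed "Virus X" sample: one keyed on the whole-file hash, the other on a byte pattern found inside the sample. A copy with one padding byte changed slips past the hash list but not the pattern list; a pattern chosen on behaviour alone ("open-bank-files") flags a constructed Quicken-like program too, which is the intent problem from earlier. All samples are constructed byte strings, not real programs.

```python
"""Toy blacklist scanner illustrating exact-match versus pattern signatures.

Added example, not code from the article. Every sample below is a constructed
byte string standing in for a program; nothing here is real malware.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed sample of "Virus X" as first seen by the security company.
KNOWN_SAMPLE = b"MZ\x90\x00PAYLOAD:open-bank-files;send-to-remote\x00END"

# Constructed "slightly randomized" copy: same content, one extra padding byte.
VARIANT_SAMPLE = b"MZ\x90\x00PAYLOAD:open-bank-files;send-to-remote\x00\x01END"

# Constructed benign program that also reads bank files (think Quicken).
BENIGN_SAMPLE = b"MZ\x90\x00QUICKEN:open-bank-files;show-balance\x00END"


def sha256_hex(data: bytes) -> str:
    """Whole-file fingerprint; changes completely if any byte changes."""
    return hashlib.sha256(data).hexdigest()


# Blacklist style 1: whole-file hashes. Only an identical file matches.
HASH_BLACKLIST: Dict[str, str] = {sha256_hex(KNOWN_SAMPLE): "VirusX"}

# Blacklist style 2: a byte pattern taken from inside the known sample.
PATTERN_BLACKLIST: Dict[bytes, str] = {b"send-to-remote": "VirusX"}

# Blacklist style 3: a pattern chosen on behaviour alone. Too broad: a benign
# finance program reads the same files, and the scanner cannot tell intent.
BEHAVIOUR_BLACKLIST: Dict[bytes, str] = {b"open-bank-files": "VirusX"}


def scan_by_hash(data: bytes) -> Optional[str]:
    """Return the blacklist name if the file's hash is listed, else None."""
    return HASH_BLACKLIST.get(sha256_hex(data))


def scan_by_pattern(data: bytes, patterns: Dict[bytes, str]) -> Optional[str]:
    """Return the first listed pattern name found inside the file, else None."""
    for pattern, name in patterns.items():
        if pattern in data:
            return name
    return None


def scan_report(samples: Dict[str, bytes]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run every blacklist style over every sample and tabulate the verdicts."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for label, data in samples.items():
        report[label] = {
            "hash": scan_by_hash(data),
            "pattern": scan_by_pattern(data, PATTERN_BLACKLIST),
            "behaviour": scan_by_pattern(data, BEHAVIOUR_BLACKLIST),
        }
    return report


if __name__ == "__main__":
    samples = {"known": KNOWN_SAMPLE, "variant": VARIANT_SAMPLE, "benign": BENIGN_SAMPLE}
    for label, verdicts in scan_report(samples).items():
        print(f"{label:8s} hash={verdicts['hash']!s:6s} "
              f"pattern={verdicts['pattern']!s:6s} behaviour={verdicts['behaviour']}")
```

The hash list gives no false positives but misses every variant, so it needs an entry per copy, which is the blacklist-growth problem the article describes. The narrower byte pattern catches the padded variant, but a variant that also changes the pattern's bytes would escape it too, and the broader behavioural pattern shows the other failure mode: it matches the benign program because reading bank files is what both programs do.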

Finally, clever viruses can attack the anti-virus program itself. If the anti-virus program is disabled, it will never alert you about the virus, no matter how many descriptions are added to the security company blacklist. On Windows, the virus can dig itself so deeply into the operating system that even when the anti-virus program removes the virus, it returns again quickly.

As viruses become more sophisticated, security companies are losing the battle against them. They will see the virus but be unable to write a description of it, since the virus changes too quickly. Even when the anti-virus program detects and removes it, it reappears. Or the virus disables the anti-virus software. Using other techniques, the virus writers can disguise the internet sites their viruses report to, making it impossible to track them back to their source. And with millions of infected botnet machines at their command, a virus writer could probably attack and shut down any of the large security companies. They simply have more resources.