Back to Top

Friday, November 21, 2008

The first rule of computer security is

You don't talk about computer security. No, that's not it, but it sure seems like many people adopt that attitude. Getting back to the subject, I want to talk about the first of the 10 Immutable Laws of Security:

If a bad guy can run (persuade you to run) his program on your computer, it's not your computer anymore

This is an axiom which (I feel) people (like to) forget or neglect when talking about AV. However it is something which will become more and more important when we slowly start to realize that using AV software as the only defense means trusting it to clean up the infections (because AV is a reactive measure - which means that if you rely only on it, there is a high chance that you will get infected).

The problem is that automatically disinfecting even a moderately powerful malware is nearly impossible with standard tools. This is so because malware can (and many do) have its own "blacklisting": as long as it is allowed to run with enough privileges, it can kill off and prevent reinstallation of AV software. Interestingly this means that the roles of the attacker and defender are reversed in a sense (the malware is defending itself from AV software via blacklisting). There are several options to "attack" this problem (I'm talking here about organizations rather than individual users, since users are very unlikely to have the necessary resources - however they can become part of an organization - ie pay somebody for support for example - to get access to these method):

  • Organizations could develop in-house disinfection tools. This is not as hard as it sounds if you have the required know-how. Unfortunately this isn't the case in most organizations.
  • AV companies could develop custom disinfection tools/instructions. This happens quite often, however the problem is that as soon as it becomes public knowledge (and it has to, so that affected people can use the method), malware authors can defend against it.
  • Organizations can use lesser-know products which are less likely to be "blacklisted" by the malware - VirusTotal lists currently 37 engines. This is certainly a viable option, however a careful selection is needed to identify products which (a) are not "blacklisted" by the malware and (b) can identify/remove the malware
  • AV companies can try to modify their product so that the blacklisting component from the malware doesn't recognize it any more. This is very unlikely to happen for at least three reasons: (a) there are marks which would be very difficult to remove, like the company name from digital signatures (which is needed to load drivers in Visa x64 for example) (b) system administrators rely on these "marks" (like service names) to do legitimate tasks (like starting/stopping AV, checking if it is functional, etc) - changing it would break their workflow (c) the rate at which change can be introduced in these products is limited by the QA processes (new kits have to be tested).
  • Use "cold boot" solutions like putting the HDD in an other machine or booting from USB/CD and perform the scan that way. Some companies already offer this option, but it is complex (you have to have a blank CD, a writer and knowledge to write CD's) and has many problems (like not being able to write to NTFS partitions, not being usable if the disk uses full-disk encryption, not storing the updated signature files, which results in the need of downloading them after each update, not recognizing the networking hardware, etc)

The conclusion would be: it is good to have multiple layers of defense, including AV. However, using it as the one thing which stands between your computer and the ton of hardware out there is foolish. Finally, the AV product which perfectly cleans up after a malware infection (which it didn't manage to catch at the point of intrusion) is a dream. After an infection, if you have any kind of sensitive material on the machine, wipe, reinstall and patch.


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.