Limits and challenges of antivirus software

1 - Definitions

Antivirus software is a program, which is able to detect and remove computer viruses on various types of storage. The effectiveness of such a program is closely related to frequent updates, which are upgraded with new forms of virus. A virus is a malicious program that can infect files and potentially cause various dysfunctions such as restarting the system, removing of files, etc. “False-positive” occurs when the antivirus blocks a legitimate file because of a too severe filtering. “False-negative” corresponds to the lack of detection of a real virus by the antivirus due to insufficient filtering.

 2 - How antivirus products work

 Most antivirus function according to three modes:

• Static mode: The user activates the antivirus on demand.
• Dynamic mode: The antivirus software runs in the background and analyzes all events and actions of the machine
• Scheduled mode: The antivirus software is launched based on a schedule the user or the administrator has set up.

Antivirus programs can perform two types of analysis:

• File content analysis
  • By analogy: Thus the antivirus recognizes an already known virus thanks to the base of signatures of malicious codes. However, the antivirus program does not always succeed in detecting changes of viruses (mutations, polymorphism). Keeping up to date the base of signatures is the main inconvenience of this mode. 
  • By spectral analysis: The antivirus program seeks from a list of instructions of a program, characteristics of viruses or worms. The disadvantage of such a technique is that it generates more false alarms. Its advantage is however that it can detect new viruses even if they implement polymorphism techniques.
  •  By heuristics: This technique is based on the principle of recognizing behaviours or malicious actions or system abuse attempts, from signatures. The main disadvantage of this technique is that the antivirus is quickly limited because of innovative exploitation techniques.

• Dynamic analysis: The antivirus program analyzes suspicious or abnormal behaviours when a file is executed upon its usage. Thus certain unknown viruses can be discovered if they already use known techniques. In dynamic mode, slow downs can be noticed and false alarms can be numerous.

To analyse data or files, antivirus programs must solve various problems.

Bugs

Antivirus programs are pieces of software and as such are not free from bugs. Thus, the complexity of virus detection can bring two main types of errors:

• Over-detection of virus, that is to say “false-positive”, is a bug that can involve dysfunctions of information systems. The recent disappointment of McAfee in is a good example. Thus the McAfee DAT update had cause the “svchost.exe” system file to be quarantined and detected as the “W32.wecorl.a” virus, leading lockups of thousands computers.

•  No-detection of virus, that is to say “false-negative”, is a bug being that cab lead to dysfunctions of the security of information systems. 

Multiple formats

Antivirus programs must be able to process multiple formats and types of files such as the executables (exe, DLL, sys,…), documents (DOC., XLS, PPT,…), compressed archive files (ZIP, RAR, TGZ,…) packed executables (UPX, FSG,…) and media files (JPG, GIF, AVI,…). Each one of these formats can be somewhat complex; hence antivirus programs have more difficulties to process all these formats in a suitable way.

Decompression

Most antivirus vulnerabilities are present in two components:

• Executable decompression
• Data decompression

Thus antivirus programs must decompress executables and data in order to analyze them. The problem with the decompression of executables and data is that the process is complex. It can therefore lead to vulnerabilities. 

Speed of virus mutation

Malicious codes mutate very fast, letting little chance to antivirus to adapt, even for the non-obfuscated codes. Antivirus programs are generally based on signatures detection in order to identify a malicious code. However, signature based detection cannot ensure a protection against a targeted attack using a specially tailored code and not yet included in signature virus database (since the virus has not been widely spread and thus not identified by antivirus editors).

Antivirus programs have their own known weaknesses, and can be the target of many attacks.

System privileges required by antivirus programs make them privileged targets of attack. In the same way, the various components of the antivirus (scan engine, decompression module, etc.) can also be vulnerable and exploited by attackers.

However this kind of attack requires a good knowledge of operating systems, and a good knowledge of the way antivirus software operate. All are not prone to the same type of vulnerabilities. There are the numerous ones:

• Antivirus neutralization (deny of service of the software, blocking of  the scanning process),
• Antivirus bypass via “rootkits” (e.g. technique described by MATOUSEC).
• Flaws in the scan engine (e.g. recent vulnerability of the SOPHOS antivirus),
• Flaws in decompression modules (e.g. vulnerability in Symantec products when processing RAR and CAB files, vulnerabilities regarding ZIP and RAR files in F-Secure  anti-virus).

The antivirus remains an essential protection in an information system. However it is neither sufficient, nor infallible. The recent iAWACS challenge from the laboratory of ESIA, showed the existence of many vulnerabilities in well-known antivirus products by using aggressive techniques. The evolution of information technologies, the knowledge and skills shared by the attackers, show that it is fundamental to be conscious of their limits and that security cannot only rely on them.

Within an industrial antiviral context, the enterprise must ensure the respect of best practices, which is essential to maintain a satisfactory level of security in the information system. Regular updates of the antivirus, of signatures, of the scan engine are a prerequisite. Thanks to a simple and effective signature qualification cycle, they would make it possible to avoid such problems as the one with the McAfee recent update, which blocked several thousands of user systems.

However, an antivirus solution cannot ensure alone the security of the whole information system, technical and human measures must also accompany it.