Antivirus – Just one piece of a big puzzle

Many users think antivirus is the last, and sometimes only, line of defense. Sadly the majority of the Mac users feel they need no defenses at all, after all Macs are impervious to any kind of viruses or attacks right 😉 *cough*. Very slowly Mac users are starting to catch on to the fact that the previous statement does not hold true so there is an increase in interest for protection, something many antivirus / protection companies are trying to get in on. When searching the web or asking others what is a good way to protect your computer, the first term that comes up is always antivirus so an antivirus gets picked, installed and the user thinks they are now as protected as they can be. This is far from the case. While malware is certainly a growing concern, there are many ways in which your system(s) can be compromised and an antivirus application only partially protects you from a few of these ways.

How an antivirus does what it does
Simply put, a virus or piece of malware in it’s final form (app, script, etc.) can be analyzed. This analysis results in a identifiable string of code also called the signature. This signature is added to the blacklist or database that the antivirus application downloads every time it checks for updates. This is why update frequency is important, the sooner your antivirus application knows what signatures to look out for the better. For emerging threats that are not analyzed yet by the antivirus company some applications leave you with heuristics. Heuristics analyze the contents of your computer to look for suspicious code and may be able to detect a piece of malware before the company is even aware it exists. All this should prevent any type of malicious code to run on your computer. This is why it is important to pick an antivirus application that has a good detection rate and good protection track record, see this page for the latest details on that.

Some of the problems with antivirus
Claims – Some companies will protect their users from the latest high profile threat and use that to gain more users. Once that threat has passed (no longer active or exploitable) they fail to detect new threats or half-ass it until the next high profile threat comes along. They attracted new users, got the cash and kind of leave those users hanging. The users think they are protected around the clock by “this company that did amazing when this or that malware was around” while in fact they are not. Or a company detects just a few of the signatures from a certain malware family and simply tells everyone they are protected. For example, at the time of writing i have 31 samples of the DNSChanger malware family, that’s 31 unique signatures for different variants of the same malware. A good antivirus should detect them all but i have found that quite a few only detect a few and still claim to protect their users from the DNSChanger malware. It’s like bulletproof glass claiming to be impervious to 9mm bullets but only red, blue and orange ones. If a purple or green 9mm bullet happens to find the glass, sorry, you’re not protected. I suck at analogies but i hope you understand this one.
Heuristics – I watched a very interesting webcast today on sans.org “The Three Most Common Tools Used to Breach Systems” presented by John Strand and PaulDotCom’s Paul Asadoorian. (the archived footage is not online yet but i will link to it as soon as it is) I asked: “Heuristics in general is said to be a great asset for AV (AntiVirus) apps, do you agree?”. The answer i got surprised me, i did not know there are different type of heuristics. John answered: “Not necessarily, it depends on how the AV company implements the concept of heuristics. There are some AV engines out there that do that true type of heuristics. It’ll either be on a blacklist, whitelist or a greylist. So if it’s blacklisted, it’s not going to run, if it’s whitelisted it’s going to run and if it’s greylisted, meaning it’s not on the black or white list, it uploads it to a sandbox and then it runs it to check and see if there is something malicious in it. That is a great approach but [connection stalled]. With the vast majority of the AV engines out there now that say that they do heuristics do a couple of different things. Either they go through the first 150 bytes of an executable to see if there is something interesting and then dig deeper or they go through and they jump at those 512 byte offsets to check the different sections of code at those different offsets. So it really boils down to what your vendor means when they say heuristics. If it’s sandboxing and analysis, awesome. If it’s just going through and doing static code analysis for heuristic detection it is very very easy to bypass those types of products if you know what you’re doing.” The presentation covered how to bypass antivirus applications as well, very interesting stuff. I had never thought of this, i never stopped to think there may be different ways of doing heuristics. John blew my mind. (I admit it is not that hard to blow my mind as the security industry is so enormous and all the new information i try to absorb and learn every day has tons of stuff in it i did not know) John had very little (nothing really) good to say about antivirus for Mac in general. Paul did mention that certain browser add-ons and Little Snitch are great ways to protect your Mac. I have covered this before in articles here and here.
Updates – As said before, the sooner updates are available the better. And some companies do not update often. An application may check for updates once an hour but if there is no actual database update available to download from the server, that hourly check becomes useless.

The rest of the puzzle
The other pieces are making sure you keep your OS and software up to date, the use of strong passwords, using a firewall, educating yourself and other users on your network about security risks like malware and phishing, making sure routers and networks are set up properly etc. Antivirus, while a nice addition to your security solution and i do recommend using it, is by no means enough. (At this moment Sophos is my best tested antivirus application, it’s free and very light on the system so install it just to be safe).

Check out the above mentioned sans.org presentation if you are interested in learning more about security. Apart from some shenanigans from attendees that have yet to grasp the concept of professionalism, drawing on the presentation whiteboard, it’s good stuff that’s worth viewing. I was also not aware of PaulDotCom but the quick glance i gave it earlier makes me think this is also a great resource to keep an eye on from now on.