Archive for the 'Security' Category

Security Myths, Part II

Monday, January 21st, 2008

Okay, sorry about the delay on posting this one. I had some other priorities to take care of first.

Last time, I explained why antivirus is basically a sham. This week, I’m covering firewalls.

Firewalls are only a half myth, really. Generally, firewalls do as they should: block either incoming or outgoing connections (or both). But in order for people’s internet connections to be functional, firewalls have to have exceptions. Certain connections must be allowed to pass through the firewall, or the network is essentially rendered useless.

Problem #1: In the case of end-users, firewalls can end up causing confusing symptoms (for instance, Windows file sharing failing to work properly because of a denied connection). The typical user probably wouldn’t know why file sharing refused to work, and would eventually get frustrated and either give up on the task at hand or resort to an inappropriate means of sending files (such as email). An informed user would probably add an exception for that set of ports and allow Windows file sharing to function.

Problem #2: Exceptions themselves are the second issue. Firewalls are blanket security that we can punch holes in when we need to. Exceptions mean that we’re selectively exposing ports that we probably shouldn’t for security reasons. Further, the Windows file sharing ports are the most exploited for security holes of any ports on Windows. Blaster, Sasser, Bagle, MyDoom, NetSky, and Sircam all used Windows file sharing ports for infection.

Problem #3: Open ports are really not the problem. The problem is poorly written software. Windows file sharing was exploited so many times because it was truly that badly written. So many security considerations were ignored. To Microsoft’s credit, they are now developing software in such a way that most buffer overflows are avoided. They’ve basically made their developers use their secure C functions (sprintf_s, strcpy_s, etc), lest they get a compiler error. I’ve seen this myself when visiting Microsoft.

But now we’re at the root of the problem: we’re covering up programmer errors by making those errors publicly inaccessible while reducing functionality. What really should be done? Programmers should thoroughly test their programs, and potentially even implement their own secure C functions (for non-Windows platforms). But unfortunately, we’re stuck with firewalls because programmers don’t write secure code.
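As an added example (not code from this blog or from Microsoft), here is what "implementing your own secure C functions" for a non-Windows platform can look like: portable analogues of strcpy_s and sprintf_s that refuse oversized input and report an error instead of writing past the destination buffer. The names safe_strcpy and safe_sprintf are my own.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical portable analogue of strcpy_s: copy src into dst only if it
 * fits, terminator included; otherwise dst becomes "" and an errno value
 * is returned, so an oversized input can never overflow dst. */
int safe_strcpy(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || dstsize == 0)
        return EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    size_t n = 0;                 /* bounded scan: never read past dstsize */
    while (n < dstsize && src[n] != '\0')
        n++;
    if (n == dstsize) {           /* no room left for the terminator */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical analogue of sprintf_s: vsnprintf bounds the write, and
 * truncation is reported as an error instead of being passed on silently. */
int safe_sprintf(char *dst, size_t dstsize, const char *fmt, ...)
{
    if (dst == NULL || dstsize == 0 || fmt == NULL)
        return EINVAL;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsize, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';
        return ERANGE;
    }
    return 0;
}

int main(void)
{
    char name[8];  /* constructed: a deliberately small destination buffer */
    printf("rc=%d\n", safe_strcpy(name, sizeof name, "averyverylongusername"));
    return 0;
}
```

Unlike plain strcpy, the failure case is visible to the caller (rc is ERANGE and the buffer is left empty), which is the behaviour the _s functions are meant to enforce.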

I would love to hear any opinion you may have about this blog. Email me directly at steven@uplinklabs.net and let me know what’s on your mind!

Security Myths, Part I

Sunday, December 23rd, 2007

There isn’t such a thing as antivirus software, at least in the most ideal sense of the term. No software can detect malicious code without foreknowledge of specific patterns inside the program to search for. To detect new viruses before they wreak havoc on your system, you’d have to either monitor everything yourself, manually, or you’d have to have software with artificial intelligence. This doesn’t exist today. What we have today is not antivirus. What we have is essentially a sham. The top antivirus manufacturers, except for AVG, currently use tactics I despise. They’ve essentially made antivirus into a subscription-based service. Every six months, antivirus software will ask for more money if you want to continue getting sub-par service. They’re not looking out for their users’ best interests, they’re trying to rake in the cash.

How is the service sub-par? Antivirus detects only known viruses. What’s worse, if the virus you happen to get on your system is aware of your antivirus software, it’s possible for it to bypass or even disable it. For example, in 2001, it was widely reported that Norton Antivirus had a flaw which made it possible to change a single registry entry and disable the antivirus. So really, what good is antivirus software if a virus can simply hit the ‘off’ switch?

Even further, some antivirus software is incompetent. Much more recently than the aforementioned security hole in Norton Antivirus is the news that some new laptops pre-installed with Home Premium were infected by a 13-year-old virus. Worse, the preinstalled antivirus software could not remove the virus. The fortunate thing here is that the virus itself was basically just a proof-of-concept and had no payload, so the damage was quite light.

A recent article on The Register brought to light a study by a German magazine in which they tested various antivirus programs’ effectiveness in detecting new variants of known threats. Antivirus companies make heuristics sound great and powerful, but the results of the tests were less than encouraging. Detection rates of 20-30% are pathetic. Why are people continuing to pay for such ineffective software?

An even more annoying flaw is when antivirus software yields a false positive when checking a piece of software for viruses. A very publicized incident of this kind of failure was most recently posted on The Register about how AVG thinks Adobe Reader’s installer is a virus.

Some have suggested that a solution for these sorts of problems lies in having independent testing firms to validate antivirus software’s capabilities. I don’t believe this to be the solution, because the security model itself doesn’t make sense and I believe the whole concept of antivirus needs to be redesigned. I also don’t believe blanket security is good security, largely because most blanket security solutions yield more problems than they solve. There are exceptions to this rule of thumb, but for the most part, blanket security is worthless.

Another solution that people have suggested is the concept of “intrusion detection”. Intrusion detection is the concept of monitoring programs for suspicious activity, such as deleting files, modifying registry entries, and so forth. There are intrusion detection programs available, like the OSFirewall feature in ZoneAlarm Security Suite. Intrusion detection systems will be very noisy about pretty much any suspicious behaviour, but such behaviour can be exhibited by perfectly normal programs as well. Programs add and delete files all the time, but this is also how viruses propagate. Programs modify the registry all the time, but this is how viruses inject themselves to run at startup. The intrusion detection model is far too noisy and picky about events taking place on a machine.

So what can be done about this difficult issue? How can viruses be effectively eradicated? Unfortunately, there is very little that can be done right now. Until someone writes a real antivirus program, you are essentially forced into using one of these pseudo-antivirus products on the market. Aside from being vigilant about what you download and run, you should always be sure to keep your antivirus software up to date. I recommend AVG to most people because it’s free. My own solution to the threat isn’t very useful to the average person, so I rarely recommend it. I’ll be detailing my own solutions to primary security concerns in a few weeks. Next week, I’m going to be covering firewalls, the next great security myth.

I will continue this article in part two next week.

I would love to hear about your own virus problems and solutions as well as any opinion you may have about this blog. Email me directly at steven@uplinklabs.net and let me know what’s on your mind!