Sunday, October 12, 2008

Why do we need Anti-Virus/Anti-Malware on our PCs Anyway?

Ok, before everyone starts jumping on me for this, I'm talking about the need for our individual PCs to be processing this sort of stuff.

Recent Issues - Scanning
I've been finding myself increasingly turning McAfee's services off in order to do simple tasks without massive interference.

It's a well-known and demonstrated fact that applications which use a lot of small files, like the new version of the Notes client (the Eclipse version), do not run happily with Anti-Virus.

Why? Because every time they pick up a file to execute it, the Anti-Virus app "snatches it off them for a look". In the days of large applications, the anti-virus would simply scan a massive EXE file once and then move on. That's no longer the case.

Last Friday, I was trying to download some things from the IBM site using their "Download Director" facility. McAfee seized the Java applet and took so long to scan it that it kept timing out. In the end, the only way I could download the file was to turn off my Anti-Virus.

Recent Issues - Malware Detection
Then of course, there is malware detection. I've been becoming quite irritated with the otherwise good (and FREE) McAfee Site Advisor software because whenever I went to look at my own blogs (and any other blogs hosted by Google Blogger), it would block the site and tell me that the site was a Phishing site. If I looked the site up in Site Advisor, it would tell me that the site was clean.

I spent about a week and a half trying to get responses out of McAfee about the problem. Eventually I got a response that said:

After some investigation, we have discovered that this error was related to a bug in the SiteAdvisor program, which has now been fixed.

Anyone who sees this error should uninstall SiteAdvisor, and then reinstall it via the following link:

Please write back to me if this error is still occurring after these instructions have been followed.

I'm pretty annoyed about this. Who else has been getting this problem and is it "trashing" my internet reputation? I hope not.

Anyway, this again points to a problem on my PC - actually, I think it's very widespread because I've got the problem on both my home and work PCs.

Recent Issues - Anti-Spam
My anti-spam issues with Symantec were pretty bad (and I reported them on this blog a couple of years ago), but they've all disappeared since I moved the Anti-Spam off our servers and onto a hosted service.

I think that there are two good solutions to this problem:

1. Border Management
2. Safety Scans

Border Management
There are about five ways in which executables or malformed data can enter your PC.

  1. Drives - Floppy, CD/DVD and USB
  2. Internet
  3. Wired Network Connections (Generally trusted)
  4. Wireless Network Connections (Not necessarily trusted)
  5. Other Means (Developed, Parallel Laplink etc.) - Unlikely.

All computers should have a firewall which is secure enough to actually lock off floppy drives, network connections and other direct ports.

For the trusted connections, there should be a simple check on boot to determine if the connection is still the same. If the network is the same (as one previously authenticated), then the connection to the resource should be opened. If not, perhaps a scan might be initiated, or a key might be required to be entered by the user.

In the case of rewritable media, like CD-RW or USB Sticks, the user should be offered either an opportunity to scan the entire device once or to open a "realtime scan/protected" connection.

In this way, the onboard firewall could protect the PC without having to constantly scan files as they are opened. The impact on the PC's performance would be minimal.

All other scanning services, such as scanning of network file shares, scanning of internet connections etc, should be done by dedicated hardware to remove the need for individual PCs to do the work.

Safety Scans
These can be done after hours. All PCs and File Servers probably should have some sort of anti-virus and anti-malware task running on them by default after hours.

The Waiting Game
Well. It all sounds good in theory... now I just have to sit back and wait until someone develops the technology. IMHO, it's a good market opportunity for the right company.


Phil said...

Welcome to the wonderful world of crap scanning engines.

Symantec and McAfee, COME ON DOWN! You're our WINNERS!

In my experience, their scanning engines are slow, bloated, and just plain ineffective sometimes.

The sad thing about this is that good scanning engines have been around for years. There are a number of tricks that can speed up scanning massively - including using smaller signatures, using targeted scanning, and using checksums.
But the "big two" just don't seem to want to learn from these engines.

In a particularly ironic regression, McAfee used to use checksums to speed up scanning. (Remember the DOS days of validate.exe?)

However, these days it seems that McAfee and others put more effort into making their applications look like they're doing something - with animations, swish dialogue boxes, and constant nannying.

The integration of antivirus as just one function in a suite seems to have made the situation worse, especially as these suites are tailored towards the consumer market. Now reminders that the software is working (via intrusive popups telling you that they're updating, scanning etc.) seem to be thought of as positive by the developers, as they let uneducated users know that their purchase is "worthwhile".

Sadly, it's due to that kind of market pressure that you won't see the kind of security suite you (and I!) would like to use.
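As an added illustration of the checksum trick Phil describes (example code, not McAfee's or this blog's own), the following caches scan verdicts by content hash so that a folder of many small, unchanged files (the Notes/Eclipse case from the post) costs one full scan, and verdicts are tied to the signature version so an update forces a rescan. The `engine` callable is an assumed stand-in for a real signature scanner, and the files it scans are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


class ScanCache:
    """Verdicts keyed on (signature version, SHA-256). Keying on the version
    matters: a 'clean' verdict is only as good as the signatures behind it."""
    def __init__(self, engine, signature_version):
        self.engine = engine               # assumed stand-in: path -> "clean"|"infected"
        self.signature_version = signature_version
        self.verdicts = {}
        self.engine_calls = 0              # how often the slow engine actually ran

    def scan(self, path):
        with open(path, "rb") as f:        # hashing is far cheaper than a full scan
            digest = hashlib.sha256(f.read()).hexdigest()
        key = (self.signature_version, digest)
        if key not in self.verdicts:       # unseen content or new signatures
            self.engine_calls += 1
            self.verdicts[key] = self.engine(path)
        return self.verdicts[key]


def demo(n_files=200):
    """Four passes over a folder of small constructed files; returns engine
    calls per pass and the verdict on the file modified before pass 3."""
    def engine(path):                      # constructed stand-in, not a real scanner
        with open(path, "rb") as f:
            return "infected" if b"CONSTRUCTED-BAD-MARKER" in f.read() else "clean"
    def run_pass(cache, paths):
        before = cache.engine_calls
        verdicts = [cache.scan(p) for p in paths]
        return cache.engine_calls - before, verdicts

    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, f"plugin{i}.jar") for i in range(n_files)]
        for i, p in enumerate(paths):
            with open(p, "wb") as f:
                f.write(b"constructed class data %d" % i)
        cache = ScanCache(engine, "2008.10.12")
        calls = [run_pass(cache, paths)[0] for _ in range(2)]   # all, then none
        with open(paths[0], "wb") as f:    # one file changes: only it is rescanned
            f.write(b"CONSTRUCTED-BAD-MARKER")
        n, verdicts = run_pass(cache, paths)
        calls.append(n)
        cache.signature_version = "2008.10.13"   # signature update: all rescan
        calls.append(run_pass(cache, paths)[0])
    return calls, verdicts[0]              # ([200, 0, 1, 200], 'infected')
```

Note that this only spares the engine on files whose content has not changed; every write still costs a hash and, for new content, a full scan, which is exactly where the per-directory "scan on write" tuning in the next comment fits.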


Anonymous said...

On Windows, set the virus scanner to only check on write for the directory containing the bazillion little java files used by Notes/Eclipse.

You'll see a huge improvement in loading Notes standard client.