[Part 8 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series will also be available shortly as a white paper.]
Anti-Virus isn’t Total Security
Don’t expect antivirus alone to protect you from everything.
Use additional measures such as a personal firewall, antispam and anti-phishing toolbars, but be aware that there is a lot of fake security software out there. This means that you need to take care to invest in reputable security solutions, not malware which claims to fix non-existent problems, or toolbars that are designed to divert you away from the sites you want to visit and towards the ones that generate revenue for adware providers.
That apart, even the best protection might not protect you as well as common sense and caution do: there is no silver bullet in protection against malware, which is why we always advocate multi-layering or defense-in-depth. Specifically, don’t fall for the "I can do anything and click on anything because my antivirus will protect me" trap. There seems to be a temptation for people to cluster at one of two extremes.
- Some people have such touching faith in their AV that they assume it will catch everything malicious that’s thrown at their system, so they don’t run anything else and are convinced that they don’t need to think about their own security. When they eventually find that their system has been infected, whether it’s by something they’ve clicked on incautiously or something a little more subtle like a zero-day vulnerability or a drive-by download, they feel betrayed and angry. That’s understandable, but it comes from a misunderstanding of the limitations of all security software. For every technical solution (not just AV) there is at least one way of getting round it.
- Others take the view that antivirus is no use at all because it "only detects malware it already knows about". That isn’t the case: only the most primitive modern antimalware relies purely on signatures of known malware variants. Good anti-malware products incorporate tools like generic detection, advanced heuristics, sandboxing, whitelisting and so on into an integrated product that catches a high percentage of all malware, not just viruses.
The danger in both scenarios is that the individual is tempted to substitute one partially successful solution for another. (Some marketing departments may overstate the effectiveness of a product, but that isn’t a problem restricted to the anti-malware industry, or even the security industry!)
The trick is not to rely solely on one solution at all: a diverse spread of partially successful solutions may be more successful… However, note that word diverse. For most people, half a dozen antivirus packages on a single desktop machine is likely to cause more problems than it solves… By multi-layering, I mean using a diversity of product types: using multiple antivirus products may catch more specific malicious programs, but the increased detection may not be worth the additional strain on resources and risk of program conflicts, false positives and so on.
Please bear in mind also that malware gangs spend a lot of development time tweaking binaries so that they will evade specific scanners. The more effective a scanner is, the likelier it becomes that it will be targeted in this way. Of course, we monitor these tricks closely and enhance our own detection accordingly, but there is always a risk that such a tweaked binary will reach you before we’ve received a sample and updated our detection.
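To make the difference between "signatures of known variants" and generic or heuristic detection concrete (the point made in the second bullet above), and to show what the binary-tweaking evasion just described looks like against each layer, here is an added illustration in Python. It is not ESET's code and not part of the original post: the "binaries" are constructed byte strings, and the three detectors (an exact hash, a wildcarded byte pattern, and a suspicious-string heuristic) are deliberately simplified stand-ins for the layers a real product has. The indicator strings, the XOR key and the heuristic threshold are assumptions chosen for the illustration.

```python
"""Three simplified detection layers run over constructed stand-ins for binaries.

Illustrates why a pure hash signature fails on a one-byte tweak, why a family
(generic) pattern survives that tweak but not a string change, why a heuristic
survives both, and why string obfuscation gets past all three static layers.
"""
import hashlib
import re

# --- Constructed sample family (not a real malware sample) ------------------
HEADER = b"MZ" + b"\x90" * 8                 # fake header plus padding
JUMP = b"\xeb\x10"                           # short jump; offset varies per build
CMD = b"cmd.exe /c del /q *.log"             # cleartext command string
TAIL = b"\x00" * 6 + b"\x31\xc0\x50\x68"     # trailing opcode-like bytes

ORIGINAL = HEADER + JUMP + CMD + TAIL

# Evasion 1: flip one padding byte; code and strings untouched.
PADDING_TWEAK = ORIGINAL[:4] + b"\x91" + ORIGINAL[5:]

# Evasion 2: additionally change the case of the command string.
CASE_TWEAK = PADDING_TWEAK.replace(b"cmd.exe", b"CMD.EXE")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest string obfuscation a packer might apply."""
    return bytes(b ^ key for b in data)


# Evasion 3: the command string is stored XOR-encoded (key 0x5A is arbitrary)
# and would only appear in cleartext in memory at run time.
STRING_OBFUSCATED = HEADER + JUMP + xor_bytes(CMD, 0x5A) + TAIL

# --- Detection layers ------------------------------------------------------
# Layer 1: exact signature of a known variant (the "only knows what it has seen" case).
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}

# Layer 2: generic family pattern; "." is a one-byte wildcard for the jump offset,
# so any rebuild with a different offset still matches.
GENERIC_PATTERN = re.compile(rb"\xeb.cmd\.exe /c del", re.DOTALL)

# Layer 3: heuristic; case-insensitive indicators, flagged when enough co-occur.
SUSPICIOUS_STRINGS = [b"cmd.exe", b"del /q", b"vssadmin", b"powershell -enc"]
HEURISTIC_THRESHOLD = 2


def hash_signature(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


def generic_signature(sample: bytes) -> bool:
    return GENERIC_PATTERN.search(sample) is not None


def heuristic(sample: bytes) -> bool:
    lowered = sample.lower()
    hits = sum(1 for s in SUSPICIOUS_STRINGS if s in lowered)
    return hits >= HEURISTIC_THRESHOLD


def scan(sample: bytes) -> dict:
    """Return which layers fire for a sample."""
    return {
        "hash": hash_signature(sample),
        "generic": generic_signature(sample),
        "heuristic": heuristic(sample),
    }


def detected(sample: bytes) -> bool:
    """Multi-layer verdict: any layer firing is enough."""
    return any(scan(sample).values())


if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("padding tweak", PADDING_TWEAK),
                         ("case tweak", CASE_TWEAK), ("xor strings", STRING_OBFUSCATED)]:
        print(f"{name:14s} {scan(sample)} -> detected={detected(sample)}")
```

Running it shows the padding tweak defeating only the hash, the case change defeating the hash and the generic pattern, and the XOR-encoded variant slipping past all three static checks. That last case is exactly why the post lists sandboxing alongside signatures and heuristics: executing the sample and inspecting memory after it decodes its own strings is a further layer, and it too has known ways round it.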
For this reason, we’re always grateful to receive samples of malware (or indeed false positives) that have evaded our products. For details on how to do this take a look at http://training.eset.com/kb/index.php?option=com_kb&Itemid=29&page=articles&articleid=141
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/