Anti-Virus Solution: More Anti-Virus

If virus scanning slows computers down too much, users will vote with their feet. That’s why anti-virus vendors take scanning shortcuts, like identifying a file by its embedded filetype designator, a.k.a magic byte, in the file header.

This allows the a/v software to scan a file, looking only for those virus signatures that apply to its filetype. And filetypes not associated with viruses can be skipped entirely. It’s a great time saver… When it works.

Unfortunately, the identifying header for some filetypes, like JPEG, can be located anywhere in a file. SecurityElf researchers found that by embedding files within files, they were able to bypass many a/v scanners to deliver psuedo-noxious payloads. This discovery, they conclude, “will probably force antivirus developers to change the way they detect filetypes. This may even require scanning the entire file for floating headers, in which case scan speed will be significantly reduced, although it may also be possible to develop more intelligent header analysis algorithms.”

Before you toss your copy of Kaspersky, NOD32 or AVG, consider that magic byte is just one of many antivirus challenges. Virtually all of the marquee offerings have extensive histories tracked by security banks like the Open Source Vulnerability Database.

Some were Johnny-on-the-spot at stopping Sober. Others did better with MyDoom. F-Secure, Kaspersky and NOD32 are more or less respected by the rootkit community, although the author of Hacker Defender claims that, of the eight antivirus vendors he tracks… Avast!, Panda, Norton, McAfee, Kaspersky , NOD32, AVG and PC-Cillin… not one can detect his anti-detection-fortified rootkit.

So what can you do to assure reasonable security? Limit network-spanning real-time applications. For instance, if you don’t need to run instant messaging, don’t. Use SMTP-based email instead. Whenever network politics allow, squelch peer-to-peer file sharing, and push FTP. Both SMTP and FTP give your anti-virus scanning software the time it needs to do a thorough job. They also give you a chance to filter out potentially dangerous scripts, webbugs and other nasties.

Then make sure you layer-in multiple antivirus brands. Don’t use the same products on your network borders and servers. And shoehorn Yet Another A/V Brand into your PCs.

Will this finally give you Perfect Security? Silly wabbit.

Background (updated):

• About; Hacker Defender.
• Anti-Virus Response Times To MyDoom.BB; PC Mag.
• Anti-Virus Solution: More Anti-Virus; Email Battles; 9 November 2005.
• Anti-Virus Vendor Response Times To Recent Sober Outbreak; PC Mag.
• AOL,MSN,Yahoo: Instant Message vs Email; Email Battles.
• Did Virus Scanners Just Become Obsolete?; Tech Dirt.
• How To Dig Out Rootkits; Email Battles; 22 March 2005.
• How To Stop Uber Worms Before They Hit; Email Battles.
• Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte; Wayne Langlois; SecurityElf.
• P2P Safer Than Buying The DVD; Email Battles; 11 November 2005.
• Rootkit Guru: Win 9x/ME Are Hopeless; Email Battles; 13 December 2005.
• Rootkitters Lay in Wait for Vista 2006; Email Battles; 7 December 2005.
• Signature War: Rootkits vs Antivirus; Email Battles.
• Tests of Anti-Virus Software; AV-Test
• The Magic of magic byte; Wayne Langlois & Andrey Bayora; SecurityElf.
• Which anti-virus does the least good?; SpamRoll.