Antivirus Software

Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software, or malware. Malware threats take many forms, including viruses that are carried via infected files, worms that spread autonomously over the network, and humans who use malicious software as agents to remotely control or monitor victims' systems. Many established vendors, such as Symantec, McAfee, Sophos, Trend Micro, and F-Secure, offer products that detect and, in many cases, eradicate malware from the system. This is accomplished by monitoring the local host's boot sector, memory, and file system for signatures of known instances of malware. Another detection mechanism that is often used in conjunction with the database of malware signatures monitors programs for behavior patterns frequently associated with malware. When properly deployed, antivirus software can be effective at helping to establish an in-depth security architecture.


Software for defending hosts against malicious software is called antivirus primarily for historical reasons, even though it protects the system against several categories of malware, including viruses, worms, Trojans, and malicious mobile code. Antivirus software can also detect some forms of spyware, particularly those that use traditional malware mechanisms.

Strengths of Antivirus Software

Antivirus software establishes a significant layer in a reinforced security perimeter. Just like all defense components, antivirus software has its strengths and weaknesses. Some of the core strengths of antivirus software are listed next:

  • Antivirus software is effective at identifying numerous popular malware specimensfor most products, tens of thousands. Antivirus companies enjoy the benefit of significant research investments and can analyze malicious software relatively quickly to the extent that it allows them to produce a signature for a specific instance of malware.

  • Antivirus software can monitor many client applications for malware activity, such as email clients, web browsers, instant messaging clients, and other common mechanisms for receiving and transmitting malware.

  • Antivirus software is unobtrusive partly because it has a relatively low rate of false positives. Even when configured to operate in a "real-time" protection mode, antivirus software runs in the background, rarely drawing attention to an event that should not require the user's attention. As a result, end users do not mind having virus protection enabled on their workstations.

  • Antivirus software is affordable and has been accepted as a necessity by many budgetary decision makers. It is not easy to find a person who is unaware of the dangers associated with malicious code. Antivirus software has been around long enough that it has become an accepted part of the corporate lifestyle.

The EICAR Test File: The Ultimate False Positive

Although antivirus software may be installed on systems, it may not be enabled or configured properly. Take care to verify that virus protection is active on your systems and that it operates as expected. One of the quickest ways to check this is through the use of the EICAR test file. Most antivirus products are programmed to recognize this file's content as a virus, even though it does not actually contain malicious code. The file, which can be downloaded from, consists of 68 ASCII characters. If saved with the .com extension, it actually executes on Windows platforms to print the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" to standard output. Of course, if your antivirus software is active, it should not let you execute this file in the first place.

In addition to protecting individual hosts, antivirus software is effective when integrated with gateways that process network traffic for common application protocols such as SMTP, HTTP, and FTP. Most major antivirus vendors offer specific software products for these protocols that can be quite effective at removing known malware threats from network traffic before they reach individual hosts.

As you can see, malware protection can take place at several different locations on the network. You do not need to limit yourself to any one of these. In fact, it is generally advantageous to perform such scans on individual workstations, as well as on file servers and Internet gateways. If malware is a large concern for your business, consider deploying one vendor's antivirus product on your hosts and another vendor's product on the gateways. This configuration increases the likelihood that a malware specimen will be blocked. Such redundancy can be justified because antivirus software has many significant limitations that impact the design of the security perimeter.

Limitations of Antivirus Software

In most cases, the effectiveness of the antivirus product depends on the extensiveness of its malware signatures. When a major new worm emerges, it typically spreads so rapidly that most organizations are affected by it in a matter of hours, before antivirus vendors have time to analyze the worm and create, test, and distribute signatures. Even when a signature is available, not all companies are capable of automatically distributing the latest signatures to their hosts. As you might recall, we discussed some of the ways of preparing for such incidents at the end of Chapter 1, "Perimeter Security Fundamentals." As one of the measures, be sure to set up your systems to routinely poll the signature distribution server for updates. Most antivirus products allow you to configure the software to automatically download the latest signature database from the vendor's website or FTP site. Enterprise versions of such software allow you to distribute signature updates from your own server within the organization. This approach allows you to centrally monitor infection-related alerts across many systems and allows you to force remote hosts to retrieve the latest updates outside of the routine schedule, especially when you know about a worm outbreak.

Another limitation of current antivirus products focuses on their effectiveness at detecting mutations of known malware specimens. For instance, if you receive an email attachment with a known Trojan, your antivirus software is likely to detect it and display a warning. Unfortunately, it might be sufficient to modify a particular byte in the Trojan's executable using a plain text editor to prevent antivirus software from recognizing it as malicious. If you know what you are doing, this change would not affect the Trojan's core functionality. By modifying the executable in a relatively trivial manner, you might alter one of the characteristics that antivirus software uses for the Trojan's signature.

Another way of mutating a malware specimen is to use one of the many packers that compress and often encrypt the compiled executable. The encoded version of the executable is self-contained and contains a small decoding routine that is triggered during runtime to extract the original program into memory. For example, another way of mutating the Trojan without changing its functionality would be to use a freely available packer called UPX. When the Trojan's original executable is compressed, its size and content are altered. Antivirus software may no longer recognize the Trojan, and the compression may complicate the analysis of the Trojan's functionality.

Of course, individuals who possess the source code for malicious software have the luxury of modifying it directly with the specific goal of bypassing signature-matching antivirus engines. Malware mutations are not as effective against behavior-based scanners, but behavior-based techniques are not as accurate at identifying known threats as signature matching.

Packers for Executables

Many packers are available for compressing and possibly encrypting executables. Some of these allow you to reverse the packing process to recover the original executable; others purposefully do not make such a facility available. In some cases, antivirus software might be able to automatically reverse the encoding to compare the original version of the program to malware signatures. Some of the more popular packers include these:

  • ASPack (

  • PECompact (

  • UPX (

Polymorphic malware, which changes itself on the fly, is another challenge that antivirus vendors have been working to overcome with a varying degree of success. One of the first mechanisms that facilitated the creation of polymorphic malicious code was created in 1993 under the name Dark Avenger's Mutation Engine (DAME).6 Although modern antivirus products easily uncover the polymorphic tricks DAME performs, other techniques can significantly complicate the detection of malware. The evolution of malicious software is running its course in parallel with advancements in antivirus technologies. Ways to bypass controls enforced by antivirus software will probably always exist.

Antivirus applications, just like any other software, can have vulnerabilities that expose its host to attacks while helping to combat malware. For example, some versions of Norton AntiVirus allowed a remote attacker to perform denial of service (DoS) attacks against hosts (CAN-2004-0487, CAN-2004-0683) by creating a file containing many compressed directories. There are dozens of CVE entries for antivirus software vulnerabilities, many of which are common flaws that have affected several products.


When spyware threats began growing exponentially, most antivirus products did not have spyware signatures or the capability to detect some forms of spyware. In part, this was because some spyware mechanisms, such as tracking cookies, do not use any malicious code, even though they have similar effects to malware-based spyware. Antivirus vendors are starting to make progress against spyware threats by adding new capabilities and signatures to their products. Also, several specialized spyware detection and removal utilities are freely available, including Ad-aware and SpybotSearch & Destroy, that can provide more protection against spyware.

Despite the limitations, antivirus software remains one of the most effective ways to control the spread of common malware specimens across multiple systems. Many instances of malware are difficult to block using traffic-filtering devices alone because they can enter the network through legitimate network channels, such as email and web browsing, as well as non-network means such as CDs, floppy disks, and flash drives. After malware is inside the organization, it can be programmed to communicate with its author via outbound connections that are often allowed to pass through the firewall unchallenged, whether to announce its presence via SMTP or to retrieve additional instructions through an HTTP request. An attacker can use malware as an agent working inside the targeted network, facilitating further, more directed attacks on internal resources. Host-based firewalls, deployed on systems throughout the network, are another part of an in-depth security architecture that can mitigate some of the risks network-based and host-based antivirus software doesn't cover.

    Inside Network Perimeter Security
    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    EAN: 2147483647
    Year: 2005
    Pages: 230

    Similar book on Amazon © 2008-2017.
    If you may any questions please contact us: