Is Your Antivirus Software Failing You?
Is your AV doing the job?

When doomsayers moan about Microsoft Windows and security in the same
breath, I'm quick to point out Microsoft's gains and the role we all
must play in security.

So when Information Security Magazine, www.informationsecuritymag.com,
subtitled their cover article "Why Your AV Software is Failing to
Protect You," I felt a stirring in my blood. Yet another case of
misplaced concern, I thought. However, after reading the article and
doing a little checking, I'm going to have to add my voice to the alarm.
Not to berate the antivirus vendors -- not just yet -- but to challenge
them to tighten up their defaults, and to challenge you to take a solid
look at your antivirus strategy, management procedures and configuration
standards. If I'm going to ask for vendor accountability here, I'm going
to ask that you get busy, too.

The article is the result of the magazine's antivirus testing. Tests
specifically avoided the normal suite of known sewer sludge that
antivirus software handles well and looked at some really scurrilous
stuff, although nothing rare or exotic. None of their tests were
designed to make products fail. Three tests caught my attention:

- Alternate file streams. Virus and worm writers have learned to hide
their sludge in the NTFS alternate file stream. When they do, of course,
you're not going to see the files using Windows Explorer.
Unless your antivirus product scans for this, it won't either. Many
current antivirus products scan alternate file streams, but amazingly
this capability isn't turned on for real-time scanning by default. Go
check your settings now, OK?

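Checking the real-time scanning setting is one half of the job; the other is knowing what already sits in alternate streams on your disks, since Explorer and dir will never show it. The following PowerShell is an added example, not code from the column or from MCP Magazine. It assumes PowerShell 3.0 or later (for the -Stream parameter) on an NTFS volume; the folder path is a placeholder.

```powershell
# Added example (not from the original column): enumerate NTFS alternate data
# streams under a folder so they can be reviewed or handed to an on-demand scan.
# Assumes PowerShell 3.0+ on Windows; $Root is a placeholder folder to inspect.
param(
    [string]$Root = 'C:\Users\Public'
)

# Every NTFS file has the unnamed ':$DATA' stream. Anything else is an
# alternate stream that Windows Explorer and a plain dir listing do not show.
$streams = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

# Zone.Identifier is the benign "downloaded from the Internet" mark that
# browsers write; list it separately so the unusual streams stand out.
$marks   = $streams | Where-Object { $_.Stream -eq 'Zone.Identifier' }
$unusual = $streams | Where-Object { $_.Stream -ne 'Zone.Identifier' }

"Files carrying only a Zone.Identifier mark: $(@($marks).Count)"
"Files with other alternate streams: $(@($unusual).Count)"

$unusual |
    Select-Object FileName, Stream, Length |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Anything in the second list deserves a look: `Get-Content -LiteralPath <file> -Stream <name>` reads a stream, and an on-demand scan of the host file with the real-time exclusion for streams switched off (or with `Start-MpScan -ScanPath` on Windows Defender) tells you whether the engine actually sees it. Large executables hiding in streams of innocuous files are exactly what the magazine's test was probing for.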
- Malware that disables antivirus products. Many antivirus products do an
excellent job of fighting malware, but can't if they're turned off. Much
of the newer malware attempts to do just that.
There's no clear-cut solution for this. While using a product the
testers gave a clean bill of health might seem to be the solution, it
doesn't give you any assurance that future untested malware won't be
able to clean its clock. One step you can take is regular testing to
make sure antivirus products are still turned on; that will also catch
situations where users have turned antivirus off themselves.

- Unix virus detection. Why should a Windows antivirus product detect
and clean a Unix virus? It won't harm Windows, will it? While the answer
to the latter is no, you're potentially vulnerable if you have Unix in
your organization. Unix viruses and worms are being developed that use
Windows systems to launch attacks on Unix hosts.

You're going to have to read the article to get the skinny on which
antivirus products did what. Then revisit your antivirus plan. Ask the
antivirus folks what they're doing about these issues, and visit with
your employees. Use this wakeup call to make sure configurations are in
place to deal with all possible threats.

While you're at it, check to make sure normal antivirus installations
and maintenance are in place. If users can turn antivirus off, have
checks and balances in place to make sure they understand why they
shouldn't do this. Make sure you're checking antivirus status, and have
a procedure to get it turned back on if it's off. Use defence-in-depth
and scan at gateways. Here's hoping you find my alarm unjustified. As
usual, please let me know how your analysis comes out.

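The regular "is it still turned on?" testing suggested under the second test, and the status check plus turn-it-back-on procedure asked for just above, can both be scripted and run from a scheduled task. The following PowerShell is an added example and not the column's own; it assumes Windows 7 or later on a client edition (the root/SecurityCenter2 WMI namespace is not present on Server SKUs), Windows Defender Antivirus with its PowerShell module, and a community-documented reading of the productState field that Microsoft does not publish. The three-day signature threshold is a local policy choice made for the example.

```powershell
# Added example, not from the original column. Periodic antivirus health check:
# is a product registered with Security Center, is real-time protection on,
# are definitions fresh, is the engine service running? Returns an object a
# scheduled task or monitoring agent can act on, then remediates if asked.
# Assumptions: Windows 7+ client edition (root/SecurityCenter2 is absent on
# Server SKUs), Windows Defender Antivirus with its PowerShell module, and a
# community-documented decoding of productState that Microsoft does not publish.

function Get-SecurityCenterAv {
    # One row per antivirus product that has registered itself with Security Center.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = $hex.Substring(2, 2) -in '10', '11'   # assumption: middle byte = on/off
                UpToDate = $hex.Substring(4, 2) -eq '00'         # assumption: low byte = definitions
                RawState = $hex
            }
        }
}

function Test-DefenderHealth {
    param([int]$MaxSignatureAgeDays = 3)   # local policy threshold chosen for the example

    $service = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $status  = Get-MpComputerStatus -ErrorAction SilentlyContinue

    $problems = @()
    if (-not $service -or $service.Status -ne 'Running') {
        $problems += 'WinDefend service not running'
    }
    if (-not $status -or -not $status.RealTimeProtectionEnabled) {
        $problems += 'real-time protection off'
    }
    if ($status -and $status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $problems += "definitions are $($status.AntivirusSignatureAge) days old"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function Repair-DefenderHealth {
    # The "procedure to get it turned back on": needs an elevated shell.
    $svc = Get-Service -Name 'WinDefend'
    if ($svc.Status -ne 'Running') { Start-Service -Name 'WinDefend' }
    # Re-enable real-time monitoring if a user (or something else) switched it off.
    Set-MpPreference -DisableRealtimeMonitoring $false
    # Pull fresh definitions and scan the quick locations before declaring victory.
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
}

# Example run: report what Security Center knows, test Defender, remediate if needed.
Get-SecurityCenterAv | Format-Table -AutoSize
$report = Test-DefenderHealth
$report | Format-List
if (-not $report.Healthy) {
    Repair-DefenderHealth
    Test-DefenderHealth | Format-List
}
```

Where a third-party product is the active antivirus, Defender on client Windows steps aside and the Security Center rows are the part that matters; the same Test/Repair split still applies, with the vendor's own service name and management cmdlets substituted. The point of separating the report from the repair is that a machine which keeps coming back unhealthy after remediation is the one to pull off the network and investigate, since "something keeps turning it off" is the exact failure the magazine's second test was about.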
Roberta Bragg, MCSE: Security, CISSP, Security+, and contributing editor
for MCP Magazine, owns Have Computer Will Travel, Inc., an independent
firm specializing in information security and operating systems.
MCPMag - June 2004