In this first article we'll show that the pair scanner (antivirus/antitrojan/antispyware) + firewall is not sufficient to mitigate security risks for home users.
Then we'll review and list the Desktop/Host Intrusion Prevention Systems available for home users.
Mr and Mrs “hey, we bought our first PC yesterday” often consider only the need for an antivirus, and their children Kevin and Kevina have vaguely heard of the need for a firewall.
But if we take into consideration the evolution of internet threats (attacks and malware), which are becoming more and more sophisticated, and the weaknesses of scanner-based protection, we must admit that alternative approaches such as proactive solutions can be necessary.
Malware and threats: more and more sophisticated
Threats and malware are becoming more and more sophisticated.
In the past there was sometimes a competition between virus writing groups: which virus or worm would spread fastest and which one would cause the most damage.
Threats are becoming less noisy: the goal is still criminal, but the aim is now to steal financial information, and then real money, as silently as possible.
That's why the malware terminology has evolved from basic trojans, viruses and spyware to crimeware, krugueware and so on.
Websensesecuritylabs reports cases of malware and phishing attacks every day.
For instance, here's an example of crimeware involving Petrobras and Losango.
And another interesting example here.
For more information on the subject, it is worth taking a look at these links and papers:
Future Trends of Malware by D. Dantchev
Websensesecuritylabs report 2005 (pdf)
McAfee Virtual Crime Report (pdf)
Crime-research web site
Limitations of scanners in general and antivirus in particular
Here we take it for granted that the firewall is the first line of defense, and is more necessary than an AV:
if Mister Bean closes the door of his Alaska home, that matters much more than whether his video camera alarm detects a wolf, a burn or a cat.
Without a door and facing a grizzly, he can begin a prayer.
The main concept of scanners is to protect a system by catching malware with a signature database: they block only what they know.
It's like a police force that tries to fight crime only with a criminal database: most countries have a criminal database, and crimes are committed every day.
The limits of signature database protection are evident:
-any programmer can create his own malware for his own purpose: the less noisy his tool is, the more chance of success he has.
As long as a malware is not discovered in the wild and reported or submitted, it can remain unknown for a long time.
-Zero hour/zero day malware takes advantage of vulnerabilities, and this is often a great vector for malware, especially trojans and worms.
And if the vulnerability concerns the OS, it's much more serious: it is not the job of AV and scanner publishers to patch the OS.
Zero day malware is a real problem for scanner publishers: they are confronted with their own limits: how to prevent unknown malware and how to produce an antidote as quickly as possible.
There is consequently a lapse of time of total insecurity: the protection does not operate in real time.
Should a bank or an online shopping addict be considered secure with only an antivirus protection?
As usual with security, no protection is ever final.
Some publishers integrate heuristic and proactive solutions, such as Nod32, which has been highly rated by AV-Test.org for its results in recent tests, and Commtouch's zero hour defense technology.
Sophos and McAfee also integrate a zero hour defense with the Proofpoint technology, but only for corporate environments.
Each publisher tries to implement new technologies to mitigate the weaknesses of signature file detection, and also to stay on the right market wagon... business is business as usual.
But is it really enough? Not sure, really not sure...
Some antivirus products without a signature database, like Invircible and Viguard with DVP, have used proactive technologies mostly based on integrity protection for years.
I.S.S also includes such technologies (VPS, virus prevention without signatures) in its products to combat new and unknown viruses.
I.S.S, which sells intrusion prevention (and vulnerability) system software, provides interesting white papers about the limits of signature detection (example: The lifecycle of a vulnerability).
Some products combine signature file detection with proactive technologies based
This is certainly an interesting evolution for scanners.
In any case, the antivirus market is highly competitive, and the rule is always the same for any business: evolve or die.
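To make the contrast concrete, here is a small added model (not code from this article or from any product named here) of signature-only detection beside an integrity baseline of the kind Invircible/Viguard-style tools rely on; the signature database, file paths and file contents are all constructed.

```python
"""Signature matching vs integrity baseline: a minimal model (added example)."""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed signature database: byte patterns of "known" samples only.
SIGNATURES: Dict[str, bytes] = {
    "Test.Sample.A": b"CONSTRUCTED-KNOWN-SAMPLE-A",
    "Test.Sample.B": b"CONSTRUCTED-KNOWN-SAMPLE-B",
}

def scan_signatures(data: bytes) -> Optional[str]:
    """Signature scanner: returns the name of a known pattern found, else None.
    Anything not in the database is invisible to it."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Trusted snapshot, path -> digest, taken while the system is known clean."""
    return {path: sha256(data) for path, data in files.items()}

def check_integrity(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity check: flags files that are new or changed since the baseline,
    whether or not any signature knows them."""
    findings = {}
    for path, data in files.items():
        if path not in baseline:
            findings[path] = "new"
        elif baseline[path] != sha256(data):
            findings[path] = "modified"
    return findings

def compare(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, Tuple[Optional[str], str]]:
    """Per file: (signature hit or None, integrity verdict)."""
    integrity = check_integrity(baseline, files)
    return {p: (scan_signatures(d), integrity.get(p, "unchanged")) for p, d in files.items()}

# Constructed "disk": clean state, then a later state with one known sample,
# one never-submitted program and one silently patched trusted binary.
TRUSTED = {"C:/app/tool.exe": b"MZ original trusted tool", "C:/app/readme.txt": b"hello"}
LATER = {
    "C:/app/tool.exe": b"MZ original trusted tool\x00patched",
    "C:/app/readme.txt": b"hello",
    "C:/temp/known.exe": b"MZ" + SIGNATURES["Test.Sample.A"],
    "C:/temp/unknown.exe": b"MZ nobody has submitted this one yet",
}

def demo() -> Dict[str, Tuple[Optional[str], str]]:
    return compare(build_baseline(TRUSTED), LATER)

if __name__ == "__main__":
    for path, (sig, verdict) in demo().items():
        print(f"{path}: signature={sig} integrity={verdict}")
```

The unknown program and the patched binary get no signature hit at all, yet both are reported by the integrity check; the price, as with every proactive approach, is that the user must decide whether each new or changed file is legitimate.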
-antivirus products themselves can be affected by vulnerabilities, bugs and flaws; another good vector for intrusions (buffer overflows for instance) and opportunities for
Here, for instance, is a quick search on Secunia
detect new or unknown malware: even heuristic engines are limited, and can't cover all malware programming possibilities.
-malware is becoming more and more sophisticated and uses many techniques to evade scanner engines: packers like Morphine, Executor, Antidote, rootkit technologies (API hooking, memory subversion), cryptovirology and so on.
If we use API hooking with a legitimate piece of software (Hide Folders XP 2) to hide a test file (or any malware) like eicar.zip, it is not detected by an antivirus like Kaspersky, for instance: we can hide a collection of viruses on any desktop, and scanners will detect nothing (fortunately, this tool is certainly more often used to hide a collection of porn pictures from children, wives or girlfriends!).
-Antivirus products are mostly designed to combat malware, not attacks.
Phishing is statistically an attack whose number of victims increases every day.
Some antivirus software integrates anti-phishing protection: in fact, this protection is often limited (it blocks private information from being sent) and can't cover all the techniques used in phishing, like web spoofing, Cross Site Scripting...
-even the most exhaustive malware databases (Kaspersky for AVs and Webroot/Sunbelt for ASs) can't take a census of ALL available malware.
We can take a few examples to show that it's not difficult to install a keylogger, a trojan, or a backdoor without being detected by the majority of antivirus products.
Example 1: There's a real problem with keyloggers, simply because in a corporate environment this software can be used to spy on employees.
We can take for instance KgSpy: during my HIPS test last year, I submitted it to the Virus Total online scan, and only Kaspersky detected it:
Here again is the result of an online scan with this image.
Example 2: some banks provide virtual keyboard solutions to combat account ID theft.
But as software is not security, this solution is not secure at all, though it costs less money than hardware or authentication solutions (more info here).
Debasis Mohanty, for instance, has proved against Citibank that their solution was not secure, and has created a specific tool to demonstrate his POC.
So let's scan this tool on Virus Total: result here.
Example 3: virtual keyboard keyloggers can be downloaded for free on the net; here's an example, mostly intended for demonstration purposes: result here.
Example 4: now a simple experiment: we use a zip file of the eicar test:
Example 5: with an ICMP-based backdoor (I've renamed the file): the file is not recognized, and great, anyone can use it... and not only to audit his line of defense.
Example 6: with a nice French vbs trojan: here's the scan's result (nothing is
And there are many undetected files and methods that can be used to bypass scanner engines with no particular know-how, just by using Google.
Andrey Bayora, for instance, has studied the weaknesses of antivirus software.
The complete and very interesting study and research is available here (HTML).
At BlackHat Europe 2005, Wheeler and Mehta from the X-Force team have also
In the past, the problem had already been discussed, for example in these articles:
"Antivirus: great business, lost cause"
Why antivirus protection just isn't enough (by ISS)
Don't Play the Blame Game
Why relying on antivirus signatures simply doesn't work anymore
The Contemporary antivirus industry and its problems (by Eugene Kaspersky)
Other Links and Resources
-independent antivirus tests (only the tests provided by the two Andreas can really be considered independent):
Malware blog (in-the-wild tests by Eric Johansen from IBM)
About viruses and antivirus:
Virusall (other links on this page)
Softpanorama (exhaustive and recommended site)
And also the giant resource site of Eric Howes (virus info or antivirus products)
Many antivirus publishers provide online scans on their web sites (Panda, Symantec/Norton, NA/McAfee and so on) or the possibility to scan specific files.
But this solution is quite intrusive, and an interesting alternative is to use tools like Sysclean (TrendMicro), Vcleaner (removal list) or MicroWorld Toolkit.
Jotti Virus Scan
The Wild List
Virus Bulletin (registration required)
Online Malware Research Tool (launches a search in many AV databases simultaneously)
Antivirus-online (scanners vendors)
Other interesting sites