Anti-virus fallacies


This feature looks cool


Thursday, July 5, 2018

Do you know how companies often pick an anti-virus solution?

Do you think their information security personnel examine the results of comparative anti-virus tests and then choose the product that scores highest in most of them? That's what home users and very small companies usually do.

Or, perhaps, they test various solutions themselves? Only the most sensible companies use this approach, and their number is relatively small.

Believe it or not, most company security specialists pick an anti-virus based on its list of features. And we don't blame them—they don't know any better.

Every information security expert wants to know what an anti-virus is capable of. But setting up a test environment, writing test scripts and comparing the results takes a great deal of effort. Besides, how do you test anti-viruses that only look alike at first glance? "I'd rather ask the developer for a feature comparison table and see which features are available. That way I'll know which anti-virus will better protect our company's assets." You'd probably say that this is ridiculous, right? Well, this approach has been in use for ages.

Let's get back to the feature list. One feature that is regarded as a major advantage, and one that Dr.Web lacks, is a vulnerability scanner for Windows.

Why do Dr.Web products for Windows have no vulnerability scanner?

For starters, different types of vulnerability scanners exist.

Such a scanner can be a specialised program that inspects the applications installed on PCs and servers. It discovers known vulnerabilities: flaws in software code that attackers can exploit to penetrate a computer and perform various tasks on the compromised system.

A vulnerability scanner does not prevent attackers from exploiting unknown loopholes. This is true of stand-alone vulnerability scanners as well as of the corresponding anti-virus components.

The search relies on a database of known flaws in software code and of the fixes that close them. Vulnerability scanners do not merely look for loopholes; they can also determine whether a vulnerability has actually been patched, for example by comparing the installed version of an application with the first version that contains the fix.

Furthermore, scanners can examine an application's settings. It is no secret that a security misconfiguration (for example, allowing certain files or scripts to run in a system) can let criminals achieve their goals even when no vulnerability is found in the system.
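How the three checks described above fit together in practice, as an added illustration that is not Dr.Web's code or that of any real scanner: a database of known flaws, a version comparison that separates "patched" from "still vulnerable", and a couple of configuration rules. All product names, advisory identifiers and the host inventory below are constructed for the example; they are not real CVE data.

```python
"""Minimal model of a host vulnerability scanner (added example).

Three parts of the technique: a database of known flaws, a version check
that tells a patched installation from an unpatched one, and configuration
rules for settings that are dangerous even without a code flaw.
All advisory identifiers, products and the host inventory are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str             # constructed identifier, not a real CVE
    product: str
    fixed_in: str          # first version that contains the fix
    introduced: str = "0"  # first affected version


@dataclass(frozen=True)
class ConfigRule:
    ident: str
    setting: str
    unsafe_value: object
    note: str


@dataclass(frozen=True)
class Finding:
    ident: str
    subject: str
    detail: str


def version_key(v: str, width: int = 4) -> tuple:
    """'11.0.2' -> (11, 0, 2, 0); non-numeric suffixes are ignored."""
    nums = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    return tuple((nums + [0] * width)[:width])


def is_vulnerable(installed: str, adv: Advisory) -> bool:
    """Known-flaw check: a version inside [introduced, fixed_in) is unpatched."""
    v = version_key(installed)
    return version_key(adv.introduced) <= v < version_key(adv.fixed_in)


def scan(host: dict, advisories, rules) -> list:
    findings = []
    for adv in advisories:
        installed = host["installed"].get(adv.product)
        if installed is None:
            continue  # product not present: the advisory does not apply
        if is_vulnerable(installed, adv):
            findings.append(Finding(adv.ident, adv.product,
                                    f"{installed} installed, fixed in {adv.fixed_in}"))
    for rule in rules:
        if host["settings"].get(rule.setting) == rule.unsafe_value:
            findings.append(Finding(rule.ident, rule.setting, rule.note))
    return findings


# Constructed sample data: a tiny "database" and one host's inventory.
ADVISORIES = [
    Advisory("ADV-EX-001", "ExampleReader", fixed_in="11.0.3"),
    Advisory("ADV-EX-002", "ExampleBrowser", fixed_in="67.0.3396", introduced="60.0"),
    Advisory("ADV-EX-003", "ExampleOffice", fixed_in="16.0.4300"),
]
RULES = [
    ConfigRule("CFG-EX-001", "SMB1Protocol", True,
               "SMBv1 enabled: the protocol WannaCry's exploit targeted; disable it"),
    ConfigRule("CFG-EX-002", "MacroExecution", "enable_all",
               "Office macros run without prompting: a document can launch scripts"),
]
SAMPLE_HOST = {
    "installed": {
        "ExampleReader": "11.0.2",      # below fixed_in -> unpatched
        "ExampleBrowser": "67.0.3396",  # equal to fixed_in -> patched
        "ExampleOffice": "16.0.4266",   # below fixed_in -> unpatched
        "ExampleArchiver": "5.1",       # absent from the database: any flaw here stays invisible
    },
    "settings": {"SMB1Protocol": True, "MacroExecution": "enable_all"},
}


def scan_sample_host() -> list:
    return scan(SAMPLE_HOST, ADVISORIES, RULES)


if __name__ == "__main__":
    for f in scan_sample_host():
        print(f"{f.ident:12} {f.subject:16} {f.detail}")
```

The ExampleArchiver entry makes the limitation discussed in the text concrete: a product with no entry in the database produces no finding, however many flaws it actually has. Real scanners add supersedence chains (a later cumulative update also closes the flaw) and per-platform fix versions on top of this skeleton, but the matching logic is the same.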

Web vulnerability scanners go further and examine scripts, using rules built on the developer's experience of code analysis.

And there is more to vulnerability scanning than that: static and dynamic analysis, as well as fuzzing, can be used to look for code errors (learn more in the issue "Is no one to be trusted?").

Unlike specialised applications, the corresponding anti-virus components offer a much more limited set of features. The reason is simple: performance. Everyone knows that scanning of any kind affects system performance. And what happens if you run a vulnerability scanner backed by a huge database?

Anti-virus vulnerability scanners only use information about a limited number of loopholes, typically the most frequently exploited ones: browser vulnerabilities and flaws in Adobe and office suite applications. But applications exist in abundance, and any of them can have a vulnerability.

Doctor Web believes that this feature of anti-viruses for Windows creates a false impression of security. And here is why:

  • Application developers release security patches and notify their customers about them.
  • Vulnerability scanners and on-demand anti-virus scanners work in a similar way: unlike a resident anti-virus monitor, a scanner runs on a schedule, so a loophole that appears between two runs goes unnoticed until the next one.
  • A vulnerability scanner can only recognise known loopholes. But flaws exist that even the developers of the vulnerable applications know nothing about, and some vulnerabilities are considered too unimportant to patch.
  • It is not the vulnerabilities themselves that are dangerous but the code that can be deployed in a system by exploiting them.
  • Dr.Web protects computers from attempts to deploy malicious code through known and unknown loopholes, so attempts to exploit vulnerabilities come to nothing.
  • Because of these limitations, a vulnerability scanner by itself cannot keep a system secure.

Sometimes updates cannot be installed at all, and that situation can be more dangerous than an unknown loophole in the system. No vulnerability scanner will help here, but an anti-virus will. As we have already noted, vulnerabilities are exploited to deploy malware; a running anti-virus detects the malware, and the attacker gains nothing from the vulnerability. That's exactly what happened during the WannaCry outbreak: Dr.Web detected the Trojan as soon as systems came under attack.

#exploit #vulnerability #Dr.Web

The Anti-virus Times recommends

WannaCry spread through a vulnerability in SMBv1 that Microsoft had addressed two months earlier in security bulletin MS17-010, but which many system administrators had not yet patched.

Apparently, a vulnerability scanner was present on some of the infected machines. Why didn't the administrators use it to close the loophole?
