
Anti-virus fallacies

Anti-virus untruths


The more anti-viruses, the better the protection?

Read: 22884 Comments: 9 Rating: 15

Tuesday, March 3, 2020

It is well known that installing and running two anti-viruses on the same computer can have dire consequences. However, some security standards across the world do recommend that more than one anti-virus be used within an infrastructure. Who’s right? Let's try to find out.

To protect a computer, an anti-virus must be closely integrated into the system—it watches over all the entry points that malware can potentially use. A thorough analysis is required whenever USB media is connected to the computer or a file is downloaded over the Internet. Real-time protection constantly monitors all file operations to make sure that no malicious action is performed in the system at any point.

If an anti-virus is operating solo, it will enjoy sufficient freedom and system resources to get on with its tasks. The more anti-viruses you add to your computer, the less memory will be available to them to watch over all the potential points of intrusion. As a result, the computer will not have enough memory to perform other tasks, which, in turn, will lead to serious performance issues.

Fair enough. The more tasks being performed, the more memory and CPU power required. However, our avid readers will object to having an anti-virus scan USB drives automatically as soon as they are plugged into a computer, because many people remove flash drives without using the Safely Remove Hardware feature. If they unplug their device while scanning is in progress, they may lose their data.

Let's assume that you are downloading a file from the Internet. A reliable anti-virus will intercept the inbound data and scan the destination folder immediately to make sure that the object is safe to download. If multiple good anti-viruses are running in the system, they will all simultaneously dash to scan the file that is being downloaded. As a result, access to the file may get blocked. And that, in turn, will lead to a noticeable decrease in performance.

If the examined file is indeed malicious, even more severe issues may arise. Both anti-viruses will attempt to delete the file and prompt the user to move it to the quarantine. Should the user allow one anti-virus to quarantine the file and deny that action to the second one, the latter may regard the isolated files in the other anti-virus's quarantine as a threat and keep putting out pop-up threat alerts.

But this is not entirely true. First, if a file is being downloaded from the Internet, it will most likely be scanned in real time while the data is being transferred (in the case of Dr.Web, this task will be performed by the HTTP monitor SpIDer Gate). But suppose the anti-virus hasn't checked the file while it was being downloaded. A file monitor (Dr.Web SpIDer Guard) can examine files while they are being opened and closed and in paranoid mode this component will scan files whenever data is written into them. If a file has been downloaded, there is little utility in checking it while it is being closed—a closed file poses no threat and scanning it will only waste system resources. It is more expedient to examine the file when it is opened again. But let's assume that all the anti-viruses have rushed to scan a newly modified file. You also need to understand that an operating system can't perform these actions concurrently (well, as a matter of fact, modern multi-core systems can do that, but one has to be very careful because if the same file segment is being processed by several processes simultaneously, the consequences can be disastrous). Anti-viruses install special drivers in the system to hook into file access routines, and those hooks are queued. Thus, a well-designed system will grant anti-viruses access to the file one after another.

Important! File access hooks of this kind may enable malware to queue a hook function of its own to be executed first and thus remain undetected by all the anti-viruses. That's why Dr.Web hooks into the file access routines of the system drivers rather than the file operations being used by applications.
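The queueing described above, as an added model that is not Dr.Web code or any operating system's actual filter stack: several scanners register a hook on a file-access monitor, the monitor holds a per-path lock while it runs the hooks one after another in registration order, so two scanners never process the same file at the same time, and the open is refused as soon as one hook returns a "deny" verdict. The scanner names, the path and the marker bytes are constructed placeholders.

```python
"""Model of queued file-access hooks: scanners take turns on each file.

Added illustration, not Dr.Web or OS code. Hooks are assumed to receive
(path, data) and return (scanner_name, verdict) with verdict "allow"/"deny".
"""
import threading
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Hook = Callable[[str, bytes], Tuple[str, str]]


class FileAccessMonitor:
    """Runs registered hooks on every open, serialized per path."""

    def __init__(self) -> None:
        self._hooks: List[Hook] = []
        self._path_locks: Dict[str, threading.Lock] = {}
        self._guard = threading.Lock()
        self._in_flight: Dict[str, int] = defaultdict(int)
        # Highest number of hook chains seen running on one path at once;
        # stays at 1 because the per-path lock queues the callers.
        self.peak_in_flight: Dict[str, int] = defaultdict(int)

    def register_hook(self, hook: Hook) -> None:
        # Hooks run in registration order, like layers in a filter stack.
        self._hooks.append(hook)

    def _lock_for(self, path: str) -> threading.Lock:
        with self._guard:
            return self._path_locks.setdefault(path, threading.Lock())

    def open_file(self, path: str, data: bytes) -> Tuple[bool, List[str]]:
        """Return (allowed, verdict log). Each hook gets the file in turn."""
        with self._lock_for(path):
            with self._guard:
                self._in_flight[path] += 1
                self.peak_in_flight[path] = max(
                    self.peak_in_flight[path], self._in_flight[path])
            try:
                log: List[str] = []
                for hook in self._hooks:
                    name, verdict = hook(path, data)
                    log.append(f"{name}:{verdict}")
                    if verdict == "deny":
                        # First refusal blocks the open; later hooks need not run.
                        return False, log
                return True, log
            finally:
                with self._guard:
                    self._in_flight[path] -= 1


def make_scanner(name: str, marker: bytes) -> Hook:
    """Constructed stand-in for a detection routine: a byte marker lookup."""
    def hook(path: str, data: bytes) -> Tuple[str, str]:
        return name, ("deny" if marker in data else "allow")
    return hook


def build_monitor() -> FileAccessMonitor:
    monitor = FileAccessMonitor()
    monitor.register_hook(make_scanner("scanner_a", b"CONSTRUCTED-MARKER-A"))
    monitor.register_hook(make_scanner("scanner_b", b"CONSTRUCTED-MARKER-B"))
    return monitor


def concurrent_open_demo(threads: int = 8) -> Tuple[int, int]:
    """Open one clean file from many threads at once.

    Returns (peak concurrent hook chains on the path, number of allowed opens).
    """
    monitor = build_monitor()
    path = "C:/constructed/download.bin"  # constructed path
    results: List[Tuple[bool, List[str]]] = []

    def worker() -> None:
        results.append(monitor.open_file(path, b"clean constructed content"))

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return monitor.peak_in_flight[path], sum(1 for allowed, _ in results if allowed)


if __name__ == "__main__":
    m = build_monitor()
    print(m.open_file("C:/constructed/clean.bin", b"hello"))
    print(m.open_file("C:/constructed/bad.bin", b"xx CONSTRUCTED-MARKER-B xx"))
    print(concurrent_open_demo())
```

The design choice to show is the lock, not the scanners: whichever caller arrives first runs the whole hook chain while the others wait, which is the "one after another" behaviour the text describes and the reason several scanners on one file degrade into a queue rather than a collision.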

Indeed. This issue's author managed to run three anti-viruses on the same computer. Only the browser seemed nervous. That's why we do not recommend that you repeat this experiment.

The main problem with multiple anti-viruses in one system stems from their lack of trust in one another. Every anti-virus regards itself as the sole system protector. Because of this, it may treat another anti-virus's files as malicious. In the best-case scenario, you will have to deal with repeated false positives. At worst the programs will attempt to delete each other, which may have an adverse impact on overall system stability and corrupt important system files.

Well, that's a bit confusing. Why would an anti-virus assume the role of a sole protector? People often use other third-party firewalls and parental control solutions as well as other security and backup tools. Does this mean that anti-viruses engage in a battle with all those programs?

Can one anti-virus regard another anti-virus's files as malware? First, there is this ancient myth about virus definitions. Because malware signatures are stored in virus databases, people believe that an anti-virus will go insane should it stumble upon another anti-virus's database and detect a huge volume of malicious code in a single file. But signatures only incorporate typical code fragments, and there is no telling which piece of code will be picked by each anti-virus developer for their detection routines. Even if we assume that all the developers in existence accidentally came up with the same signature (probability theory deals with even more incredible things), even then nothing horrendous will happen—signatures are stored in the databases in compressed formats. An anti-virus won't start decompressing someone else's database—there is no utility in that.
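The point about compressed databases, as an added example that is not any vendor's code: a tiny byte-fragment scanner, a database of constructed placeholder fragments, and two ways of writing that database to disk. Stored raw, the database file trips every signature in the scanner; stored zlib-compressed, the fragments no longer appear as byte sequences and a scan of the file finds nothing, while the owning product still loads it through its own known format. Signature names, fragments and the record layout are all constructed.

```python
"""Why a byte-signature scanner does not trip on a compressed database.

Added illustration, not Dr.Web code. Fragments are constructed placeholders,
the record format is assumed, and zlib stands in for whatever compression a
real product uses.
"""
import json
import zlib
from typing import Dict, List


def build_signatures(count: int = 40) -> Dict[str, bytes]:
    """Constructed signature table: name -> short byte fragment."""
    sigs: Dict[str, bytes] = {}
    for i in range(count):
        name = f"Constructed.TestSig.{i:03d}"
        frag = b"CONSTRUCTED-FRAGMENT-%03d" % i + bytes([0xC0 + (i % 16)]) * 4
        sigs[name] = frag
    return sigs


SIGNATURES = build_signatures()


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Names of every signature whose fragment occurs verbatim in data."""
    return [name for name, frag in signatures.items() if frag in data]


def serialize_raw(signatures: Dict[str, bytes]) -> bytes:
    """Naive on-disk layout: fragments written as-is (what the myth assumes)."""
    return b"\n".join(name.encode() + b"=" + frag for name, frag in signatures.items())


def serialize_compressed(signatures: Dict[str, bytes]) -> bytes:
    """Assumed product format: hex-encoded JSON records, zlib-compressed."""
    plain = json.dumps({n: f.hex() for n, f in signatures.items()}).encode()
    return zlib.compress(plain, 9)


def load_database(blob: bytes) -> Dict[str, bytes]:
    """Only the owning product knows this layout; a foreign scanner never
    decompresses an arbitrary file on the chance that it is a database."""
    records = json.loads(zlib.decompress(blob))
    return {n: bytes.fromhex(h) for n, h in records.items()}


if __name__ == "__main__":
    sample = b"header " + SIGNATURES["Constructed.TestSig.007"] + b" trailer"
    print("sample hits:", scan_bytes(sample))
    raw_db = serialize_raw(SIGNATURES)
    print("raw database hits:", len(scan_bytes(raw_db)))
    packed_db = serialize_compressed(SIGNATURES)
    print("compressed database hits:", len(scan_bytes(packed_db)))
    print("round trip ok:", load_database(packed_db) == SIGNATURES)
```

Running it shows the asymmetry the text relies on: the raw layout produces one hit per record, which is the "huge volume of malicious code in a single file" people imagine, while the compressed blob produces none, because DEFLATE re-encodes literal bytes and the fragments are no longer byte-aligned sequences in the output.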

But every now and then media outlets report how a certain anti-virus started blocking another similar application. Yes, things like that may happen but no more often than incidents involving other legitimate applications being blocked. And sometimes an anti-virus starts removing its own files. No finger pointing here, but this is something that’s never happened to us.

However, anti-viruses do warn users that a certain application is being installed. In fact, no anti-virus can be 100 percent certain that all the applications in the system are legitimate. That's why installation alerts from the preventive protection component are to be expected. And that's how the anti-virus reacts to any installation attempt, be it another anti-virus or some other software.

But suppose that one anti-virus does indeed start deleting another one. Let's forget about self-defence mechanisms for a minute since those will never let that happen. What will happen if deletion commences? Well, nothing out of the ordinary. An anti-virus is just a piece of software. It is complex, but still it is only a program. No shooting exchanges and partition formatting to cleanse the area of an opponent.

Users often take advantage of system cleaning utilities to further enhance their security. Those programs do not run background file scans but rather clean systems when necessary. Can these scanners conflict with a running anti-virus?

If you only run periodic system scans, problems can be avoided.

That doesn't sound logical. For example, if Dr.Web CureIt! opens a file, the installed anti-virus (as described above) is supposed to notice that and examine the file before Dr.Web CureIt! gains access to it. "As a result, access to the file may get blocked". But, as people who use Dr.Web CureIt! know, nothing of the sort ever happens.

If you are interested in anti-virus software, you may decide to install several of them to protect your PC even better. But, in fact, you will achieve quite the opposite.

As a matter of fact, all those arguments give no information about protection technologies. They focus on possible issues—something that can actually be avoided if well-tested products are being used.

But does this mean that security standards are based on sound reasoning and two anti-viruses can indeed be installed on the same computer? This is not quite true either. The rationale behind using several anti-viruses concurrently is that different anti-virus developers may receive different malware samples, so should one anti-virus miss a certain trojan, the other one will surely detect it. But, in reality, it's not that simple. Virus makers test their malware against all known anti-viruses before their trojans are unleashed into the wild. And no matter how many anti-virus databases are being used in your system, multiple anti-virus scans won't protect you against a well-orchestrated attack. There are other technologies that can indeed enhance overall security (e.g., the behaviour analyser).

#anti-virus_scan #security #Dr.Web_CureIt!

The Anti-virus Times recommends

  • The more anti-viruses running in a system, the more CPU power and memory are used. That makes sense.
  • If an anti-virus has been tested thoroughly by its developer, perhaps you will experience no compatibility issues whatsoever. Why “perhaps”? Well, because real-time protection mechanisms are not supposed to run alongside other similar applications. Meanwhile, Dr.Web CureIt! and Dr.Web KATANA work just fine in the presence of other anti-viruses.
  • Getting more anti-viruses won't give a significant boost to your system security. However, scanning a system regularly with another anti-virus can be quite useful. Some virus databases may lack information about certain malicious programs. Dr.Web CureIt! has been designed specifically to rid systems of the things the installed anti-virus knows nothing about.
