Anti-virus fallacies

Multi-engine scanners are so last century


Vladimir Mayakovsky "You shall not pass!" 1892

You've probably visited websites where they advised you to turn off Dr.Web Security Space's SpIDer Gate or Parental Control so that you could easily get to a location the anti-virus was blocking.

If a user is undecided about whether Dr.Web is actually wrong, some sites recommend that they make sure the alarm is indeed a false one. To do so, users are advised to check the file with a multi-engine scanner (such as VirusTotal) before downloading it. But these advisers overlook certain aspects of the complex phenomenon that anti-virus security has become.

What are multi-engine scanners? These are websites where users can upload files to scan them with multiple anti-virus applications. VirusTotal is probably the most popular site of this kind, but other similar services exist. Instead of uploading the entire file, users may choose to submit only its checksum. In this case, the site can only deliver a verdict if a file with the same checksum has previously been scanned.

Legitimate multi-engine sites relay information about new malicious files to anti-virus developers, while disreputable ventures offering the same services naturally don't.

How do multi-engine scanners work? Uploaded files are handed over to running anti-virus scanners that examine them and return a verdict. However, they only check files against their malware database records, without actually launching them. As a result, if an anti-virus doesn't have the required malware signature in its virus database and if its heuristic routines don't detect anything, even an ordinary encryption ransomware trojan will be pronounced harmless. On a side note, Dr.Web was able to identify and block WannaCry, thanks to its heuristic methods, which have been honed and perfected—we kid you not!—since 1994.

A multi-engine scanner report merely shows whether the anti-viruses "know" about the file. Nothing more. No multi-engine scanner can warrant that a file is clean.

But let's present our arguments in their proper order.

  1. Virus makers use multi-engine scanners, too—before they release a new malware sample into the wild. They check it against all popular anti-virus engines. By doing so, they ensure that no anti-virus can detect the new pest with 100 percent certainty, at least for a while.
  2. And that only includes signature-based scanning. But seriously, who now actually expects virus databases to ensure robust anti-virus security? Should another WannaCry-like outbreak happen, the time needed by malware analysts to add the new signature to the database may be just enough to bring the entire world to the verge of destruction. Anti-viruses have long been supplementing virus databases with technologies that enable them to detect malicious behaviour—after a file has been launched. These include the preventive protection functionality.
  3. Executable packers. A file can be compressed with a packer that the anti-virus scanner doesn't support. In this case the anti-virus won't be able to extract the contents and verify them against signatures in its database. How does this undermine anti-virus security on computers? If a malicious file has been compressed multiple times or if the container uses a compression format that many anti-viruses do not yet support, the malware is guaranteed to pass a multi-engine security check undetected by at least some of the anti-viruses. On another side note, Dr.Web incorporates technologies that can extract malicious objects compressed with unknown compression formats.
  4. Privacy. Let's say you have just received a strange email, ostensibly from your boss, but something doesn't feel right. You want to check it and upload the message to a multi-engine scanner site. It may turn out that the file is actually clean, but the problem is that you have just forwarded it to someone else's server. If no anti-virus regards a file as malicious, some multi-engine scanners make an extra effort to send the file to anti-virus laboratories for more in-depth examination—which is the right thing to do. But would you like your classified corporate document to be disseminated across multiple anti-virus companies around the world and potentially be used to harm your employer?
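To make point 3 concrete, here is an added example (not code from Dr.Web or from any scanner service) of a toy static engine. The marker string, the signature name, the single supported unpacker and the depth limit are all constructed for illustration; the point is that `None` means "no detection", never "clean".

```python
import lzma
import zlib

# Constructed, harmless marker standing in for a malware signature.
SIGNATURES = {"Test.Marker.A": b"CONSTRUCTED-HARMLESS-TEST-MARKER"}

# Unpackers this toy engine supports; anything else is opaque bytes to it.
UNPACKERS = {"zlib": zlib.decompress}


def unpack_layers(data, max_depth):
    """Yield data, then each layer the engine manages to unpack (up to max_depth)."""
    yield data
    for _ in range(max_depth):
        for unpack in UNPACKERS.values():
            try:
                data = unpack(data)
                break
            except Exception:
                continue
        else:
            return  # no supported unpacker understood this layer
        yield data


def static_scan(data, max_depth=1):
    """Return a signature name, or None meaning 'no detection' (not 'clean')."""
    for layer in unpack_layers(data, max_depth):
        for name, pattern in SIGNATURES.items():
            if pattern in layer:
                return name
    return None


def demo():
    """Scan the same constructed payload raw and in three wrapped forms."""
    payload = b"header " + SIGNATURES["Test.Marker.A"] + b" padding" * 32
    samples = {
        "raw": payload,
        "zlib x1": zlib.compress(payload),
        "zlib x2": zlib.compress(zlib.compress(payload)),
        "lzma x1": lzma.compress(payload),
    }
    return {label: static_scan(blob) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:8} -> {verdict or 'no detection'}")
```

The same bytes are flagged raw and under one supported layer, but come back with no detection once the layer count exceeds the engine's depth budget or the format is one it cannot open.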

And here’s an anecdote to wrap things up. Several years ago, a renowned anti-virus developer set out to prove that other lesser-known developers had been stealing its malware signatures. To accomplish this, a Windows calculator file was compressed several times, ranked as malicious in the anti-virus's databases, and uploaded to VirusTotal. A few minutes later, a number of other anti-viruses began to regard the Microsoft file as malware.

This story is not intended to reveal the heinous nature of multi-engine scanners but rather to demonstrate that one can't rely on them completely. Nowadays, the scanners are a thing of the past. In our new century, they can't keep computers safe—unlike Dr.Web’s comprehensive security technologies.


The Anti-virus Times recommends

If your anti-virus prevents you from downloading or launching a file, beware of even trying.

If it warns you against visiting a certain site, heed the warning. The anti-virus does that for a reason.

It is trying to keep you safe!
