Anti-Virus 101 - What you need to know about Anti-Virus
Wednesday, January 6, 2010 at 11:45AM
Alfred Huger
Many of us have some sort of Anti-Virus (AV) software installed. AV is almost as common as a word processor, yet it is still not well understood beyond its basic (often unfulfilled) promise to protect you from malware. In fact, rather than people speaking about how effective their AV is, I generally hear people judge their AV software's quality by how much it does or does not slow down their machine. I recently had a user ask me to explain the basic fundamentals of how AV software works so they could actually judge how well *our* stuff was working. Fair question, but I'm afraid the response will be a bit long-winded (in Internet terms anyhow).
My goal here is to provide something for the average user that helps demystify some of the black magic around Anti-Virus. This is not a blog specific to how Immunet builds Immunet Protect or how we leverage the cloud. This is about the fundamentals.
I also think it's important to narrow our scope a little so we can cover this in two or three short blogs. The primary topic of the blog in general is malicious file detection; this is the working man's portion of any AV product. It is the software that tells you whether the files you encounter (however you may get them) are good, bad or indifferent.
In the interest of brevity I will avoid the sundry other features most AV suites ship with, because for the most part they fall into two categories:
- They are too important to review with brief coverage so I’m skipping them in favor of a future blog.
- They are superfluous features designed to make you feel better about paying $60 for an already bloated AV product and don’t really merit discussion.
So, now that we’ve narrowed the field and set your expectations, let’s dig in.
What exactly is your AV software supposed to do?
You will encounter a wide variety of available AV software packages in the marketplace today. Even though packages will vary wildly in their aesthetics their end goals are ultimately the same. These goals in broad terms are to:
- Help you keep unwanted software off your computer.
- Help keep your identity to yourself (versus it being sold for $20 on the open market).
- Help you recover from any possible infections.
All of these products are expected to effect these goals within some very tight constraints: users want them done with low system overhead and a high degree of accuracy. Most users also want this done in a way that is largely out of their sight. In short, people want their computers to remain snappy and responsive and do not want to get a virus. This is the challenge set before AV makers the world around.
To sit in judgement...
A great many of the threats in the field today (not all, but most) come by way of programs that attempt to get onto your computer, execute, and do things you would generally prefer they not do. In order to stop these files from getting into a position to do anything harmful, your AV software first must understand them, or classify them if you like. Modern Anti-Virus software generally has four ways of seeing a file:
Clean – If a file gets this stamp, then your Anti-Virus software is pretty sure this file is not a virus, and so it marks it as 'clean'.
Unknown – This means your Anti-Virus package is really not sure what this file is. It does not look dirty, yet it is not known to be clean. Generally it is going to be treated as clean, though.
Malicious – If a file gets this designation, then your Anti-Virus software believes this file is unwanted software of some description.
Suspicious – This is where a file has some attributes that look odd or suspicious but are not enough in and of themselves to draw outright condemnation. Often these dispositions default to the same treatment Unknown files receive, unless users opt for more 'aggressive' detection.
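To make the four dispositions concrete, here is a toy disposition engine. It is an added example, not Immunet's code or any real product's engine: the "signature database" is two SHA-256 digests computed from constructed sample files, the heuristics (PE header, high entropy, embedded shell-launch strings) and the two-flag threshold are assumptions chosen for illustration, and the aggressive-mode switch models the default-allow treatment of Suspicious files described above.

```python
"""Toy file-disposition engine illustrating the four AV verdicts.

Added example, not Immunet's code. The "signature database", the
thresholds and the sample files below are constructed for the demo.
"""
import hashlib
import math
from collections import Counter
from enum import Enum


class Disposition(Enum):
    CLEAN = "clean"            # known good: allowed
    UNKNOWN = "unknown"        # no verdict: allowed by default
    SUSPICIOUS = "suspicious"  # odd attributes: treated like unknown unless aggressive
    MALICIOUS = "malicious"    # known bad: blocked


# Constructed sample files (stand-ins for real binaries).
CLEAN_SAMPLE = b"Hello, this is a harmless text file.\n"
BAD_SAMPLE = b"MZ" + b"\x90" * 64 + b"pretend-malware-payload"
PACKED_SAMPLE = b"MZ" + bytes(range(256)) * 4   # PE header plus high-entropy body

# Constructed "signature database": sha256 digests the engine already knows.
KNOWN_CLEAN = {hashlib.sha256(CLEAN_SAMPLE).hexdigest()}
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_flags(data: bytes) -> list:
    """Cheap static attributes that, taken together, make a file look odd.

    None of these alone proves anything: every legitimate Windows program
    starts with "MZ", and compressed installers have high entropy too.
    """
    flags = []
    lowered = data.lower()
    if data[:2] == b"MZ":
        flags.append("pe-header")
    if shannon_entropy(data) > 7.0:          # assumed threshold
        flags.append("high-entropy")
    if b"cmd.exe /c" in lowered or b"powershell -enc" in lowered:
        flags.append("shell-launch-string")
    return flags


def classify(data: bytes) -> Disposition:
    """Signature lookups first; heuristics only when no signature matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD:            # exact signature hit wins
        return Disposition.MALICIOUS
    if digest in KNOWN_CLEAN:          # allowlist hit
        return Disposition.CLEAN
    # No signature either way: two or more odd attributes make it suspicious.
    if len(heuristic_flags(data)) >= 2:
        return Disposition.SUSPICIOUS
    return Disposition.UNKNOWN


def action(disposition: Disposition, aggressive: bool = False) -> str:
    """Map a verdict to what the product does with the file."""
    if disposition is Disposition.MALICIOUS:
        return "block"
    if disposition is Disposition.SUSPICIOUS and aggressive:
        return "block"
    return "allow"   # clean, unknown, and (by default) suspicious


if __name__ == "__main__":
    samples = [("clean", CLEAN_SAMPLE), ("bad", BAD_SAMPLE),
               ("packed", PACKED_SAMPLE), ("text", b"just some notes")]
    for name, sample in samples:
        d = classify(sample)
        print(f"{name:7} -> {d.value:10} default={action(d)} "
              f"aggressive={action(d, True)}")
```

The ordering in `classify` is the point: a signature match (either way) is authoritative, and heuristics only get a say for files the database has never seen. Note how the packed sample is flagged Suspicious yet still allowed unless aggressive mode is on, which is exactly why a packed but legitimate installer rarely gets blocked, and why a packed but unknown piece of malware often sails through too.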
Cleaning up after the party.
In the case that your Anti-Virus fails you and you end up with an infection, Anti-Virus software is tasked with removing the threat. If you were an Anti-Virus software package, this would, by far, be the most thankless part of your job. The real root problem is that once a virus is on your system, removing it is often a best-guess sort of business. Most threats today invite all of their friends to the party once they get a foothold on your computer, and these new invitees follow suit and often do the same thing! Pretty soon one infection with 10 associated installs/files becomes 10 infections with 200 installed files and maybe a new kernel driver or two. Your software is now left with the bewildering task of trying to sort out this tangled mess. As many of you know, AV software often fails here. Take a look at any major anti-virus vendor. They all have 'virus removal services' attached to their tech support. This is obviously because their software (which is probably very good) will fail at this often enough that they need to build a whole part of their support organization to deal with it. It's not nice to hear, but the reality is that removal is tough and it will fail from time to time. Be aware of alternatives, and remember that an ounce of prevention (good AV plus good behavior) is in this case worth a pound of cure.
Our next blog will cover various Anti-Virus detection engines you are likely to see in your product.