How do antivirus programs really work? Detection after the fact or prevention?

RayLopez99

Just like the title says, do the AV programs (or most of them),
including MBAM, such as those found in this list:
http://anti-virus-software-review.toptenreviews.com/index.html, work
by preventing virus programs from infecting your system in the first
place, or do they work after the fact, by preventing their spread and/or
deleting them? Same for any kind of badware or malware.

Also if you browse websites will these AV programs stop infections /
malware from loading onto your system via the browser?

Assume best case scenario, in that you have the registered, paid
version of MBAM and the other AV programs, since I understand the free
version of MBAM does not work in real time and the same could be true
of the other AV programs, since the free versions are often just
crippled "detect only" versions.

RL
 
RayLopez99 said:
Just like the title says, do the AV programs (or most of them),
including MBAM, such as found in this list:
http://anti-virus-software-review.toptenreviews.com/index.html, work
by preventing virus programs from infecting your system in the first
place,

This is basically what "detection" is all about, and it used to be
mostly a preventative measure. The idea was that you scan a program file
before you execute it - and "known" malware would be detected so that
you could avoid executing it. Best practice included a 'cooling off'
period for new (to the machine) programs in order to allow them time to
become "known" to the AV program if they are malicious (the zero-day
period used to be weeks or more for some malware).

Nobody wanted to use the quarantine 'cooling off', nor it seems did they
want to scan new programs at all. The "on access" detectors act as a way
to take the user out of the loop - all programs will be scanned by the
detector *after* the new program is invoked but before it actually executes.

From a purist's standpoint, all that is needed is to detect. You can be
given the chance to not execute it, and delete it (and get a clean copy
from your backups). AVs became competitive in their ability to "clean"
virally infected files, but still it is better to delete them and *have*
a file backup plan in place. As for most classic trojans, no need for a
backup or a cleaning - just delete them when detected, as they have no worth.
or, do they work after the fact in preventing their spread and/or
deleting them?

This depends on the individual program being discussed. Some programs
will "detect" by program behavior - and for programs to have a behavior,
they have to be executing. This is where "identification" comes into
play. The scanner has to clearly identify a malware program in some
cases if it is going to be able to "remove" it from a system.
Same for any kind of badware, malware.

There may be differences between how one type of badware is handled as
opposed to how another is. Also, if a lame malware detector were to
"identify" a trojan by a cryptographic hash algorithm of the file and
the trojan got infected by a virus, *both* would get through. If the
"real-time" component of the detector used behavior monitoring then you
may get a warning and a successful cleaning on the known malware and it
would miss the virus.

A better malware detector might not rely on a hash algorithm or two, but
might use other indicators within the trojan file and "prevent" the
trojan *and* the viral infection.
Also if you browse websites will these AV programs stop infections /
malware from loading onto your system via the browser?

Some will; I think they generally call these "web shield" or something
like that. Others will only do that if a recognized malware is saved on
your hard drive (temp files, for instance).

[...]
 
This was all very interesting but specifics were left out. I suppose
it would be impossible to list all specific programs, but does Norton,
for example (I'm leaning towards getting it), do the "prevention" and
"shields" thing, as well as the detection-after-the-fact thing? I
guess the answer is yes. Perhaps the key is this: for known badware
that fails the hash check, it is prevented. For unknown (zero-day or
rare viruses/malware) badware, the "prevention" thing is done
(heuristics). And the "shields"--do they block redirects to known bad
sites, or prevent your Java from being exploited (apparently in my
case the trojan got in because--it seems--I was using an old version
of Java that had some sort of security flaw--I've since updated to the
latest version of Java)?

RL
 
RayLopez99 said:
This was all very interesting but specifics were left out.

Indeed they were, and I left them out too.
I suppose it would be impossible to list all specific programs,
but does Norton, for example (I'm leaning towards getting it), do
the "prevention" and "shields" thing, as well as the
detection-after-the-fact thing?

I'm sure it does, if you are talking about the security suite and not
just a plain AV program. It might even be something that their regular
AV offering does, but I'm not sure.
I guess the answer is yes. perhaps the key is this: for known badware,
that fails the hash check, it is prevented.

Well, in that scenario it was a blacklist, not a whitelist, so if the
hashes matched it was a known badware. If the comparison *failed* it
would fail to recognize it and would let it through. It was a very
simplistic example; I doubt that many detectors rely solely upon hash
comparisons. Much of the malware out there today uses server-side
polymorphism, so many, many hashes are needed for different forms of the
same malware variant.

Same idea as you wrote above, just kind of upside-down.
For unknown (zero-day or rare viruses/malware) badware,
the "prevention" thing is done (heuristics). And the
"shields"--does it block redirects to known bad sites,
or prevent your Java from being exploited (apparently
in my case the trojan got in because--it seems--I was
using an old version of Java that had some sort of
security flaw--I've since updated to the latest version
of Java)?

Usually, you can find a list of features on the website
where they advertise. Everything seems to be a "shield"
of some kind, the important thing is what kind of shield.
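The two detection strategies contrasted in this thread (the earlier reply's hash-identified trojan that then gets infected by a virus, and the remark just above that server-side polymorphism needs "many, many hashes") put side by side in code. This is an added example, not code from this thread or from any product named in it. The sample bytes, the indicator strings (the /gate.php path, the Run key), the "virus" marker and the rule names are all invented and inert; the point is only that a whole-file hash misses every altered copy while a byte-pattern indicator keeps matching both the trojan and the infector.

```python
import hashlib
import random
import re
from typing import Dict, List

# --- Constructed samples (inert bytes, not real malware) --------------------
# Stand-in "trojan": carries two distinctive strings a scanner could key on.
# The C2 path and the persistence key are invented for this example.
TROJAN = (
    b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00"
    + b"POST /gate.php HTTP/1.1\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00" * 32
)

# Stand-in "file infector": a prepending virus puts its own body in front of
# the host program, so every byte of the host is still there, just shifted.
VIRUS = b"\xeb\x10PREPENDER-V1\x00" + b"\x90" * 16


def infect_prepend(host: bytes) -> bytes:
    """What a prepending infector does to a host file (here: to the trojan)."""
    return VIRUS + host


def repack_server_side(body: bytes, seed: int) -> bytes:
    """Simulates a download server handing each visitor a different-looking copy:
    same program, fresh random overlay. Every copy gets a new whole-file hash."""
    rng = random.Random(seed)
    overlay = bytes(rng.randrange(256) for _ in range(64))
    return body + overlay


# --- Two detection strategies ------------------------------------------------
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Strategy 1: whole-file hash blacklist. Knows exactly one file: the pristine
# trojan as first captured.
HASH_BLACKLIST: Dict[str, str] = {sha256(TROJAN): "Trojan.Gate"}

# Strategy 2: indicator rules, i.e. byte patterns inside the file that survive
# padding, prepending and repacking (regex over bytes; '.' is a wildcard byte).
INDICATOR_RULES: Dict[str, re.Pattern] = {
    "Trojan.Gate": re.compile(
        rb"POST /gate\.php HTTP/1\.1\x00.{0,128}CurrentVersion\\Run\x00", re.DOTALL),
    "Virus.Prepender": re.compile(rb"\xeb\x10PREPENDER-V\d\x00"),
}


def detect_by_hash(sample: bytes) -> List[str]:
    name = HASH_BLACKLIST.get(sha256(sample))
    return [name] if name else []


def detect_by_indicator(sample: bytes) -> List[str]:
    return [name for name, rule in INDICATOR_RULES.items() if rule.search(sample)]


def scan(sample: bytes) -> Dict[str, List[str]]:
    return {"hash": detect_by_hash(sample), "indicator": detect_by_indicator(sample)}


if __name__ == "__main__":
    samples = {
        "pristine trojan": TROJAN,
        "trojan infected by prepending virus": infect_prepend(TROJAN),
        "trojan repacked server-side (seed 1)": repack_server_side(TROJAN, 1),
        "trojan repacked server-side (seed 2)": repack_server_side(TROJAN, 2),
    }
    for label, data in samples.items():
        print(f"{label:40s} sha256={sha256(data)[:12]}... {scan(data)}")
```

Running it shows the hash rule firing only on the pristine file: the infected copy and each server-side repack carry a new hash, so a blacklist would need one entry per copy, while the indicator rules still name both the trojan and the virus that attached itself to it. Real engines combine several such indicators and weight them to keep false positives down; a single substring is the simplest case.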
 
Per RayLopez99:
I suppose
it would be impossible to list all specific programs, but does Norton,
for example (I'm leaning towards getting it), do the "prevention" and
"shields" thing, as well as the detection-after-the-fact thing?

Maybe somebody who actually knows something can comment on this,
but my question would be "Why get something that costs money when
Avast's freebie version will do the job?"

I've had Avast on all of my own PCs and on two family members'
PCs for over five years now. The only time I ever had a problem
was when somebody deliberately overrode one of Avast's "You've
got a virus in this email and we're not going to open it unless
you override this prompt...." messages.

Had occasion to do a Kaspersky boot-time scan a couple of times
on my main PC, and it came up clean... so I'm guessing Avast is
doing the job.... and the price is definitely right.
 
What is your OS? Windows 7 or XP?

Do you practice Safe Hex? I surf free porn and that's a bit more
risky.

I think if you just answer emails from known friends and visit Groupon
free coupon sites, your chances of getting any kind of badware are very
small, assuming you use the default Windows firewall. In fact I think
the firewall is more important than the antivirus programs.

RL
 
Usually, you can find a list of features on the website
where they advertise.

Not really. They don't get into details.
Everything seems to be a "shield"
of some kind, the important thing is what kind of shield.

And what would those kind of shields be?

Thanks for your other answers, and i'm curious, if server-side malware
morphs, then how is it detected in a blacklist? Or I guess it cannot
be?

RL
 
Per RayLopez99:
What is your OS? Windows 7 or XP?

I run XP on my desktop machines, 7 on a laptop.

Somebody else - whose laptop I recovered from a really nasty
virus after they had been going bareback - has Avast also.

This person surfs real estate sites a *lot* (which is where one
of the nasties they picked up probably originated) and her
husband uses the same machine to surf porn sites.

It's been almost a year, and no problems reported.

Also, I use Chrome as my browser and heed the advice of an Add-In
called Avast WebRep. I'm also fooling around with another
Add-In called "WOT" ("Web Of Trust").

From what I've read so far, the vectors for viruses seem to be
shifting from email to web pages.

Avast purports to check web pages (as well as files, mail, P2P,
IM, and a couple others)... but I'm a belt-and-suspenders
advocate if it doesn't cost too much... and the Chrome Add-Ins
don't cost anything - either in money or time.
 
RayLopez99 said:
Thanks for your other answers, and I'm curious: if server-side malware
morphs, then how is it detected in a blacklist? Or I guess it cannot
be?

The existence of, and (false) trust in, blacklists
is what enhances the value of 0day releases.
Better than trying to win an often unwinnable race
is to prevent the opportunity for disaster.
 
RayLopez99 said:
Not really. They don't get into details.

Yeah, they may say web shield but be secretive about how they implement
it - or 'download protection' or 'proxy filtering' without enough detail
for you to know exactly how it does what it does.
And what would those kind of shields be?

'Active shield' might be "on access" scanning, where a 'real-time' shield
might be "behavior monitoring"; they all try to make it sound like they
have something else the other guy doesn't. Web shield might be proxy
filtering of HTTP/HTML and scripting or maybe even just a cloud-based
blacklist/whitelist implementation.
Thanks for your other answers, and I'm curious: if server-side malware
morphs, then how is it detected in a blacklist? Or I guess it cannot
be?

Each new sample is analyzed and a signature created and distributed.
This is in sharp contrast to polymorphic viruses where the algorithm for
creating the differing forms is carried within the virus and can be
analyzed - the server side morphing doesn't have to stay the same, it is
human driven.

This is one reason I thought it was a bad idea for the antivirus
companies to delve into the antimalware business. Antimalware is a whole
'nuther ballgame. It is also a reason to continue to try to educate
others that the dichotomy (distinction) between trojan and virus is an
important one and not 'mere semantics' as some suggest.
 
(PeteCresswell) said:
Avast purports to check web pages (as well as files, mail, P2P,
IM, and a couple others)... but I'm a belt-and-suspenders
advocate if it doesn't cost too much... and the Chrome Add-Ins
don't cost anything - either in money or time.

I read somewhere that some web shield type program even follows links
and scans those pages too. That's not something I would want, but I can
see how somebody else might. I run with antivirus only (and I'm not sure
that I really need that) - no HOSTS file or any antispyware or
antimalware except as on demand scanners.
 
Each new sample is analyzed and a signature created and distributed.
This is in sharp contrast to polymorphic viruses where the algorithm for
creating the differing forms is carried within the virus and can be
analyzed - the server side morphing doesn't have to stay the same, it is
human driven.

I see. So perhaps the morphing, if I read this correctly, is not
really done in the server but in the virus. That is, I can envision a
virus/malware that lives on an evil server and changes say every 10
minutes.
This is one reason I thought it was a bad idea for the antivirus
companies to delve into the antimalware business. Antimalware is a whole
'nuther ballgame. It is also a reason to continue to try to educate
others that the dichotomy (distinction) between trojan and virus is an
important one and not 'mere semantics' as some suggest.

Not sure what you mean here...sorry if I missed the thread about the
important distinctions between a virus and malware. I know that you
and David L and a few others, like maybe Dustin, went back and forth a
while ago, but as a layperson and high-level language (C#) programmer
I did not really pay attention to the details, which seem to have been
cryptic one-liners that only you guys know the meaning of. Perhaps
another thread and a synopsis of the differences are needed. Other
than "a trojan is a worm" and "a virus replicates in your PC" I'm not
entirely clear myself on the differences.

RL
 
I read somewhere that some web shield type program even follows links
and scans those pages too. That's not something I would want, but I can
see how somebody else might. I run with antivirus only (and I'm not sure
that I really need that) - no HOSTS file or any antispyware or
antimalware except as on demand scanners.

A bunch of issues raised by your post. You seem to like this whole
enchilada style of prose. <g>

Why don't you like an AV web scanner (which I assume refers to links,
such as sending the links from a host page to a server run by the anti-
virus company to check the pages linked to)?

Why do you run AV only? You a professional? Maybe you trust you can
remove any malware/badware yourself? By noticing stuff loaded in Task
Manager? Man you're good if that's the case.

HOSTS file. I have no idea what that is, except once, to get a cracked
copy of Adobe running, I had to change the HOSTS file. From what I can
tell it's a sort of primitive lookup table used by browsers. You
killed your HOSTS file I take it, though how your software that
depends on this HOSTS file, like say Adobe Acrobat or Photoshop, would
work is beyond me.

RL
 
(PeteCresswell) said:
I run XP on my desktop machines, 7 on a laptop.

Somebody else - whose laptop I recovered from a really nasty
virus after they had been going bareback - has Avast also.

Avast! is a good product. I use it myself on a few machines. I also
use Panda (for XP) and even Comodo which is predicated on having a
clean machine but it will keep it clean. I also use Microsoft
Security Essentials (it was this program that failed to catch a
certain scareware trojan, but no matter I still continue to use it,
and I've supplemented it with freeware from Malwarebytes MBAM). All
of these programs with firewalls of course, both hardware and software
driven.

This person surfs real estate sites a *lot* (which is where one
of the nasties they picked up probably originated) and her
husband uses the same machine to surf porn sites.

It seems then that the non-porn sites are possible carriers of viruses/
nasties. I agree. I have a sneaky suspicion that I did not catch the
trojan from a porn site--I could be wrong, since I did surf a site on
page 2 of Google "free porn", which means it was a not heavily
trafficked site, and possibly it has exploits on it that were not
detected--but I swear the trojan seems to have sprung up almost right
after I went to the well known non-porn site of Speedtest.net, which I
use to get bandwidth statistics from. This site is very mainstream
and never has given me any problems (and I use it constantly every
day) but it could be, just speculating here, that the bad guys briefly
hijacked this page for a few hours and infected it with exploits.
It's been almost a year, and no problems reported.

Also, I use Chrome as my browser and heed the advice of an Add-In
called Avast WebRep.  

Yes, I remember this for Chrome on my other machine. The first page of
Google "free porn" sites (my litmus test for malware) were all
given good ratings by Avast's WebRep.

I'm also fooling around with another
Add-In called "WOT" ("Web Of Trust").

From what I've read so far, the vectors for viruses seem tb
shifting from email to web pages.

Yes I think you're correct.
Avast purports to check web pages (as well as files, mail, P2P,
IM, and a couple others)... but I'm a belt-and-suspenders
advocate if it doesn't cost too much... and the Chrome Add-Ins
don't cost anything - either in money or time.

Right. I might buy a paid version only to get that extra 5% edge but
I agree you can do 95% or more it seems with freeware.

RL
 
RayLopez99 said:
I see. So perhaps the morphing, if I read this correctly, is not
really done in the server but in the virus. That is, I can envision a
virus/malware that lives on an evil server and changes say every 10
minutes.

Nope. The polymorphic virus doesn't need a server as it is
self-distributing, and it morphs *itself* into a new host program on
each iteration. The server-side poly is for non-replicating malware so
it can take many forms as it is being distributed as well.
Not sure what you mean here...sorry if I missed the threat about the
important distinctions between a virus and malware.

It's right here in this thread. Polymorphic viruses are "self"
polymorphic and carry the morphing algorithm with them. For
non-replicating malware the polymorphic engine is not carried with the
malware but is with the distribution program (or perhaps a human)
instead. Often it is part of the program on the server that serves up
the malware to visitors. You can't glean the algorithm by capturing an
instance of the malware like you can with viruses.
I know that you
and David L and a few others like maybe Dustin went back and forth a
while ago, but as a layperson and high level language (C#) programmer
I did not really pay attention to the details, which seem to have been
cryptic one-liners that only you guys know what they mean. Perhaps
another thread and a synopsis of the differences are needed. Other
than the "trojan is a worm" and "virus replicates in your PC" I'm not
entirely clear myself on the differences.

Well, understanding will help if you are trying to answer questions like
"will this defense help protect against that malware?" because different
methods are required to combat different malware types.

BTW, worms are replicators and as such are not trojans. Trojans are
non-replicators. As non-replicators they don't have iterations that can
take differing forms, each new form must be made by the distribution
mechanism be it human or programming on a server.
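The distinction drawn in this reply and the earlier one (a self-polymorphic virus carries its decoder, so one captured copy reveals the morphing algorithm; with server-side morphing the engine stays on the server and one sample says nothing about the next download) as an added illustration that is not code from this thread. The "stub" bytes, the two packers, the payload string and the key layout are invented stand-ins, not real virus code; "emulation" below means nothing more than re-running the decoder logic learned from one sample on the next one.

```python
import hashlib
import random
from typing import List, Optional

# Constructed, inert stand-in for the part of a virus that does the work.
PAYLOAD = b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00ADDME.EXE\x00"

# Invented markers standing in for the invariant bytes of a decoder loop. Real
# engines vary the decoder as well, but some part of it still has to run as-is.
XOR_STUB = b"\xeb\x05XORLOOP"
ADD_STUB = b"\xeb\x05ADDLOOP"


def _header(stub: bytes, key: int, body: bytes) -> bytes:
    """Copy layout: stub | key (1 byte) | body length (2 bytes, big-endian) | body."""
    return stub + bytes([key]) + len(body).to_bytes(2, "big") + body


def encode_xor(payload: bytes, key: int) -> bytes:
    return _header(XOR_STUB, key, bytes(b ^ key for b in payload))


def encode_add(payload: bytes, key: int) -> bytes:
    return _header(ADD_STUB, key, bytes((b + key) & 0xFF for b in payload))


def decode_xor(sample: bytes) -> Optional[bytes]:
    """What the XOR stub does at run time. A scanner that has analysed one
    sample can do the same (emulate the decryptor) to reach the plaintext."""
    i = sample.find(XOR_STUB)
    if i < 0:
        return None
    i += len(XOR_STUB)
    key, n = sample[i], int.from_bytes(sample[i + 1:i + 3], "big")
    body = sample[i + 3:i + 3 + n]
    return bytes(b ^ key for b in body) if len(body) == n else None


def replicate(copy: bytes, new_key: int) -> bytes:
    """Self-polymorphic replication: a copy decodes its own payload and re-encodes
    it under a fresh key. The morphing algorithm travels with every copy."""
    payload = decode_xor(copy)
    if payload is None:
        raise ValueError("not a copy of this virus")
    return encode_xor(payload, new_key)


def generations(n: int, seed: int) -> List[bytes]:
    """n successive copies, each under a distinct key (so n distinct hashes)."""
    keys = random.Random(seed).sample(range(1, 256), n)  # never key 0 (identity)
    copies = [encode_xor(PAYLOAD, keys[0])]
    for key in keys[1:]:
        copies.append(replicate(copies[-1], key))
    return copies


# --- Four ways to detect -----------------------------------------------------
SIGNATURE = b"CurrentVersion\\Run\x00"


def sha256hex(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def detect_by_hash(sample: bytes, blacklist: set) -> bool:
    return sha256hex(sample) in blacklist


def detect_by_plain_string(sample: bytes) -> bool:
    """Indicator on the encrypted body: fails for every key except 0."""
    return SIGNATURE in sample


def detect_by_stub(sample: bytes) -> bool:
    """Signature on the invariant decoder bytes."""
    return XOR_STUB in sample


def detect_by_emulation(sample: bytes) -> bool:
    """Run the decoder, then look for the indicator in the plaintext."""
    decoded = decode_xor(sample)
    return decoded is not None and SIGNATURE in decoded


# --- Server-side morphing: the engine is on the server, not in the sample ----
def serve_copy(rng: random.Random) -> bytes:
    """The download server picks a packer per visitor. A sample packed with ADD
    carries no hint of XOR and vice versa, so analysing one sample does not
    reveal what the next download will look like."""
    packer = rng.choice([encode_xor, encode_add])
    return packer(PAYLOAD, rng.randrange(1, 256))


def distinct_hashes(samples: List[bytes]) -> int:
    return len({sha256hex(s) for s in samples})


if __name__ == "__main__":
    gens = generations(5, seed=7)
    print("self-polymorphic: 5 copies,", distinct_hashes(gens), "distinct hashes")
    print("  hash hits (first copy blacklisted):",
          sum(detect_by_hash(c, {sha256hex(gens[0])}) for c in gens))
    print("  plain-string hits:", sum(map(detect_by_plain_string, gens)))
    print("  stub hits:        ", sum(map(detect_by_stub, gens)))
    print("  emulation hits:   ", sum(map(detect_by_emulation, gens)))
    served = [serve_copy(random.Random(7)) for _ in range(1)] + \
             [serve_copy(random.Random(s)) for s in range(10)]
    print("server-side: emulation with XOR-only knowledge hits",
          sum(map(detect_by_emulation, served)), "of", len(served))
```

For the self-replicating case every generation hashes differently and the plaintext string never matches, yet the stub signature and the emulated decode catch all of them, because the algorithm was in the first sample. For the served copies the same XOR knowledge only catches the copies that happened to be packed with XOR; the ADD-packed ones need their own analysis and signature, which is the "each new sample is analyzed and a signature created" cycle described above.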
 
RayLopez99 said:
A bunch of issues raised by your post. You seem to like this whole
enchilada style of prose.<g>

Why don't you like an AV web scanner (which I assume refers to links,
such as sending the links from a host page to a server run by the anti-
virus company to check the pages linked to)?

I don't dislike them, I only don't feel the need for one on this system.
Why do you run AV only? You a professional? Maybe you trust you can
remove any malware/badware yourself? By noticing stuff loaded in Task
Manager? Man you're good if that's the case.

Nothing like that, I'm just a hobbyist with good recovery plans and
nothing of any real importance on this computer. Besides, many new
malware instances are capable of hiding things from Task Manager.
HOSTS file. I have no idea what that is, except once to get a cracked
copy of Adobe running I had to change the HOSTS file. From what I can
tell it's a sort of primitive lookup table used by browsers.

That's exactly what it is, but it has taken on a role for which it was
not designed - that of a blacklist of sorts that returns the loopback
(localhost 127.0.0.1) for certain "bad" site names.

Using an enhanced firewall is a much better way to accomplish that sort
of blacklisting.
You killed your HOSTS file I take it, though how your software that
depends on this HOST file, like say Adobe Acrobat or Photoshop, would
work is beyond me.

They don't actually depend on it at all, it just gets checked before DNS
(or whatever domain to IP# lookup in use) does. Kind of like a local DNS
service for static IPs.

I sometimes like to look at malware, and I don't need several programs
interfering with that ability.
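How the HOSTS file does the job described in this reply (consulted before DNS, with "bad" names pointed at the loopback address), as an added example that is not code from this thread. The hosts entries, the DNS answers and the .test names are constructed for the example; the DNS step is a dictionary standing in for a real lookup, and the file format is the one both Windows (%SystemRoot%\System32\drivers\etc\hosts) and Unix (/etc/hosts) use.

```python
from typing import Dict, Optional

# Constructed hosts file: <address> <hostname> [alias ...]; '#' starts a comment.
HOSTS_TEXT = """\
# header comment, ignored
127.0.0.1       localhost
::1             localhost
# "blacklist" entries: point bad names at the loopback address
127.0.0.1   ads.example.test   tracker.example.test
0.0.0.0     malware-dl.example.test   # 0.0.0.0: nothing listens, connect fails fast
"""

# Stand-in for the DNS step (constructed answers, not real lookups).
FAKE_DNS: Dict[str, str] = {
    "www.example.test": "203.0.113.20",
    "cdn.ads.example.test": "203.0.113.10",
}

# Addresses that mean "this name goes nowhere" when they come from the hosts file.
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each name to the first address listed for it (first match wins, as
    the resolver does); names compared case-insensitively, comments stripped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(name: str, hosts: Dict[str, str],
            dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Resolution order: hosts file first, DNS only if the name is not listed."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key]
    return dns.get(key)


def is_blocked(name: str, hosts: Dict[str, str]) -> bool:
    """True when the hosts file short-circuits this exact name to a dead address."""
    return hosts.get(name.lower().rstrip(".")) in BLOCKING_ADDRESSES


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    for n in ["ads.example.test", "TRACKER.example.test", "malware-dl.example.test",
              "cdn.ads.example.test", "www.example.test"]:
        print(f"{n:28s} -> {str(resolve(n, hosts)):14s} blocked={is_blocked(n, hosts)}")
```

The listed names never reach DNS, which is the whole mechanism. The limitation shows up on `cdn.ads.example.test`: a hosts file matches exact names only, with no wildcard for subdomains, so it resolves normally and is not blocked. That is one reason blacklisting at a firewall, as this reply prefers, scales better than a hosts file.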
 