Antivirus and its Discontents

4 03 2012

By Nchimunya Munjita

Sitting in on one of the computer security classes, I paid particular attention to the instructor’s explanation of the different types of malicious code. He listed and explained the different types of malicious code, such as bacteria, logic bombs, trapdoors, Trojan horses, viruses, worms, zombies, bot networks, and spyware. The instructor explained what characterizes each type of malicious code and mentioned the role of anti-virus (AV) programs as a countermeasure. I was taken aback when he mentioned that although anti-virus does a good job at protecting our computers, it nevertheless suffers from some basic limitations which have given rise to the following criticisms: (1) it consumes an inordinate amount of computer resources, which slows down computer performance, and (2) it always misses some viruses. All along, I had not paid much attention to the second discontent; I had followed along with the popular misconception that antivirus is the panacea for all malware.

As you may know, malicious software, or malware, which generally refers to “unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage” [1], is one of the biggest security challenges facing the computer industry. One common type of malware is a virus, which is a program that can replicate itself and pass on malicious code from one computer to another across network connections, often with human intervention. It is also possible for virus code to be activated even without human intervention, such as when execution has been set to trigger on a particular date or time. Viruses use popular means of communication to propagate from one system to another through infected files (documents, pictures, music, videos) from websites, peer-to-peer connections, email and instant messages. Often, the presence of a virus on a computer is difficult to notice, and the virus may not be easily destroyed or deactivated.

In the current issue of its bi-annual Internet Security Threat Report [2], Symantec Corporation revealed that it encountered more than 286 million unique variants of malware in 2010. AV-Test [3] estimates that in 2010 malware production continued at a record-setting rate of over 50,000 unique samples per day, although the number could be higher than that because the reported figure excludes malware variants which may have mutated into multiple strains. Although different researchers report different figures for the growth of malware, most of them agree that the problem is on the upswing. Malware writers are no longer driven only by power and ego-oriented motives but also by profit, and they show no sign of letting up. On the other hand, the anti-malware industry is working hard to keep pace with the pervasive, stealthy malware being produced by innovative writers.

It is getting increasingly harder to prevent, detect and remove modern-day malware by using traditional signature-based scanners. (A virus signature is a telltale pattern that uniquely identifies a virus or a group of viruses with similar characteristics.) A virus scanner can heuristically or generically detect viruses based on known patterns of data. However, this technique is less effective against completely new viruses. As more and more viruses are discovered by the industry, new signatures are made available to be downloaded and added to the signature library of virus scanners. You would expect the number of signatures to closely match the number of unique malware strains; however, that is not the case. On average, a scanner can have signatures in excess of 3,000,000 [3]. As the signature library grows larger, the scanner becomes less efficient at matching against the signatures. Often, the antivirus company will make a tradeoff between the performance of the program and the need for effective coverage of viruses. Consequently, the signature library will only be populated with signatures of the most recent and prevalent malware. Think about it: what would prevent a motivated adversary, equipped with this knowledge, from comparing the latest signature update with a comprehensive list of all known viruses and then exploiting any gap?
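To make the coverage-versus-performance tradeoff concrete, here is an added toy scanner (written for this post; it is not code from the post or from any AV product). All byte patterns and "files" are constructed placeholders, not real malware, and the per-signature loop is a deliberately naive stand-in for a production engine's multi-pattern matching.

```python
import re

# Constructed toy byte patterns standing in for malware families (not real malware).
FAMILY_A_V1 = b"\x90\x90A1\xde\xad\xbe\xef\x01"
FAMILY_A_V2 = b"\x90\x90A1\xde\xad\xbe\xef\x02"   # same family, one byte mutated
FAMILY_B    = b"BB\xca\xfe\xba\xbe"
NEW_STRAIN  = b"ZZ\x00\x00unseen"                  # no library below knows this one

# Exact signatures: one entry per known variant, newest first.
EXACT_SIGS = [
    ("A.v2", re.escape(FAMILY_A_V2)),
    ("B",    re.escape(FAMILY_B)),
    ("A.v1", re.escape(FAMILY_A_V1)),
]
# Generic signature: fixed prefix plus one wildcard byte, covering every A variant seen so far.
GENERIC_SIGS = [
    ("A.gen", re.escape(b"\x90\x90A1\xde\xad\xbe\xef") + b"."),
    ("B",     re.escape(FAMILY_B)),
]

def scan(data, library):
    """Return (names of matching signatures, number of pattern comparisons made).

    Cost grows linearly with the library size, which is the efficiency problem
    the post describes as libraries pass millions of entries."""
    hits, compared = [], 0
    for name, pattern in library:
        compared += 1
        if re.search(pattern, data, re.DOTALL):
            hits.append(name)
    return hits, compared

def prune(library, keep):
    """Keep only the `keep` newest signatures, as a vendor trading size for speed might."""
    return library[:keep]

def demo():
    """Scan each constructed sample with a full, a pruned, and a generic library."""
    samples = {"A.v1": FAMILY_A_V1, "A.v2": FAMILY_A_V2, "B": FAMILY_B, "new": NEW_STRAIN}
    libraries = (("full", EXACT_SIGS), ("pruned", prune(EXACT_SIGS, 2)), ("generic", GENERIC_SIGS))
    results = {}
    for lib_name, lib in libraries:
        for sample_name, body in samples.items():
            # Wrap the pattern in filler bytes so the match is found mid-file, not at offset 0.
            results[(lib_name, sample_name)] = scan(b"header" + body + b"trailer", lib)
    return results

if __name__ == "__main__":
    for key, (hits, compared) in demo().items():
        print(key, hits or "MISSED", f"({compared} comparisons)")
```

The pruned library misses the older A.v1 variant outright, while the generic wildcard entry catches both A variants with fewer comparisons but, like every library here, still misses the strain it has never seen.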

Signature-based scanners suffer from yet another drawback – the potential to slow down the computers on which they run by consuming much of the PC’s memory and resources. It is not only the large signature file that is responsible for slowing down a computer; [4] identifies other reasons as well: (1) virus scanners support an emulation function which is essential to safely analyze obfuscated polymorphic malware by unpacking and running the malicious executable within a virtual environment, a process that is often slow and expensive; (2) large scanning latencies may arise when scanners perform deep-level file operations on certain file systems such as Microsoft’s New Technology File System (NTFS); and (3) some security products scan an amount of data proportional to the number and size of the scanned files. Since there have been progressive “changes in file size, file type, and storage capacity in modern operating systems”, this can slow down virus scans.

In a nutshell, we have looked at the extent of the malware problem and examined some limitations of the anti-malware countermeasure. Given the complexity of malware-based threats, a number of AV vendors are now developing new approaches to the problem. Rather than focusing solely on traditional signature-based approaches, some vendors are now developing behavior-based technologies capable of real-time monitoring of program behavior for malicious actions. Gartner [5] provides an analysis of the emerging technologies, which include default-deny application control (whitelisting), browser or web protection modules, advanced forensic analysis of targeted threats, and cloud- or network-based delivery systems. Most of the vendors pioneering these technologies are emerging vendors, and their contribution to effectively curbing malware with alternative technologies remains to be seen and appreciated. Meanwhile, in this cat-and-mouse game between malware and anti-malware programmers, the former seem to be a step ahead of their arch-nemesis.


[1] Pfleeger, C. P., and Pfleeger, S. L. (2006). “Security in Computing,” Fourth Edition, Prentice-Hall.

[2] “Symantec Internet Security Threat Report Trends for 2010,” Volume 16, Published April 2011.

[3] Morgenstern, M., and Pilz, H. (2010). “Useful and useless statistics about viruses and anti-virus programs.” AV-Test GmbH, Magdeburg, Germany. Presented at CARO 2010 Helsinki.

[4] Yan, W., and Ansari, N. (2009). “Why Anti-virus Products Slow Down Your Machine?” Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN 2009).

[5] McMillan, R., and Firstbrook, P. (2010). “Emerging Vendors in Malware Control, 2010.” Gartner, Inc.