Quite often, when visiting customers, I have to ask in one form or another: why do you need an antivirus? As a rule, they look at me like an idiot: everyone knows that! But in most cases, further discussion shows that the overwhelming majority of customers do not know the answer to this elementary question. To be precise, over the past year the correct answer was given in just two (two!) companies. And, by the way, according to the statistics this is not only Russia's misfortune: the situation abroad is similar.
This part was not originally planned, but apparently it is urgently needed. A number of comments on the previous articles show that even IT professionals do not understand the difference between the concepts of "antivirus" and "antivirus protection system". This shows up quite clearly in the comments when, instead of an antivirus, commenters suggest using other software, as a rule, systems for restricting rights, access and so on.
Therefore, I propose to return to what was said earlier. Let's determine whether there are grounds to object to replacing an antivirus with alternative solutions, and whether an antivirus differs from an antivirus protection system.
Antivirus, as given to us in definitions
In the first part of this series we found that at present there is no definition of a malicious program anywhere in the world: regulators, by and large, do not know what they are protecting against. Let's look at the opposite side and see what an antivirus is from the point of view of the regulators of our country and of the world:
- a program for detecting computer viruses, as well as unwanted (considered malicious) programs in general, and for restoring files infected (modified) by such programs, as well as for prevention: preventing infection (modification) of files or the operating system by malicious code (Wikipedia)
- a program that pretends to look for viruses, trojans, worms and other infections in the immunodeficient Microsoft Windows environment, but in reality does nothing except slow down the device on which it is installed. It tries to protect against threats that are not yet in the antivirus databases, but is bad at it (Lurkmore)
- a program that aims to detect computer viruses and other malware, prevent their reproduction and remove them
- a program that prevents a PC from being infected with computer viruses and eliminates the consequences of infection (the last two definitions are widely circulated on the Runet, but their source is unknown to me)
- anti-virus protection measures should ensure the detection, in the information system, of computer programs or other computer information intended for the unauthorized destruction, blocking, modification or copying of computer information or for the neutralization of information protection tools, as well as a response to the detection of such programs and information (FSTEC Order No. 17, www.rg.ru/2013/06/26/gostajna-dok.html)
- protection of an information system, including the detection of computer programs or other computer information intended for the unauthorized destruction, blocking, modification or copying of computer information or for the neutralization of information security tools, as well as a response to the detection of such programs and information (FSTEC methodological document "Information security measures in state information systems")
- a program that detects, prevents, and performs certain actions to block or remove malware, such as viruses and worms (www.microsoft.com/ru-ru/security/resources/antivirus-whatis.aspx)
- the result of intellectual activity in the form of a computer program (an object of copyright), the exclusive right to which belongs to the Rightholder (the Licensor) (a fairly typical definition from tender documentation)
Thus it is clear that, at the very least, these definitions do not specify the moment at which the protection system should detect a malicious program, or they rely on outdated descriptions of protective measures (such as "modification").
Is this nitpicking? Not at all. Even though the previous articles stated quite clearly that the main task of an antivirus is the detection and removal of previously unknown malware, comments on two of those articles recommended replacing the antivirus with systems that prevent infection. That is, the myth is deeply rooted, and if we do not write down the correct definition, the protection system will not automatically acquire the functions it needs.
A well-known anecdote illustrates the situation. It is said that when Kennedy declared "we will be first on the Moon!", a special commission made only a minor correction to the mission goal: "The system must deliver astronauts to the Moon and return them back." And think how much could have been saved without that correction.
It is also a common mistake to include in the definition of a protection system an enumeration of the types of malicious programs or of their actions. As a result, the emergence of new types of malicious programs or new actions automatically takes them outside the scope of the regulatory documents.
Why does antivirus miss viruses?
Before introducing the definition of an anti-virus protection system, let us once again assess the potential of malware to circumvent anti-virus protection systems (the risk level).
At the moment, the most dangerous malicious programs are not developed by lone hackers. This is a well-organized criminal business that draws highly skilled system and application software developers into its criminal activity.
Attention! It does not matter what role someone played in such a "firm", perhaps just that of an ordinary system administrator. Ignorance is no excuse.
Testing malware under development against current antivirus solutions for non-detection makes it possible to release only malware that cannot be detected (until updates arrive) by the protection systems presumed to be used by the groups of users scheduled for attack, including by their heuristic mechanisms. The number of such programs produced by a single group can reach hundreds of samples, and none of them will be detected by the antivirus software used by the target group of victims.
What problems are there with ensuring anti-virus security?
We repeat what has been said in previous articles:
- At present, the main problem for anti-virus security systems is malware that the protection systems cannot detect (leaving aside users' ignorance and naivety, because without hypno-emitters in orbit that problem can hardly be solved). This threat existed before, but earlier it was associated only with the delay between a new malware sample appearing "in the wild" and its detection.
- The number of undetectable programs is at least 25 percent of their total number.
- Traditional heuristic detection mechanisms have largely lost their effectiveness against the modern malware development process, which has made it necessary to develop new malware detection technologies.
- It is impossible to ensure anti-virus protection against penetration by means of an antivirus alone. But other methods do not give a 100% guarantee either, on the one hand, and require highly qualified specialists, on the other.
Incidentally, we said earlier that the production of the most dangerous malware has been put on a conveyor belt. But is this true of other malware? According to AVG (http://now.avg.com/kids-writing-trojans-show-computer-skills-friends), a third of modern malware is created by children.
Why do I need an antivirus?
Accordingly, an anti-virus protection system should provide:
- protection against the penetration of all already known types of malicious programs (including by using technologies that detect modifications of previously found ones). The word "all" is highlighted for a reason: a typical request is to remove old viruses from the databases. Don't believe it: OneHalf is still alive!
- after updates are received, detection and removal (but not rollback of their actions!) of malicious programs that are already running and actively resisting detection.
This definition shows that the definitions of anti-virus protection given in the regulatory documents are not just wrong but actively harmful to the companies that rely on them. Therefore, the functions implemented on the basis of these definitions, and the composition of the anti-virus protection systems built on them, are also incorrect.
Comments on the previous articles show that many people, when defining the task of anti-virus protection, forget about the second part.
You can accomplish the task of preventing malware from getting in without antivirus software; nothing stops you, and, moreover, sometimes an antivirus is even contraindicated. But removing an already active infection without an antivirus is impossible. Yes, I know there are specialists who can do it manually (and there are even companies that form such rapid response teams). But there are three "buts":
- most users are not capable of this;
- modern malware is often designed for a long, unnoticed presence in the system (moreover, it can close vulnerabilities, remove other viruses, and even install an antivirus). Having been tested against protection systems, it can go unnoticed for years;
- an antivirus, if it knows the malware, will remove it faster.
What is the difference between antivirus and antivirus protection system?
An antivirus protection system is not always an antivirus. It is any program, OS setting or procedure by which you reduce the risk of infection.
Accordingly, nothing stops you (except the regulators, but even there things are not so clear-cut) from not using an antivirus to prevent infection, but you will not manage treatment without one. But there is one "but" (www.infosec.ru/news/8119):
The most common vulnerabilities and weaknesses are:
- Password policies are not configured or incorrectly configured.
- Network equipment is administered using the insecure TELNET protocol.
- Event auditing is not configured or is configured incorrectly.
- Firewalls contain redundant rules.
- Network segmentation was performed incorrectly; in particular, server segments are not separated from user segments.
- The update management process is not implemented or is implemented incorrectly; as a result, for example, outdated software containing known vulnerabilities is in use.
- Access switches lack security settings, in particular protection against attacks of the ARP cache poisoning class.
- No signature updates or alert settings are configured for the intrusion detection tool.
- Insecure protocols are used for remote access via VPN technology.
- Incorrectly configured restrictions on access rights to system files.
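Two of the weaknesses in this list, redundant firewall rules and Telnet management of network equipment, are easy to check for automatically before they become a problem. The script below is an added example written for this article, not code from the author or from infosec.ru. It assumes a first-match firewall with a constructed five-field rule format and a Cisco IOS-like `line vty` / `transport input` syntax for the device configuration; the sample rule set and configuration are constructed for the example.

```python
"""Audit helpers for two of the common weaknesses listed above:
redundant (never-reached) firewall rules and VTY lines that accept Telnet.
Added example; the rule format and the sample device config are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port, None means any port


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    # A port-specific outer rule cannot cover an any-port inner rule.
    if outer.port is not None and outer.port != inner.port:
        return False
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)))


def find_redundant_rules(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (index, covering_index, kind) for rules that are never reached
    in a first-match firewall: 'redundant' when an earlier rule with the same
    action already handles the traffic, 'shadowed' when an earlier rule with
    the opposite action does (the latter usually signals an intent error)."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], rule):
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                findings.append((i, j, kind))
                break
    return findings


# Constructed sample rule set (first match wins).
SAMPLE_RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "10.1.2.0/24", 443),
    Rule("deny", "any", "0.0.0.0/0", "10.1.2.0/24", None),
    Rule("allow", "tcp", "10.0.5.0/24", "10.1.2.10/32", 443),   # covered by rule 0
    Rule("allow", "tcp", "192.168.1.0/24", "10.1.2.0/24", 22),  # blocked by rule 1
]

# Constructed IOS-like configuration fragment.
SAMPLE_DEVICE_CONFIG = """\
hostname core-sw-01
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
"""


def vty_lines_allowing_telnet(config_text: str) -> List[str]:
    """Return the 'line vty' blocks whose 'transport input' permits Telnet
    (either explicitly or via 'all')."""
    weak = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line vty"):
            current = line
        elif current and line.startswith("transport input"):
            tokens = line.split()
            if "telnet" in tokens or "all" in tokens:
                weak.append(current)
    return weak


if __name__ == "__main__":
    for idx, by, kind in find_redundant_rules(SAMPLE_RULES):
        print(f"rule {idx} is {kind} by rule {by}: {SAMPLE_RULES[idx]}")
    for vty in vty_lines_allowing_telnet(SAMPLE_DEVICE_CONFIG):
        print(f"Telnet enabled on: {vty}")
```

On the sample data the script reports rule 2 as redundant (rule 0 already allows it) and rule 3 as shadowed (rule 1 denies it first), and flags `line vty 0 4` as accepting Telnet. Both checks are deliberately pure functions over text and data so that they can be run against exported rule sets and configuration backups rather than against live devices.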
You can use a Kalashnikov rifle, or you can build a sniper rifle yourself. If you are ready not only to set up the system but also to analyze information security news in real time and, accordingly, to improve the protection in real time, then neither I nor the regulators (especially in the context of FSTEC Order No. 31) are at all against it.
Well, in the next article we will talk about whether regulators and the authors of standards require the use of an antivirus, and what benefits can be gained from reading information security documents at night.