
What did antivirus think about in the past?

As you know, the grass used to be greener (at least). But let's not dwell on the beautiful. What modern regulators think about the capabilities of an antivirus has been discussed on Habr more than once (for example, you can read about it here). Naturally, attempts to develop requirements for protection tools have probably been made since the first viruses appeared; this is entirely in the interests of both the state and private users. And it seems logical that the accumulated experience should have led to the requirements becoming more and more detailed over time.

Logical? Not at all!

Open the document titled "Guidance Document. Antivirus Tools. Security Indicators and Virus Protection Requirements." The document was developed by the State Technical Commission under the President of the Russian Federation. Two versions of this document can be found on the Internet, from 1997 and from 1998. They differ considerably; for simplicity we will treat the 1998 version as the newer one.

What is an antivirus according to this RD (guidance document)?

Antivirus tools (abbreviated ABC in this translation) are understood in this document as specialized information protection tools designed to protect computing equipment (SVT) and the automated systems (AS) built on it from the effects of virus programs and virus-like effects.

This is the fundamental difference from current definitions: the antivirus is not considered a protection against penetration. In general this makes sense, since an antivirus cannot guarantee protection against penetration; for that you need at least restrictions on access rights, and so on. And indeed, further on we read: "The guidance document was developed in addition to the guidance documents of the State Technical Commission of Russia 'Computing facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information.'" That is, protection was considered a set of measures based on access restrictions!

These indicators contain requirements for antivirus tools that protect an AS under the effects of virus programs and virus-like effects, both on individual elements of the AS (SVT) and on the AS as a whole.

Further, the RD specifies that there are separate requirements for the protection of workstations and servers. As now, in both cases the requirements are divided into six classes, with the sixth being the lowest. It is funny that the document constantly replaces the digit 1 with an exclamation mark: A! and B!

What was required of the antivirus?

=> ABC must provide periodic checks for the presence of viral infection in dialogue and command (automatic) modes at the request of the operator (user);
=> preliminary check of critical OS elements for viral infection before installation. The ABC installation procedure must exclude the possibility of viral infection of the installed components and distribution media;

This is an antivirus scanner. It is required by the current profiles too, but described there in much less detail.

=> use of alternative, complementary detection mechanisms, at least scanning, heuristic analysis and file system integrity control;
=> ABC must ensure the detection of facts of viral infection with known viruses of all types:

=> detection of facts of virus infection with unknown viruses:

=> ABC must provide detection of known active viruses in the RAM;

The list is much more detailed than the current profiles. Note that the RD states separately that the antivirus must resist both known and unknown viruses.

But then come the quantitative indicators.

=> ABC must detect at least 95% of viral infections caused by known viruses;
=> detection of at least 70% of the facts of viral infection caused by unknown viruses;
=> no more than 3% of the facts of false detection of virus infection of objects;
=> ABC must ensure that the time taken to detect and process infected objects is comparable to the execution time of system-wide procedures.

Very high requirements, we note. And this is for the sixth class; the fifth class raised the bar even more:

=> detection of polymorphic and complexly encrypted viruses;
=> detection of at least 99% of the facts of viral infection caused by known viruses;
=> detection of at least 75% of the facts of viral infection caused by unknown viruses;
=> no more than 2% of the facts of false detection of virus infection of objects;

Note that, unlike current profiles, where protection classes are divided artificially according to the functionality of the protection tool, in the RD the class depends on the quality of the work. And in my opinion that is more correct.
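As an added illustration (not from the original post or from the RD itself), the class 6 and class 5 quantitative indicators quoted above can be turned into a small evaluation harness: given a constructed test corpus of known viruses, unknown viruses and clean objects together with the scanner's verdicts, it computes the three rates and reports the best class the scanner reaches. The corpus layout and the names `Sample`, `make_corpus`, `rates` and `best_class` are my own assumptions, not anything the document defines.

```python
from dataclasses import dataclass

# Quantitative indicators quoted from the RD, per class:
# (minimum known-virus detection rate, minimum unknown-virus detection rate,
#  maximum false-detection rate). The qualitative class 5 requirement
# (polymorphic/encrypted viruses) is not modelled here.
CLASS_THRESHOLDS = {
    6: (0.95, 0.70, 0.03),
    5: (0.99, 0.75, 0.02),
}

@dataclass(frozen=True)
class Sample:
    """One object from a constructed test corpus (hypothetical, not the RD's)."""
    name: str
    kind: str      # "known" virus, "unknown" virus (not in the signature base), or "clean"
    flagged: bool  # True if the scanner reported the object as infected

def rates(samples):
    """Return (known detection, unknown detection, false detection) rates."""
    def flagged_share(kind):
        group = [s for s in samples if s.kind == kind]
        if not group:
            raise ValueError(f"corpus has no '{kind}' samples")
        return sum(1 for s in group if s.flagged) / len(group)
    # For clean objects a 'flagged' verdict is a false detection.
    return flagged_share("known"), flagged_share("unknown"), flagged_share("clean")

def best_class(samples):
    """Best (numerically lowest) class whose indicators are all met, or None."""
    known, unknown, false_det = rates(samples)
    achieved = None
    for cls in sorted(CLASS_THRESHOLDS, reverse=True):  # check class 6, then 5
        min_known, min_unknown, max_false = CLASS_THRESHOLDS[cls]
        if known >= min_known and unknown >= min_unknown and false_det <= max_false:
            achieved = cls
        else:
            break  # a higher class is only reachable if every lower class is met
    return achieved

def make_corpus(known_hit, known_n, unknown_hit, unknown_n, false_hit, clean_n):
    """Build a constructed corpus with the given hit counts per group."""
    corpus = [Sample(f"known{i}", "known", i < known_hit) for i in range(known_n)]
    corpus += [Sample(f"unknown{i}", "unknown", i < unknown_hit) for i in range(unknown_n)]
    corpus += [Sample(f"clean{i}", "clean", i < false_hit) for i in range(clean_n)]
    return corpus
```

A scanner that catches 97 of 100 known and 72 of 100 unknown samples with 2 false detections on 100 clean objects lands in class 6; reaching class 5 needs 99% known detection, 75% unknown detection and at most 2% false detections simultaneously.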

Further on in the document, the quality-of-work requirements are tightened with each class, but for simplicity we will not quote them.

=> ABC must provide the ability to delete objects (files) in which viruses are detected;
=> ABC must provide the ability to rename and/or copy infected objects into a specified (target) directory;

The fifth class added:

=> the ability to remove the code of known viruses from the body of objects (treatment);
=> removal of known active viruses from RAM and (or) blocking the execution of their program code;

Full anti-rootkit!

Recovery:
=> ABC must provide the ability to restore the boot records of storage media;
=> ABC must provide data recovery on storage media if the data was reversibly changed as a result of viral exposure.

In current profiles, disinfection is required unconditionally, with no alternatives.

The fifth class added to these requirements:

=> restoration of objects predefined by the operator (user).
=> administration tools that allow the operator (user):


But this is backup! Already in 1998 the requirements provided for backup and restore functions as part of the antivirus protection system.

Also interesting is the description of what a text format is:

=> ABC must provide the ability to create reports on the results of a scan in text (human-readable) format

I wonder whether all products today log in a "human-readable" form?

The availability of administration tools was also required: "Administration tools must be provided in ABC."

The requirements for the update process are described amusingly:

=> ABC must provide means enabling the operator (user) to apply updates.
=> ABC must provide the ability to be updated periodically as new virus programs appear;
=> when starting, ABC must automatically check its own components to detect whether they are infected with virus programs;

In the era of antivirus self-protection, a requirement for self-checking looks quaint.

It is also funny that at the time the RD was written, when the memory of CIH was still fresh, the antivirus was required to provide "=> recovery of system nonvolatile memory areas (CMOS)" (all quotes here are taken verbatim from the original; I personally did not immediately realize what was meant).

Strangely enough, blocking the impact on "application software and user data" appeared only in the second class, together with the requirement to block the impact on the service areas of non-volatile memory (BIOS, CMOS).

In the first class, protection of communication channels against attacks appeared: "block virus exposure along the lines (channels) of communication".

The first class also required protection against "viruses when decomposing a virus carrier into sub-objects of a lower level of the hierarchy (packets) in the case of use in a distributed AS". I don't remember anything like that now.

Requirements for file servers generally coincided with those for workstations, except for the processing mode of shared objects.

The list has been somewhat abbreviated for simplicity, but even what is quoted above is inspiring. In fact, the RD anticipated the development of protection tools for at least a decade ahead: backup, a behavioral analyzer, a system of protection against unauthorized actions. What is actually missing is a file monitor (although it is implicitly present, for example, in the measures for protecting removable media and against attacks through communication lines). Well, and there is no malware other than viruses. But for 1998 this is very, very forgivable.

As far as I know, the reviewed document never entered into force, although it was discussed in the industry at one time. It's a pity. Despite all its shortcomings, it is head and shoulders above the current protection profiles, and perhaps the NIST requirements as well.

Source: https://habr.com/ru/post/263045/
