A Note on Virus Paranoia

by Dr. Nikolai Bezroukov

Version 0.81

It is probably fair to view the existence of antivirus industry
as a direct  proof of high long term costs
associated with any MS-based solution.

This article is a general overview of the virus-hype phenomenon with some specific suggestions for enterprise users. Be skeptical and not all of them are valid in a particular environment which might be substantially different from those that I have experience with. 

The author argues that the cost of AV protection is a part of the cost of the ownership of the Microsoft platform that should be carefully evaluated as such by enterprise users.

Part of the cost is irrational fear, frea of unknown,  that demostrateit self in various urban myths. 

My second argument is that AV defense should not always mean "on-the fly" scanning. Often other approaches are more effective. Anti-virus scanners are by definition one step behind. That means that the main virus fighting strategy should be creation and maintaining baseline configuration to which you can downgrade any infected PC without trying to understand what is particular virus about and what AV products reliably can disinfect PC from it. Simple Microsoft SFU3.5 + ssh combination, Ghost-based image of C-partition and integrity checker are much more productive approach that rat race of getting the latest signatures or trying to find a product that detects and disinfects particular virus.

A very good, but rarely used approach,  is to use  Microsoft Shared Computer Toolkit for Windows XP and keep user files on a separate partition or separate USB drive.

Virus hype overview

As many AV practitioners know too well and a lot of users at least suspect, the virus paranoia and preaching of Virus Armageddon is a marketing trick used and abused by all anti-virus vendors. The problem is that often cure is worse than the disease. Anti-virus products in their current incarnation actually represent a additional threat to PC stability and substantially contribute to crashes and total cost of ownership of Microsoft platform. For example the cost of false positives is largely ignored in the computer press, but they constitute a vital part of the cost of implementing of any virus protection solution and they are noticeable part of the total cost of ownership of any workstation with AV protection installed.

Moreover viruses can serve as a scapegoat -- the phrase "It must be a virus" is a standard in the arsenal of many corporate IS professionals when they do not understand what to do (and many of them really don't know what to do quite often -- MS platform is much more complex then most IS managers would like to assume ;-). 

The term "virus infection" is often used as a synonym for the "unknown PC or network problems that are difficult to troubleshoot", or as a synonym for "A generic Microsoft-software related problem" ? Like ancient people attribute evil to bad gods, IS folks are blaming "a very bad virus" to explain crashes of Microsoft Windows and sometimes to conceal their own blunders.

This paranoid attitude, the seemingly permanent threat of a devastating virus attack is heated by the constant flow of ads and vendor sponsored papers in the computer trade press. It even  created a special E-mail gender -- virus hoaxes -- oriented to users and sysadmins "who should know better".

The level of hype from AV vendors is really amazing taking into account that for almost every major epidemics it was AV tools that failed miserably being unable to cope with the new, often unanticipated,  threat, It is new direction, new angle of  attack that makes virus dangerous and can cause the epidemics, like was the case with MS Blaster and other major network worms in 2001-2005. Copycat virus simply do not stand a chance to create large disruption; you need to find some new widespread vulnerability in order to create a global epidemics.

The way AV software publishers use hype as the most powerful marketing weapons represents one of the most successful misinformation campaigns in the history of the marketing industry and probably should be studied in any book of high-tech marketing.

Symantec, McAfee, and the infamous National (now International ;-) Security Association (private company that started as a lobbyist organization for AV vendors and then successfully moved to firewalls; it was eventually bought by Gardner Group) are really great "doom and gloom" propagandists -- propagandists that Pravda (the leading communist newspaper in the USSR) journalists with their constant theme of "imperialist threat to communist world" can only envy (I know they employ programmers from former USSR region, but I doubt that former Pravda journalists are employed in marketing -- probably local gurus are as good or even better in this particular field ;-).

In marketing materials that one can find on the anti-virus vendors web sites the costs of virus attacks are listed in billion dollars. Cleanup costs on a per-site basis from a single virus attack are estimated at hundred thousand. That makes viruses very close to year 2000 Armageddon paranoia. See Fighting Virus Hype for more examples.

Microsoft -- the enemy within

Another interesting question to answer is to what extent the virus threat is the result of Microsoft architectural flaws - flaws dictated by its revenue oriented  culture. There are several of them that are present in MS DOS and Windows 9x series:

This list is outdated and not definitely not-complete as we need to add failure with the firewall implementation despite using many poorly documented and poorly understood network protocols.

I sincerely believe that 80% of virus/worms problems are due to serious architectural flaws in the Microsoft OS architecture (or let's call them more politely "technical compromises" adopted for the sake of backward compatibility and preserving the market share). My point is that from this point of view any Unix is superior to Microsoft OSes. Of course UNIXes have their own security problems (and unlike Open BSD bloated Red Hat 8,9 or 10 is a big security problem in itself, just due to the amount of installed packages; the slogan of Red Hat seems to be "no week without critical patch" which can be considered to be an interesting way to justify the color of hat ;-).

Unix probably should be used as a server, especially, when security is really important or when money are the problem or both.  For desktops the additional cost of AV defense should be calculated into the total cost of ownership of Microsoft platform. For a large organization with, say, ten thousand PC users the cost of AV defense is usually well over 300K a year  of $30 per year per user (at least one person + some probably equal investment in AV software, its maintenance and updates). That's not much ($30 per year per user is approximately the same that company spend on coffee).

Generally speaking the AV situation on Microsoft platform is often close to absurd.  Double extension hiding is the most recent example of  "road to hell is paved with good intentions" situation with security. I would like to know the name of Microsoft executive who in his/her  blissful ignorance approved this stupid trick and single-handedly created the whole new family of mail worms.

Moreover the real danger of viruses/worms on Microsoft platforms created the whole range of unproductive and even stupid behaviors. For example many organizations religiously update signatures of  F-prot, McAfee , Symantec or other scanner, despite using the version of AV software that is more than a year old. They just do not understand  that a typical AV scanner without each year updates is pretty much useless and new threats are not covered by an older versions no matter what signatures are used. 

In many cases the money spent on AV defense should better be spend on improving patching level of installing new versions of  Microsoft software or OSes. For example most users do not understand that Office 2000 is to a large extent is immune to old macro viruses and new macro viruses do not stand a chance due to increased awareness and existence (although far from being perfect, but still useful) heuristic scanners.

I would not like to go so far that to claim that all virus scanners are essentially useless. That's not true even if we (incorrectly) assume that even the best of them systematically let new viruses go undetected in each major epidemics, until it's too late.

What I would like to stress is that AV scanners are not the only solution. They should be supplemented with other tools. Right now it should integrity checkers and System Management Tools.

Moreover AV scanners in the "on the fly mode" often produce too much helpdesk tickets and often create more problems than they solve due to bugs and tricky interactions with other software.

If you add this to the fact that in large enterprise environment scanners are often so out of date that they are practically useless, one can agree that they belongs to the category of tools that introduce more problems than they solve.

You need to be more flexible and try to combine them with other approaches, that might be more effective and generic that signature based scanning.

For example, for home users using Netscape Messenger instead of Outlook is often the most efficient way to fight the latest Outlook based worms. Netscape Messenger is a pretty adequate mail client that is not much worse than Outlook functionality (and it provide simple text based database of messages that is much easier to recover then proprietary Outlook format).

The other question arise: where exactly do you need to deploy anti-virus solutions? On the client, on the server, or on the proxy?

The anti-virus industry marketing slogan is "no price is too high for anti-virus security" and they would like to sell you all three solutions. But what if the last two of them are completely unnecessary? Why pay to snake oil salesmen who speculate on the fear and very primitive level of understanding of computer viruses by IS professionals? As most viruses are entering the computer via mail stream it is often better to implement a simple proxy that blocks all attachments with executable extensions then to deploy the wonder of software engineering like Symantec (which periodically screw Norton Antivirus and Norton Utilities to the extent that is really dangerous to have them on  the desktop) or, God forbid,  F-secure desktop antivirus.

Blocking executable extensions in attachment is very simple and efficient proxy-based measure that should be considered before everything else. It considerably diminishes (but not completely eliminates, see miMail worm) the danger of  mail worms/viruses for the desktop.  If somebody propose you to installs AV software before implementing this measure he/she is either simply ignorant or somewhat connected to AV vendors or both ;-)  There is no productive use of attachment with executable extensions in the current Internet-connected environment. Even most ignorant users are now able to unpack archives.

As for the desktop, scheduled for lunch runs of  some simple virus scanner (or integrity checker) might still be an alternative to on the fly scanning on the desktop (current worms usually do not hide itself and even Unix find command can serve as a virus scanner for most of them). 

The same is even more true for the server. It's very dangerous to install AV software on the server and if it is used in the on the fly scanning mode then performance goes down the tubes.

While in some cases there might be a reason (or let's say tradition) to install a resident ("on the fly") scanner of the desktop, on the server it is definitely just waist of money and an invitation to problems.

Some people goes as far as to install them on Netware servers, thinking that scanning of all files will prevent infected files getting to desktops. Usually if NetWare file server spread the viruses than it is definitely misconfigured. In old days the most common example is that login.exe is writable to the user and became infected, see also Best samples of virus hype). Now the main reason is that sharing of files is usually too lax.

For client-based scanner the situation is such that the number of ticket that scanners produce in the environment with say o at least 10K desktops probably far outweigh the damage from the viruses. 

Let's discuss MS VBA-based macro viruses -- which were the most relevant in the corporate in 1996-2000. For simplicity let's assume that we work in MS Word environment (VBA is available for Excel and other programs as well, so threat is more generic). For MS Word what you really need is to know is if document is in native MS Word format and if yes what macros are present. Then you need integrity checker for these macros. That's it. And it should be free option programmed by this sackers from M$ at no cost. But what this suckers present to unsuspecting users. a crappy warning screen that looks like a marking for AV industry and contain almost no useful information. A palliative (but nevertheless helpful) solution is to use RTF instead on native MS Word format whenever possible (see AV_Secrets/doc2rtf). It has its own problems but at least to check if the document is in RTF format can be performed very easy and blazingly fast.

IMHO big corporation and government are often really ripped off by AV vendors -- I just forgot how much US Department of Defense paid McAfee for its AV solution in 2000 or so (15 millions bucks ???). Here again power breeds contempt and until recently Microsoft did not respect users enough to bother about this "minor" problem.

A decade ago boot viruses were a problem. Mostly it were primitive viruses like Form. Again here the best defense was not to install a commercial AV program, but to modify BIOS to check integrity of a boot sector and/or block loading from the floppies that are not write-protected (easy to implement for flash BIOSes). The last simple measure can save from 90% of boot virus attacks. IMHO millions of dollars spend on AV-protection from boot viruses were mostly wasted and should be considered as an additional component of the cost of ownership of Microsoft platform.

I would like to stress it again and again that in the absence of AV API on the fly virus protection usually negatively affect not only performance, but the stability of the system as well.

Although file viruses are now almost extinct, in the past they were the most sophisticated malware. But even for old polymorphic file viruses situation with scanners is not that simple and integrity checkers were often a better solution. 

While scanners are useful for finding old file viruses (probably the only type of viruses for which scanners are really useful) and finding Trojan programs (Back Orifice, etc.), even with network updates the substantial portion of PCs still have outdated signatures and outdated engines (BTW the AV products that can update scanning engine (Trend Micro) are superior to those that cannot).

The cost of  distribution of AV signatures in a large organization adds probably half to the total AV protection costs. And short cycles of deployment and emergency upgrades, of course, cost money and sometimes a lot of money.

The popularity of "on the fly" scanners for personal users can IMHO partially be explained by existence of "warm human being not particularly familiar with computer" and millions of dollars that I paid for them should be counted as a part of the cost of MS OSes. IMHO it adds to the cost of Windows ($200 in many countries, with upgrade like $80 ) at least another hundred bucks -- making it closer to $300 and often making OS 10% to 20% slower.

Moreover scanners are overused -- now they usually scan a large percentage of executable -- and many non-executables (just in case scanning of .rtf files, etc).  For example, in most corporation they are configured to scan files with extension RTF, as Microsoft Word detect the type of the file irrigating of the extension and a file with the extension .rtf can contain regular MS Word document with virus macros ;-). This is another Microsoft "virus-friendly" solution that keeps AV industry afloat :-).  It might be better periodically scan the files and detect and rename all files that have extensions that does not correspond to their type.

But Microsoft position on this matters was clear and simple -- why bother? With no choices in selection of OS due to bundling it with PCs the user will pay money anyway, and it's not a bad idea to create a new multimillion industry from own bugs :-). To certain extent it proves historical importance of Microsoft.  At the same time Microsoft already have perfectly suitable technique to ease this problem at least for its own software (which is dominant in a corporate environment, anyway) -- signing of executables like Active-X controls would be an excellent solution to the problem. But so far Microsoft prefers to be a passive observer.

And final observation. Any AV system does not operate in vacuum. As in every other software engineering task the quality of personnel is of paramount importance. If personnel is "under qualified" or engaged in "IS turf wars" than no matter how expensive protection is it will not help much. The same applies to computer security consultants. There is no substitute for expertise in computer security. Often that is not the case with security consultants (see misinformed) and the chances that organization will fall victim to such "professionals" in the absence of strong  local  IS personnel is quite high.

Some Open Source Alternatives

With the software distribution in place it is often better to use simpler and more flexible program that distributed by commercial vendors. Using scripting language to implement scanner that detects and delete a particular network worm is a matter of minutes (all you need is the exact understanding of locations and names of the files and registry keys that the work uses).

Flexibility of open source permit almost instant reaction to new threats. 

The first level of protection is email server. For Sendmail that is probably the most popular MTA there are several variants:

Qmail has its own Qmail virus scanner

It is also possible to implement a SMTP proxy in front of SMTP server. See for example MessageWall. It offers filtering via header and body checks, DNS-based blacklists for IP addresses (DNSBL) and domains (RHSBL), DNS-based distributed checksumming (DNS DCC) similar to Vipul's Razor, and Open AntiVirus pattern scanning. Unlike many existing ISP-level filtering solutions, it offers customization of filtering features on a per-address basis. Unlike SpamAssassin, it communicates via SMTP, so it works with any MTA. It also supports scoring based on rules with a rejection threshold; this allows hybrid warning/rejection configurations based on how many and which rules a message matches. 

For home computers POP3 Virus Scanner Proxy  makes sense instead of "on the fly" scanning. Brave people who know Perl well can also try to use Perl-based SMTP daemon like perl-esmtpd

For ftp downloads Viralator can protect your network from viruses by enhancing squid proxy server with a virus scanner. Before a user can download a file, the proxy passes the file to the Viralator script which, in turn, uses a virus scanner to scan, disinfect, or delete the download.

For individual viruses I would recommend to use Perl File::Scan  module that allows users to make virus scanners which can detect  typical worms and viruses. It include a virus scanner and signatures database.

Why Code Signing is Important AV Measure

With all its flaws Microsoft platform is the most popular platform in existence (flaws are logical continuation of strong points ;-). that means that it is reasonable to find a solution that is less radical that the outright switch to the other platform. My proposal is to use Java  and ActiveX code sighing solutions. It looks very promising indeed. Code sighing was introduced as a response to a challenge of electronically distributed programs, but it is equally important for virus/worm protection. There are several viable implementations:

Unlike the encryption technologies there is no export control for signed executables.  


Created October 7, 1997. Last modified: December 05, 2011