Now, we’ve all heard about detection, prevention, cleaning, behaviour blockers, firewalls, Antivirus, Anti Malware, Anti Spyware, Anti Trojan, Anti Rootkit, Adware, HIPS, Internet security suites, detection tests, antivirus tests, penetration tests… it can be confusing, right? ;)… What is what, and more importantly, what do I need as a consumer?
I will try to explain what’s involved in desktop security products and hopefully arm you with enough knowledge about what to expect from them, in an interview-like style. Hope you like it.
First of all: What the hell is a virus, spyware, trojan, rootkit etc.?
Well, you know when you click on an application to run it… well, it’s just that. Malware (the general name used for all the bad stuff like viruses, spyware, trojans, rootkits and so on) is an application: a program made of a bunch of code that a programmer puts together. Just bunches of code that you send to your CPU (Central Processing Unit) for execution. For example, you send code (an instruction) to your CPU to turn a specific pixel on your monitor a specific colour, or when you press a key you tell your CPU to go ahead and display the key pressed on the monitor. Malware sends instructions to your CPU to do nasty stuff. That’s the only difference between a good application and malware.
Now that we get what malware is… which security product do I need? What is Anti Virus? Why do I need a firewall? And a million other questions in my head as the consumer.
Let’s get to the basics… security products can be classified into 3 areas:
1) Prevention: it prevents stuff from coming into your computer in the first place.
2) Detection: it detects when stuff enters your computer (but only if it recognises the nasties).
3) Cleaning: you are toast, cos you are infected, so you need a decent product to clean up the mess.
(By the way, you can read more about these 3 areas, Prevention, Detection and Cleaning (cure), in this blog.)
So let’s start by talking about AVs (Anti Virus).
A good analogy for Anti Virus would be a policeman who has a photofit of a murderer and is trying to find/detect that criminal amongst the people/files. So is Anti Virus 1, 2 or 3?
Wow… good job… you guessed right, it’s 2! It can’t stop someone becoming a criminal, but it can detect them. So an Anti Virus product could never prevent a new virus it doesn’t know about from infecting your machine, just like a policeman can’t arrest a future murderer cos they haven’t committed the crime yet. Anti Virus products were invented in the late 1980’s as “Cleaning” products. In those days infections spread at the speed at which you could exchange a floppy disk with your friends. But nowadays the number of malware samples is increasing drastically and the speed at which infections occur is increasing, thanks to the internet. So can your Anti Virus company give you a guarantee that you will not be infected, when they can’t possibly know the next virus? Of course not. That’s why using a detection-only mechanism as your sole protection will leave you as secure as a little lamb in the African desert surrounded by hungry lions! So today’s Anti Virus products are a reactive technology; that’s why people still get infected even though they have Anti Virus products installed… and they scratch their heads, puzzled as to why they got infected! 🙂
What is Anti Spyware then?
Same as above… there are a few different nasties and they have been classified as virus, spyware, adware, rootkit etc. At the end of the day they are all bad code written by bad people. And when you put “Anti” in front of the specific threat, it becomes the product that is used to clean or detect these baddies.
OK, what is Anti Rootkit then?
Same as above… products that are used for detecting baddies. At the end of the day they are all baddies, just with different names cos the way they operate is slightly different. They are all instructions sent to your CPU to do nasty stuff, from deleting files, to stealing your confidential information, to stealing your CPU power and internet connection. Same goes for Anti Trojan, anti this and anti that… same stuff.
What is a firewall then?
A firewall has 2 tasks really. One is to stop people getting access to your PC from the internet; it’s like your internet door (but don’t be fooled, cos every time you browse some website you are opening this internet door to that website; just having a firewall doesn’t mean you are secure). The other task is detecting if anyone is making a call home from your PC. Go to your local clothes shop and try to steal something… the alarm you will hear as you try to get out of the door, while 2 big guys are running towards you, is because the garment is tagged, so anything leaving the premises will raise the alarm. Well, that’s a firewall for your computer. It will sound the alarm bells if someone is trying to make a connection from your computer to the outside world. (Btw, I hope you didn’t go and steal clothes… the resale value is not there… try electronic goods.) (Just joking…) So a firewall falls into both the Prevention and Detection categories.
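The two firewall jobs described above, as an added example that is not part of the original post: a toy rule evaluator that shuts the "internet door" to unsolicited inbound connections and raises the alarm when a program nobody authorised tries to call home. The program names, addresses and events are all constructed for the demo (the addresses come from the documentation ranges).

```python
"""
Added example (not from the original post): a toy model of the two
firewall jobs the post describes. Every event below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    direction: str    # "in" (from the internet) or "out" (from this PC)
    program: str      # the application on this PC that owns the connection
    remote: str       # the other end, e.g. "203.0.113.10:443" (documentation range)
    solicited: bool   # for "in": is this the reply to a connection we opened?


# Programs the user has already said may talk to the outside world (constructed).
ALLOWED_OUT = {"browser.exe", "mailclient.exe"}


def firewall_decision(conn: Connection) -> str:
    """Return 'allow', 'block' or 'alert' for one connection attempt."""
    if conn.direction == "in":
        # Prevention: the internet door stays shut unless we opened it ourselves
        # (e.g. the web page you asked for coming back to your browser).
        return "allow" if conn.solicited else "block"
    if conn.program in ALLOWED_OUT:
        return "allow"
    # Detection: the tagged-garment alarm, something unknown is leaving the premises.
    return "alert"


def triage(events):
    """Run every event through the firewall and pair it with its verdict."""
    return [(c.program, c.remote, firewall_decision(c)) for c in events]


# Constructed sample traffic.
EVENTS = [
    Connection("in", "browser.exe", "203.0.113.10:443", solicited=True),    # page you asked for
    Connection("in", "-", "198.51.100.7:445", solicited=False),              # someone knocking
    Connection("out", "browser.exe", "203.0.113.10:443", solicited=False),   # you browsing
    Connection("out", "updater_totally_legit.exe", "192.0.2.99:8080", solicited=False),  # call home
]

if __name__ == "__main__":
    for program, remote, verdict in triage(EVENTS):
        print(f"{verdict:5} {program:28} {remote}")
```

Note the first event: the reply from a website you chose to visit is allowed through, which is exactly the post's warning that opening the door yourself is not something the firewall will stop you doing.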
So what can clean my computer if I get infected?
Now that’s an important question… Cleaning an infection is not as simple as deleting a file on your hard disk. Some of these nasties hide themselves well and bring themselves back to life at every start-up of the operating system, even after your Anti Virus deletes them. Depending on what kind of nasty has infected you, the choice of cleaner (Anti Virus) product could be determined. The only sure way is to reformat your computer 🙁 It sucks… I know… but imagine this: if you are an Anti Virus product, “you don’t know what you don’t know”, which means you can only clean what you know of. But how do you know there aren’t other baddies in your computer that your Anti Virus doesn’t know of? 🙁 Don’t get me wrong, in a good number of cases you only have an infection that an Anti Virus can clean, but being sure that you are not infected… is priceless!
So how do I prevent these nasties coming into my computer in the first place?
Well, you have to know how they get in and pull the rug out from under them!
They get in by utilising the latest vulnerabilities in your system, so it’s important for you to keep your system up to date… but I guess you’ve heard that before! One of the nastiest ways is the silent infection called BO… and no, it’s not Bad Odour, even though when that happens it does leave a bad taste… it’s a Buffer Overflow attack. It’s as simple as you going to a web site and getting infected… yup… as simple as that.
So what does infection mean again, please?
Remember, it’s just a piece of code that sends your CPU instructions to get your CPU to do nasty stuff like giving out confidential information etc.
Oh yeah… I remember…
So how do I stop these coming into my computer in the first place?
Excellent question! (By the way, this is THE MOST IMPORTANT STEP in your security strategy: stop them from coming into your computer in the first place.)
There is a new breed of security products called HIPS (Host Intrusion Prevention Systems). These products will not let any application/executable (the piece of code that we talked about before) run unless it is authorised.
Well, that sounds good, doesn’t it?
Yes it does! I use one of these (Comodo Internet Security).
These products literally block any code/instruction going into the CPU unless it is authorised. It’s like a doorman at the night club saying: Sorry, your name is not on the list, you are not coming in. It denies access to the CPU to any unknown and unauthorised piece of code (application). So why isn’t everyone using these?
The only potential issue is that they can be chatty and ask the user too many questions if they haven’t got a big list of authorised applications. I mean, you don’t want to be disturbed every time you run an application. Luckily, with products like CIS (Comodo Internet Security) the number of times you need to get involved to answer a question is minimised.
You see, the bottom line is: if you have a clean PC you should prevent any malware coming onto your system, cos you want to keep it clean. For that you need to use Prevention based products.
If you have an infected computer then you need to use a Cleaning product. An Anti Virus is, in the main, a cleaning product. So you need an Anti Virus product to detect and hopefully clean the infection. Some people use Anti Virus only to protect themselves. Yep, you guessed right, they are the perfect guinea pigs for virus authors! I mean, come on… what do you think virus authors do when they create their viruses? Of course they check to see if any of the major Anti Virus products detect it or not! Only when they have tested it against them and are sure that it is not detected do they go ahead and release their creation to this guinea pig population of people who think they are secure cos they are using legacy Anti Virus products. Of course there are also other kinds of virus authors who release their viruses even though Anti Virus products detect them right off the bat… They are the stupid ones! We like them that way though.
But what about Anti Virus testing? Doesn’t this tell us how good security is?
NO!
What do you mean, no?
It’s a No to your question! What part of the No do you not get?
Let me explain to you how these tests are done. First of all, these tests do not and CANNOT test whether these Anti Virus products will stop new viruses or not. These testers only have limited access to a limited amount of malware. Basically, they put all this malware onto a computer’s hard disk and run the Anti Virus scanners to see if they detect it or not. So it only checks the detection capability of an Anti Virus product, and ONLY for the subset of viruses that the tester has. I mean, what the tester has might have nothing to do with what’s out there, and so on. In reality no Anti Virus vendor has access to 100% of all the malware out there either! No AV company can! Which means they will always be playing catch-up and cannot prevent malware that they don’t know of, or don’t detect, from infecting your computer. Remember, that’s why I said the legacy Anti Virus products that exist today are all reactive in nature, playing catch-up and NOT preventing a virus they don’t know about from entering your computer.
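The three ideas the post has been contrasting, the policeman with a photofit (Anti Virus detection), the doorman with a list (HIPS prevention) and the tester with a limited pile of samples (Anti Virus tests), in one added example that is not part of the original post and not Comodo's code. Every "application" is a constructed byte string standing in for an executable, and its fingerprint is simply a SHA-256 hash of those bytes; real products use far richer signatures than exact hashes, but the point about unknown code is the same.

```python
"""
Added example (not from the original post): a toy model of
  * signature detection (known-bad list)   - the policeman with a photofit
  * default-deny / HIPS (known-good list)  - the doorman at the night club
  * an "antivirus test" scored on a tester's limited sample set
All samples below are constructed; none is real malware.
"""
import hashlib


def fingerprint(code: bytes) -> str:
    """Identity of a piece of code, here just a hash of its bytes."""
    return hashlib.sha256(code).hexdigest()


# Constructed "applications".
NOTEPAD = b"good: show the key you pressed on the monitor"
BROWSER = b"good: render web pages"
OLD_WORM = b"bad: copy myself onto every floppy disk"
OLD_SPYWARE = b"bad: send confidential files home"
NEW_TROJAN = b"bad: written last night, not yet seen by any antivirus lab"
REPACKED_WORM = OLD_WORM + b" (repacked)"   # old baddie, but a new fingerprint

# The vendor's signature list: only what it has already seen (constructed).
AV_SIGNATURES = {fingerprint(OLD_WORM), fingerprint(OLD_SPYWARE)}
# The user's authorised list on a clean PC: only the two good apps (constructed).
AUTHORISED = {fingerprint(NOTEPAD), fingerprint(BROWSER)}


def av_detects(code: bytes) -> bool:
    """Detection: flags known-bad code; anything unknown passes as 'clean'."""
    return fingerprint(code) in AV_SIGNATURES


def hips_allows(code: bytes) -> bool:
    """Prevention: lets known-good code run; anything unknown is refused."""
    return fingerprint(code) in AUTHORISED


def run_with_av_only(code: bytes) -> str:
    """Outcome of double-clicking `code` on a PC protected by detection alone."""
    return "blocked: matched a signature" if av_detects(code) else "ran"


def run_with_hips(code: bytes) -> str:
    """Outcome on a PC where unknown code needs the user's say-so first."""
    return "ran" if hips_allows(code) else "refused: not on the authorised list"


def detection_rate(samples, is_caught) -> float:
    """Share of samples a product catches: this is all a scan test measures."""
    return sum(1 for s in samples if is_caught(s)) / len(samples)


TESTER_SET = [OLD_WORM, OLD_SPYWARE]                               # what the tester has
IN_THE_WILD = [OLD_WORM, OLD_SPYWARE, REPACKED_WORM, NEW_TROJAN]   # what is actually out there

if __name__ == "__main__":
    for name, code in [("notepad", NOTEPAD), ("old worm", OLD_WORM),
                       ("repacked worm", REPACKED_WORM), ("new trojan", NEW_TROJAN)]:
        print(f"{name:14} AV only: {run_with_av_only(code):30} HIPS: {run_with_hips(code)}")
    print("AV score on the tester's set :", detection_rate(TESTER_SET, av_detects))
    print("AV score on what is out there:", detection_rate(IN_THE_WILD, av_detects))
    print("HIPS refusals on the same set:",
          detection_rate(IN_THE_WILD, lambda c: not hips_allows(c)))
```

The scanner scores 100% on the tester's two samples and only 50% on the wider set, because neither the repacked worm nor the brand-new trojan is on its list, while the default-deny list refuses all four. The flip side is the chattiness the post mentions: a freshly installed good program would also be refused until the user adds it to the authorised list.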
So what about email scanning, IM scanning and web scanning? There are products that do these; isn’t that important?
OK, let’s remember what malware was… a piece of instructions designed to do bad stuff. You see, these instructions must come from somewhere to reach the CPU. Now, for a computer these things can only live in 2 places: hard disks or RAM (it could also be USB storage etc., but you get the gist). What you see in email is either on your hard disk or in RAM… what you see on the web is either on your hard disk or in RAM… what you see on your IM is either on your hard disk or in RAM, period. Marketing people will try to make you think that they are stopping bad stuff from coming into your computer before it hits your computer, but that’s misleading. All these emails, web pages, IMs and so on are already on your hard disk or in RAM. As long as you check the hard disk and RAM and use prevention based technology, then you know that those baddies can’t get in and cause damage.
So in summary… a security product can provide you:
Prevention
Detection
Cleaning
and you need to prevent the bad stuff coming into your computer in the first place. For that you need prevention based technologies.
Melih