Quality and issues of protection

If we look at various antivirus solutions according to the criteria presented in the “Selection of antivirus protection” section, we will see that they score very differently. Unfortunately, an adequate level of antivirus protection is not always rendered, let alone guaranteed protection. There are no antivirus solutions that could offer infallible safeguard against all existing malware. The arms race between antivirus vendors and cybercriminals escalates year after year, and most antivirus solutions today fall short of providing reliable protection. This situation in fact can be described as a crisis in the antivirus industry associated with the inability to provide a reliable security level to the users.

Malware detection

This is the main aspect of protection quality. An antivirus solution must be capable of detecting the largest possible number of existing malicious programs – this is what it is designed for. It must be able to detect new modifications of known viruses, worms and Trojans, including those located in packaged files (executable files modified by archive utilities), scan the content of archives and installation packages.

So what problems may arise in front of antivirus programs apart from the usual competition between products? Looks pretty simple – there computer viruses at large, so there are antiviruses to combat them. On the face of it, an antivirus has long become a regular commodity that is no too much different from the competing products, and sells for its attractive design, shrewd advertisement or other non-technical reasons. So, it looks like an antivirus has become a plain commodity or a mass-consumption product like a detergent, toothbrush or a car.

However, an antivirus solution is more that a plain commodity, and the user’s choice may be affected by considerations other than the product’s design, price or aggressive advertisement. The basic criterion is the product’s technical performance, and different products may differ greatly if evaluated according to that criterion. So, the first questions to be posed are which specific IT threats a given product can guard against, and if the provided protection is of adequate quality.

An antivirus must be able to protect the user from all types of malware, and the better it does that job, the more comfortable the user’s life is and the better the system administrator sleeps. Should anybody fail to recognize that theoretical premise, reality will soon confront them with very practical problems, be it their money draining away from their bank accounts, their computer making unsolicited phone calls to unknown numbers, or the outgoing web traffic increasing dramatically without any obvious explanation.

Given the antivirus product X detects 50% of all viruses active in the Internet at a given moment of time, the product Y detects 90%, and the product Z detects 99.9%, it is a trivial problem to calculate the probability of your computer remaining intact after N attacks. If your computer gets attacked 10 times, it will almost certainly get infected in the X case (99.9% probability), more than probably does so in the Y case (65%), and most probably stays safe and sound in the Z case (1% only).

Unfortunately, far from all antivirus products available off the shelf or in the web provide a protection level any near to 100%. In fact, most products fall short of providing 90% security level! This is the major problem that antivirus programs face today.

Problem No. 1. The number and diversity of malware grows steadily year after year. Many antivirus vendors cannot keep up and are losing the virus “arms race”. So, users of their products are not completely protected against all IT threats that exist today. Sadly, far from all products delivered by antivirus companies can be actually called an antivirus.

Regular, frequent updates

An antivirus must be updated regularly: cybercriminals become more active year after year, and new malicious programs appear more and more often in increasing numbers. It is by no means always that antivirus solutions can stop new viruses and Trojans using proactive methods. Therefore, an antivirus must be able to react promptly to new malware.

Some five to ten years ago, one could say that protection should not be demanded against all new viruses and Trojans, as most of them are written by rowdy teenagers to raise their self-esteem or simply to satisfy their itchy curiosity, and never get to infect users’ computers; so, protection should be only provided against those few viruses that make it to the victim computers. However, today this is not the case. As Kaspersky Lab says, more than 75% of malicious software is today created by underground cybercriminals so as to infect a large amount of computers, and new viruses and Trojans arising daily number in the hundreds.

This means that the probability is far greater than zero that you can catch a new “criminal malware” while browsing, and it is quite possible that there are dozens to hundreds to thousands of infected users roaming around the web; however, if the new piece of malware happens to be a worm, the number of casualties may be counted in millions. The Internet is a very fast environment, and the antivirus vendors must release instant updates to address all newly detected viruses and Trojans. This is where the second problem lies.

Problem No.2. These days, malware spreads very fast, compelling antivirus vendors to release protection updates as frequently as possible so as to protect their users from all newly arising computer pests. Sadly, some antivirus vendors may fail to deliver protection fast enough, and the protection updates may reach the user all too late.

Removing malicious code

Let’s assume, however, that a virus still has made it to the victim machine across all barriers and settled down there, while the antivirus supposed to be on guard has failed to notice it creeping by. Or, alternatively, the laidback user or system administrator has not bothered to download the latest update of the antivirus database. The updates reach the computer sooner or later, and then the virus is detected. However, it needs to be carefully removed from the system before we call it a decisive victory. The key word here is “remove accurately”, and this is where yet another problem arises in front of the antivirus program.

Problem No.3. Removing the detected malicious code from the infected system.

Viruses and Trojans often take special action to disguise their presence in the system, or get embedded so deep into the system that it may be not an easy task to root it out. Unfortunately, antivirus programs may be sometimes unable to extract the malicious code smoothly and restore the system’s normal operation.

Performance vs. protection

The next step in this discussion is that any software uses computer resource, and an antivirus is no exception. In order to protect your computer, your antivirus program has to do certain activities, such as open files, read data from them, unpack archives for scanning etc. The more thorough the data scanning, the more CPU resource is used. An iron door is a good analogy: the heavier it is, the better it protects and the more effort it takes to open and close it. So we have to yet another problem: how to balance between complete security and computer performance.

Problem 4. Appropriateness of consuming CPU resource. There is no proper solution to this problem. Practice shows that the fastest antivirus programs provide no good protection and pass malware like a sieve leaks water. However, the opposite is not correct: a slow antivirus does not necessarily provide adequate protection.

Running more than one antivirus program

In order to scan files on the fly and safeguard the computer under care, the antivirus program has to penetrate into the system kernel quite deep. Speaking in technical terms, an antivirus installs interceptors of system events deep within the protected system and pass the intercepted data to the antivirus engine for analysis so as to scan intercepted files, network packets and other critical data.

Unfortunately, you cannot always use two lancets on a single incision. If there are two antivirus programs running on a single computer, they will try to install two interceptors into the same part of the system kernel. This will result in conflicts between the antivirus monitors. One of the two antivirus programs will fail to intercept system events or, alternatively, will attempt to install a parallel interceptor and thus cause the entire system to crash. This is the last but not least problem of antivirus protection.

Problem 5. Two antivirus programs cannot run simultaneously on a single computer. In most cases, it is technically impossible to install two antivirus programs on the same machine so as to give it dual protection – the two simply cannot get along.