Part 1
1.1 Weaknesses of antivirus software
Many security professionals agree that the current approach of defending against
malicious software with signatures is not good enough, but it is the best solution
we have right now.
Here is a brief summary of the main shortcomings of signature-based antivirus
software:
1. Reactive approach.
Your antivirus is only as good as its definition files. If you have not updated
them, the antivirus program will not be able to detect new malware. The cases
that are hardest for antivirus software to detect are:
- new or modified malicious code
- rootkit programs
- software misuse, as you will see in Part 2 of this book.
2. Inability to protect itself.
With sufficient system permissions, malware can change the antivirus program's
settings and configuration.
3. Inability to revert the results of the malware infection process.
Too often, the "installation process" of malware includes copying files,
changing the registry and system configuration files, and changing the
configuration of other software. Some of these changes remain in the infected
system even after an antivirus program deletes or disinfects the malware files.
For almost every severe virus/worm, antivirus vendors issue a "Removal Tool". In
my opinion, the existence of such "Removal Tools" means that antivirus vendors
are saying to their customers: "our antivirus isn't good enough to clean your
system – please use this tool". I see those "Removal Tools" as a "functionality
patch" that closes many functionality shortcomings in the antivirus program.
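To make the "reactive approach" point concrete, here is a constructed toy scanner, added to this section and not code from the book or from any antivirus product. It holds one whole-file hash signature and one byte-pattern signature for a harmless stand-in sample, then scans two trivially modified variants of that sample. The sample bytes, the pattern format and names such as Trojan.Constructed.A are assumptions made for the illustration.

```python
"""Toy signature scanner showing why signature-based detection is reactive.

Constructed example added to this section; it is not code from the book or
from any antivirus product. The "malware" is a harmless byte string built
inline, and the signature formats are simplified stand-ins for real
definition files."""
import hashlib
import re

# Constructed stand-in for a known malicious binary (not real malware).
KNOWN_SAMPLE = (
    b"MZ\x90\x00"                                     # fake executable header
    + b"EVILPAYLOAD:connect c2.example.invalid:4444"  # the part an analyst would fingerprint
    + b"\x00" * 16                                    # padding
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Definition file 1: whole-file hash signatures. Exact, but brittle.
HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "Trojan.Constructed.A"}

# Definition file 2: byte-pattern signatures with a wildcard for the host part,
# similar in spirit to the fixed-bytes-plus-wildcards patterns AV engines use.
PATTERN_SIGNATURES = {
    re.compile(rb"EVILPAYLOAD:connect .{1,64}?:\d{2,5}", re.DOTALL): "Trojan.Constructed.A (pattern)",
}


def scan(data: bytes, hash_sigs=HASH_SIGNATURES, pattern_sigs=PATTERN_SIGNATURES) -> list:
    """Return the names of every signature that matches `data`."""
    hits = []
    name = hash_sigs.get(sha256_hex(data))
    if name:
        hits.append(name)
    for pattern, pattern_name in pattern_sigs.items():
        if pattern.search(data):
            hits.append(pattern_name)
    return hits


def add_hash_signature(hash_sigs: dict, sample: bytes, name: str) -> dict:
    """The vendor's "definition update": a copy of the database with `sample` added."""
    updated = dict(hash_sigs)
    updated[sha256_hex(sample)] = name
    return updated


def variant_padding_changed() -> bytes:
    """Variant 1: the attacker flips one padding byte. Same behaviour, new hash."""
    return KNOWN_SAMPLE[:-1] + b"\x01"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def variant_obfuscated() -> bytes:
    """Variant 2: the payload string is stored XOR-encoded (a real sample would
    decode it at run time). Neither the hash nor the byte pattern matches."""
    return b"MZ\x90\x00" + xor_bytes(b"EVILPAYLOAD:connect c2.example.invalid:4444", 0x5A) + b"\x00" * 16


if __name__ == "__main__":
    for label, sample in [("known sample", KNOWN_SAMPLE),
                          ("padding changed", variant_padding_changed()),
                          ("xor-obfuscated", variant_obfuscated())]:
        print(f"{label:16s} -> {scan(sample) or 'NOT DETECTED'}")
    # Only after the vendor has seen the variant does it become detectable.
    updated = add_hash_signature(HASH_SIGNATURES, variant_obfuscated(), "Trojan.Constructed.B")
    print(f"{'after update':16s} -> {scan(variant_obfuscated(), hash_sigs=updated)}")
```

A one-byte change in the padding defeats the hash signature but not the byte pattern; encoding the payload defeats both, and the variant is detected only once the vendor has seen it and shipped an updated definition. That lag is the reactive gap described in item 1 above.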
1.2 Malware structure
Today's malware has a number of basic structures and functionalities. From a
macro point of view, it can be represented as follows:
PROPAGATE > infection > PROPAGATE
This is a simple and general representation of current malware. The capital
letters of the "PROPAGATE" functionality mean that the malware is mainly