Security software has long been considered a requirement for the Windows environment, whether in the enterprise or at home. Malware cannot only put sensitive information at risk, but can be an expensive nuisance, wasting precious time and bandwidth.
Security vendors claim to protect us against these threats — from a marketing perspective, their products are silver bullets: they'll stop malware in its tracks. When you look at how they perform in the real-world, though, the situation is quite different.
How antivirus software protects you
Antivirus software uses a mixture of signatures and heuristics to detect malware.
Signatures are identifiers that are written specifically for one piece of malware. They could be as simple as locating a fixed string within a binary, or as complex as fingerprinting many different sections of a file and examining the relationship between them. They have a low false positive rate if the signatures are well written, but they need to be manually written for each virus and they can often be bypassed by minor changes to the malware.
Heuristics are algorithms that attempt to understand what a program will do to figure out if that behaviour will be malicious. They do not need to be manually written for each threat, which means that they can potentially block an unknown piece of malware. Since the heuristics are never perfect, though, they generally have a higher false positive rate than signatures.
To find new malware the antivirus companies either maintain their own research teams, or purchase research from other companies. Many antivirus companies also run "honeypots", which are systems configured in a purposely insecure fashion, and heavily monitored for signs of compromise. The antivirus companies will examine any attempts to break in and write signatures accordingly.
The Race to Zero competition at last year's DEFCON Hacker Conference pitted contestants against a large variety of antivirus products. The winner was the first team that was successfully able to modify supplied malware samples to bypass every antivirus product tested. It took a matter of hours for the winning teams to bypass all antivirus suites for all malware samples.
The current threat landscape
Nowadays much malware is polymorphic, modifying its internal code to automatically carry out its own race to zero, resulting in billions of possible permutations in order to evade detection. Effectively, this means signature-based protection no longer has the same impact it once did, as it simply can't keep up. Other forms of protection used in concert, from heuristics, to whitelisting, to Symantec's new Qourom and Insight technology have become more important; but none are perfect.
It's not only the malware that evolves — the motivations for creating it have changed too. Whereas once upon a time malware was created for notoriety alone, the major impetus today is money. Organised crime funds the efforts of malware authors to find new and inventive ways of getting into your system.
In short: no solution will protect against everything. While installing desktop security software will increase the baseline security of your system, you'll still need to keep your software patched, design your network with security in mind, implement hardware firewalls, and generally follow good security practice.
Common types of malware
There are a few common classes of malware that we'll define for our purposes here, based on how they compromise a system:
Viruses: viruses replicate themselves, usually by infecting files, such as office documents or PDFs. This term is also sometimes used to refer to all malware.
Trojans: trojans are viruses that are sent to the user and require the user to run them. The user may think that the virus is a crucial document that needs reading or a birthday message from a friend or even an illegal crack for software. The file may even open as normal, but in the background a program is run to take control of the system or steal information. Trojans are most commonly associated with email, though they can also be loaded on a website, a USB key, a CD-ROM (using the autostart feature) or even an iPod or camera. Our CANVAS and Metasploit tests used in this article could be classed as trojans.
Worms: these are the big ones that make systems administrators sweat. Worms will run an exploit (or several) against widely used software in order to gain access to a system. Once in, it will continue this process in an attempt to compromise more systems. The Slammer and Blaster worms had a huge impact on the internet, and recently the Conficker worm has been causing enormous issues.
Enterprise editions of antivirus suites all come with a similar set of features. They generally contain the antivirus component, a firewall/packet filter, web and email scanning capabilities. They also all have a management console you can install on a separate server which will allow for easy administration of all of your antivirus suites, and will use both signatures and heuristics when attempting to detect viruses. Our examination is an attempt to separate the leaders from the followers.