PC Security - Scan, Clean and Protect
I’ve been talking with my friends David and Tom about PC security, and we all have different views on the subject, mostly because of our backgrounds and what we do for a living.
The quotes are things they have said, and after each one you’ll get my take on the subject.
So let’s get started!
“PC Security” works in one of two ways. If you lack the knowledge to handle it yourself, an all-out, kill-it-all approach is what the security package manufacturers have decided you need. Never mind what it breaks while “protecting” your computer.
The other path is to have software that can do almost anything, but that passes the burden of deciding what to do, and when, onto the user. And most people don’t have a clue what the questions they are asked are about.
| Quote: |
| searching for virtually non-existent threats? |
Eh, I would hardly call it non-existent (see next quote).
| Quote: |
| Times evolve, threats evolve, sources of threats change. I just don’t agree with taking an approach that keeps piling on more and more stuff to deal with new threats and sources, and never removing the older stuff that’s obsolete. |
I completely agree with the evolution part. But I don’t think there’s much to remove.
| Quote: |
| Originally, viruses were little DOS programs that used common system calls to insert themselves onto the Interrupt Service Vectors that serviced disk reads and writes. They’d install themselves as “TSRs” and just create havoc with the hard drive. I don’t believe that Windows 2000, XP, or Vista will even allow ANY programs to access the Interrupt Service Vectors, let alone install themselves as TSRs. Windows does everything using DLLs now. TSRs went out after Windows NT was released. |
TSR (“Terminate and Stay Resident”) programs were ordinary software that used a special interrupt to load and then, in a sense, stop showing the user that they were loaded, while still running.
Viruses used TSR techniques back in the DOS days, but far from all viruses did. The most important reason for using them was that a PC ran only one program at a time: unless you somehow fooled people into believing they were running a program while actually running a virus, the only way to stay in the loop was to intercept interrupts.
With an event-driven operating system with built-in message queues there is no reason to fiddle with interrupts anymore, and as far as TSRs go, anyone can create the GUI version of a TSR quickly and easily, since almost any program running in a multitasking, event-driven operating system can be used in the same way as the old DOS TSRs.
The best-known “TSRs” in the Windows world can be found among the services (which start automatically and run in memory without the user doing anything) and other kinds of software, such as anything minimized to the taskbar or simply running without any icon.
Hiding processes and services under the radar by running them under svchost is another often-used method of keeping software “hidden” or “secret”.
| Quote: |
| So why run security software that sifts through apps looking for signatures of viruses that are designed to run as TSRs? Every disk read and write gets inspected! That’s my beef. Over 80% of the threats most “security software” is looking for are obsolete. |
I think it would be a logistical nightmare to have signature files containing only exactly the possible “infectant signatures” for every version of Windows. Technically it could be done, of course, but with people running everything from Windows 95 and up there would be a lot more to keep updated compared to having all signatures in one file.
But to be honest, I’ve never seen exactly what is in a signature file, so I can’t really say how many of the signatures are unique to obsolete code.
Inspecting every disk read and write seems reasonable to me, as part of a signature can be certain ways of doing disk reads or writes. Especially now, as signature-based virus (or threat) analysis is losing ground and heuristic analysis is gaining strongly.
Signature-based threat analysis is still the fastest way, but in many cases it is very insecure against any modern virus (and the whole group of adware, spyware, trojans, badware, backdoors …), as the regeneration time and ease of mutating code have made it possible to change a signature in virtually no time at all.
As code makers get more creative in hiding their code and find new ways of using alternative infection paths and bad-code installation methods, like piggybacking on semi-harmless code or simply getting a “harmless” piece of code onto a computer and letting that program in turn download and install the bad code in stages, the ways of finding, stopping and repairing have become equally complex.
Heuristic evaluation with MCA (Multi-Criteria Analysis) and virtual machines where “suspicious code” can be run and tested are now common techniques for combating these problems.
The problem is that more complex threats also increase the complexity of the code that protects you from them, which has a resource impact on the computer where it runs.
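The signature-versus-heuristic trade-off described above, as an added example that is not from the original post: a toy scanner in Python that first looks for an exact byte signature, then scores the same samples with a small multi-criteria heuristic. The sample blobs, the signature, the criteria and their weights are all constructed for illustration; a rebuilt variant of the same stager slips past the signature but still scores high on behaviour.

```python
import re

# Constructed toy samples (not real malware): byte blobs carrying the kind of
# features the post describes, a "harmless" first stage that fetches stage two.
def toy_stage1(url: bytes) -> bytes:
    """Build a constructed first-stage blob around the given download URL."""
    return (b"MZ" + b"\x00" * 6 + b"URLDownloadToFileA\x00" + url + b"\x00"
            + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            + b"C:\\WINDOWS\\system32\\wupd.exe\x00")

STAGE1_BUILD_A = toy_stage1(b"http://stage2.example.invalid/update.bin")
# Rebuilt variant: identical behaviour, but the bytes the signature was cut from changed.
STAGE1_BUILD_B = toy_stage1(b"http://cdn.example.invalid/img.gif")
CLEAN_FILE = b"MZ" + b"\x00" * 6 + b"Hello, world\x00" + b"README.txt\x00"

# 1. Signature scan: an exact byte pattern cut from a known sample (constructed).
SIGNATURES = {"Toy.Stager.A": b"update.bin\x00Software\\Microsoft"}

def signature_scan(data: bytes):
    """Return the matching signature name, or None when no pattern is present."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

# 2. Multi-criteria heuristic: each behavioural indicator adds a weight, and the
#    verdict comes from the total rather than from one exact byte string.
CRITERIA = [
    ("imports URLDownloadToFile", lambda d: b"URLDownloadToFile" in d, 3),
    ("embeds a download URL", lambda d: re.search(rb"https?://", d) is not None, 2),
    ("references a Run autostart key", lambda d: b"CurrentVersion\\Run" in d, 2),
    ("names a file in system32", lambda d: b"\\system32\\" in d.lower(), 1),
]

def heuristic_score(data: bytes):
    """Return (score, [criteria that fired]) for one sample."""
    fired = [(name, weight) for name, test, weight in CRITERIA if test(data)]
    return sum(w for _, w in fired), [name for name, _ in fired]

def verdict(data: bytes, threshold: int = 5):
    """A signature hit is definitive; otherwise the heuristic score decides."""
    sig = signature_scan(data)
    if sig:
        return "malicious", f"signature {sig}"
    score, hits = heuristic_score(data)
    if score >= threshold:
        return "suspicious", f"heuristic score {score}: " + ", ".join(hits)
    return "clean", f"heuristic score {score}"
```

The heuristic pass runs every criterion against every sample, which is exactly the extra cost the post is talking about; the threshold is the knob that trades false positives against misses.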
| Quote: |
| Nonetheless, people have been bamboozled into believing it’s necessary to suck up a huge percentage of CPU resources looking for these innocuous “threats”. Meanwhile, they get attacked from something new neither they nor their security software vendor has even heard about yet, and think they got hit by a “virus”. So they renew their subscriptions and update all of their anti-virus databases… to what avail? |
I fully agree that the “security” industry is trying to push multi-mega-super-security packages onto every computer they can find. More of their code = more profit and fewer competitors with software installed.
And so far I think none of the big packages are usable. They all have massive amounts of crap bundled just to “give value for money”, and the only thing they accomplish is to mess up computers.
And simple is always better than complex when it comes to security. The more pieces and configuration options there are, the less likely it is to work as promised.
| Quote: |
| Is there a reason to upgrade your computer to a 3GHz machine with 2GB of RAM if the newest OS plus newest security software chew up half of that RAM and half of the CPU bandwidth, leaving you with a “brand new” 1.5 GHz machine with <1GB of usable RAM? Errr... why did you upgrade again? |
That’s why I use AVG for antivirus and not Symantec or Panda, for example. I can actually use my computer and still have AVG running!
Security Software
Software created to help you with your security, such as antivirus software, spyware removers, system cleaners, trojan killers, anti-spam solutions and the like, is a must today. No one should use a Windows computer without at least a firewall and an antivirus program.
I’ll be posting more thoughts and details about this subject soon.
There. Some thoughts of my own, and ultimately I think what I said boils down to more or less the same as what David thinks about security software; I just took another way to get there!
Kenth