Is an AT Really Needed?

Discussion in 'other anti-trojan software' started by JerryM, Mar 10, 2006.

Thread Status:
Not open for further replies.
  1. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Yeah...you may need to turn off 10 of your 50 "security" programs to read my post. When you do read it...feel free to comment :D
     
  2. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I run one security program: NOD32. (Of course, I disabled its sarcasm filter to read the latest bit of sarcasm.)
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    Let's keep the discussion focused on the topic.

    Blue
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    One point raised in this thread has been that AVs and ATs take slightly different approaches to malware detection with AVs focusing on file scanning and ATs on memory scans.

    File scanning has the advantage of being able to catch malware before it can execute and cause any damage. The downsides are that malware can (and often does) use encryption and/or compression to change its signature (Kaspersky apparently includes over 200 unpacking engines to counter this) and that checking files tends to consume more resources.

    Memory scanning has a better chance of detecting compressed/encrypted malware since they all have to decompress/decrypt at some point before running. Scanning a program in memory should also be much faster than doing a similar scan on its files on a (relatively) slow hard disk. The key downside is that malware is given a chance to run, so the scanner has to be able to recognise and terminate it before it has a chance to do real damage. This is also the reason why properly testing ATs is far harder - you can't just run a scanner over a folder containing all your malware samples, you have to run each item and then restore your PC afterwards to ensure that it is clean. It is also theoretically possible for a sophisticated malware coder to produce a program that only partially decrypts/decompresses sections as it runs, which may be able to hide its signature from memory scanners.

    The proactive defense/behaviour blocking/HIPS (grief, I hate that acronym) approach does not rely on signatures and (normally) imposes little overhead on a system. However, it relies totally on the user to distinguish between legitimate program activity and malware, so it can only be effective in the hands of the technically skilled.

    So is an AT needed? That depends on what your habits are and your technical expertise. New users that do not download files from dangerous sources (Usenet, P2P, IRC, etc) are unlikely to encounter anything not picked up by a mainstream AV - experienced users would find proactive defense more effective. ATs would then seem best served for the middle ground of those who like to live a little dangerously while not wishing to have to deal with the intricacies of Windows itself in terms of monitoring program behaviour.
     
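Editor's added example (not part of Paranoid2000's post or anyone's product): a toy model of the file-scan versus memory-scan trade-off the post describes. The "malware", its byte signature, the single-byte XOR "packer" and the scanner are all constructed for illustration; a real packer would also compress, and a real engine would carry many signatures and unpackers, but the mechanics are the same. The last function models the caveat at the end of the post, a program that only ever decrypts a small window of itself at a time.

```python
"""
Toy model of file scanning vs memory scanning against a packed sample.
Constructed example: no real malware, no real AV engine, no real packer.
"""

# Hypothetical byte signature an AV would carry for this sample (constructed).
SIGNATURE = b"EVIL_MARKER_1234"

# Constructed "malware" body: filler, a bit of fake code, the signature, more filler.
# The signature starts at offset 64 and is 16 bytes long.
PAYLOAD = (b"\x90" * 40 + b"push ebp; mov ebp, esp; " + SIGNATURE
           + b"; call payload" + b"\xcc" * 40)

KEY = 0x5A  # toy XOR key used by the "packer"


def signature_scan(buf: bytes, sig: bytes = SIGNATURE) -> bool:
    """Signature match: is the pattern present as contiguous bytes?"""
    return sig in buf


def pack(payload: bytes, key: int = KEY) -> bytes:
    """Stand-in for a packer's encryption layer. The on-disk image no longer
    contains a single byte of the original signature."""
    return bytes(b ^ key for b in payload)


def unpack(image: bytes, key: int = KEY) -> bytes:
    """What the packed program's stub does at run time before jumping to its code."""
    return pack(image, key)  # XOR is its own inverse


def scan_file_on_disk(on_disk: bytes) -> bool:
    """File scanning of the stored bytes: the packed sample is a miss unless the
    scanner has an unpacking engine for this particular packer."""
    return signature_scan(on_disk)


def scan_file_with_unpacker(on_disk: bytes) -> bool:
    """File scanning with a matching unpacking engine (the '200 unpackers' point)."""
    return signature_scan(unpack(on_disk))


def scan_memory_after_full_unpack(on_disk: bytes) -> bool:
    """Memory scanning: the program has to unpack itself before it can run, so a
    snapshot taken after the stub has run shows the plaintext signature."""
    image = unpack(on_disk)  # the unpacking stub has 'executed'
    return signature_scan(image)


def scan_memory_against_partial_decryptor(on_disk: bytes, window: int) -> bool:
    """The caveat from the post: a program that keeps its body encrypted in memory
    and decrypts only a `window`-byte slice at a time, re-encrypting it afterwards.
    We snapshot memory after every decryption step. If `window` is smaller than the
    signature, no snapshot ever holds the whole signature contiguously."""
    image = bytearray(on_disk)  # starts fully encrypted in memory
    for start in range(0, len(image), window):
        end = min(start + window, len(image))
        for i in range(start, end):      # decrypt the slice about to execute...
            image[i] ^= KEY
        if signature_scan(bytes(image)):  # ...scanner takes a snapshot here...
            return True
        for i in range(start, end):      # ...slice re-encrypted once it has run
            image[i] ^= KEY
    return False


if __name__ == "__main__":
    on_disk = pack(PAYLOAD)
    print("file scan, packed sample:        ", scan_file_on_disk(on_disk))
    print("file scan + unpacking engine:    ", scan_file_with_unpacker(on_disk))
    print("memory scan after full unpack:   ", scan_memory_after_full_unpack(on_disk))
    print("memory scan vs 8-byte decryptor: ", scan_memory_against_partial_decryptor(on_disk, 8))
    print("memory scan vs 64-byte decryptor:", scan_memory_against_partial_decryptor(on_disk, 64))
```

Running it shows the shape of the argument: the plain file scan misses, the file scan with the right unpacker hits, the memory scan after full unpacking hits, and the 8-byte partial decryptor defeats a naive memory signature scan while the 64-byte one (a window large enough to hold the whole signature at once) does not. A real memory scanner would also look at behaviour and at code that is being executed rather than only at static byte patterns, which is why this model is a caveat and not a verdict.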