Functions of Anti-Virus software. . .

This discussion is concerning a notion initially brought up in another thread, but seeing as how it was somewhat off-topic in that thread, and because it is an important issue with potentially significant implications, I felt it deserved a thread unto itself. That being said, lets move onto the subject matter.

The notion put forth was that email scanners (POP3 scanning) were unnecessary and redundant and potentially detrimental to ones system. The explanation for that position can be found below. While counterintuitive, the reasoning appears to make sense. Importantly, it seems that a logical extension of that reasoning is that all on-demand or special area scanners (POP3, HTTP, etc) are unnecessary and redundant. The reasoning relies on several premises that I'll lay out below:

-a real-time scanner is always running

-the real-time scanner is able to catch all malware that the on-demand or special area scanners are able to

-malware can do no harm until it executes

These seem to be valid premises, and the conclusion seems to be logically sound. The conclusions from this run counter to the vast majority of people's perspective on the matter, which of course doesn't invalidate it in anyway, but if it ends up being correct then that widespread perspective is simply a widespread misconception. What im dumbfounded by is that if this is true, then why would all the AV vendors continue to include such features in their product if they were unnecessary and redundant and potentially harmful?

 

i think this should be an interesting read on why a pop3 scanner is welcomed: http://www.viruslist.com/en/analysis?pubid=204791929
it's about secure connections, but the basic idea can also be extended on regular pop3 connections.

 

This is one area that I must say I did/do disagree with the majority of people, on the topic of email scanning.
I have never used an email scanner they somehow always disable/uninstall/never install(if available) on my machines .
I find the repetativeness a bit too much, as in HTTP scanning also but that is a whole other monster.
I would love to hear the justification behind the email scanner(s) from a developer's perspective.

In direct response to the quoted post above, I have to say I agree 100%

 

read that viruslist article, Vitaly Denisov aka DVi is a kaspersky developer.

 

Right.

Not quite right. Usually, real-time scanners are configured to use "smart extensions" and with heuristics set to "medium". The on-demand scanner usually has more paranoid settings (archives, packers, high level of heuristics, etc)

 

If it's an ordinary attachment, then maybe yes (though it might be extracted e.g. as something.tmp on execution, and the antivirus resident protection might ignore such file extensions).
But - what if the malicious content is not an EXE file in attachment, but rather a simple HTML message, possibly with some javascript code, exploting a (mail client) HTML viewer vulnerability? In that way, the malicious code may be executed in the context of the mail client right when you display the message.
Or - what if the attachment is a malicious image? (remember the JPEG vulnerability a few years ago? and it wasn't the only one...) I'm not completely sure about it, but I don't think the mail clients extract the attached images into TEMP files when previewing them...

 

i think its fair to say most people here at least get there mail programs to display all emails as text?
which eliminates the possibilty of html exploits
i have always read that microsoft always reccomends not to scan the OE or OL database since it can cause corroption but most av's have a mail scanner so ive always used them.
lodore

 

i dissagree a bit here,

i like email scanning, i find the spidermail a massive part of my dr.web, not just for spam but for scanning too, it works a treat.

likuidkewl, its never disabled on me and it wont un-install as its a part of dr.web itself, so this is good right?

i get alot of emails, and id rather have my email scanner, than without...
alot of nastys float about through email, this is fact.

 

I have a question about this.
First let me say that I learn more from forums like these and the linked articles than I ever could hope to by reading a book.
My question is this. The Viral Irony article is from 2004. Has anybody with some contacts within Microsoft checked to see if the article and thoughts expressed were still valid?
Does this line of reasoning also cover Vista.
I'm currently trying Avira along with my Prevx1. Email scanner is on. That's because I don't use OE. I use Thunderbird.
But wouldn't the same reason for turning off mail scanners go for Thunderbird too?
Just curious.
And thanks for the education.
Doc

 

Saying that POP3 scanning or HTTP scanning is useless is completelly wrong.
Detecting exploits properly you NEED scanning service that checks the traffic before data actually hits the target program (email reaching email client or webpage components reaching browser). Sure resident scanner can pick most of the stuff but some are executed directly in memory using browser. Those won't be detected at all by resident scanner.
Only antivirus that has pretty much all the intrusion vectors covered is avast!.
When they add some more aggressive proactive form of protection to these it'll kick ass even more. For now it's an example of how transparent antivirus should be when using so many protection vectors. Some try, some fail but most of them have some mediocre thing with lots of problems.

 

i find it odd that so many antivirus program offer email scanners for outlook/outlook express even thou OE database is so fragile and microsoft reccomend you dont use a email scanner on it.
so why doesnt microsoft make OE database less fragile?
lodore

 

You're making the common mistake of confusing exploits and malware.

For malware, email and HTTP scanning are absolutely unnecessary. For exploits, then it depends on the nature of the exploit, but even then, most IE loopholes are perfectly covered by normal on-access scanning (I'm tempted to use "all", but I'll err on the side of prudence) because most IE exploits don't hijack the iexplore.exe process itself to directly cause damage, but merely cause arbitrary code execution downloaded from a hidden, redirected URL - which must be saved on the hard drive and executed to cause damage.

Either way, you don't need antivirus software to block exploits. Patches and/or stable programs and a good firewall are all that's necessary. Slammer, for example, was blocked completely simply by sealing the proper UDP port with a firewall.

 

Huh?

Patches? Not too useful if there's currently none for the vulnerability in question.

Stable programs? Which exactly do you have in mind?

Slammer is rather a speciality.

Think Codered.
Think Blaster.
Think Welchia.
Think Sasser.
Think the WMF-exploit.
Think the ANI-exploit.
(the list can go on and on and on...).

You cannot really block these in your firewall unless you want to sacrifice the basic functionality (such as web access).

 

A firewall + staying away from IE has never failed me so far. For about two years since last June (I don't do it anymore) that was how I kept an unpatched WinXP SP1 system malware-free even without any scanners installed.

www.opera.com Or something that doesn't have exploits in it discovered every few weeks or so.

I'm not familiar with Codered and Welchia, but IIRC Blaster and Sasser attack the usual vulnerable ports below the 1024 range, and I don't see why the inbuilt Windows Firewall, or any firewall with stateful inspection, will fail to stop them (unless you're speaking from a web server's POV, which I'll admit I'm not familiar with). The WMF and ANI exploits are easily stopped by any regular on-access scanner upon download, I believe. The strange thing is that I have a 10-month-old unpatched copy of XP SP2, and neither the ANI and WMF exploits seem to do anything on my machine (WMF was stopped by DEP).

 

Antiviruses are better at stopping exploits. Patches require lots of testing and QA, while exploit detection doesn't take that long, can be distributed faster and you can prevent it faster. Opera/Firefox? Sure, tell this to the other >80% of IE users... Firewalls. Sure they work but lots of users don't even have clue how to operate them properly and for one thing i hate those damn popups for every stupid thing. Same reason why lots of people hate them including myself.
Just some basic inbound/outbound firewall like Vista one is enough.

 

Without getting into the specifics of whether antivirus software or patches are better for dealing with exploits (specifically, the "directly executed in memory" type you mentioned that needs a HTTP scanner to block), my point was that you don't need antivirus software, much less dedicated email/HTTP scanners, to deal with exploits. Every single one of my friends whom I've introduced to Firefox/Opera has never looked back to IE, and you're perfectly right that the basic Windows firewall is enough to stop worms that attack vulnerable services listening on ports (a router will do the job just as well). All of which simply brings us back to the original topic: email/HTTP scanners are an unnecessary luxury. Nice to have if you have excess system resources to spare, but not really much point in keeping them around.