Editor's note: While 3000 managers look over the need to update XP Windows systems in their company, anti-virus protection is a part of the cost to consider. In fact, extra anti-virus help might post a possible stop-gap solution to the end of Microsoft's XP support in less than two weeks. A lack of new security patches is past of the new XP experience. Migrating away from MPE-based hosting involves a lot more reliance on Windows, after all. Here's our security expert Steve Hardwick's lesson on why more than one A/V utility at a time can be twice as bad as a single good one.
By Steve Hardwick, CISSP
If one is good, then two is better. Except with anti-virus software.
When it comes to A/V software there are some common misconceptions about capabilities. Recently some vendors, such as Adobe, have started bundling anti-virus components as free downloads with their updates. Some managers believe if you have one anti-virus utility, a second can only make things safer. Once we look how anti-virus software operates, you'll see why this is not the case. In fact, loading a second A/V tool can actually do more damage than good.
The function of an anti-virus utility is to detect and isolate files or programs that contain viruses. There are two fundamental ways in which the A/V utility does this. The anti-virus program will have a data file that contains signatures for known viruses. First, any files that are saved on the hard drive are scanned for signatures to see if they contain malicious code. This is very similar to programs that search for fingerprints. Once the A/V utility finds a match, the file is identified as potentially dangerous and quarantined to prevent any infection. Second, the anti-virus utility will intercept requests to access a file and scan it before it is run. This requires that the anti-virus program can inspect the utility prior to it being launched.
Anti-virus designers are aware that their utility is one of the primary targets of a hacker. After all, if the hacker can bypass the A/V system then it is open to attack, commonly referred to as owned or pwned. So a core component of the A/V system is to constantly monitor its own performance to make sure it has not been compromised. If the A/V system detects that it is not functioning correctly, it will react as if there is a hacking attack and try to combat it.
So here's what happens if two anti-virus programs are loaded on the same machine. Initially, there are issues as the second system is installed. When the second utility is loaded it contains its own database of known virus signatures. The first anti-virus will see that signature file as something highly dangerous. After all, it will look like it contains a whole mass of virus files. It will immediately stop it from being used and quarantine it. Now the fun starts -- fun that can drive a system into a ditch.
If the two systems do manage to load successfully -- in many cases anti-virus programs are now built to recognize other A/V systems - then a second battle occurs. When a file is opened, both A/V systems will try to inspect it before it is passed to the operating system for processing. As one A/V tries to inspect the file, the second one will try and stop the action. The two A/V systems will battle it out to take control and inspect the file ahead of each other.
Even if multiple systems do acknowledge each other and decide to work together, there are still some issues left. When a file is accessed, both systems will perform an inspection, and this increases the amount of time the virus scan will take. What's more, the anti-virus programs continually update their signature files. Once a new signature file is loaded, the A/V program will kick of a scan to see if the new file can detect any threats the old one did not catch. In most cases, new signature files arrive daily to the A/V system. That means both systems will perform file scans, sometimes simultaneously. This can bring a system to its knees -- because file scanning can be CPU intensive.
So two is worse than one, and you want to remove one of them. Removing A/V programs can be very tricky. This is because one goal of the hacker is to disable or circumvent the anti-virus system. So the A/V system is designed to prevent these attempts. If A/V programs were easy to install, all the hacker would have to do is launch the uninstall program - and in many cases, the A/V manufacturer does provide an uninstall program. Unfortunately in many cases, that uninstall may not get rid of all of the elements of the A/V. Several of the A/V manufacturers provide a utility that will clean out any remnants, after the A/V system has been initially uninstalled.
So are there any advantages to having a second A/V system running? There is always a race between A/V companies to get out the latest signatures. Adding more A/V providers may increase your chances of getting a wider coverage, but only very marginally. The cost of the decreased performance versus this marginal increase in detection is typically not worth it. Over time, A/V vendors tend to even out on their ability to provide up-to-date signature files.
In summary, the following practices make up a good approach to dealing with the prospects of multiple A/V systems.
1) Read installation screens before adding a new application or upgrade to your system. Think carefully before adding an A/V feature that your current solution provides. Even if a new feature is being provided, it may be worth checking with your current provider to see if they have that function, and adding it from them instead.
2) If you do get a second A/V system in there and you want to remove it, consult the vendor's technical web site regarding removal steps. Most A/V vendors have a step-by-step removal process. Sometimes they will recommend a clean-up tool after the initial uninstall.
3) If you do want to check your A/V system, choose an on-line version that will provide a separate scan without loading an utility. There are many to choose from - search on “on-line antivirus check” in your favorite engine and pick one that is not your primary A/V vendor. Be careful - something online may try to quarantine your current A/V system. But this will give you a safe way to check if your current A/V is catching everything.
4) Don't rely on A/V alone. Viruses now come in myriad forms. No longer are they simple attacks on operating system weaknesses. Newer ones exploit the fallibility of browser code and are not dependent on the operating system at all. A good place to start looking at how you can improve your security is the CERT tips page https://www.us-cert.gov/ncas/tips By following safe computing practices, one A/V should be sufficient.
5) Beware of impostors. There are several viruses out there that mimic an A/V system. You may get a warning saying that your system is not working and to click on a link to download a better A/V system. Before clicking on the link, check the source of the utility. If you don't know how to do that, don't click on the link. You can always go back to Step 3 and check your A/V yourself.