Lies, big lies and antiviruses. Part one. “And they were the first to start!”

    With this article I begin a series on some aspects of the so-called “antivirus industry” which, I hope, will be of interest to more than just me.

    For the umpteenth time we are being scared with horror stories in the style of “yet another virus has spread around the world in millions of copies. We are all doomed!” Reading the latest upbeat press release from the latest maker of the latest antivirus product, you are left puzzled. How can this be? We are so reliably, so comprehensively protected: there are signatures, heuristics and even the hit of the season, the behavioral blocker. So why do people keep getting infected? Where does the epidemic come from? Are modern antivirus products really effective?

    The first antiviruses appeared around 1985 as a response to the first file viruses, which infected executable and interpreted files and ran under MS-DOS. For those who still remember, this is a single-tasking operating system in which the kernel and applications run at the same privilege level. Antiviruses turned out to be the most rational tool for fighting viruses on this platform, both for disinfecting already infected machines and for preventing infection. Viruses spread slowly, on floppy disks, from user to user, while signatures for detecting and removing them travelled much faster over networks (BBS, NNTP, ...). And so it went on for long enough, until roughly the beginning of the 2000s (that is, fifteen years at least), when three cardinal changes occurred.

    Cardinal change number one: the Internet came to us. The distribution medium for viruses became the same as the distribution medium for signatures. The antivirus's head start over viruses shrank to zero.

    Cardinal change number two: instead of operating systems based on MS-DOS (and that includes the entire Win1.xx – Win3.xx, Win95/96/98/ME line), the Windows NT kernel, in the form of Windows 2000/XP, came to the desktop. Now the operating system kernel, its code and data, is reliably separated from the address space of ordinary programs.

    Cardinal change number three: viruses are now written for profit. Moreover, “viruses” in the strict sense effectively disappeared from ordinary people's computers. They were replaced by all kinds of “worms”, “Trojan horses”, “blockers” and other evil spirits, all focused on extracting money.

    The first major failure of the antivirus industry is tied to cardinal change number three: antiviruses could not disinfect machines already infected with trojans. A file infection they could handle as much as you like, but an executable module implanted into the operating system they could not. This gave rise to the whole “anti-malware” industry. Anyone who still remembers names like Spybot Search & Destroy, Ad-Aware or SpySweeper needs no further explanation, I think. It must be said that the antivirus industry quickly realized the money was slipping out of its hands and quickly caught up.

    But because of cardinal change number one, the level of infection prevention has fallen below all criticism. Antiviruses are catastrophically late. And nothing saves them: neither heuristics nor a behavioral blocker. Malware writers get around everything.

    At the same time, forums everywhere periodically sprout threads in the style of “antivirus A missed an infection, it is bad. Recommend a good one.” The person is recommended a “good” one, which keeps that status until its next miss. After that, the search for a “good antivirus” repeats.

    A paradox arises: new infection-prevention technologies, made possible by “cardinal change number two” and showing absolute results in infection-prevention tests (the so-called “dynamic tests”), cannot win their place in the sun, because they came to market far too late. The inertia of thinking of the overwhelming majority of users simply does not let them look for anything “protective” other than antiviruses. Protection is identical to antivirus. Period. “I need protection. Recommend a good antivirus.” Sound familiar?

    But antiviruses are not the best at the task of preventing infection! They were simply the first to start!

    P.S. Next part

