What did antiviruses think in the past?

    As everyone knows, the grass used to be greener (at least). But let's leave the good old days aside. What today's regulators think about antivirus capabilities has been discussed on Habr more than once (for example, you can read about it here). Naturally, attempts to formulate requirements for protection tools have presumably been made since the first viruses appeared; this is plainly in the interest of both the state and private users. And it would seem logical that the accumulated experience should have made the requirements more detailed and more precise over time.

    Logical? Not at all!

    Open the document titled “Guidance document. Anti-virus tools. Security indicators and virus protection requirements”. It was developed by the State Technical Commission under the President of the Russian Federation. Two versions of this document can be found on the Internet, from 1997 and from 1998. They differ considerably; for simplicity we will consider the 1998 version, as the newer one.

    What is an antivirus for this RD?

    Anti-virus tools (ABC) in this document are specialized information protection tools designed to protect computer equipment (CBT) and the automated systems (AS) built on it from the effects of virus programs and virus-like influences.

    This is a fundamental difference from today's definitions. The antivirus is not treated as a means of protection against intrusion. And in general that makes sense, since an antivirus cannot guarantee protection against intrusion; that takes, at a minimum, access rights restrictions and so on. And indeed, further on we read: “The guidance document has been developed in addition to the Guidance documents of the State Technical Commission of Russia ‘Computer equipment. Protection against unauthorized access to information. Indicators of security against unauthorized access to information’”. That is, protection was regarded as a set of measures founded on access restrictions!

    These indicators contain requirements for anti-virus tools that provide protection for an AS under conditions of exposure to virus programs and virus-like effects, both on individual elements of the AS (CBT) and on the AS as a whole.

    Further, the RD states that there are separate requirements for protecting workstations and servers. As today, in both cases the requirements are divided into 6 classes, the lowest being the sixth. It's funny that throughout the document's text the digit 1 is replaced by an exclamation mark: A! and B!

    What was required from the antivirus?

    => ABC should ensure that periodic checks for virus infection are performed in interactive and command (automatic) modes at the request of the operator (user);
    => a preliminary check of critical OS elements for virus infection before installation. ABC installation procedures should rule out virus infection of the installed components and of the distribution media;

    This is an antivirus scanner. Current profiles require one too, but describe it in far less detail.

    => use of alternative, complementary detection mechanisms: at least scanning, heuristic analysis and file system integrity control;
    => ABC should ensure detection of infection by known viruses of all types in:
    • service areas of storage media;
    • objects on storage media;
    • objects in archives created by various archiving tools;
    • objects packed by various compression tools;

    => detection of infection by unknown viruses in:
    • service areas of storage media;
    • objects on storage media;
    • objects in archives created by various archiving tools;
    • objects packed by various compression tools;

    => ABC should ensure the detection of known active viruses in RAM;

    The list is far more detailed than in current profiles. Note that the RD separately stipulates that the antivirus must counter both known and unknown viruses.
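    As an added illustration (not code from the RD or from any product), the following Python sketch shows three of the mechanisms the list above names: signature scanning, recursion into archives so that objects inside packed containers are checked too, and file system integrity control (a hash baseline that is later verified). The signature, the sample files, and the nesting-depth and member-size guards are constructed assumptions for the demonstration.

```python
"""Added example: signature scan, recursive archive scan and integrity control.
Not code from the RD or any product; signature and files are constructed."""
import hashlib
import io
import os
import tempfile
import zipfile

# Constructed "known virus" signature: a placeholder, not a real malware pattern.
KNOWN_SIGNATURES = {"TEST-SIG-1": b"CONSTRUCTED-TEST-SIGNATURE-0001"}


def scan_bytes(data, name):
    """Signature scan of one object; returns a list of (object name, signature id)."""
    return [(name, sig_id) for sig_id, pattern in KNOWN_SIGNATURES.items() if pattern in data]


def scan_object(data, name, depth=0, max_depth=8):
    """Scan an object and, if it is a ZIP archive, every member inside it.
    max_depth and the member size cap (assumed values) bound nested and
    oversized archives so a hostile container cannot exhaust the scanner."""
    hits = scan_bytes(data, name)
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.file_size > 50_000_000:
                    continue
                inner = zf.read(member)
                hits.extend(scan_object(inner, f"{name}:{member.filename}", depth + 1, max_depth))
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Integrity control, step 1: record a hash of every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            baseline[os.path.relpath(p, root)] = sha256_file(p)
    return baseline


def verify_baseline(root, baseline):
    """Integrity control, step 2: report modified, added and removed files."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: a clean tree, then an altered file and a nested archive."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "clean.txt"), "wb") as f:
        f.write(b"nothing to see here")
    baseline = build_baseline(root)
    # Simulated infection: the signature is appended to an existing file and
    # a zip-inside-a-zip carrying the signature is dropped into the tree.
    with open(os.path.join(root, "clean.txt"), "ab") as f:
        f.write(KNOWN_SIGNATURES["TEST-SIG-1"])
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", KNOWN_SIGNATURES["TEST-SIG-1"])
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
    with open(os.path.join(root, "outer.zip"), "wb") as f:
        f.write(outer.getvalue())
    hits = []
    for rel in sorted(build_baseline(root)):
        with open(os.path.join(root, rel), "rb") as f:
            hits.extend(scan_object(f.read(), rel))
    return hits, verify_baseline(root, baseline)


if __name__ == "__main__":
    found, changes = demo()
    print("signature hits:", found)
    print("integrity report:", changes)
```

    The integrity report and the signature hits complement each other exactly as the RD intends: the baseline flags that clean.txt changed and outer.zip appeared, while the scanner names the signature both in the altered file and in the member two archive levels down.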

    And now the quantitative indicators.

    => ABC must ensure detection of at least 95% of infection cases caused by known viruses;
    => detection of at least 70% of infection cases caused by unknown viruses;
    => no more than 3% false detections of virus infection of objects;
    => ABC should ensure that the time taken to detect and process infected objects is comparable with the execution time of system-wide procedures.

    Note the very high requirements. And that is for the sixth class; the fifth class raised the bar further:

    => detection of polymorphic and complex encrypted viruses;
    => detection of at least 99% of infection cases caused by known viruses;
    => detection of at least 75% of infection cases caused by unknown viruses;
    => no more than 2% false detections of virus infection of objects;

    Note that, unlike current profiles, where protection classes are artificially separated by the functionality of the protection tools, in the RD the class depends on the quality of the work. And in my opinion that is more correct.

    Further on, the quality requirements are tightened with each class, but for brevity we will not quote them.

    => ABC should provide the ability to delete objects (files) in which virus programs are detected;
    => ABC should provide the ability to rename and (or) copy infected objects to a specified (target) directory;

    The fifth class added:

    => the ability to remove the code of known viruses from the body of objects (treatment);
    => removal of known active viruses from RAM and (or) blocking the execution of their program code;

    Full anti-rootkit!

    Recovery:
    => ABC should provide the ability to restore boot records of storage media;
    => ABC should provide recovery of data on storage media if it was reversibly changed as a result of viral exposure.

    Current profiles require unconditional treatment, with no alternatives offered.

    The fifth class added to these requirements:

    => restoration of objects predefined by the operator (user);
    => administration tools allowing the operator (user) to:
    • create a list of objects that can be restored later;
    • prepare the data necessary for restoring those objects.

    But this is backup! Already in 1998 the requirements provided for backup and recovery functions as part of the anti-virus protection system.
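    As an added example (not the RD's or any product's code), this Python sketch models the recovery requirements quoted above: the operator's list of restorable objects, the prepared restore data kept with a hash so a corrupted backup is never written back, and restoration of a boot record from a saved first sector. The disk image, the files and the backup format are constructed assumptions.

```python
"""Added example: operator-defined restore list and boot record recovery.
Not code from the RD or any product; image, files and format are constructed."""
import hashlib
import os
import tempfile

BOOT_RECORD_SIZE = 512            # one sector; the boot signature is its last two bytes
BOOT_SIGNATURE = b"\x55\xaa"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def prepare_restore_data(objects):
    """Administration step: for every object on the operator's list, keep a copy
    and its hash (the 'data necessary for restoring' the object)."""
    store = {}
    for path in objects:
        with open(path, "rb") as f:
            data = f.read()
        store[path] = {"hash": sha256(data), "data": data}
    return store


def restore_object(path, store):
    """Restore one object from the prepared data. The saved copy is verified
    first so a corrupted backup is never written back. Returns True if restored."""
    entry = store[path]
    if sha256(entry["data"]) != entry["hash"]:
        return False
    with open(path, "wb") as f:
        f.write(entry["data"])
    return True


def save_boot_record(image_path):
    """Read the first sector of a disk image; refuse it unless it carries a boot signature."""
    with open(image_path, "rb") as f:
        sector = f.read(BOOT_RECORD_SIZE)
    if len(sector) != BOOT_RECORD_SIZE or sector[-2:] != BOOT_SIGNATURE:
        raise ValueError("first sector is not a valid boot record")
    return sector


def boot_record_damaged(image_path):
    with open(image_path, "rb") as f:
        return f.read(BOOT_RECORD_SIZE)[-2:] != BOOT_SIGNATURE


def restore_boot_record(image_path, sector):
    """Write the saved sector back in place without touching the rest of the image."""
    with open(image_path, "r+b") as f:
        f.seek(0)
        f.write(sector)


def demo():
    """Constructed scenario: a 4-sector image plus one config file on the restore list."""
    root = tempfile.mkdtemp()
    image = os.path.join(root, "disk.img")
    boot = b"\xeb\x3c\x90" + b"\x00" * (BOOT_RECORD_SIZE - 5) + BOOT_SIGNATURE
    with open(image, "wb") as f:
        f.write(boot + b"\x11" * (3 * BOOT_RECORD_SIZE))
    cfg = os.path.join(root, "config.ini")
    original_cfg = b"[scanner]\nmode=on-demand\n"
    with open(cfg, "wb") as f:
        f.write(original_cfg)
    saved_sector = save_boot_record(image)
    store = prepare_restore_data([cfg])
    # Simulated viral exposure: the boot record is overwritten and the config altered.
    with open(image, "r+b") as f:
        f.write(b"\xff" * BOOT_RECORD_SIZE)
    with open(cfg, "wb") as f:
        f.write(b"[scanner]\nmode=off\n")
    damaged_before = boot_record_damaged(image)
    restore_boot_record(image, saved_sector)
    cfg_restored = restore_object(cfg, store)
    with open(image, "rb") as f:
        image_after = f.read()
    with open(cfg, "rb") as f:
        cfg_after = f.read()
    return {
        "damaged_before": damaged_before,
        "boot_ok_after": image_after[:BOOT_RECORD_SIZE] == boot,
        "rest_untouched": image_after[BOOT_RECORD_SIZE:] == b"\x11" * (3 * BOOT_RECORD_SIZE),
        "cfg_restored": cfg_restored and cfg_after == original_cfg,
    }


if __name__ == "__main__":
    print(demo())
```

    The point of the hash in the store is the same one the RD makes by separating "create a list of objects" from "prepare the data necessary for restoring": the restore data is itself an object that must be trusted before it is written over live data.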

    The way a text format is described is interesting:

    => ABC should provide the ability to create reports on the results of verification in a text (human-readable) format

    I wonder whether all products today log in a "human-readable" form?

    Administration tools were also required: “Administration tools should be provided for in the ABC”.

    The requirements for the update process were amusingly described:

    => ABC should provide means that allow the operator (user) to install updates;
    => ABC should provide the ability to be updated periodically as new virus programs appear;
    => at startup, ABC should automatically check its own components for signs of infection by virus programs;

    In the age of self-protection modules, a self-check requirement looks quaint.

    It is also amusing that at the time the RD was written, when memories of CIH (“Chih”) were still fresh, the antivirus was required to “=> restore areas of system non-volatile memory (CM08)” (here and below all quotes are taken verbatim from the original; I personally did not immediately realize what was meant).

    Oddly enough, blocking effects “on application software and user data” appeared only in the second class, together with the requirement to block effects “on the service areas of non-volatile memory (ВУ $, СМ08);”.

    In the very first class a firewall and an attack-protection system appeared: “block viral effects through communication lines (channels)”.

    The first class also required protection from “viruses when a virus carrier is decomposed into sub-objects of a lower hierarchy level (packets), if used in a distributed AS”. I don't recall anything like that now.

    The requirements for file servers generally coincided with those for workstations, except for the processing mode of shared objects.

    For simplicity the list has been somewhat shortened, but even what is described is impressive. In effect, the RD anticipated the development of protection tools by at least a decade: backup, a behavioral analyzer, a system of protection against unauthorized actions. What is really missing is a file monitor (although it is implicitly present, for example, in the measures for protecting removable media and against attacks through communication lines). And there is no malware other than viruses. But for 1998 that is very, very forgivable.

    As far as I know, the document under consideration never came into force, although it was discussed in the industry at the time. A pity. For all its shortcomings, it is far superior to the current security profiles, and perhaps to the NIST requirements.
