Wednesday, 10 December 2008

Are two better than one? Not always, IMHO

Although selling advice is what I now do for a living, I try to help out on the newsgroups as much as I can. I am a firm believer that you have to give something back as well as taking. I am no doctor or spiritual leader. I am a technical type. I give technical information.

One question that I answered on a newsgroup involved a very routine malware infection and there was a free anti-malware product that would remove it to a reasonable level of certainty. I recommended uninstalling the previously installed anti-malware solution first. Some people contacted me to say that they didn’t agree with that advice. Well, that is fine. Disagreement can be good. However, I disagreed with their reasoning. They argued that 2 anti-malware products would offer better protection. At most, one should be turned off during the scan, they suggested.

The reason that I recommended uninstalling as opposed to “turning off” the existing checker was that anti-malware programs typically work by inserting redirects into a thing called the kiServiceTable in the interface between the user mode functions OR by subverting the function starts in the kernel functions reached from the kiServiceTable. They do this so that they can monitor the system activity by monitoring the requests made. This is a good technique but there is no safe way to reverse it since there is no built in synchronisation that allows you to pause all kernel operations while you effectively rewrite the kernel. Accordingly, turning off a malware checker doesn't always unhook it from the system. It just causes it to ignore whatever it sees. So, disabling an AV product is not the same as removing it.

Now, anti-malware products work by subverting the system, by getting inside the internal functionality of it and modifying its behaviour. Ok, this is good and proper and done for the good of the user, more or less with his or her consent. However, malware does the same thing for malicious reason without the user’s informed consent. Her we have a competition. Everyone wants to be the first to subvert the system – as the saying goes, he who hooks lowest wins. When you are at the same level, the first is effectively the lowest level hook because it can control what happens after this point. If an anti-malware program finds that there are already hooks in place that subvert the system, what will it do? Well, it might set up a chain were one checker is called after the other in which case things work but it is a bit slow. That can happen accidentally if they use different hooking strategies. Alternatively, the second program to run might override some of the redirection and consider the other anti-malware as possibly hostile. You could and sometimes do end up with some system calls monitored by one program and others monitored by a second program.

So, what actually happens when you have 2 anti-malware programs trying to do the same job? No-one knows. It varies according to what decisions the programmers made and what order they start. Was that combination tested? It seems unlikely. If the products were tested together, were these versions tested together? Almost certainly not. It is normally considered “an unsupported scenario” which is code for “We don’t know what will happen or we expect it to break and don’t care”.

Are you much safer with two, assuming that they work? Not so much. Virus signatures are shared (using the Virus Information Alliance), anti-malware checkers with up to date signatures typically detect pretty much the same subset of malware as each other and fail to detect pretty much the same subset. Accordingly, the gain from running two is marginal at best even if they do play nicely together and that is uncertain at best. Of course, if one of the programs were much weaker than average then the second could help but why would you be running a lame antivirus in the first place?

I don’t know of any cut and dried research on this though. As stands, it is just my professional opinion. So much of our work against malware is at the limits of knowledge because each week, there are new variants and new exploits. Several times each day, vendors release new signatures. The industry is running as hard as it can to keep up and frankly, it is losing. Infections are up 100%. Spam is up more than 90%. In such shifting sands, a best guess is often all that you have.

We live in interesting times and the road promises to get bumpier before it smooths out

Signing off,

Mark Long, Digital Looking Glass

No comments: