Link Trouble: Watching the Detectives Isn't Always Pretty


Here's a report in ZDNet that could ruin many CSOs' evenings: The firm n.runs AG recently ran tests that discovered about 800 vulnerabilities inside antivirus products.


The significance of this can't be overstated. Vulnerabilities were found in every virus scanner on the market. This isn't just finding out that a piece of software is vulnerable. It's finding that the very products that companies rely on for protection -- and that are embedded in the deepest and most vulnerable recesses of the company -- are themselves insecure. Indeed, it's the ultimate inside threat.


It seems that all is not well in the security software world. This week, AVG said it is changing a component of its antivirus software called LinkScanner. The update is included in the firm's Anti-Virus Free Edition 8.0 and as a patch for paid versions. The problem is that an element of LinkScanner called Search-Shield visits sites repeatedly, using bandwidth that sites pay for. The visits also skew Web analytics programs into reporting too many visitors.


Still another issue recently was reported. Channel Register reports that Trend Micro is withdrawing its software from Virus Bulletin 100 tests. The tests, the story says, assess how well antivirus software packages work by gauging the level at which they detect viruses on the WildList, a listing of circulating viruses. Certification depends on detecting the viruses without false positives. Trend Micro, however, says that the tests are antiquated because they don't account for newer behavior-based antivirus procedures and don't react quickly to changing conditions. The second half of the story provides interesting give-and-take between Trend Micro and the Virus Bulletin.


n.runs AG's research, AVG's tweak and Trend Micro's decision all focus on issues with legitimate security software. This post at Bill Mullins' Weblog - Tech Thoughts deals with another issue: phony security software. Mullins offers a well-written and fairly frightening explanation of this class of malware. A free version of the software gets into the machine via the Zlob Trojan, browser exploits or when it is downloaded from criminal or adult sites. The software does a fake scan, reports the presence of malware, and asks the user if he or she wants to download the full version of MalwareProtector 2008 to handle the problem.


That download doesn't delete the false warnings and, in addition, unleashes a torrent of desktop shortcuts, icons and other elements, all of which gum up the computer. Rejecting the download option launches a screen saver with the image of cockroaches eating the screen.


It is impossible, of course, to definitively say whether the noise in this sector is a sign that the category is under siege. There is some good news, however: What Brian Krebs at The Washington Post calls a complementary approach to antivirus protection has been introduced by a company called Bit9.


Instead of identifying the malicious programs, the software, which was developed under a grant from the National Institute of Standards & Technology (NIST), compares the programs it finds against 28 antivirus engines and puts the "clean" ones on an approved list. Krebs says that if the code being inspected comes up on one engine as dangerous, the user is warned. If it comes up on two or more, he or she must manually override a setting that keeps it from running.