Why antivirus is fighting a losing battle in your office
Posted on 23 Mar 2012 at 09:30
Antivirus software is hamstrung by poorly coded business apps and daft users, says Steve Cassidy
Whenever I’m called upon to deal with a virus infection inside a business network, I find myself having to swim desperately against a gigantic wave of sheer user incredulity.
Occasionally, I wonder whether I encounter this effect so often because I manage to explain myself more clearly in writing than I do face to face (despite always going into such meetings equipped with the most sophisticated visual aids, such as my Cross fountain pen and a sheet of A4 paper). So here is a handy summary of what happens to your business PC when a virus comes to call, and how this differs from what happens when a similar misfortune befalls your home PC.
The first and most obviously incredulous reaction I encounter is always “we have antivirus, so that isn’t possible”. I shudder to imagine how many businesses are sitting there wide open as a result of accepting this fallacy (and as for home users, I refuse to imagine at all). If our antivirus program didn’t put up an alert, they say, then there can’t have been a virus attack.
I suspect that where my explanations really run onto the rocks is when I’m groping around for real-world metaphors to illustrate this appalling error of logic, which deludes so many management minds. That old joke about a guy falling off a skyscraper and exclaiming “so far, so good!” to the people he passes on each floor implies a suitable specific degree of complicity in the situation, but clashes with other observations about the nature of infectious processes.
Talking about biological infections doesn’t work very well either, because animals have immune systems and computers don’t, and whoever first thought of deploying such a metaphor clearly didn’t understand much about the nature of the immune response, the crucial role of pain and inflammation, and so on. If I make reference to Carl Zimmer’s utterly fantastic book Parasite Rex – which provides an in-depth look at a vast area of biology that actually makes a better metaphor – then people tend to look a bit uncomfortable and freaked out. “Parasites! Yuck! Guinea worms! Liver flukes! Ewww!”
The devils you know
So let’s go bare and brutally literal about this subject. Certainly your antivirus software knows about existing viruses, and it knows how to prevent certain types of virus infection that arise from files downloaded via your browser, or from traffic over your LAN, or from attachments to emails. There may be a few other types of presentation or infection that various different antivirus products manage to catch too, but I’m sorry to have to tell you that the products most favoured by businesses tend to be rather less all-encompassing with the protection they offer. I’m not intending to blacken the reputation of any particular antivirus software company by saying this, since quite apart from any other factors, the “rule of rubbish applications” trumps all other cards inside a business network.
That’s the rule that says businesses have to put up with incredibly badly coded applications, which would send home users running for a refund. Generally speaking, the more general-purpose a piece of software is, the better coded it is likely to be. When did you last hear of an incompatibility or a crash in a zip compression utility? But how about the application that runs your business’ accounts, or operates your stock control system, or the parts-ordering interface to your supplier or manufacturer?
Those are all more specialist applications, so they tend not to suffer many competitors in their sectors, which means they’re insulated from the bracing forces of natural selection, and tend not to evolve very far or fast. One common consequence of this overall flakiness and indifference to progress is that these accursed programs are inclined to ignore all the layers of OS-level user security that Windows has been adding for the last half a dozen revisions.
Badly behaved business apps want all their users to have admin rights to their local PC, and require all sorts of hacking about – time-consuming, annoying and often repetitive hacking about – if this level of access is denied to them. This design decision (although it’s stretching a point to dignify it with the name “decision” at all) is so widespread and so continually rediscovered, because it’s useful and saves coding effort. But unfortunately, it wipes away swathes of sensible and elegant anti-infection measures, and puts antivirus software writers (who by contrast are intensely competitive, massively technical, and by definition must occupy the cutting-edge of their business) at a huge disadvantage.
In the home PC sector they can rely on the presence of fairly basic but highly effective OS-level precautions, but in the business arena these features are sometimes bypassed by various workarounds. Okay, let’s upgrade that “sometimes” to an “almost always”.
This notion, that badly behaved software can be fixed by granting admin rights to everybody, has attained the status of Professional Sacred Cow in the world of corporate IT, and I’m sorry to have to report that nowadays, I find people doing it almost as a reflex action, part of a body of false knowledge that shouldn’t be applied in such an unquestioning way.
The crucial ability that having admin rights confers, the one that fixes so many flaky applications, is the ability to write to directories in the Program Files folder tree. If only this single right were to be conferred, instead of the whole great package of other permissions that go with full “administrator” status, life would become much less tough for the antivirus software that has to keep out the bad guys.
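The single-right alternative described above, as an added example that is not part of the original article: grant one group Modify rights on one application folder under Program Files, rather than making its users local administrators. The folder path and group name are constructed placeholders; the group is assumed to already exist, and the script is assumed to be run once from an elevated PowerShell session. The same approach applies to a shared data folder under ProgramData.

```powershell
# Added example: per-folder write access instead of local admin rights.
# $AppFolder and $Group are placeholders; the group is assumed to exist.
param(
    [string]$AppFolder = 'C:\Program Files\ExampleApp',
    [string]$Group     = "$env:COMPUTERNAME\ExampleApp Users"
)

function Grant-AppFolderWrite {
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    $acl = Get-Acl -LiteralPath $Path

    # Modify covers read, write, create and delete beneath the folder, but
    # not changing the ACL or taking ownership; those stay with Administrators.
    # ContainerInherit + ObjectInherit pushes the rule down to sub-folders and files.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )

    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Show-AppFolderAccess {
    param([string]$Path, [string]$Identity)

    # Lists only the entries for the group we just added, so the result
    # can be checked against what was intended.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
}

Grant-AppFolderWrite -Path $AppFolder -Identity $Group
Show-AppFolderAccess -Path $AppFolder -Identity $Group
```

Users who need the application are then added to the group, not to the local Administrators group; the output of the second call should show a single non-inherited Modify entry for that group.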
The reason that business software is not as polished as consumer applications is simply that far less money is spent on it. Merely achieving the required level of functionality is a challenge, and working with Windows' half-baked security model is a challenge customers are not prepared to pay for. The main problem is that there is no sensible solution for sharing data between users. Microsoft need to take the blame for this, as they have failed to take into account the reality of business software.
Steve also implies that anti-virus software simply doesn't work, which I have to say largely matches my experience. Our McAfee installation has missed more infections than it has found, and simply stopping auto run on flash drives would have been more effective.
By tirons1 on 23 Mar 2012
I'm calling BS on the half-baked security model causing more work.
I've been developing corporate Windows applications since 1987. When NT came along, we took notice and started writing apps which worked inside the security model.
Where I currently work, they wrote an ERP system which has a Linux back-end and originally had a Linux front-end. At some point, they needed to switch to Windows due to customer pressure. Again, because the programmers come from a background of working within a security model, it works on Windows without requiring admin rights.
On my desktop machine, I have normal user rights and I have to enter the administrator username and password, if I need to do some admin tasks.
With the exception of Siemens telephone exchange management software, none of the business software I use needs admin rights.
It is perfectly possible to write software which doesn't require admin rights. And MS has allowed sharing of data between users for decades, so I'm not sure what you are on about here; maybe an example would help.
By big_D on 23 Mar 2012
Steve is implying that a large number of business applications require admin rights, so I guess I am not alone.
For programmers who are not used to working within the security model, some of the solutions are not obvious. The all-users application data directory, for example, does not allow a user to change another's data. This is somewhat counterintuitive, and a workaround is to grant the rights during the installation. Googling a solution points to using a service to provide shared access, at which point many programmers will give up.
By tirons1 on 23 Mar 2012
I should also mention all those ancient, barely maintained apps written years ago in VB6. The time devoted to updating these is often just a few hours here and there. Such applications could be replaced at great expense, but as they work, companies are reluctant to spend the money.
By tirons1 on 23 Mar 2012
Many of the apps I wrote were in VB6 as well, and were multi-user - well, in fact they were distributed in 46 countries for maintaining a central database for feeding into an OLAP reporting system.
One of the biggest problems is that developers are lazy and assign themselves admin rights on their development and test machines, instead of doing things "properly".
It is sloppy habits and sloppy programming. It has nothing to do with the tools.
By big_D on 23 Mar 2012
Doing things properly is all well and good if someone is willing to pay for it, but all too often the customer wants a quick and dirty solution. You get what you pay for, and there is a segment of the market that pays very little.
One man's lazy is another man's expedient.
This is the reality that Steve is referring to, and Microsoft needs to address this security hole which clearly does exist.
By tirons1 on 24 Mar 2012
It doesn't cost any more to do it properly! You just have to KNOW how to program for Windows.
It isn't as if you HAVE to write sloppy code, which ignores the security structure of Windows, then go back and clean it up, if you have time.
You just write it properly to begin with, it doesn't take ANY additional time.
You just have to know what you are doing and ensure that your development and test environments are set up properly - i.e. no Admin rights.
By big_D on 25 Mar 2012
I acknowledge that you knew how to deal with the Windows security structure in the 1990s, but virtually no one else did. Hence there are still many business apps that require administrator rights, and no one is going to pay to change this. You may blame the programmers, but that will not fix the problem.
Anti-virus programs should find viruses, and Microsoft needs to work around what is, according to Steve, a significant problem. Allowing a specific program administrator rights should not compromise the system as a whole.
If you want to see some truly horrible security vulnerabilities, look at old industrial OPC systems. I didn't write/configure any of them, but can understand why they are as they are, and why they will remain a security vulnerability for years to come.
By tirons1 on 25 Mar 2012
I agree with the last half of your reply. We have a problem and we need to deal with it.
My point is, there is no excuse, apart from laziness and not knowing what they were doing, for the situation we find ourselves in.
Microsoft produced a lot of documentation when Windows came out, and the changes for Windows NT, to write code which ran under restricted accounts, were clearly defined well in advance of the introduction of NT; if anything, the situation has improved over the years.
The problem is, we had a lot of programmers who didn't give a hoot.
Those coming from DOS carried on writing code, generally, oblivious to security requirements - often using the "home" version of Windows, where security wasn't implemented. They didn't take the time to learn how to program properly (which doesn't take long), just treating Windows as a graphical version of MS-DOS.
Those programmers coming from the Mainframe, mini and UNIX arenas were used to writing code in restricted contexts and could adapt to writing code for Windows, which conformed to MS's recommendations for user context software.
By big_D on 26 Mar 2012
The infection at my previous place of work was caused by someone clicking on an attachment in an email 'from' themselves which they knew they had not sent. "I just wanted to see what was in it," they said.
If I had been in charge, I would have fired them for being a moron at that point, but sadly (and unsurprisingly) I was not.
At least it stopped people complaining about the cost of a proper backup strategy.
By iwatters on 29 Mar 2012