Anatomy of a Desktop Security Product

Now, we all heard about detection, prevention, cleaning, behaviour blocker, firewall, Antivirus, Anti malware, detection tests, antivirus tests… it can be confusing… What is what and, more importantly, what do I need as a consumer!

I will try to explain what’s involved in desktop security products and hopefully will arm you with more knowledge about what to expect from them, in an interview-like style. Hope you like it.

First of all: What the hell is a Virus, spyware, trojan etc?

Well, you know when you click on an application to run… well, it’s just that… a malware (which is a general name used for all the bad stuff like virus, spyware, trojan, rootkit and so on) is an application. Just a bunch of code that you send to your CPU (Central Processing Unit) for execution. For example you send a piece of code (an instruction) to your CPU to turn a specific Pixel on your monitor to a specific colour… Malware sends instructions to your CPU to do nasty stuff… that’s the only difference between a good application and malware.

Now that we get what malware is… which security product do I need? What is anti virus? Why do I need a Firewall? And a million other questions in my head as the consumer.

Let’s get to the basics… the security products can be classified into 3 areas:

1) Prevention: e.g. it prevents stuff from coming into your computer in the first place
2) Detection: it detects when stuff enters your computer
3) Cleaning: You are toast, cos you are infected, so you need a decent product to clean up the mess.

So let’s start by talking about AVs (Anti Virus)

A good analogy to Anti Virus would be a policeman who has a Photo Fit of a murderer and is trying to find/detect that criminal amongst the people/files. So is Anti Virus 1, 2 or 3?

Wow… good job… you guessed right… it’s 2! It can’t stop someone becoming a criminal but can detect them. So an Anti Virus product could never prevent a new Virus it doesn’t know about from infecting your machine. Just like a policeman can’t arrest a future murderer cos they haven’t committed the crime yet. Anti Virus products were invented in the late 1980’s as “Cleaning” products. Those days infections were at the speed of how fast you could exchange a floppy disk with your friends :slight_smile: But nowadays the number of malware is increasing drastically and the speed at which infections occur is increasing thanks to the internet. So can your Anti Virus company give you a guarantee that you will not be infected, when they can’t possibly know the next Virus? Of course not, that’s why using a detection-only mechanism as your sole protection will leave you as secure as a little lamb in the African desert surrounded by hungry lions!

What is Anti Spyware then?

Same as above… there are a few different nasties and they have been classified as virus, spyware, adware, rootkit etc etc… at the end of the day they are all Bad Code written by bad people.

Ok what is Anti Rootkit then?

Same as above… they are all baddies… just different names cos the way they operate is slightly different… at the end of the day they are all instructions sent to your CPU to do nasty stuff, from deleting files, to stealing your confidential information, to stealing your CPU power and internet connection. Same goes for Anti trojan, anti this and anti that… same stuff…

What is a firewall then?

A Firewall has 2 tasks really… one is to stop people from getting access to your PC from the internet… it’s like your internet door… (but don’t be fooled, cos every time you browse some website you are opening this internet door to that website… just having a firewall doesn’t mean you are secure). And the other task is detecting if anyone is making a call home from your PC. Go to your local Clothes shop and try to steal something… the alarm you will hear, as you try to get out of the door while 2 big guys are running towards you, is because the garment is tagged, so anything leaving the premises will raise an alarm. Well, that’s a firewall for your computer. It will raise alarm bells if someone is trying to make a connection from your computer to the outside world. (Btw, I hope you didn’t go and steal Clothes… the resale value is not there… try electronic goods :slight_smile: ) (just joking…). So a Firewall falls into both the Prevention and Detection categories…

So what can clean my computer if I get infected?

Now that’s an important question… Cleaning an infection is not as simple as deleting a file on your hard disk. Some of these nasties hide themselves well and bring themselves back to life at every start-up of the operating system, even after your Anti Virus deletes them. Depending on what kind of nasty has infected you, the choice of the cleaner (Anti Virus) product could be determined.

So how do I prevent these nasties coming into my computer in the first place?

Well, you have to know how they get in and pull the rug from under them!

They get in utilising the latest vulnerabilities in your system. So it’s important for you to keep your system up to date… but I guess you heard that before! One of the nastiest ways is the Silent infection called BO… and no, it’s not Bad Odour… even though when that happens it does leave a bad taste… it’s a Buffer Overflow attack. It’s as simple as you going to a website and you get infected… yup… as simple as that…

So what does infection mean again pls?

Remember its just a piece of code that sends your CPU instructions to get your CPU to do nasty stuff like giving out confidential information etc.

Oh yeah…remembered…

So how do I stop these coming into my computer in the first place?

Excellent question!

There is a new breed of security products called HIPS (Host Intrusion Prevention Systems). These products will not let any application/executable (the piece of code that we talked about before) run unless it is authorised.

Well, that sounds good, doesn’t it?

Yes it does! I use one of these (Comodo Internet Security).

These products literally block any code/instruction going into the CPU unless it is authorised… it’s like a doorman at the night club saying: Sorry, your name is not down, you are not coming in. It denies access to the CPU to any unknown and unauthorised piece of code (application). So why isn’t everyone using these?

The only potential issue is they can be chatty and ask the user too many questions if they haven’t got a big list of authorised applications. I mean you don’t want to be disturbed every time you run an application. Luckily, with products like CIS (Comodo Internet Security) the number of times you need to get involved to answer a question is minimised.

You see the bottom line is: You should prevent any malware coming to your system if you have a clean PC. Cos you want to keep it clean. For that you need to use Prevention based products.

If you have an infected computer then you need to use a Cleaning Product. An Anti Virus, in the main, is a cleaning product. So you need an Anti Virus product to detect and hopefully clean the infection. Some people use Anti Virus only to protect themselves. Yep, you guessed right, they are the perfect guinea pigs for virus authors! I mean come on… what do you think Virus Authors do when they create their Viruses? Of course they check to see if any of the major Anti Virus products detect it or not! Only when they don’t, they go ahead and release their creation to this guinea pig population of people who think they are secure cos they are using Anti Virus products. Of course there are also other kinds of Virus Authors who release their viruses even though Anti Virus products detect them right off the bat… They are the stupid ones! We like them that way though :slight_smile:

But how about Anti Virus testing? doesn’t this tell us how good security is?


What do you mean no?

Its a No to your question! What part of the No do you not get?

Let me explain to you how these tests are done: First of all, these tests do not and CANNOT test if these Anti Virus products will stop new viruses or not. These testers only have some limited access to some limited amount of malware. Basically, they put all this malware onto a hard disk in a computer and run the Anti Virus scanning to see if these Anti Viruses detect it or not. So it only checks the detection capability of an anti virus product and ONLY for the subset of viruses that the tester has. I mean what the tester has might have nothing to do with what’s out there and so on. In reality no Anti Virus vendor has access to 100% of all malware out there either! No AV company can! Which means they will always be playing catch up and cannot prevent malware that they don’t know of or don’t detect from infecting your computer.

This is why came up with good guidelines about how to test a security product. But as of now there is no one who can provide this. I hope some will provide it soon.

So how about Email scanning, IM scanning and web scanning? There are products that do these, isn’t it important?

Ok, let’s remember what malware was… a piece of instruction designed to do bad stuff. You see, these instructions must come from somewhere to the CPU… now for a computer these things can only live in 2 places… Hard Disks or RAM (it could also be something like USB storage etc, but you get the gist). What you see in email is either on hard disk or in RAM… what you see on the web is either on your hard disk or in RAM… what you see on your IM is either on your hard disk or in RAM, period… Marketing people will try to make you think that they are stopping bad stuff from coming into your computer before it hits your computer, but that’s misleading. All these emails, web, IM and so on are already on your Hard disk or in RAM. As long as you check the hard disk and RAM and use prevention based technology, then you know that those baddies can’t get in and cause damage.

So in summary…a security product can provide you


and you need to prevent the bad stuff coming in to your computer in the first place. For that you need prevention based technologies.


PS: Feel free to ask any questions you may have.

(edit by eXPerience : to get the conversation a bit clearer, I used some colors)
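Added illustration (my own example, not the poster’s code and not the logic of any Comodo product): a toy Python model of the post’s argument that a signature-based Anti Virus only catches malware it has already seen, while a default-deny HIPS blocks anything unknown at the cost of prompting the user. It also shows why a detection test on the tester’s own samples can score 100% and still say nothing about the next virus. The class names `SignatureAV` and `DefaultDenyHIPS` are hypothetical, and every “executable” is a constructed byte string.

```python
import hashlib

# Constructed "executables" (byte strings stand in for program code).
KNOWN_GOOD = [b"notepad.exe", b"browser.exe"]        # what the user authorised
KNOWN_BAD = [b"worm_2007", b"spyware_2008"]          # the tester's malware set
NEW_MALWARE = b"never_seen_before_trojan"            # released after the test

def fingerprint(code: bytes) -> str:
    """Stands in for whatever pattern a scanner matches on."""
    return hashlib.sha256(code).hexdigest()

class SignatureAV:
    """Detection: block only what is on the blocklist, run everything else."""
    def __init__(self, samples):
        self.blocklist = {fingerprint(s) for s in samples}

    def allows(self, code: bytes) -> bool:
        return fingerprint(code) not in self.blocklist

class DefaultDenyHIPS:
    """Prevention: run only authorised code; anything unknown is denied
    unless the user approves it when prompted (the "chatty" part)."""
    def __init__(self, authorised, user_approves=lambda code: False):
        self.allowlist = {fingerprint(s) for s in authorised}
        self.user_approves = user_approves
        self.prompts = 0

    def allows(self, code: bytes) -> bool:
        if fingerprint(code) in self.allowlist:
            return True
        self.prompts += 1                          # the user gets asked
        if self.user_approves(code):
            self.allowlist.add(fingerprint(code))  # remembered, no re-prompt
            return True
        return False

def detection_rate(product, samples) -> float:
    """What a typical AV test measures: share of the tester's samples blocked."""
    return sum(not product.allows(s) for s in samples) / len(samples)

def run_scenario():
    av, hips = SignatureAV(KNOWN_BAD), DefaultDenyHIPS(KNOWN_GOOD)
    return {
        "av_test_score": detection_rate(av, KNOWN_BAD),   # 1.0: looks perfect
        "av_blocks_new": not av.allows(NEW_MALWARE),      # False: never seen it
        "hips_blocks_new": not hips.allows(NEW_MALWARE),  # True: default deny
        "hips_prompts": hips.prompts,                     # 1: the price paid
    }
```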

Thanks for your time writing such useful post. Bookmarked for future reference :-TU

One question if you have time and wish to answer. How can one protect important financial information from leaking by browser based malware (Javascript and Flash based?): as I understand correctly, this kind of malware can use the browser’s executable to steal important information silently, as the browser is allowed to access the internet, keyboard, screen?

In the case of host-based screenloggers and keyloggers all is clear: the keylogger’s executable tries to log logins and passwords, then it tries to send this info to a remote host and gets caught at either of the two attempts.

But I can’t figure out what happens in the case of Javascript-/Flash-based malware and how to prevent it…
Besides, some security solutions advertise different kinds of “on-line banking security” (or similar wording): looks similar to a trick with IM, E-Mail:

hi SS26

Is there a specific malware or scenario you had in mind pls? This would help me with my answer.


Well, nothing special, just what I found in Google (search #1, search #2). And I’m not aware of exact step-by-step scenarios and Javascript malicious code.

For example, malicious Javascript code (e.g. a Javascript keylogger) is attached to a web page (with login forms) vulnerable to XSS (Cross Site Scripting).

…As I understood correctly from the information on the following pages: 1 2 3 4.

Seems like XSS and malicious Javascript code have nothing to do with HIPS, AV and resident Firewall, haven’t they?
Should XSS + malicious Javascript code be treated separately from malware even though they can steal logins and passwords?

Not sure if this can help, but Firefox has that NoScript addon. As far as I remember, by default NoScript usually blocks any website from executing scripts unless you specify otherwise, and in the event that a website may be vulnerable to clickjacking then I think even if you did allow that site permission to execute scripts, in a clickjacking attempt NoScript would block this action. I mean from what you say it seems to me that if you are on a site that is vulnerable to this and you enter your login details and then click login, then there is a chance you just sent your login details elsewhere, and chances are if you have NoScript then it would alert you and block it (well, for the most part it should).

I’m no expert though but this is just my assumption.