Why disable antivirus?

A work IT department that wants the ability to disable AV?
All the ones I know of want it to be impossible for users to disable AV.

Seems to me the Ignore facility is much safer than turning off AV entirely.
What am I missing?

John

We’re not an “IT” department… we do computer forensics (and security), and frequently have to export “live” files from within a body of digital evidence in a manner that maintains all OS and file metadata. If we have a “real-time” AV scan engine running (even if it were to “ignore” the results), this would still modify the OS metadata (i.e., timestamp).

Thus, we need the ability to completely disable the on-access scanner. Our “users” (non-analysts) would not have the ability, due to domain logon credentials. At present, it’s still somewhat of a moot point, as CIS is not available with CESM (it’s still utilizing CFPv3); but I’m preparing for the future… :wink:

LM

My business likewise does computer security and forensics.
Scanning of target environments is strictly read only, not altering them in any way.
How are you different?
~John
p.s. None of the analysis machines is on a network, and none run Windows.

We’re not talking about an on-demand scan of a target drive to check for malware (such as in a sheep-dip to protect our lab). Scenario is that quite frequently in forensics, we have to export files from an image set for review by attorneys, document production, etc.

If we were to do this (and yes, we’re running Windows because that’s the platform we use for the majority of our work) with real-time AV active (i.e., NOT disabled), the real-time/on-access AV would scan those files as they were being exported/extracted from the image set. This act of scanning would alter the timestamp of the files (last accessed). This in turn would modify the hash value of the files, and create a scenario wherein their evidentiary value could be questioned in court.

With the ability to disable the on-access aspect of the AV, we are able to forensically extract files as needed - no alteration of file path, timestamps, or any other metadata features. We’re not too concerned with our machines becoming infected or passing on infections - they’re air-gapped during processing, and periodically the HDs are replaced with a new baseline set.

LM

I must still be missing something, because it seems to me that “exported/extracted” is going to have the same effect on the access time stamp. I can’t see anything AV scanning would do that would be different. So again, what am I missing? And if you’re not running AV, how is this an issue at all?

I’d also be interested to know on what this issue of evidentiary value is based (specific cases and/or court rules), since everything can (and should) be preserved easily, even under Windows. I’ve taught computer forensics for California Continuing Education of the Bar, and no such issue has ever come up.

John

I’ll try to explain in more detail. Within an image set (i.e., not a “live” dataset) - whether they be .dd, .E01, etc., there exists data in an encapsulated form. These images can be mounted for various types of processing, analysis, etc. through the use of other tools and applications. In some legal cases (especially things like employment law), documents are items of interest. Especially important in these cases are the Ownership, Last Accessed - OS and file metadata.

The methodology used to extract these files so that attorneys can review live, or EDD firms can process for relevance, privilege and load into Summation, Concordance, etc, is specifically designed so as to maintain all of that metadata. This is the key to digital forensics - maintaining/preserving evidence integrity. If that metadata were to be altered, that would bring our practices into question in the courtroom; not something we desire.

By disabling the AV’s real-time scan, we avoid that scenario.

LM

As someone who only shares an interest in forensics, I was not aware virus scans would change anything on a file (unless infected).
Is this normal with most AVs out there?

You’ve not provided supportive cases or rules, so I assume this is just a matter of your own methodology (the way you’ve chosen to work). My own methodology (and the methodology I teach) is different:

  • True read-only access of source materials doesn’t change anything.
  • Faithful, authenticated copies on closed recordable DVD cannot be altered, preserving everything.
  • Work product need not be totally faithful to the original, and usually isn’t (extract or summary).

Anti-virus isn’t used on forensic machines in any event.
John

Depending on operating system*, files may have time stamps for:

  • Created
  • Modified (last modification)
  • Accessed (last access)

Any access to a file (including any AV scanning) will change the access time stamp on read-write media, but the issue is easily avoided by making the media read-only.
~John

* In the case of Microsoft Windows, see the SetFileTime function. These values can be easily changed, and so aren’t necessarily authentic.

Source media (whether original or pristine evidence) is write-blocked. However, destination media when extracting files from within the source media, cannot be write-blocked (or else the files thus extracted could not be written to it). That is the point of it, and thus the need to disable AV - it’s not about the source, it’s about the traversal to the destination.

If the extracted files on the destination media do not have the same metadata, they won’t hash the same. If they don’t hash the same, they can’t be authenticated back to the original evidence. Files DO sometimes have to be extracted, they cannot always simply remain in the original evidence or image set. When they are extracted, documentation of the process is only a part of their authentication. This is something that lawyers are only very slowly coming to realize and accept; it’s one of the reasons they are turning to forensic firms for analysis instead of just stomping all over the evidence themselves (as is their normal wont). Whether or not it’s accepted by the Court/jury is something the lawyers have to argue about; our job is to do our job with absolutely impeccable methods in accordance with forensic best practices, and stand ready to testify to that.

If AV is not ever used on forensic workstations, one will never know if the system has become contaminated from evidence, and likely never know if deliverable media becomes infected in the same fashion. It’s a risk we are not willing to take - everything is scanned in and out of the lab, our workstations are scanned before and after cases, and a new standard image laid down at regular intervals. But DURING processing/analysis, AV is disabled; I’d like that to be as easy to do as possible.

As for the ability to surreptitiously modify the timestamps of files, this can be detected. There are, among other things, tools that will check various facets of the OS involved, and report the discrepancies that are bound to exist. A completely “invisible” modification of timestamps would be a very difficult, if not impossible, thing to do. We’ve had a number of cases dealing with that exact issue, and it’s been quite interesting to delve into.

LM

I respectfully disagree (for reasons already stated).
~John

If you know what you are doing, disabling the AV for a while should not pose a threat.

But disabling the AV as a computer rookie could be dangerous, that’s what I think. :stuck_out_tongue:

I respectfully disagree.
I think it’s a bit like saying, “If you drive carefully, it’s not necessary to wear a seatbelt.”
~John

I like your analogy. But it seems that you are saying we should not let the user release the seat belt! :o
The “driver is permanently strapped into the car” if we do not provide an option to turn off the realtime protection.
I agree that we should protect the user, but I would like the ability to turn the AV on/off from the tray icon.

I posted a possible compromise here. The default could be “off” so that the antivirus options in the tray icon would be greyed out. But power users should be able to change this in the settings window to make the option available.

Another compromise is a pop up that says “Your computer is vulnerable to malicious programs when realtime protection is turned off. Do you really want to turn it off?” There could also be an option to turn off this notification so it does not become annoying for users who want this functionality.

JNavas, I definitely see your point and think it is a good one…after all, Comodo is about protection. Maybe this can be worked into a scheme where the program has a “Basic” interface (set it and forget it) in which the dangerous options would be greyed out, and an “Advanced” interface in which these options are available. When installing CIS, the user could choose their level of expertise. Somewhere in the program there would be the option to switch between modes.

An easy example of a relevant case is the one in Australia nearly a year ago now. Individual was subject to a traffic violation based on camera. They fought and won. Basically, they asked the question (in essence), “Can you validate the authenticity of the video as being the same as the original?” The prosecution was not prepared to answer the question (no expert witness to testify about md5 hash, evidence handling, etc), so bye-bye case!

This shows that those who work with digital evidence must use methods to preserve the integrity of (even) extracted data, and provide testimony to that effect when required. I’m sure you will agree that if a file is hashed within a mounted image set, then extracted to be able to provide to the court, the extracted file must hash identically to the one hashed within the image set. Or else, if the glove doesn’t fit, you must acquit… :wink:

LM

PS: Not trying to make this a forum for digital forensics - Forensic Focus is more the place for that.
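The export-and-verify flow described in the posts above (hash the file within the mounted image set, extract it to destination media that cannot be write-blocked, and show that the extracted copy still checks out), together with the Created/Modified/Accessed timestamp list and the SetFileTime note from John’s earlier post, as an added example. This is not code from the thread, from either poster, or from Comodo. Everything in it is constructed: the “image set” is a plain directory, the sample file and its timestamps are made up, and the on-access AV scan is simulated by an explicit os.utime() call that bumps the access time, because whether a real read updates last-access time depends on mount options (relatime/noatime) and on the NTFS last-access setting. The check compares the content hash and the recorded timestamps separately, so a changed access time is reported even when the bytes are untouched.

```python
"""Export files from a (simulated) evidence set while preserving timestamps,
then verify the exported copies against a recorded baseline.

Added example, not code from the original thread or from Comodo.
Assumptions (all constructed): the evidence set is an ordinary directory;
the on-access AV scan is stood in for by an explicit os.utime() that bumps
the access time; paths, file content and timestamps are made up.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

NS_PER_S = 1_000_000_000


@dataclass(frozen=True)
class Baseline:
    sha256: str
    size: int
    mtime_ns: int
    atime_ns: int


def baseline(path: Path) -> Baseline:
    """Hash a file without leaving its access time changed.

    Timestamps are captured before the read and the access time is put back
    afterwards. On write-blocked source media this os.utime() would fail and
    is unnecessary; it is the substitute for a write blocker on media that
    has to stay writable (the export destination).
    """
    st = path.stat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return Baseline(h.hexdigest(), st.st_size, st.st_mtime_ns, st.st_atime_ns)


def export(src: Path, dst: Path) -> Baseline:
    """Copy the bytes, then stamp the destination with the source's times."""
    base = baseline(src)
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dst)  # content only; metadata is set explicitly below
    os.utime(dst, ns=(base.atime_ns, base.mtime_ns))
    return base


def verify(path: Path, expected: Baseline) -> list[str]:
    """Return the discrepancies between a file and its baseline ([] if none)."""
    got = baseline(path)
    problems = []
    if got.sha256 != expected.sha256:
        problems.append("content hash differs")
    if got.size != expected.size:
        problems.append("size differs")
    if got.mtime_ns != expected.mtime_ns:
        problems.append("modified time differs")
    if got.atime_ns != expected.atime_ns:
        problems.append("access time differs")
    return problems


def simulate_on_access_scan(path: Path) -> None:
    """Stand-in for a real-time AV read that updates the last-access time.

    The read itself may or may not touch atime depending on the filesystem,
    so the update is forced here to make the demonstration deterministic.
    """
    with open(path, "rb") as f:
        f.read()
    st = path.stat()
    os.utime(path, ns=(st.st_atime_ns + 60 * NS_PER_S, st.st_mtime_ns))


def demo() -> dict:
    """Run export, scan and re-check in a temp directory; return each check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "evidence" / "memo.txt"
        src.parent.mkdir()
        src.write_bytes(b"Constructed sample document.\n")
        # Made-up timestamps: modified 2019-01-02 03:04:05 UTC, accessed a day later.
        mtime_ns = 1_546_398_245 * NS_PER_S
        os.utime(src, ns=(mtime_ns + 86_400 * NS_PER_S, mtime_ns))

        dst = root / "export" / "memo.txt"
        base = export(src, dst)
        clean = verify(dst, base)            # expected: []

        simulate_on_access_scan(dst)
        scanned = verify(dst, base)          # expected: ["access time differs"]

        os.utime(dst, ns=(base.atime_ns, base.mtime_ns))
        restored = verify(dst, base)         # expected: []
        return {"clean": clean, "scanned": scanned, "restored": restored}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(f"{stage}: {problems or 'OK'}")
```

Running the script prints one line per stage: the fresh export verifies clean, the simulated on-access scan is reported as an access-time discrepancy while the content hash still matches, and re-applying the recorded times clears it. Restoring times this way is only meaningful on the writable destination; the source stays behind a write blocker.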

What I’m actually saying is that you should never drive anywhere without being belted in. It may seem unnecessary for a short trip to the store, but the majority of accidents actually occur close to home. AV is no different IMHO.

Greying things out is a techie paradigm – average users tend to think things should work if they are at all visible, and get frustrated when they can’t select them (calling me in the middle of the night to complain about broken software) – I don’t want Advanced Options to be at all visible in Basic Mode.

I’m not even comfortable with a menu option in Advanced Mode because it’s all too easy to select the wrong menu item by mistake. I think it should always take a bit of effort to turn off protection.

Bottom line is that I like the current system and don’t think it should be changed. If there is to be a pop-up menu item, then I absolutely want a confirmation dialog (which wouldn’t be much faster than the current system).

What’s the big issue with starting the GUI?!

My US$0.02,
John

It will be tough making all users happy with the CIS interface. But, I am sure Comodo will take all these comments/suggestions into account and come up with something stellar. I am certainly glad we have these forums to voice our thoughts…I think all the comments help make Comodo’s products stronger. The people who post may not agree on all the issues, but I bet we can agree on this:
:comodorocks:

Whoop

You can easily disable D+ and Firewall by right clicking, why not AV?
I see why, somewhat: the normal user has less risk of disabling the AV by accident, and I agree somewhat that the GUI is not that bothersome; those who need to disable the AV know how to check the GUI and are not normal users.
I think adding unnecessary shortcuts can make things less safe for ordinary people.

Maybe the Comodo logo at the bottom right should turn red or something when, for instance, the D+ or firewall module is set to OFF (even if set to that manually), reminding the user that some of his protection is off?

Something like this was suggested here (check out the 3rd picture in the post). Comodo is considering modifications to the GUI and user interface…so all these suggestions are being taken into account.

As my signature below states: “The best way to have a good idea is to have a lot of ideas.” - Linus Pauling
If we keep the ideas coming…Comodo will only get better.

Whoop-dee-doo

!ot!
You usability guys do a good job! (:HUG)

Nice design too. :-TU