Antivirus will not protect you

As everybody knows, antiviruses are the kind of programs that prevent unwanted software from running on your computer. I will talk only about bad unwanted software that can harm you one way or another, not about software that installs other unwanted software or runs some parts when you don’t want it to.

Previously only viruses were the kind of unwanted bad software, but now viruses are probably a small part of it, and viruses are usually used just to breach defenses and then run something else on your computer. It could be cryptocurrency mining, hackers using your computer to hack other computers, sending spam, and many other bad things that you obviously don’t want.

Someone could say: “I installed the best antivirus XXX and I’m protected.” That someone will be 100% wrong. Let me explain why.

Firstly, there is no antivirus that protects you from 100% of viruses, and you need only one virus to get infected. Moreover, quite often that virus will damage your defenses, and then you can get a second one or even a third.

Secondly, antiviruses are quite bad at detecting unknown viruses. Most of them have heuristic algorithms, but the probability of detection is not even close to that for known viruses. This is because the antivirus tries to execute “suspected” code in a sandbox and see whether it does anything suspicious, and there are memory and time limitations. Because the code is executed in a sandbox, it runs much slower. An antivirus cannot spend 30 minutes checking a single suspicious file and allocate 10GB of memory, because that would harm or even stop the user’s normal work. As a result, the amount of work an antivirus can do is quite limited, so after some checking it allows the program to run but continues to monitor it. But again, there are a few factors that will not allow the antivirus to succeed:

  1. Monitoring cannot considerably slow down program execution, because that would frustrate users who cannot do their work.
  2. Modern viruses are quite big, and analyzing them fast is extremely hard.
  3. There are so many ways to do the same thing (and every change in the operating system adds more), hackers are quite inventive in their job, and the antivirus must know them all to prevent infection. Again, one thing missed, and your computer is infected.
  4. People who develop viruses can install antiviruses and test their virus non-stop until they find a combination that is not detected. Then they release the virus.
  5. False positives must be very limited, because users get frustrated when they cannot run their application due to the antivirus treating it as a virus.

So as a result, antiviruses will only ever be able to catch up and will never be ahead of hackers.

A reader may say: but if everything is that bad, what should I do? That is simple: it is called software hygiene. Antivirus should be treated as a last resort. If it fails, your computer will be infected. So you should do everything to prevent a virus from even reaching the antivirus. Let me explain this.

You should never download software from unknown sites, especially software that is too tempting to run: cheat software, software that promises to hack some game you are playing on your phone. The same applies to cracked games or sites that let you download videos, music, etc. Basically, if it is too good, there is a very high chance that it has something bad in it. And even if your friend told you that he did it and everything is fine, you should not do it. Running that software will not lead to an instant explosion of your computer. Something will silently run, and you will not even know about it until it is too late.

But even if you downloaded something from what looks like a trusted source, you should double-check. Remember, even the biggest companies have been hacked, and hackers can replace or infect the software that users download from their web sites. To prevent this, all software companies sign their software. Right-click on the downloaded file, select Properties and see if it has a “Digital Signatures” tab. If there is no such tab, I personally would not run this thing unless I really know what I’m doing. Here is an example of an application without a Signatures tab:

If you see such a tab, go there, select the signature and click Details. The new window should display “This digital signature is OK”. Here is an example:

If it says something else, I would definitely not run the file, because it means the file has been changed from its original signed version. Here is an example:

Next, you should never run downloaded software from an elevated environment, and you should never disable UAC. UAC will give you one more chance to review what you are running. It will look like this:

Again, it should display “Verified publisher”. If at this stage you get a warning from your AV, I would research it on the internet. It could be a false positive, but in most cases it is a real virus. Check for an antivirus update. Also, you can use https://www.virustotal.com/#/home/upload to upload the file and check it with other antiviruses. One or two reds are usually OK to run; if there are more, you should do more research.
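As an added example (not part of the original post), the same checks done from PowerShell on Windows: the built-in Get-AuthenticodeSignature cmdlet reports the same result as the Digital Signatures tab, and Get-FileHash gives the SHA-256 so you can look the file up on VirusTotal by hash instead of uploading it. The function name and the sample path are my own choices.

```powershell
function Test-DownloadedFile {
    # Added example, not the post's own code: checks a downloaded file's Authenticode
    # signature (what the "Digital Signatures" tab shows) and prints its SHA-256 hash.
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    switch ($sig.Status) {
        'Valid' {
            # Same meaning as "This digital signature is OK". Read the signer so you can
            # confirm it is the vendor you expected, not just "some valid signature".
            Write-Host "Signature OK"
            Write-Host "  Signer : $($sig.SignerCertificate.Subject)"
            Write-Host "  Issuer : $($sig.SignerCertificate.Issuer)"
            Write-Host "  Expires: $($sig.SignerCertificate.NotAfter)"
        }
        'NotSigned' {
            # Explorer would show no "Digital Signatures" tab at all for this file.
            Write-Warning "File is NOT signed. Do not run it unless you know what you are doing."
        }
        'HashMismatch' {
            # The file was changed after it was signed: the "something else" case above.
            Write-Warning "Signature does not match the file contents; file was modified after signing."
        }
        default {
            # NotTrusted (chain does not end at a trusted root), unsupported format, etc.
            Write-Warning "Signature status: $($sig.Status). $($sig.StatusMessage)"
        }
    }

    # SHA-256 lets you search the file on VirusTotal by hash instead of uploading it.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "SHA256: $hash"
    return $sig.Status
}

# Example call with a placeholder path; replace it with the file you actually downloaded.
Test-DownloadedFile -Path 'C:\Users\me\Downloads\setup.exe'
```

A status of Valid only proves the file is unchanged since a trusted certificate signed it; still compare the Signer line with the vendor you expected.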

Imagine you are in an unknown city and would like to eat: you will not go to the cheapest place, and you don’t go to a place that looks dirty or where the cook is dirty. You know you have all your immunizations and health insurance, but you will not risk your health. The same applies to software. Resist the temptation to download from unknown sources, or at least check that it is signed. Unsigned software is a really bad sign: it is either a very small developer or a virus. A certificate for signing costs about $200-$500 per year and most developers can afford it. Hackers will not do it, because the certificate would be almost immediately revoked, and you have to provide your real details to get one. So they do not risk it.

Stay safe, and I hope this will help someone.