CIOs and IT managers care a very great deal about keeping the computer systems on their networks free of viruses. Most don’t concern themselves with the details of antivirus strategy. Very understandably, they prefer to leave the inner-workings of virus-scanning to the software vendors. No one wants to second-guess their vendor.
But maybe you should.
Earlier this month, I discussed a remarkable blog post appearing on the Avast blog (Avast is a major antivirus software vendor). While explaining a new exploit using PDF, the post (and the comments that followed) revealed that Avast doesn’t bother to understand the type of files it’s scanning. Instead, it seems that the software simply looks for known patterns that have proven to be malicious without understanding how to actually read the PDF file format.
Does your antivirus software process common file-formats such as PDF?
There are two significant consequences arising from this revelation.
- Avast is (unwittingly) announcing their strategy to virus writers. The message: Simply hide your nasties inside an otherwise legitimate data-structure (such as a PDF), and the chances of it being found drop substantially.
- To the extent that the antivirus industry as a whole fails to properly process PDF and other common file types encountered on a daily basis merely guarantees a steady drip-drip-drip of PDF exploits.
Neither circumstance benefits the consumer.
The answer is obvious. CIOs and IT managers should INSIST that the antivirus solutions they buy include the ability to process common file-types using the file’s own data-structures. Since it would be examining the actual file rather than treating everything as a mere stream of bytes, such software would doubtless run substantially slower than otherwise. That is, unavoidably, the price of doing it right.
PDF is hardly rocket-science. There are literally hundreds of separate implementations of the PDF specification. Given the enormous popularity of PDF, there’s no reason at all for antivirus developers to ignore this format any more than they should ignore Word or Excel files.
To make things crystal-clear for interested developers and technically savvy IT managers, Appligent’s CTO Mark Gavin, has written a pair of articles that detail the problem at a technical level. See:
PDF Viruses Part 1; This is not a glitch, and
PDF Viruses Part 2; Why is this a surprise
by Duff Johnson