3

Recently when I was trying to install a software which didn't happen to be from reputed sources, my anti-virus popped up a warning saying:

XYZ-antivirus blocked you from visiting an infected webpage

My question here- am I being too paranoid thinking that I could have been infected even though my anti-virus says it blocked me from visiting the infected webpage?

Or in more generic terms- can an end-user, who may not be a techie, just be happy by trusting his anti-virus solution assuming he uses a decent one and keeps it updated?

Does he need to be bothered about "am I infected?", "should I nuke it from orbit?" when he sees such occasional messages about a virus or a trojan detected in his USB stick or the one that I got above?

p.s.: I could very well share the name of the anti-virus I use, but I thought of keeping it a more generic question.

pnp
  • 1,818
  • 2
  • 26
  • 42
  • No. (No antiviruns is able to predict malware. There will always be a vulnerability window during which your computer is at risk.) – fubra Dec 14 '12 at 12:59

4 Answers4

5

There are two distinct cases you should consider:

  • Your AV software blocks malware.
  • Your AV software removes or cleans malware.

The first one means that it was able to remove the threat before it executed, e.g. it detected malicious code in a file you were in the process of downloading. As such, your system should be safe. No malicious code actually executed on your machine.

The second one means that the malware executed on your machine, but was later removed. At this point, malicious code has executed on your machine, so there's a chance it could still be infected (e.g. with a kernel-mode rootkit that your AV software can't detect). At that point it's probably time to nuke it from orbit.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
5

You are probably too paranoid. @Polynomial is on the right track, IMHO. I think he has the right analytical framework, but I think he stops short of answering the question.

With all due respect to my Baysean friends, if the AV detected the attack, it probably blocked it. It is possible that the AV misidentified the attack, or that the attack strategy has advanced since the AV was configured. I suspect that you could consult VERIS to calculate the probability that AV can detect but cannot block. But my gut instinct tells me that the probability is low.

Having said that, I'd still switch AV product because they didn't provide you enough information to verify/check. Ideally the AV should have said "Blocked Attack X attack against CVE-010-2011" - then you could verify the assertion.

MCW
  • 2,572
  • 2
  • 16
  • 26
  • 'Ideally the AV should have said "Blocked Attack X attack against CVE-010-2011" - then you could verify the assertion...' That was a good input. +1, Thanks. – pnp Dec 12 '12 at 11:42
  • 2
    Which AV do you use that provides you the CVE number of an attack against you? I'm not sure that I have ever encountered one that provides such information. –  Dec 12 '12 at 12:45
  • *Ideally* that is what I'd want. Simply stating "attack blocked" is not ideal. I can't remember what my AV displays when it triggers (it is the last line in a defense in depth strategy). – MCW Dec 12 '12 at 13:23
  • Concerning the title of this thread: Is there any absolute guarantee that the AV on one's computer isn't itself a manipulated one (through malware attack or having a backdoor introduced by an unfaithful employee of its producer, etc. etc.)? I presume the answer is no. – Mok-Kong Shen Dec 12 '12 at 13:31
  • 1
    @Mok-KongShen no, certainly not, infact when playing in CTF and red team/blue team wargames the security system is often a fun and common attack vector. Also Peiter C. Zatko (Mudge) in the keynotes for Shmoocon, Blackhat USA and Defcon conferences in 2011 went into his work at DARPA into how the biggest attack area is the thousands of lines of code in the massive IDS and firewall systems used in military information networks. – ewanm89 Dec 12 '12 at 18:26
  • @ewanm89: This link may be of some interest: http://www.networkworld.com/community/blog/darpa-program-aims-find-shut-backdoor-malware-holes-commercial-it-devices – Mok-Kong Shen Dec 12 '12 at 20:18
  • @TerryChia FYI - I remember seeing Symantec on one of my work systems providing CVE of the attack it blocked... – pnp Dec 13 '12 at 04:42
2

Because of its' nature, AV-softwares always behind malwares, so the anser is no, you can't trust in your AV 100% blindly.

When you see a message like above, your AV intercepted malware and you are in safe. But. When a new malware hits internet there is a smaller or bigger timeframe while defensive techniques will react on it.

If you want to be nearly sure that your infrastructure is in safe, check security news day by day and apply workarounds and patches when they are available. Of course, don't forget to test them before applying them - on an industrial infrastructure, they can cause malfunction or out of order.

sh4d0w
  • 325
  • 1
  • 5
1

Anti virus isnt full proof. There will be a period that upon a zero day attack been release. And Anti virus has no virus definition has no new information about it.

what is most important is good education on good security practice. Do not open weird email attachments and stuff.

Len
  • 139
  • 5