By: ThreatLabz

Antivirus: Can't Live With It, Can't Live Without It

AntiVirus

Like you and many other responsible Internet users, I run antivirus software on my desktop. Even leaving the performance issues out of it, I find it very frustrating to configure and use. I get that it's complicated behind the scenes, but how many knobs do you really need to say that you'd like your computer protected from lurking evil? As a security geek, I'd like a few more knobs than most people, and a little more explanation, but somehow what I want isn't available and what I don't want is slathered all over my screen in popups and screen after screen of nigh-useless configuration options. Here's my take on what antivirus software does:
 

  • Detect viruses (and spyware or whatever else)
  • Respond to viruses
  • Update detection functionality


That's it. Anything else is just variations on a theme, or possibly a smoke screen of some sort.

Detect viruses

Though you wouldn't know it to look at any AV I've tried, this should be simple to configure. There are only 3 questions:

 

  • When to look? E.g. continuously [starting in 10 minutes], once right now, regularly in the future
  • Where to look? E.g. in memory, on disk, in traffic coming from outside (email, removable media, downloads)
  • What to look for? E.g. viruses, spyware, tracking cookies, root kits


For some reason AV vendors seem to scatter these questions over multiple screens with no rhyme or reason (at least from the user's point of view) . In the AV I'm running on one of my machines, where to look is configured differently depending on when to look, so if you scan continuously, you can white-list a directory, but if you scan regularly, no white-list applies. Of course it's not all organized by when to look; there's one section organized purely by where to look, located in parallel to the when to look sections.

Respond to viruses

Sooner or later, your software will find a virus. If you want your users to think, "wow! good thing I'm protected" rather than "yecch! I must run straight to my blog and post about how awful AV software is", help your users respond to the situation constructively. Here are their likely questions:

What's going on?

Hopefully, your users are reasonably cautious and therefore don't see your "I found a virus" dialog regularly. Certainly last week was the first time I've seen this dialog in the course of my regular-user computing (I've seen it plenty when it involves my valiant attempts to protect my malware cache). Most such dialogs try to answer this question with a link to more information, which seems like a fine idea to me.

Ladies and gentlemen, such a link had better work. At the moment your user sees this link, he has been startled out of his task to respond to what he is likely to see as an emergency. He is likely to have a negative emotional response to being startled, the delay in his work, the nature of the emergency (a virus? ewww), et cetera. Even if your target user won't understand anything technical you might have to say about the virus, this is the moment you need to convince your wary and probably already irritated user that there is something bad going on, but you, the AV vendor, know all about it. In my case, it took me to a generic search page on my vendor's web site (don't do this), which claimed it didn't know of such a virus when I used the exact name shown on the dialog (good grief, people). When I tried again with a substring of the name given in the dialog,
it found an entry with the exact same title it claimed it couldn't find only seconds previously (don't do this). This essentially blank entry contained no information whatsoever about when the virus was discovered, its typical effects, how it spreads, related viruses, how to get rid of an infection, or anything else I (or a normal user) might want to know. In short, information in this entry was thin enough that even non-security folks would be wondering whether this was real. Which brings us to the next question.

Are you sure?

It's possible that if your users are not security geeks, and you handled the previous question well enough, you wouldn't need to face this question. Perhaps some kind of certainty meter would be enough in some cases (but keep it hooked up to something real, please).

My first instinct was to hand a copy of this supposed virus off to our in-house equivalent of Virus Total for a second (and following) opinion. Unfortunately, the AV was now making the files in question very difficult to access (it's supposed to, after all), and after an hour or so, I decided it didn't matter if it were a false positive, because there was no way I was going to be able to use or copy the files anyway, unless I switched AV (which was tempting at that point). As an AV vendor, if you are confident in your diagnosis, I suggest you provide a button to consult Virus Total or similar. I'd certainly trust you more, and your less-informed users probably would too.

What can I do about it?

Users are hoping for options like "remove", "repair damage" or possibly "quarantine". If you present options that will not work (e.g. for consistency so the same options always show up), grey them out and provide some kind of indicator why they won't work, hopefully including a way to make it work. In my case, both remove and the equivalent of "remove as superuser" landed me in an endless loop of dialog boxes involving UAC and the AV software (but not, interestingly, ever actually attempting to become Administrator as one would expect). The equivalent of "quarantine" also failed. In the end, I had to empty the quarantine area of an old copy of my previously quarantined-against-my-will malware stash, from before I moved it to a machine with a decent OS, quarantine, and then empty quarantine again. This solution required a fair amount of hunting around and more information about how AV usually works than was readily apparent from the dialogs. I don't think most AV users would be able to do it, e.g. an acquaintance whose AV (a different brand) kept alerting about viruses but wouldn't let her get rid of them, who ended up having to send her machine in for service last month.

Another option I'd like to see is "submit for re-analysis" or similar. Users could do this if they think it is a false positive. With an automated service to see the results from files that have already been re-analyzed, this could add an option like "ignore" to the available options (better put the file on a white list so you don't bother the user again, though).

Update detection functionality

Trust me, the user does not want to hear about this in real-time. By all means, log plenty and request assistance from the user if something you can't fix automatically goes wrong with your attempt. I used to use some AV that assured me it was updating successfully even though my network was quiescent and the only file changed on disk was the log file -- quiet failure of protective equipment is never desirable. But as soon as it's going right again, shut up and go away! Do not make your innocent user click through dialog after dialog if she happens to disconnect from the net for a week.

When to look, and maybe where to look if there are choices, is the only thing you need to configure. Snag information about proxy settings and the like from the OS; don't make us configure them again.

Yes, there are some other aspects of operation some of us might want to control. But chances are good that from the user's perspective, most of them are about one of the above functions, so do your users a favor and make them accessible from the same place as the related settings. Your users' lives would be better if they could configure your software to do what they want, and organizing settings in a way that makes sense to the user is a good starting point.

--Brenda

 

Learn more about Zscaler.