System architecture and the role of antivirus software in different platforms

Antivirus software is essential to safeguarding the computing needs of every person from the perspective of keeping browsing activities on the Internet safe from privy eyes, to the prevention of hacking of personal files such as photos, documents and drawings.

 

While there are multiple providers of antivirus software for various platforms ranging from Windows, Mac OS, Android, Windows Phone, Linus (various distros) to iOS, they vary in their philosophy, concept and mode of protection, which translates into different levels of security for end users. In general, all operating systems are secure, but since they differ in their system architecture, differing levels of security exist between operating systems.

 

For example, the most popular desktop and laptop operating system, Windows, differs significantly from the most widely used mobile operating system, Android. Specifically, Android offers compartmentalization between apps through a system architecture known as sandbox, where communication links between apps is restricted for safety purposes. However, a single malware infected app with access to multiple communication channels such as the WiFi, Bluetooth, or the Near Field Communication (NFC) port could open up the Android operating system to hacker’s attack.

 

On the other hand, Windows is organized in a different way such that a single infected program is usually unable to gain total control of the computer from the kernel level (i.e., core operating system) to the application layer where the programs sit. Hence, variation in operating system structure meant that different operating systems need to be protected in different ways, where the designated antivirus solution integrates, ideally, with the operating system under rules specified by the permissions system of the operating system. Typically, a good antivirus solution would need to gain control of all ports of the operating system. Gaining control of the communication ports is the first step to protecting the device given the ability of the antivirus solution to provide additional layers of barrier for guarding against unauthorized access.

 

Despite publicized vulnerabilities in different software systems, all operating systems, whether desktop, laptop or mobile, requires antivirus software protection in the current era of highly connected devices through multiple ports such as WiFi, 3G or 4G. Protecting these myriad ports of different security architecture requires an antivirus software solution capable of not only securing the all important file system and application layer, but also protecting the various antennas such as WiFi, Bluetooth, 3G and 4G from electronic eavesdropping by hackers capable of carrying out authentication and deauthentication style attacks. Briefly, mild cases of such attacks release the content of the internet and voice traffic between the phone and the WiFi router, or between the phone and the cell phone tower. In more serious cases, malware already present on the phone or tablet allows the hacker to gain access to the entire phone (inclusive of the application layer, personal files, antennas and core kernel) through entering the high bandwidth WiFi port or 3G and 4G antennas.

 

For laptop and desktops running various versions of the Windows operating system, Windows Defender, the embedded antivirus and malware removal solution is a good antivirus program from the standpoint of seamless integration and availability of high levels of security. Why? Antivirus programs are typically third party software from companies that do not develop the operating system on which the antivirus program overlay; thus, possibility exists that such antivirus solutions could not cover all ports of the operating system and less well known features. Hence, coming from the company that develops the operating system, Windows Defender may be better able to protect the underlying operating system from attack. Featuring a Windows Firewall, Windows Defender uses a passive approach in thwarting attacks, which is supplemented by an antivirus scan engine continuously updated by daily virus definition updates. Beyond updating Windows Defender, keeping the operating system up to date with security and software patches is a must, and this applies to third party software downloaded from the Internet. An up to date operating system will significantly reduce the chances of an infection from malware, as well as thwart a botnet or hacker attack.

 

In contrast to less well known antivirus programs, those from major antivirus solution providers are typically capable of good integration with various versions of Windows, given the significant amount of time spent working with Microsoft engineers in troubleshooting areas of application conflict and lack of access to more secure parts of the application layer and kernel of the operating system. Using antivirus programs from third party providers is increasingly a must since the myriad ways in which an amateur hacker could conduct wireless attacks on vulnerable WiFi, Bluetooth, NFC, 3G and 4G ports meant that strong firewalls is a requirement for basic protection.

 

With infected computers and mobile devices increasingly connected to botnets used for various criminal activities such as serving as staging points for distributed denial of service attacks (DDOS), having an antivirus solution beyond the basic protection provided by Windows Defender is essential to safeguard an individual’s digital privacy and computing freedom. Typically, a good antivirus solution for computers provide the following functions: (i) a personal firewall, (ii) malware scanner, and (iii) virus scanner.

 

Mobile operating systems such as Android, on the other hand, are typically characterized in the popular media as highly vulnerable to attacks on various ports of the operating system. Specifically, it is widely reported that Android has the most number of potent malware and viruses available for use by hackers to gain control of an individual’s phone or tablet. Hence, how should an average user protect an Android device?

 

The most important security measure would be the continuous update of all apps through the Google Play Store as well as downloading the latest security patches for the operating system through a secure channel provided by the device manufacturer. Additionally, download and installation of apps from third party app store outside of the Google Play Store is not advisable given the presence of significant number of malware apps on these unofficial stores.

 

Finally, similar to the case for computers, mobile devices also require antivirus solutions for protecting the critical vulnerability in the Android operating system: the direct path between apps in the application layer and the core kernel guarded by a permission system. Specifically, Android utilizes partition (or sandboxes) to restrict flow of information between apps; thereby, constraining access to critical operating system components such as the file system as well as channels to the communication ports such as WiFi, Bluetooth, NFC, 3G and 4G. Even with sandboxes, a single malware app with high level access to various communication ports on the device could open a path for an attacker to take complete control of the equipment, leading to the profiling of all sensitive personal information such as credit card number for in-app purchases, emails, photos, and documents stored in the flash memory drive of most modern smartphones and tablets.

 

Hence, an antivirus solution for mobile operating systems such as the Linux-based Android and iOS help close critical and vulnerable pathway access points to the application and core kernel by controlling all communication ports of the device, as well as providing a firewall to continuously survey all incoming and outgoing traffic, both voice and data. Upon probing by an attacker, for example, through the high bandwidth WiFi port, the firewall accompanying most mobile antivirus solutions would close the port to prevent further intrusion by the attacker’s software. Special configurations of firewall can, on occasions, detect the Internet Protocol (IP) address of a server that acts as the final connection point between the attacker and a target device. Obtaining the IP address is an important first step to identifying the chain or network of servers responsible for initiating the hacking attempt.

 

Tracing the digital trail to the initiator of an attack is usually difficult and arduous, but, detecting a malware infected server, which is an initiator of a wireless attack across a public WiFi hotspot, for example, is a concrete step in removing one more server from the attacker’s armamentarium. Contemporary design philosophy of antivirus solutions, both mobile and desktop, include a security incident update feature that uploads virus samples and any probing attempts to a central server at the antivirus company, which is used, in a timely manner, to update virus definitions for download by users around the world. Therefore, enabling such a Live Update feature on your antivirus program is one way to help reduce wireless and powerline attacks around the world.

 

Collectively, antivirus solution is essential to all desktop and mobile operating systems, whether Linux (Android, iOS and Debian) or Windows based. Featuring common features such as a firewall, antivirus scan engine, and malware detector, most antivirus programs and apps act as sentinels passively detecting any signs of intrusion to a computer system or mobile device. But with ever sophisticated hacking tools and tactics, the best antivirus programs could not keep pace with the evolving threats posed by the many viruses and malware around the world, without continuous (at least daily) update of virus definitions and periodic update of program components, the latter for augmenting the repertoire of capabilities necessary for countering the constant threat of malware attack.

 

At the most basic level, protecting one’s digital privacy include taking essential and concrete steps at updating apps and operating system patches. Doing so helps ameliorate, significantly, threats posed by operating systems and apps’ loopholes that could be used by hackers to probe and gain entry into one’s device. However, there remains as yet undiscovered vulnerabilities in program coding (known as exploits), both at the app and operating system level, that could be used for launching pernicious attacks against a target’s computer or device, with the end result being complete control or induction of significant damage to the system. Hence, how should we protect ourselves against exploits? Are antivirus solutions useful for this purpose?

 

The answer is nebulous and not definitive. It depends, critically, on the computer security environment surrounding the usage of a device. If the operating environment of the user is presented with significant hacking threats, possibility does exist for sophisticated hackers using complex tactics for gaining access and control of a device. On the other hand, most antivirus programs utilize the philosophy of controlling all communication ports of a computing system for protecting traffic through these channels as well as using them as conduits for detecting probing and hacking attempts. Every attack requires the establishment of a firm and secure communication channel between the hacker’s device (e.g., smartphone, tablet, or WiFi router) with a target computer or mobile device, which is done through a wireless communication port like WiFi or 4G. Hence, exploit or not, a hacking attempt can be stopped at the communication port level by having an antivirus solution that judiciously profile against malicious probing attempts. Such an approach is not 100% foolproof, but is effective in countering many hacking attempts at the hardware level by utilizing communication settings and wireless encryption protocols for protecting a computing device, mobile or desktop.

 

At the end of the day, and at the philosophical level, should we be so aware of hacking that we do not go online to learn and communicate with others digitally given the multitude of online threats and malware that the digital world presents? No, definitely. By exercising diligence in updating one’s devices and apps, as well as caution in downloading and installing less well known programs, significant reduction in threats to one’s computing from being monitored and affected can be achieved. Of course, having an effective and efficient antivirus solution with low system footprint could go a long way in providing further protection against more sophisticated threats where control of all communication ports and a passive firewall help survey for malicious online traffic requests and probing attempts.

 

Acknowledgement: Ng Wenfa thank Seah Kwi Shan for suggesting this topic and co-authoring this blog.

 

Category: computer security,

Tags: sandbox, antivirus software, application layer, core kernel, rootkit, root access, Windows, Linux, Android, iOS, encryption,

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s