2

I think that anti-virus would be able to determine the virus even before it gets into the OS (Windows/Linux) by filtering at the network interface port itself. Right?

But, how do viruses escape that filtering too?

Thanks in advance,
Karthik Balaguru

splattne

4 Answers

2

It's certainly possible yes, some desktop machines have/had BIOS-based AV but doing it 'in-NIC' would require quite a lot more logic in the NIC, thus costing more, plus a mechanism for them to hold the, usually quite large, virus-definitions on-chip too. Oh and this system wouldn't necessarily be any more secure or faster than doing it 'in-cpu' but would almost certainly slow down the NIC. What many if not all AV products can do is look at traffic coming in via the IP-stack and search for viruses - this is quick and easy to update the defs as it's AV-product specific rather than AV-product-AND-NIC specific.

Hopefully I've clarified why NIC-based AV would be quite a poor idea and why if implemented it would be quite easy for newer viruses to not be spotted by out-of-date NIC-based defs.

By the way, this sounds like a homework question - if it is can you come back to us with the mark you get ;)

Chopper3
1

While it may be possible to detect some viruses entering the system at the port it would really only be possible with a signature system. That means that it would be very easy to avoid detection. It might be useful as an adjunct to other detection methods but quite useless as the sole detection method.

As an example, watching the port traffic would not detect a virus embedded in an encrypted file, which is a method used to great success many times (from the point of view of those spreading the virus). The entire file must be brought in and decrypted before detection can have a hope of succeeding.

John Gardeniers
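Chopper3's and John Gardeniers' answers above make the same technical point: anything done at the port is signature matching over raw bytes, so a pattern that is split across packets, or a payload that arrives inside an encrypted file, is not seen until the host has reassembled and decrypted it. The script below is an added illustration, not code from either answer. The signature table, the marker string, the MTU and the XOR key are all constructed for the example; the XOR routine is a toy stand-in for "embedded in an encrypted file", not a real cipher.

```python
# Constructed signature table: a byte pattern standing in for an AV definition.
SIGNATURES = {
    "demo-marker": b"EXAMPLE-MALWARE-MARKER-0001",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of every signature whose byte pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_per_packet(packets, signatures=SIGNATURES):
    """'In-NIC' style: each packet is inspected on its own, with no state kept."""
    hits = set()
    for pkt in packets:
        hits.update(scan_bytes(pkt, signatures))
    return sorted(hits)


def scan_reassembled(packets, signatures=SIGNATURES):
    """Host-side style: reassemble the whole stream first, then match."""
    return scan_bytes(b"".join(packets), signatures)


def split_into_packets(data, mtu):
    """Chop a byte string into fixed-size packets (constructed MTU, no headers)."""
    return [data[i:i + mtu] for i in range(0, len(data), mtu)]


def xor_encrypt(data, key):
    """Toy XOR 'encryption'; applying it twice restores the plaintext.
    Used only to show that ciphertext bytes do not contain the signature."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo():
    # Constructed 54-byte transfer: the marker sits at offsets 17..43, so with a
    # 20-byte MTU it straddles all three packets and no single packet holds it.
    payload = b"header:" + b"A" * 10 + SIGNATURES["demo-marker"] + b"B" * 10
    packets = split_into_packets(payload, 20)

    # Same payload delivered inside an "encrypted file" (toy XOR, constructed key).
    key = b"k3y"
    ciphertext = xor_encrypt(payload, key)

    return {
        "per_packet": scan_per_packet(packets),          # misses the split marker
        "reassembled": scan_reassembled(packets),        # catches it after reassembly
        "encrypted": scan_bytes(ciphertext),             # nothing to match on the wire
        "decrypted": scan_bytes(xor_encrypt(ciphertext, key)),  # found only after decryption
    }


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage:12s} -> {hits or 'no match'}")
```

Running it prints a miss for the per-packet scan and for the ciphertext, and a hit only once the stream is reassembled or the file is decrypted, which is exactly why the answers regard port-level signature matching as an adjunct rather than a sole defence.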
0

Malware can control the very core of your system. It's called a rootkit and they can be used to hide files, network traffic and running processes.

Rook
0

Ultimately, the problem lies in Alan Newell's famed proof that it is ultimately impossible to differentiate between what is malicious and what is benign in a true Turing system (partly due to the ambiguity of what is 'good' data and what is 'bad' data).

But indeed, numerous systems already exist that do this - Antivirus scanners frequently run at your ISP's SMTP relay. IPS/IDS systems contain many malicious signatures which can notify the admin.

zetavolt