Posted by Javi Guerrero, April 7th, 2010

It’s a known fact that security software in general, and antivirus software in particular is always a couple of steps behind cyber-crooks. That is, the most usual thing is for malware creators to find new ways to attack computers and for security companies to update their products to be able to combat the new threat.
So, operating systems and applications must fix their vulnerabilities and antivirus solutions keep their databases up-to-date to be able to detect the new malware that

If you consider the huge amount of threats that appear every day, it is easy to realize the huge effort that must be invested to keep up the fight against malware. Along these lines, Panda’s innovative developments such as TruPrevent technologies or the recent Cloud AV (the first antivirus in the world to put the concept of cloud-based protection into practice) have proved to be extremely effective when it comes to detecting malware. However, the fight goes on and will continue indefinitely.

Yet, there is an aspect of antivirus software development that clearly shows the disadvantageous situation it is in: the requirement to respect the operating system and other installed applications, in terms of stability, performance and functionality.

What does this mean? Well, just as I explained in my previous article Antivirus, performance and security, security solutions must protect the system without affecting performance beyond what is reasonable. They must also avoid affecting the way other applications or the operating system work, in order not to cause instability, crashes or incompatibility conflicts. This is sometimes very difficult to guarantee, due to the peculiarities of the way an antivirus product works.

Getting back to the topic of this post, here is an example of a disadvantageous situation:  Any antivirus software in general, and especially some of its components (such as the “on-access” detection layer) must fulfill certain conditions and good practice recommendations set out by Microsoft in order to ensure the product’s reliability and quality, and obtain compatibility certificates, etc. These rules include, among other things, to avoid using undocumented system functions, as they can change from one Windows version to another, or even among various service packs, and generate an incompatibility conflict that might cause the problems above.

However, malware evidently does not have to follow any of these rules or try to ‘respect’ the system and its applications, or at least not beyond what is strictly necessary to achieve its goals, as it is not a legitimate application.

The antivirus, however, must abide by those rules and is at a clear disadvantage when it comes to detecting and neutralizing threats. Sometimes, this makes security developers feel as if they were fighting with one hand tied behind their backs… Actually this is very similar to real life: whereas criminals break the law as they like, law enforcement agencies must abide by a series of rules and laws in the process of stopping them.

If you take all these circumstances into consideration, it is really worth admiring the effort put in by security software developers to try and keep ever-increasing threats at bay.