Windows backup as malware?
Or has the AV software just got it horribly wrong.
Written By: David Norfolk
Published: 2nd August, 2012
Content Copyright © 2012 Bloor. All Rights Reserved.
We're all told that hard disks fail and that we must always backup everything - but is system backup actually a security threat?
Well, at one level, it is, of course; if I wanted to put malware into a system, an old trick is to get at the backups (often not well-protected), insert my corrupted software and then engineer a production crash. The recovery neatly moves my malware code into production.
But I don't think this is quite what Kaspersky tech support meant when it told me: "You will not be able to back up files on the C drive if Kaspersky is running. Kaspersky has self defense - this function prevents any access and changes to its files."
I had found that my Windows 7 auto backup (which I had thought might be a 'read only' operation, although it probably updates attributes) stopped working after I installed Kaspersky AV. It took me some time to blame Kaspersky because the (Windows) error message was misleading - "can't create Zip file", with the suggestion that space isn't available somewhere (perhaps it's trying to create its working file on the small recovery partition, was a Microsoft knowledge base suggestion). Then I switched off Kaspersky - and backup worked again.
This is not a very satisfactory workaround really - instead of automatic backup, I have to remember to switch off Internet access, switch off Kaspersky, run a manual backup and then switch Kaspersky and Internet back on. Some real opportunities for "user error" here; and I bet I don't do as many backups with this process!
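A backup that quietly stops running is the real risk in the story above, so the check a practitioner would want is one that notices a stale or failed backup and surfaces the actual logged reason. The script below is an added example for this page, not code from the post or from Microsoft or Kaspersky; it assumes the Windows Backup channel is named `Microsoft-Windows-Backup` and that event ID 4 marks a completed backup while IDs 5 and 49 mark a failed one (verify these against your own Event Viewer before relying on them).

```powershell
# Added example: report whether Windows Backup has completed recently.
# Intended to be run from a scheduled task; a non-zero exit code means
# "somebody needs to look at the backups", which is exactly the signal the
# misleading "can't create Zip file" dialog failed to give.
param(
    [int]$MaxAgeDays = 7,                          # how stale is too stale
    [string]$LogName = 'Microsoft-Windows-Backup'  # assumed channel name
)

$successIds = @(4)      # assumption: backup finished successfully
$failureIds = @(5, 49)  # assumption: backup failed / did not complete

try {
    $events = Get-WinEvent -LogName $LogName -ErrorAction Stop |
        Sort-Object TimeCreated -Descending
} catch {
    Write-Output "Cannot read '$LogName': $($_.Exception.Message)"
    exit 2
}

# -contains works on PowerShell 2.0 (the version shipped with Windows 7)
$lastSuccess = $events | Where-Object { $successIds -contains $_.Id } | Select-Object -First 1
$lastFailure = $events | Where-Object { $failureIds -contains $_.Id } | Select-Object -First 1

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

if ($lastFailure -and (-not $lastSuccess -or $lastFailure.TimeCreated -gt $lastSuccess.TimeCreated)) {
    # The most recent attempt failed: print the logged message, which names the
    # real cause rather than the generic text shown in the backup UI.
    Write-Output "Last backup attempt FAILED at $($lastFailure.TimeCreated):"
    Write-Output $lastFailure.Message
    Write-Output "Check what changed on the machine around that time (new security software, disk changes, etc.)."
    exit 1
}

if (-not $lastSuccess) {
    Write-Output "No successful backup recorded in '$LogName'."
    exit 1
}

if ($lastSuccess.TimeCreated -lt $cutoff) {
    Write-Output "Last successful backup was $($lastSuccess.TimeCreated), older than $MaxAgeDays days."
    exit 1
}

Write-Output "OK: last successful backup $($lastSuccess.TimeCreated)"
exit 0
```

Run it daily from Task Scheduler and treat any non-zero exit as an alert; the point is that a manual or blocked backup process gets noticed within days rather than when the disk fails.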
However, the response of Kaspersky's technicians seems to be, not that I've found a problem with its software but that I've simply noticed a security feature! Perhaps I can claim a lack of useful error messages, at least.
I've been using antivirus (AV) software since the days of Alan Solomon and I even remember the release of the "Concept" word macro virus on a commercial software CD-ROM (although any discussion of this seems to have disappeared from the web). AV has always annoyed me as a user, partly because of its system overheads (which lead a lot of people to switch it off).
AV software really shouldn't be necessary; and if Windows had been designed like OS/400 (for the AS400, now iSeries), it probably wouldn't be. Also, even leaving aside some of the AV people I suspected of writing viruses in the early days, many legitimate AV companies played it, in effect, as a game, chasing lab-built viruses that built up a real virus-writing expertise in the "enemy" - until it stopped being a game and started being criminal activity, with a real enemy.
Even today, many AV vendors compete on the numbers of viruses they can detect, even though some of these are never found "in the wild"; and they gloss over the problem of "false positives" - the more viruses you detect and the less tolerant your heuristics, the more likely you are to detect legitimate software as a "virus". A false positive can be as, or more, destructive to the business than a real virus if it stops something important running (and it is very hard to show that you've eliminated a threat that isn't really there, so work is disrupted for a long time while you try to do this).
I think I have to run AV software - but I got an infection last year that 2 lots of AV software couldn't cope with and I only got rid of by corrupting and rebuilding Windows - which at least got rid of a "free" (but apparently legitimate) AV component that was proving as hard to uninstall as any virus.
Now I have a paid-for Kaspersky installation, which is OEM'd in the engine behind many AV products and has quite rich functionality and a decent UI. I'm wondering if my marriage will survive installing it on my wife's laptop. And then its tech support tells me that I need to stop running automated backups with a Windows 7 utility and instigate an onerous and error-prone manual backup process, in order to protect my oh-so-important AV software!
Yet AV is only a small part of security as a whole and not having proper backups is probably a bigger risk than corruption of my AV engine. Surely Kaspersky could, and should, recognise and harden itself against anything a standard Windows 7 utility can legitimately do - and, if it is stopping backups running, it should generate useful error messages explaining what it is doing and why (and explain this feature to potential purchasers, so they can buy something else) before people waste time looking for other issues. Or perhaps Kaspersky Tech Support just told it wrong...
Am I alone in thinking that an AV engine discouraging regular backups is a joke in rather poor taste? Probably not, and as I don't think that's the only problem with AV software by a long way, I asked around about better approaches to end-point security. For instance, "there are many AV programs that annoy their users and cause enormous performance issues", says Fran Howarth, one of the security specialists at Bloor Research. "So, there's a move towards virtual desktop software, primarily developed because of the BYOD phenomenon, that means users do not have to have security software installed on their device, but instead connect to a secured environment where the controls are policed. And cloud-based solutions might be another way to go. They use global threat feeds and more advanced detection techniques than software-based tools, thus leaving a smaller footprint on the device so that performance issues are minimised, as well as interference with other programs that are running".
Since I've told Kaspersky I'm blogging this, I await its response with interest. Back in the old days, some 30 years ago, when I started in IT, after first explaining that "it's not a bug, it's a feature, dammit", the next reaction of tech support was often "well, it's a wonderful system, working exactly as designed; shame about the users". I wonder if things have changed?