Why antivirus scanning might not find the bad code

by sabitha 2010-11-22 18:26:42

The first idea that occurs to many webmasters is to do an AV scan on the site, but in many cases that will not find the problem. The next sections explain why.

A) Scanning your website files on the server

Scanning your server with an antivirus program will only work if the site is actually hosting the virus, which it often isn't.

More likely, the virus itself is hosted on another computer. Your pages have been injected with iframe or JavaScript code that refers indirectly (with src=) to the virus on the other website. Thus, the AV program on your server sees only iframes and JavaScript which don't trigger virus alerts because they aren't viruses.

The remote viruses aren't pulled in until the page is loaded into a visitor's browser. Only then does the browser fetch the code referred to by the src= property, and only then does the visitor's AV raise an alert.

If you scan your site with an antivirus program and it finds no viruses, that does not mean the site is clean.

B) Downloading your site files to your PC and scanning them there
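Since the injected material on the server is just iframe/script tags pointing at another host (plus, often, obfuscated inline JavaScript), a more useful check than an AV signature scan is to look for references to hosts you do not own. The following is an added example, not code from the original post: it parses saved page source with the standard library and flags off-site script/iframe src= values, hidden or zero-size iframes, and eval()/unescape()-style obfuscation. ALLOWED_HOSTS, the `.invalid` hostname and the sample page are constructed values.

```python
"""Scan saved page source for the injected markup described above.

Added example, not from the original post. Instead of AV signatures it
looks for: <iframe>/<script> src= pointing at hosts you do not own,
hidden or zero-size iframes, and eval()/unescape()-style obfuscation.
ALLOWED_HOSTS and SAMPLE_PAGE are constructed values.
"""
import os
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve scripts/frames on your site (constructed; fill in
# your own domain and any CDN/analytics host you deliberately use).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Markers typical of obfuscated injected JavaScript.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(unescape|String\.fromCharCode)"   # eval of a decoded string
    r"|(%[0-9a-fA-F]{2}){8,}"                        # long %XX-encoded run
    r"|(\\x[0-9a-fA-F]{2}){8,}"                      # long \xXX-encoded run
)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    """Collects human-readable findings while parsing one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag in ("iframe", "script") and a.get("src"):
            host = urlparse(a["src"]).hostname
            # Relative URLs have no hostname: they are served from this site.
            if host and host.lower() not in ALLOWED_HOSTS:
                self.findings.append(f"{tag} src points off-site: {a['src']}")
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE_RE.search(a.get("style", "")):
                self.findings.append(f"hidden or zero-size iframe: src={a.get('src')!r}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only inline script bodies are checked for obfuscation markers.
        if self._in_script and OBFUSCATION_RE.search(data):
            self.findings.append("obfuscated inline script: " + data.strip()[:60])


def scan_html(text):
    """Return the list of findings for one page's source (empty = nothing flagged)."""
    parser = InjectionScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_tree(root):
    """Scan every .html/.htm/.php file under root; return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read())
                if findings:
                    report[path] = findings
    return report


# Constructed sample: one legitimate local script, one hidden off-site iframe,
# one obfuscated inline script of the kind injections typically leave behind.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://malware-host.invalid/x.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape('%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29'))</script>
</body></html>"""

if __name__ == "__main__":
    # Usage: python scan_injections.py /path/to/downloaded/site  (no arg: sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else {"<sample>": scan_html(SAMPLE_PAGE)}
    for path, items in results.items():
        print(path)
        for item in items:
            print("  -", item)
```

The script reads files you have already downloaded (section B below), so nothing is fetched from the remote hosts it reports; treat every off-site hit as something to inspect, not as proof of infection, since legitimate third-party scripts also show up until you add them to ALLOWED_HOSTS.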

Using a tool like FTP, Wget, or cURL to download the source code of your pages to your local PC and AV-scanning them there is also unlikely to find the virus, for the same reason given above: the actual virus is probably not on the pages.

Wget in "recursive download" mode can retrieve all linked files, including ones from remote sites, but if some of them are viruses, you will be taking the unnecessary risk of downloading them directly to your PC.

C) Risky - browse your pages with an antivirus program running on your PC

If you are determined to use the facilities of an AV program to scan your site, you can browse the site as if you were an ordinary visitor. This is risky because an increasing number of viruses are "polymorphic": their code changes so frequently (every day, or every time it is served) that antivirus programs can't keep up and detect them poorly. If you do it anyway, take these precautions:

1. Make sure your PC is fully patched with all the latest security updates. On a Windows PC, while logged into an account with Administrator privileges (it doesn't have to be your hidden Administrator account), go to Windows Update (or, in IE7, Tools > Windows Update).
2. Make sure your antivirus software is up to date with the latest definitions. Do a manual update even if you normally get automatic ones.
3. Set all your browser security settings to their highest levels, including turning JavaScript (or "active scripting") OFF.
4. Go to each of your site's pages with your browser.
5. Remember that if you are attacked by malware, the precautions you took in steps 1-3 are the only things protecting you. Otherwise, you are as vulnerable as any other visitor.
6. If your AV pops up an alert, that's a good sign you've found the problem.
7. If your AV doesn't pop up an alert, that doesn't mean the site is clean. As mentioned, AV programs might not detect these viruses. The viruses might be encrypted, and your AV might not detect them until they are decrypted, which requires JavaScript. But if you enable JavaScript, you might discover the virus by getting infected with it.

In summary, antivirus scanning is not definitive. If it finds a problem, that's useful. If it doesn't find a problem, it means nothing, because the virus might be on a different website, or might be encrypted and polymorphic, or your website's problem might not be a virus at all. It might be a malicious redirect in the .htaccess file that occurs only for users coming from search engine results, or it might be a bad outlink on one or more of your pages.

So the most thorough way to examine the site is to learn what to look for and then inspect your source files manually.
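The .htaccess case in the summary is a good illustration of why manual inspection matters: a redirect that fires only for visitors arriving from search-engine results never shows up when you browse or scan the site yourself. As an added example (not code from the original post), this reads mod_rewrite directives from an .htaccess file and reports every RewriteRule that is guarded by a RewriteCond on HTTP_REFERER matching a search-engine name and that redirects, either via the [R] flag or to an absolute http(s) URL. The search-engine list, the `.invalid` target and the sample .htaccess are constructed.

```python
"""Find referer-conditional redirects in an .htaccess file.

Added example, not from the original post. Reports RewriteRule lines whose
preceding RewriteCond tests HTTP_REFERER against search-engine names and
whose rule redirects (the [R] flag or an absolute http(s) target).
SEARCH_ENGINE_RE and SAMPLE_HTACCESS are constructed values.
"""
import re
import sys

SEARCH_ENGINE_RE = re.compile(r"google|bing|yahoo|msn|aol|ask\.com|yandex|baidu", re.I)
# [R] or [R=301] among the flags, e.g. "[NC,R=301,L]"
REDIRECT_FLAG_RE = re.compile(r"\[[^\]]*\bR(=\d{3})?\b")
# An absolute URL as the substitution also causes an external redirect.
ABSOLUTE_TARGET_RE = re.compile(r"\shttps?://", re.I)


def find_referer_redirects(htaccess_text):
    """Return a list of dicts describing suspicious rules (empty if none)."""
    findings = []
    pending = []  # RewriteCond lines waiting for the RewriteRule they guard
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) == 3:
            # parts[1] is the test string, parts[2] the pattern plus flags
            pending.append((lineno, parts[1], parts[2]))
        elif directive == "rewriterule":
            referer_conds = [
                ln for ln, test, pattern in pending
                if "HTTP_REFERER" in test.upper() and SEARCH_ENGINE_RE.search(pattern)
            ]
            redirects = bool(REDIRECT_FLAG_RE.search(line) or ABSOLUTE_TARGET_RE.search(line))
            if referer_conds and redirects:
                findings.append({"rule_line": lineno, "rule": line, "cond_lines": referer_conds})
            pending = []  # conditions apply only to the rule that follows them
    return findings


# Constructed sample: a referer-gated external redirect followed by an
# ordinary front-controller rewrite that must not be flagged.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule .* http://redirect-target.invalid/in.php [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]
"""

if __name__ == "__main__":
    # Usage: python check_htaccess.py /path/to/.htaccess  (no arg: sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HTACCESS
    for hit in find_referer_redirects(text):
        print(f"line {hit['rule_line']}: {hit['rule']}  (conditions on lines {hit['cond_lines']})")
```

A hit here is a reason to read the surrounding .htaccess carefully, not a verdict on its own; the same test is worth running on any .htaccess in subdirectories, since an injected rule need not be in the web root.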
