
Hardware vs Software Anti-Virus Solutions

First published: 01st January 1995

By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP MHKCS, Head of F-PROT Technical Support, Yui Kee Co. Ltd.

Anti-virus tools come in many forms. One whole group uses a hardware card as part or all of the method; do these methods have benefits over wholly software methods? Hardware solutions provide an important benefit for the producer: they virtually eliminate piracy, and this, more than anything, accounts for their popularity in Mainland China. What advantages do they provide for the consumer?

Hardware has a fundamental advantage over software: it cannot be modified by software. A computer's RAM forms a battleground that viruses and AV software fight over; anything one piece of software can do, another can also do. The outcome of the battle depends on two things: the deviousness and complexity of the techniques, and who got there first. The first program to run has the most freedom and can restrict the actions of later programs, and even modify them before they have any control (this is why manuals often advise installing AV software early in the AUTOEXEC.BAT, or even in CONFIG.SYS).

A hardware card that expands the function of the computer's ROM BIOS has complete protection against this (and it can add access control features too, which is useful in some situations). It can get control before the first program is run, and it can be perfectly safe against modification, so why is it not more widely used? The fundamental problem is that it is possible to write a virus for any general-purpose computer, and if you modify the PC architecture enough that all possible virus attacks are prevented, it ceases to be useful as a computer.

Of course, a hardware card takes up one slot in a PC. This makes it impossible to use in a laptop computer. Very often, it will be as difficult to install as a LAN card: not something for beginners to do, and something the support staff in a large organisation would rather avoid. There may be incompatibilities: one such card cannot be used with SCSI disks, among others. In a large organisation, the cost of buying cards for every machine could be prohibitive, whereas most software has very favourable terms for large licenses.

One type of card can monitor the PC for dangerous behaviour, such as modifying the boot sector of disks or modifying executable files. This falls into the trap of all behaviour monitors: there are innocent reasons to perform such actions (for example, installing a new operating system or updating software), so the card will warn the user of the attempt and ask if it should be allowed to proceed. The user then has to use his/her own knowledge of computers to decide and answer. If the user is a novice, he/she will be confused and uncertain; if the user is an expert updating many machines, the repeated messages will be a constant annoyance.

Another approach is to take a software anti-virus program, such as a scanner, and encapsulate it on the card. As the software is written in ROM, a virus cannot modify it, and it can start operation at the earliest stage when the PC is booted, before any disk has been accessed. The immutability of the software now becomes a problem: scanners recognise known viruses and need constant updating if they are not to become obsolete. One solution to this is to write the scanning engine on ROM and to store the virus scan strings on flash memory (or something similar), so they may be periodically updated. With about 5 new viruses being found a day, how big should the flash memory be made? Occasionally, a new virus appears that requires a radically different scanning technique. A virus could be designed to fool the card into accepting a false update, effectively wiping the signatures so the card found nothing. In all of these cases the card would then be obsolete, and replacement would be expensive.
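
The false-update and flash-size problems above can be made concrete with a sketch of the checks a card would need to run before writing new scan strings to flash. This is an added example, not code from the article or from any product; the update format, key, capacity and function names are all assumptions, and HMAC with a key in ROM stands in for the public-key signature a real design would use.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration; none come from a real product.
ROM_KEY = b"constructed-demo-key-held-in-rom"  # stand-in for a vendor public key
FLASH_CAPACITY = 64                 # bytes of flash for scan strings (tiny demo size)
HEADER = struct.Struct(">IH")       # update version, number of scan strings
TAG_LEN = hashlib.sha256().digest_size


def build_update(version, scan_strings, key=ROM_KEY):
    """Vendor side: pack length-prefixed scan strings and append an HMAC tag."""
    body = HEADER.pack(version, len(scan_strings))
    for s in scan_strings:
        body += struct.pack(">B", len(s)) + s
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_update(blob, current_version, current_count):
    """Card side: return (ok, reason) before anything is written to flash."""
    if len(blob) < HEADER.size + TAG_LEN:
        return False, "truncated"
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(ROM_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"            # update did not come from the vendor
    version, count = HEADER.unpack_from(body)
    if version <= current_version:
        return False, "not newer"          # replay of an old update
    if count < current_count:
        return False, "drops signatures"   # would wipe or shrink the scan set
    # Walk the length-prefixed entries so the declared count matches the payload.
    pos = HEADER.size
    for _ in range(count):
        if pos >= len(body):
            return False, "malformed"
        pos += 1 + body[pos]
    if pos != len(body):
        return False, "malformed"
    if len(body) - HEADER.size > FLASH_CAPACITY:
        return False, "exceeds flash"      # the card has outgrown its memory
    return True, "accepted"


if __name__ == "__main__":
    wiped = build_update(3, [])  # authentic tag, but no scan strings at all
    print(check_update(wiped, current_version=1, current_count=2))
```

The last check is the one no update format can fix: once the scan strings no longer fit, the card is obsolete, as the article says.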

Software, then, is more flexible and economical, and the next update, with modifications countering the latest attack, can be quickly installed. The fixed nature of a card turns out to be far more of a disadvantage than an advantage. I would not advise using a hardware card as the only line of defense.