Security

CORRECTED October 15, 2009, 11:45 a.m.: The default search choice is not changed, as was mistakenly reported earlier. Also, it's not the user's home page that gets changed, but the new tab page. I've clarified the nonmandatory nature of the LinkScanner toolbar, and added information on the identity theft feature in the toolbar.

After giving its paying customers a few weeks to upgrade to version 9, AVG has announced its update for AVG Free 9.

For those unfamiliar with the popular freeware security tool, it provides only the bare necessities for protecting your PC, but that should be enough for savvy Windows users. AVG Free 9 introduces few new features, with improvements focused on performance, including claims of faster scan and boot times. AVG is claiming that scans are 50 percent faster compared with AVG 8.

AVG comes with a combined antivirus and antimalware engine, the proprietary LinkScanner for Web browsing safety, and e-mail scanning. Developed independently and bought by AVG in 2007, the LinkScanner tech performs two functions. It protects you from third-party code exploits before they load in your browser and it ranks search results.

Annoyingly, the optional AVG LinkScanner toolbar commandeers your new tab page, decidedly inappropriate behavior that a security vendor should really know better than to do. LinkScanner can be downloaded separately from AVG, too. The scheduler is robust, automating both scans and updates with multiple options.

One new feature in the new version is the the Identity Theft Recovery Unit. Only for users in the United States, ITRU is a business partnership with Identity Guard which provides "consumer identity theft solutions." Accessible only from the browser toolbar, which only works in Firefox or Internet Explorer, the service provides "a dedicated identity theft recovery unit with fraud experts," to assist handling, getting and analysing a credit report, enrolling in credit file monitoring, and offering report-filing support.

The interface in AVG Free 9 remains nearly untouched from the last version, and generally it's easy to use. From the main window, though, you must double-click to get further information on any feature, whether virus scanning, LinkScanner settings, or updating. Streamlining this to one click would be helpful.

When starting a scan, a slider makes it easy to jump between Slow, Automatic, and Fast scans: the faster the scan, the less comprehensive it is, so it's a good idea to take the program's advice and optimize your scans when you install. This will make that first scan faster. A slow scan took nearly 2 hours, while the fast scan completed in under an hour. A progress meter for these regular scans would've been useful, though. Should a virus create serious problems, AVG creates a rescue disk to scan your computer in MS-DOS mode.

Besides the LinkScanner problem, there are some other concerns with AVG. It doesn't tax your system in an obvious way when scanning or when running in the background, although CNET Labs determined that it will significantly slow down your system's boot time and will slightly delay shutting down. AVG detected some image files as threats, when two other security programs decided they weren't--these were fairly obvious false positives. There is an advertisement to upgrade at the bottom of the program window, but it can be easily hidden using the Hide Notification button.

AVG might not be the fastest or the most effective free security option, but it still gets the job done and you're better off with it.

URL shorteners may be handy for your tweets on Twitter. But they're also known security holes since they don't display the actual address of your destination. A free tool from security vendor AVG may provide a solution.

AVG has updated its free LinkScanner tool to detect malicious pages hiding behind shortened URLs. The company said the tool checks the actual destination of each URL link to make sure the page is legitimate.

More than a dozen URL-shortening services abound on the Net, including TinyURL and Bitly. With its 140-character limit, Twitter automatically shortens URLs in each tweet via Bitly. Other services like WordPress also include a built-in URL shortener.

But Web browsers don't display the true address of a shortened URL, so you have no idea whether or not the destination page is safe. Hackers have easily been able to use the obscure nature of shortened URLs to conceal hazardous Web pages behind them.

"The problem with shortened links is that they usually don't bear any resemblance to the original URLs, which means that users don't always know what they're clicking," said Roger Thompson, chief research officer at AVG Technologies. "People click with the intention of going to a specific site, but the link can be easily hacked to send people to a site containing Trojans, spyware, rootkits, and other malware instead."

AVG, formerly known as Grisoft, bought LinkScanner in late 2007 as part of a larger acquisition. The tool has already proven helpful to Web surfers by analyzing Web pages behind each link that is either clicked on or typed into the browser.

Other solutions do exist to reveal the truth behind a short URL. The Web site LongURL can display the long version of a short URL. A Firefox plug-in called LongURL Mobile Expander can also translate from short to long.

But according to AVG, LinkScanner is now the only security tool on the market that can find poisoned Web pages behind a short URL. The company says it does not rely on blacklists and instead checks each link in real time.

The feature-rich versions of popular security program AVG have been updated, with AVG Technologies claiming faster scan times, faster boot times, and other under-the-hood improvements. While version 8 introduced a consolidated product line, making those features work better together takes the attention of AVG Internet Security 9 and AVG Anti-Virus 9.

AVG is making some bold claims for these updates. The company is touting scan times that are "up to 50 percent" faster, based on marking files safe until their file structure changes, and boot times that are "10 to 15 percent" faster. Memory usage is also expected to be "10 to 15 percent" better, as well. The built-in firewall, available only in the Internet Security version, uses a new database for automatically determining if certain programs are safe to access the Internet without user input. This trusted database, called TrustedDB by AVG, should be less intrusive by querying for user input 50 percent less often than in the previous version, says AVG. Also, the installation process has been shortened from 22 screens to 11.

There are few wholly new features available in version 9, but an interesting one is the Identity Theft Recovery Unit. Included in AVG Anti-Virus and AVG Free, but only for users in the United States, ITRU is a business partnership with Identity Guard which provides "consumer identity theft solutions." Accessible only from the browser toolbar, which only works in Firefox or Internet Explorer, the service provides "a dedicated identity theft recovery unit with fraud experts," to assist handling, getting and analysing a credit report, enrolling in credit file monitoring, and offering report-filing support.

In hands-on testing last week, I found AVG to be relatively easy to navigate around, although the interface could be simpler. When you click on one of the items in the main window, you must double-click on one of the features to access more information on it. A single click, or even a mouse-over pop-up, would make the experience faster. Before I even ran my first scan, AVG detected icons associated with Pidgin as threats.

Double-checking them against Avira and McAfee revealed those detections as false positives, and when I finally ran the Fast Scan it took longer than 20 minutes. That doesn't compare favorably to competitors, some of which can complete a first Fast Scan in around 60 seconds. I was also surprised to find that Mozilla Thunderbird was not automatically approved to go through the firewall, despite the new firewall trusted database. While the installation process offers to install the browser toolbar for you, it doesn't seem possible to opt out during the installation and then install it later from the AVG interface, a strange oversight.

AVG Internet Security 9 is available for $49.99, and AVG Anti-Virus costs $34.99. Both come with a one-year license and a 30-day trial, although AVG Anti-Virus lacks the firewall, identity protection, antispam, and system tools that come in AVG Internet Security. Fans of the free version of AVG 9 will have to wait a bit longer, as AVG always delays the release of Free until after the full suites have been made public.

AVG's free antivirus product temporarily blocked users from getting to iTunes late last week, detecting it as a Trojan, the company said on Monday.

For about five hours on Friday starting around 4 p.m. PDT, AVG users couldn't access iTunes because of the false alarm.

"AVG discovered the false alarm in the virus signature engine relating to some localization components of iTunes (so not iTunes as a virus but rather some localization components of iTunes) and it was fixed within 5 hours," AVG spokesperson Siobhan MacDermott said in a statement. "AVG would like to apologize for any inconvenience to our users/customers."

AVG was alerted to the problem by customers, who were posting to the AVG and iTunes forums.

While irregular, false positives do happen. Last year, AVG flagged ZoneAlarm as malware and a Windows system file as a Trojan. And earlier this month, Computer Associates' antivirus software mistakenly identified a Windows XP systems file as a virus.

LinkScanner is once again available as an independent plug-in for Windows-based Firefox and Internet Explorer, following more than a year spent as a feature of AVG Technologies' AVG security suite. Still available as part of AVG, users can now once again download LinkScanner independently of AVG's antivirus software, and for free.

The new LinkScanner works much the same as the original one did. Once you've installed the EXE, AVG's "Search Shield" returns search results from both Google and Yahoo with flags next to them. Green flags on Google indicate a result is safe to click through to, while Yahoo safe results display no flags. Links that are unsafe on both search engines will return red flags.

Hovering over a flag will pop open a window that provides further details about the link. Green flags will show you the IP address, the amount of time the scan took, and the date and time of the most recent scan. Red flags highlight the same information, as well as the risk category and the site name. Attempting to click through to a red-flagged page will take you to a warning screen that repeats most of the red-flag information--AVG calls this the "Active Surf-Shield".

A small link at the bottom of the red-blocked screen will let you click through, although it cautions users that it will continue to block potentially harmful content. When I tried to click through to warez.com, for example, LinkScanner would only show me the CSS code for the page.

In addition to the clear messages behind the green and red flags, LinkScanner also offers two "slow down" warnings. The first is yellow with one exclamation point in it, while the second is orange and has two exclamation points. I found it nearly impossible to locate search results with a yellow or orange flag, but the meaning is clear: we can't tell what this is, but it looks sketchy so be careful.

It's worth noting, too, that both green flag and red flag boxes (and, presumably, the yellow and orange warning boxes) include a link at the bottom to an AVG product comparison page.

Before Grisoft, now AVG Technologies, bought LinkScanner, many users appreciated that both the free version and the paid LinkScanner upgrade provided smooth integration with your daily Web browsing habits. There are some similar services, such as McAfee's SiteAdvisor, that have interfered with performance for some users--an instant turn-off. After trying LinkScanner out for half the day, though, I was pleased to see that the once-again independently available add-on continues to function as well as it did in the past.

AVG on Monday will begin offering a free version of its LinkScanner software, which offers real-time scanning of Web pages while surfing or doing Web searches.

LinkScanner, which is currently part of the AVG Free Edition suite, scans a Web page before a surfer visits the page and warns if the page appears to be unsafe.

AVG LinkScanner also offers safety rankings for all organic search results on Google, Yahoo, and MSN. Safe pages in searches will have green check marks next to them and unsafe ones will have red "X"es and pop up windows offer more explanation.

AVG LinkScanner scans bookmarks as well as links in e-mails and instant messages before they are opened. Individual pages are scanned separately, so that if one page on a site like Facebook are spreading malware that page will prompt a warning and other pages on the site won't.

There is other software that flags malicious sites in searches. McAfee SiteAdvisor works with Yahoo search results and more than 20 other search engines and Symantec offers ratings on Ask while Google serves up its own warnings in its search results.

The news will be announced at the RSA 2009 security conference which starts on Monday.

It could be argued that security vendors are losing the battle with online scammers whose programs sneak onto computers and drop malicious programs, opening the computers up to remote attacks and turning them into zombies in botnet armies.

The problem is that most computers today rely on antivirus software that blocks malware by checking the code in a file against a database of signatures of known viruses. With thousands of new viruses arriving each day, many of them encrypted in part or otherwise disguised with modification, the signature lists require frequent updates and many new viruses slip through undetected.

As a result, security providers are turning their attention to behavior-based approaches for identifying new viruses, with software that focuses on watching for suspicious behavior, such as a program trying to write data to an executable program. Two security companies are set to make announcements on Monday that follow this trend.

Antivirus provider AVG is introducing AVG Identity Protection, software that analyzes the behavior and characteristics of programs running on a computer and shuts down activity that looks suspicious. The software is based on technology the firm acquired when it bought identity theft specialist Sana Security in January.

"The antivirus companies are flooded with malware to add to signature databases," with 20,000 to 30,000 new unique samples coming out every day, said Roger Thompson, chief research officer at AVG. "It's time to do something different."

Meanwhile, Damballa is releasing its Failsafe 3.0 appliance that is designed to discover botnet malware on computers by listening for communications between compromised systems and command-and-control nodes controlled by attackers on the Internet.

As much as 5 percent of computers in a corporation are compromised with targeted attack type of bot malware, even with up-to-date antivirus and intrusion detection software in use, said Bill Guerry, vice president of product management and marketing at Damballa.

Of a sample of more than 200,000 malware samples scanned by a leading antivirus tool over six months, the average gap between the release of the virus and its detection was 54 days, with almost half going undetected on the day received and 15 percent still undetected after 180 days, according to a Damballa study.

Another company, Triumfant, announced behavior-based software last week that protects companies against zero-day attacks that arise from exploits of security vulnerabilities in software that has not yet been patched.

Triumfant Resolution Manager looks for changes in attributes of the computer, such as registry keys, security and port settings, and performance statistics, and removes code that is suspicious.

Antivirus provider AVG Technologies on Tuesday announced that it is acquiring Sana Security, which sells identity fraud prevention software.

Under the deal, whose financial terms were not disclosed, the Redwood City, Calif., headquarters of Sana will serve as Amsterdam-based AVG's first office in Silicon Valley.

Sana's products use behavioral technology to block attackers from stealing sensitive information. The software analyzes normal application behavior and recognizes abnormal behavior caused by malware infections, user configuration errors, and software bugs.

Did your brother-in-law really send you a singing holiday card? Did a long-lost friend from college really include you on this year's list?

One inexpensive way to send holiday cheer may be to send e-cards, but security vendor AVG warned on Tuesday that online criminals are taking advantage of the fact most people don't know the difference between a legitimate e-card and one hosting malware.

Last week security vendors warned of a Trojan horse masquerading as holiday-themed e-cards from McDonald's, Coca-Cola, and Hallmark.

To better educate the public, AVG has launched a site, "Slam the Holiday Scam,", co-sponsored with CyberStreetSmart.org and i-Safeworking, and is working to team with various online safety organizations such as the National Crime Prevention Council, the FTC's Bureau of Consumer Protection, CyberStreetSmart.org, i-Safe, the National Cyber Security Alliance, and Consumers Union, and Protection from Brand Infection.

The tips, which should be familiar to most online users, include:

• Don't open attachments because most legitimate e-cards include links to the company's Web site that allow you to go directly to your card.
  
• If something looks a little strange or "phishy" just delete the card.
  
• Use security software on your desktop.
  
• Watch out for misspelled words or names, a disguised name (such as Your Friend, A Secret Admirer), or an odd URL.
  
• Always read the fine print before accepting any terms.
  

Also on the site is a free 90-day trial of AVG Internet Security, which includes antivirus, antispyware, and antirootkit protection plus a personal firewall and Linkscanner protection against malicious Web sites.