X64 System - Does native 64 bit AV matter??

[Scotteq]

The topic came up on another forum, and I hadn't had much of an answer. Thought I'd try here:

From a purely functional POV, does native support for X64 really matter for your Anti-Virus? Or more gently - is there some aspect of a 64 bit OS that prevents, or hinders a 32 bit AV from performing it's job? Is there some inability inherent in a 32 bit app preventing it from doing it's job effectively when it's running on a 64 bit OS instead of a 32 bit one?

Obviously a native 64 bit app would be the choice for a 64 bit OS because theoretically it should run best. (I say 'theoretically' and 'should' because well written 32 bit code is always going to be better than garbage dumped into a 64 bit compiler)

Anyways - I would simply like to better understand if there's some 'hole' if a given user is running a 32 bit Anti Virus suite on their 64 bit system.



Oh - Running ESET Smart Suite (NOD)

 

[degibson]

Originally posted by: Scotteq
(... well written 32 bit code is always going to be better than garbage dumped into a 64 bit compiler)

I beg to differ. I find the ability to wield 64-bit numbers greatly enhances my life, and asking a 32-bit machine to do it is just plain pathetic. But I digress...

Originally posted by: Scotteq
The topic came up on another forum, and I hadn't had much of an answer. Thought I'd try here:

From a purely functional POV, does native support for X64 really matter for your Anti-Virus? Or more gently - is there some aspect of a 64 bit OS that prevents, or hinders a 32 bit AV from performing it's job? Is there some inability inherent in a 32 bit app preventing it from doing it's job effectively when it's running on a 64 bit OS instead of a 32 bit one?
...
Anyways - I would simply like to better understand if there's some 'hole' if a given user is running a 32 bit Anti Virus suite on their 64 bit system.

In theory, a 32-bit AV can be just as effective as a 64-bit one, provided it is rewritten, from scratch, looking for 64-bit viruses using 64-bit exploits. There will not be an AV solution redesigned in this manner, so the practical answer is 'no'.

Here's the problem: AMD's 64-bit extensions extend what can be expressed at the machine level. This nearly always yields entirely new security holes, usually (but not always) because of buggy 64-bit software.

A 32-bit AV could, in theory, look for these 64-bit vulnerabilities (after all, 32-bit binaries will run just fine on 64-bit platforms, most of the time). But in order to do so, the AV has to be significantly extended to understand what all these new 64-bit sized operations mean. Its unlikely (but not impossible) that a 32-bit distribution of an AV will be released that understands how to scan 64-bit application spaces.

Now that my rant is over, I'd like to add that there is a chance that attempting a 32-bit install on a 64-bit OS might cause the AV to complain... a responsible AV would complain, anyway.

 

[Scotteq]

Thanks for the reply!

This, of course, leads me to the next question: Running Vista x64 (very well and stably I might add), and it appears that most anti virus suites are still 32 bit - A quick look in the system tray... etc etc etc...

Anecdotal evidence says that Kapersky, Sophos, NOD32/ESET, AVAST, AVG, etc etc etc, are all 32 bit apps which have simply been tested/updated to run on Vista 64. Certainly the ESET suite shows up on my own computer as *32. A casual search off of Google shows only BitDefender make an actual x64 application. Now, as to what exactly has been done to extend those 32 bit apps for an x64 environment??? I haven't found any details.

Hmmm.. Has me rethinking my choice of protection. Though the very limited "supply" of 64 bit malware, the limited adoption of Vista 64, and the fact that I don't do Warez/BitTorrent/online Pr0n takes some of the edge off of my sense of urgency...


As far as installing - I've yet to find a 32 bit application of recent vintage that does *not* install/run on Vista 64. But to my limited knowledge that's because V64 contains the necessary DLLs, and not really because of any/much retesting and recertification.


Anyways - Might make a decent article, sometime.

 

[degibson]

Originally posted by: Scotteq
Thanks for the reply!

This, of course, leads me to the next question: Running Vista x64 (very well and stably I might add), and it appears that most anti virus suites are still 32 bit - A quick look in the system tray... etc etc etc...

Anecdotal evidence says that Kapersky, Sophos, NOD32/ESET, AVAST, AVG, etc etc etc, are all 32 bit apps which have simply been tested/updated to run on Vista 64. Certainly the ESET suite shows up on my own computer as *32. A casual search off of Google shows only BitDefender make an actual x64 application. Now, as to what exactly has been done to extend those 32 bit apps for an x64 environment??? I haven't found any details.

Hmmm.. Has me rethinking my choice of protection. Though the very limited "supply" of 64 bit malware, the limited adoption of Vista 64, and the fact that I don't do Warez/BitTorrent/online Pr0n takes some of the edge off of my sense of urgency...

For now, I would stick with a well-respected 32-bit AV. As with the entire AV-community, 64-bit solutions will come along after 64-bit attacks start to become widespread. Admittedly, my virus protection is VMWare -- not perfect, but at least recovery is fast.

As an aside, 64-bit attacks may never become popular, since viruses generally want to be small and maximally compatible, hence they tend to use very old parts of x86.

As far as installing - I've yet to find a 32 bit application of recent vintage that does *not* install/run on Vista 64. But to my limited knowledge that's because V64 contains the necessary DLLs, and not really because of any/much retesting and recertification.

True, true. Back-compatibility to 32-bit is of paramount importance to HW designers and moderate importance to M$, so most programs will still work without changes. What I was concerned about would be if the AV software itself notices its on a 64-bit platform and humbly refuses to install because it might not be able to adequately cover all cases. It would require a very honest AV, I suppose .