The most common question regarding viruses on the Pocket PC seems to be “Do I need protection when using a Pocket PC?”
It looks like the Pocket PC world is not yet the target of malware developers, unlike the Symbian OS used in some smartphones, but the possibility cannot be discarded.
It is important to define the different types of malware. For example, a virus is a self-replicating program that incorporates its code into other programs and is propagated when a user copies an infected program to another computer. This type of malware was very common with MS-DOS because the programs on that OS were generally small files, fitting on a single floppy disk, and therefore easy to copy between computers. Also, note that the virus would attach its code to other programs.
A worm uses the host computer to propagate itself as an attachment through e-mail or Instant Messaging (IM) clients, but does not necessarily infect code, although it may drop some executables into key folders and create startup entries so that the worm is executed every time the computer starts. In general, worms need the user to execute the malware, and get this by purporting to be from a friend or someone known to the user, so that an automatic script is executed when a message is opened.
A trojan is a program installed on a computer without the owner’s consent, allowing someone to remotely control that computer and access information on it.
The experience Symbian users have had shows us that most malware targeting mobile devices is a combination of worm and trojan. Developers have created software that can detect other similar devices (in certain cases via Bluetooth, but it could be via wireless LAN) and send a copy of its own code to the other handheld. The user must accept and install the program, which puts the responsibility on users to stop this kind of threat from spreading.
Although the Windows Mobile OS seems to be safe, proofs of concept show that a program can be installed on a Pocket PC and immediately open a port to receive commands from a remote computer (see First backdoor trojan found for Windows Mobile Pocket PC). Users could just download an infected installer and have this program copied to the Pocket PC alongside a valid application.
A few months back we posted a review of Symantec’s AntiVirus for Handhelds. This time we look at Airscanner Mobile Antivirus for Pocket PC, also available as Airscanner Mobile Antivirus for Smartphone.
The Airscanner Mobile AntiVirus was a free product, but the company behind it is moving to a subscription-based model. Users can purchase the software with a 1 or 2 year subscription to updates and new releases.
Unlike the Symantec offering, which had an ActiveSync conduit to transfer updated virus definitions, the Airscanner Mobile Antivirus is completely based on the Pocket PC, and all updates are downloaded directly onto the device.
The program is much more than an Antivirus. It offers a series of tools, including Virus Scanner, String Finder, System Information, Process Manager, Registry Viewer, and On-line Update.
The Antivirus Mobile Scanner is exactly what the name says. It can scan an entire Pocket PC or selected folders, looking at all files or selected file types only. Scans seem to take considerably longer on SD cards than on main memory, as expected.
If malware is found (like in this example where I planted the eicar.exe program on my Pocket PC), it will be reported and the user is given the option to Quarantine or Delete the file.
The String Finder is a very handy tool if you have a large number of files with text and need to quickly find something in one or more files. It will also search through selected folders and file types.
System Information, Process Manager and Registry Viewer are tools that report the current system status. The System Information tool provides basic information such as memory usage for applications and storage, plus battery status, CPU and OS version. If you want this information, there is no need to install another program since it is already available in Airscanner (this information is also available through the Settings panel on your Pocket PC).
System Information: memory
System Information: hardware
The Process Manager lists the processes running on the Pocket PC, with options to kill a process and to bring its window to the foreground, making it active (if the process has a window, of course).
The Registry Viewer is probably the weakest tool. It is very handy for finding keys and information that might have been modified by a program, but it does not give the ability to actually modify the registry. Well, the name says it clearly: it is only a viewer.
The On-line Update tool is very nicely done. It connects to Airscanner servers and downloads any pending updates, asking for confirmation before installing them. It must be run manually, but it lists a complete change log with everything that was updated in each version.
On-line update tool
The program also comes with AirScanner ActiveGuard, a real-time scanner that protects the Pocket PC at all times. ActiveGuard has its own set of tools, including another Device Information dialog that constantly refreshes the system status, and a very interesting I/O Log. Note that some of these tools are actually handy for power users who debug applications and need to know of any changes in the system during tests.
The I/O Log File Browser monitors any file activity on the Pocket PC, recording every time a file is opened, created, modified, or deleted. Modifications include file size and date changes, which may indicate malware in the system. ActiveGuard has options to notify the user of any I/O activity and to export this I/O log to a text file.
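To show why size and date changes are useful signals, here is an added example (not Airscanner's code, and not from the original review) that compares two snapshots of a folder and emits created, modified and deleted events. It goes one step beyond the size and date checks described above by also hashing file contents; the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to (size, mtime_ns, sha256)."""
    state = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return state

def diff(before, after):
    """Compare two snapshots and return I/O-log style events, sorted by path."""
    events = []
    for path in sorted(before.keys() | after.keys()):
        old, new = before.get(path), after.get(path)
        if old is None:
            events.append(("CREATED", path, "size=%d" % new[0]))
        elif new is None:
            events.append(("DELETED", path, "size=%d" % old[0]))
        elif old != new:
            fields = zip(("size", "date", "content"), old, new)
            events.append(("MODIFIED", path, ",".join(f for f, a, b in fields if a != b)))
    return events

def demo():
    """Constructed sample data: three files, then four changes to the folder."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mtime_ns=None):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            if mtime_ns is not None:  # pin the timestamp so the demo is deterministic
                os.utime(path, ns=(mtime_ns, mtime_ns))
        write("app.exe", b"MZ" + b"\x00" * 62)
        write("notes.txt", b"hello")
        write("old.dat", b"x")
        before = snapshot(root)
        # app.exe grows and gets a new date: the kind of change the I/O log highlights
        write("app.exe", b"MZ" + b"\x00" * 62 + b"EXTRA", before["app.exe"][1] + 2 * 10**9)
        write("notes.txt", b"jello", before["notes.txt"][1])  # same size and date, new content
        write("dropped.exe", b"MZ")
        os.remove(os.path.join(root, "old.dat"))
        return diff(before, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The notes.txt case is the one a size-and-date comparison alone would miss, which is why the hash is part of the snapshot.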
ActiveGuard System Information
The Airscanner ActiveGuard can be configured to start when the Pocket PC is soft reset, and it will live in the status bar, just a tap away.
The program seems to work well, without slowing down the Pocket PC. I think it could include a list of known malware, perhaps with some definitions and characteristics, but overall it makes a good impression.
Airscanner also develops other security products for Windows Mobile devices, including the Mobile Encrypter and Mobile Firewall. We will review these products in the future.
Pros:
Lots of tools for the Power User, not only Antivirus
Active real-time scan
Easy on-line updates while in the cradle (ActiveSync) or wireless
Cons:
I would have the Registry Viewer changed to be a full registry editor
Perhaps add a scheduler to check for updates at intervals