Paper
Is Using Off-the-shelf Antimalware
Product to Secure Your Medical Device a
Good Idea?
Or Eight Questions You Should Ask Yourself before doing that.
Most vendors who create embedded devices – especially medical devices such as connected X-Ray machines,
connected lab equipment and similar – are smart, and understand the need to secure them against external
threats such as malware. Such devices often run a common operating system such as Windows Embedded or
Linux, and are susceptible to the same kinds of malware threats as their non-embedded counterparts. Thus,
protection against malware is an important consideration when securing such devices.
A possible approach to securing those devices is to install an off-the-shelf antivirus product. The
advocates of this approach typically come up with convincing arguments such as:
•	 This antivirus is being used successfully by millions of users, so there should be no issues
running it on your devices;
•	 Your engineers are familiar with the antivirus installation and maintenance;
•	 The installation is quick – your device would be secured in a couple of minutes, no integration
needed;
•	 It is very cheap – in some cases it could even be free!
Sounds like a plan? It does at first glance. But if you think it is a good idea, please read on. There
are a number of questions you need to ask yourself before making such a decision, and this article
will help you.
Question 1: Would the product UI confuse my users?
Imagine your connected X-Ray machine got infected. Maybe someone plugged in a USB stick with malware
and opened an image file which triggered a vulnerability in a parser. Maybe one of the Windows services
running on it had a remote code execution vulnerability and got attacked through the network. The
antivirus detected the threat, and…
… and popped up a message on the screen!
Now a typical desktop user who installed Bitdefender antivirus would obviously understand what’s going
on. However, the technician operating the X-Ray machine might have never heard of Bitdefender, or
(unlikely but possible) might not even know there is antivirus software on the machine at all. So they
might not know what to do with this. They might even click on “More details” (assuming your interface
supports it in the first place!) and get even more confused. Most likely this will result in their
typical workflow being interrupted and your support being called. At this point the local IT department
might get involved, and hopefully would fix it.
Rule: a security solution running on a medical device should be able to report infections to an
appropriate department, and do so without workflow interruption.
There is absolutely no need for the technician to even see this message. The infection should be blocked
automatically, but blocking alone is not enough: because malware was present on the machine, the IT
department must be notified so they can find out how it got there and possibly clean other infected
machines around it. In the case of a hospital it should be their IT department, but if you are offering
support, it should be YOUR IT department. And none of this should confuse the operators or break the
workflow.
Another issue is changing the product settings remotely. One option is to install remote management
software on each device and modify the settings manually. The issue here is that you can only do it
during non-business hours, or otherwise people would freak out seeing mysterious dialogs popping up on
the X-Ray control panel. And if your business is good and you have sold not just one machine but
thousands, there is a lot of work to do. Then next week someone finds out one of the settings was set
incorrectly, and you are repeating the whole exercise.
Solution: when you license the anti-malware technology as a Software Development Kit (SDK), there is
no UI at all. You are in complete control of the whole business logic: you decide what to do when
infections are detected, and where and how they are reported. And you tell the SDK which settings
should be used. The settings could be stored on your server, and your solution might download them and
apply them to all machines simultaneously, ensuring the best protection and the best user experience
for your valuable customers.
Question 2: Can I exclude the useless components?
A security product typically includes a lot of features. Those related to malware detection are useful
for you, but the other features might not be. For example, the antivirus product could include an
anti-spam module, which makes no sense on the X-Ray machine control panel. There could be a built-in ad
blocker, password manager, parental control, online banking protection, and a zillion other features.
Those features are quite useful for desktop users, but they make no sense in your environment.
Rule: a security solution running on a medical device should only contain the necessary
components, and no more than that.
You might think it is not really a big deal. What is the harm if there are extra features which nobody
would use? But please consider the following issues:
•	 Each of those features consumes some disk space, CPU, memory and (sometimes) network bandwidth.
Those are valuable resources which could be used by your application to perform faster,
do more processing or offer more features.
•	 Each of those features might have bugs, for which the product update would be issued.
This means you would have to update the antivirus much more frequently than if those
features were excluded. The product might only fix issues in the antispam module, but
since few vendors are so specific in the release notes, you are likely to be forced to install
every single product update.
•	 Some of those features might actually create issues. For example, there may be an
automatic “system optimization component” which reconfigures the system for the “best
user experience” and changes the screen resolution, which breaks your application layout.
Or there may be a “disk space cleanup” feature which deletes the temporary files of your
application as “unused” right when it was about to start processing them.
•	 And some features may be outright dangerous. For example, the antivirus might include
automatic remote backup, which uploads all the documents to a remote location
automatically. This may lead to leakage of the documents containing medical information,
and such act might be against the laws of your country – such as HIPAA in the USA –
exposing your company to a lawsuit. Some products may include device tracking and
remote wipe features, which could be abused remotely if misconfigured.
Solution: when you license the anti-malware technology as SDK, you only license the components
which you need. You don’t pay extra for the components you won’t use, and you don’t include
components such as “system optimizer” which have no place in your professional solution.
Question 3: Can I control the antivirus’s use of the Internet?
A medical facility often has a restrictive Internet access policy, and for good reason. However,
antivirus products need to be updated frequently, or their ability to cope with new threats would be
reduced. And some antivirus products require an Internet connection to be available even for basic
functionality, such as malware scanning, and will not work at all without one. This may create issues,
because many medical devices are portable and are constantly moved between wards within the hospital –
and even if a unit is not moved, it may be installed in a place where no network connection is
available at all.
Rule: a security solution running on a medical device should work with limited Internet usage, and
should be fully functional if the network connection is interrupted.
Can you configure the antivirus to download its updates – including the product updates – from
an internal server? Note that this is not a typical home user configuration, so your product will not
have it built-in – you might need some extra software for that. Can you get it, and under which
terms?
And can your antivirus function without an Internet connection, and if yes, how much functionality
would be missing? Most modern products just print “Internet connection required” on their box, and
almost nobody explains in the documentation which components and functionality depend on the
Internet, what speed and throughput are required, and how much traffic the product would consume
daily.
Solution: when you license the anti-malware technology as an SDK, this information is always available
to you. Moreover, an experienced vendor such as Bitdefender would be able to offer different SDKs based
on your needs, which differ in their requirements for Internet connectivity. Also, the situation with
firewalled networks is common among technology partners, so you will get access to a supported solution
which performs update mirroring and lets hospitals set up their own secure update servers.
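The headless reporting from Question 1 and the offline operation from Question 3, as an added example that is not part of the paper and not Bitdefender SDK code: a hypothetical scanning engine calls `Reporter.on_detection()`, each report is spooled to local disk and delivered to the device owner's endpoint once the network allows, and settings arrive as a centrally distributed document that is validated before it replaces the one in force. The spool directory, the transport callable and the settings keys are all assumptions made for this example.

```python
"""Headless detection reporting and centrally distributed settings (added example)."""
from __future__ import annotations

import json
import time
import uuid
from dataclasses import asdict, dataclass, field
from pathlib import Path
from typing import Callable, Dict


@dataclass
class DetectionEvent:
    """What the IT department needs to know: which device, what was found, what was done."""
    device_id: str
    path: str
    threat_name: str
    action: str                       # e.g. "blocked", "quarantined"
    event_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    timestamp: float = field(default_factory=time.time)


# Delivery is injected so the device owner decides where reports go (hospital IT,
# the vendor's own support desk, or both). It returns True once the endpoint acknowledged.
Transport = Callable[[Dict], bool]


class Reporter:
    """Records detections on local disk and forwards them when the network allows.

    There is deliberately no UI path: the operator at the X-Ray console never sees a
    dialog, and the report survives even if the unit is offline for days.
    """

    def __init__(self, spool_dir: Path, transport: Transport) -> None:
        self.spool_dir = spool_dir
        self.transport = transport
        self.spool_dir.mkdir(parents=True, exist_ok=True)

    def on_detection(self, event: DetectionEvent) -> bool:
        """Hypothetical SDK callback: persist the report first, then try to deliver.
        Returns True when the spool is empty afterwards, i.e. the report got through."""
        spool_file = self.spool_dir / f"{event.event_id}.json"
        tmp = spool_file.with_suffix(".tmp")
        # Write-then-rename: a power cut mid-write cannot leave a truncated record behind.
        tmp.write_text(json.dumps(asdict(event)))
        tmp.replace(spool_file)
        return self.flush() == 0

    def flush(self) -> int:
        """Delivers spooled reports oldest-first; returns how many remain undelivered."""
        pending = sorted(self.spool_dir.glob("*.json"),
                         key=lambda p: (p.stat().st_mtime, p.name))
        for spool_file in pending:
            record = json.loads(spool_file.read_text())
            if not self.transport(record):
                break                 # still offline: keep the backlog for the next attempt
            spool_file.unlink()       # acknowledged by the endpoint: safe to forget locally
        return sum(1 for _ in self.spool_dir.glob("*.json"))


# Settings are pushed from the device vendor's server, never edited on the console.
# The key set is an assumption made for this example.
REQUIRED_KEYS = frozenset({"version", "scan_removable_media", "quarantine_dir", "report_interval_s"})


def apply_policy(current: Dict, candidate: Dict) -> Dict:
    """Accepts a centrally distributed settings document only if it carries exactly the
    expected keys and a higher integer version than the one in force. Anything else
    (malformed, stale or replayed) leaves the current settings untouched."""
    if set(candidate) != REQUIRED_KEYS:
        return current
    version = candidate["version"]
    if not isinstance(version, int) or version <= current.get("version", -1):
        return current
    return dict(candidate)


if __name__ == "__main__":
    # Constructed demonstration: the LAN is down for the first delivery attempt.
    import tempfile

    link_up = False
    delivered = []

    def lan_transport(record: Dict) -> bool:
        if link_up:
            delivered.append(record)
        return link_up

    reporter = Reporter(Path(tempfile.mkdtemp()) / "av-spool", lan_transport)
    hit = DetectionEvent("xray-ward3-01", "E:\\DCIM\\img001.jpg", "Sample.Threat.Name", "quarantined")
    print("delivered immediately:", reporter.on_detection(hit))  # False: link is down
    link_up = True
    print("left in spool after reconnect:", reporter.flush())   # 0
    print("reports received by IT:", len(delivered))            # 1
```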
Question 4: Can the antivirus work with my device security measures?
You might create a very secure device, using a read-only file system to store executable binaries and
using snapshots for the document areas – including the registry – which are restored upon reboot. This
way any changes made to the configuration by one doctor on your device can be easily reverted when
another doctor comes on duty.
But does the antivirus support it? This is certainly not a typical end-user configuration, even in
corporate environments, so don’t be surprised if it does not. For example: it might rely internally on
binary patching, and break when the binaries are located on a read-only file system. It might store the
current update version in a registry branch which is not properly preserved, and after a reboot find
that the updates have been reverted and no longer match the registry.
Rule: a security solution running on a device with unique requirements should be explicitly
cleared by the vendor to support those requirements.
Moreover, even if the current version you tested works in this environment, there is no guarantee
the next version will work too. This is certainly not the use case the vendor tests the product on –
so your luck here is, indeed, just pure luck. But do you want to gamble with security?
Solution: when you license the anti-malware technology as an SDK, you are in complete control of which
files are stored, and where they are stored. You can integrate the antivirus update process with your
read-only protection mechanism so that write access is allowed for some components only for a specific
time, which allows the security solution to function properly while maintaining a higher degree of
security for your device than your competitors offer.
Question 5: Can I use the antivirus built-in extra functionality?
Most antivirus products do a good job protecting themselves from malware. Typical malware – even
possessing administrative privileges on Windows – cannot delete the antivirus files, kill its process
or write to its memory. However, off-the-shelf products – including enterprise products – typically do
not offer these self-protection features for you to incorporate into your own application.
Rule: a security solution running on a medical device should protect not just itself, but the medical
application too.
The protection functionality offered by the underlying technology is very powerful – you can
prevent modification of files, registry keys, and process memory. In some cases you can even
prevent reading the process memory – even if the attacker possesses the administrator rights!
This provides a higher degree of security, and is very useful in securing your device against
internal attackers.
Solution: many experienced technology licensing vendors such as Bitdefender offer this
functionality as part of some of the SDKs, so when you need it, you’re covered.
Question 6: Does the antivirus leak any data which would get me in trouble?
Many antivirus products see their main job as protecting the consumer, including the consumer’s
privacy. But they protect it only from the “bad guys”. They might not be protecting it from the “good
guys”, and certainly not from themselves. Your security product – even an enterprise product – might be
sending a lot of information back to the vendor, such as diagnostic information, some scanned files,
some visited URLs and so on. This may not be acceptable for a medical device, and might even be
considered a violation of patient information protection laws, such as HIPAA in the USA.
Rule: a security solution running on a medical device should send out no protected or identifiable
information – even back to the vendor.
In case you’re using a free product, the situation is typically even worse. The vendors offering free
products need to make money to stay in business, so they typically collect a lot of information, which
could then be shared for profit. Remember the old saying, “if you’re not paying for the product, you
are the product”. The problem here is that even if you are paying for the product, the vendor might
still “subsidize” the lower product price with information sharing. And the transparency differs among
vendors – while some vendors are very open about this, some bury it in legalese on page 268 of their
privacy policy, where it is unlikely to ever be discovered.
Another possibility is that the antivirus vendor itself is using one or more 3rd party technologies
internally, and those technologies share your data internally. This makes it much more difficult to
find out which information is shared and how it is used, since you might not even know about the
existence of a 3rd party vendor (those partnerships are typically not public information). And even if
you’re aware of this issue, what happens if the technology vendor is changed, or acquired, or changes
their privacy policy tomorrow?
Solution: when you license the anti-malware technology as an SDK, it typically does not share anything
at all. You can enable sharing of specific information which would gain you certain benefits (for
example, if you want certain files to be re-analyzed manually for being malicious, you would have to
share them). But this sharing always happens consciously: you’re always in control of what you want to
share, and can stop the sharing at any time, or on a per-customer basis. Also, you can always ask the
vendor to clarify whether any 3rd party technology is used, and act accordingly.
Question 7: Is my operating system supported?
Does the antivirus documentation say it supports the operating system you’re running it on, such as
Windows 7 Embedded? Or it doesn’t, but you called the sales department and they assured you: “did I
just hear ‘Windows’? Yeah, it surely works on Windows!” Or – even worse – one of your engineers bought
the antivirus in a store, installed it on your device, popped up the UI, played with it for 15 minutes
and wrote a report saying “it works”?
Rule: if the antivirus specification does not say the OS is supported, it is not.
You might think it is easy to ignore this rule – after all, you just need to test the antivirus
yourself on the OS, right? Nope. First, this is not easy – you need to spend some major effort to
ensure the antivirus works properly on this OS. This would require a complete test of it, and the
complexity of this task is obvious once you understand it is not enough just to install it there,
click on the UI popup, perform a scan and mark it as “checked”.
What if the antivirus affects some functionality of your device hardware? This may be obvious, as when
the antivirus disables a touch screen because of a driver conflict. But it might not be so obvious,
when you find out that when your X-Ray tries to upload the shots to a central server, this connection
is blocked as suspicious. Or that after your software has been running for two weeks, the antivirus
behavior analysis module decides it is malware, and it gets deleted? Just to find things like that
would require a long-running test of your whole application functionality together with this
antivirus.
There also could be upgrades – OS upgrades, your application upgrades, product upgrades. The OS gets a
security update, and the antivirus driver does not recognize the updated OS as valid. It didn’t check
this before the update, but now it does, and the antivirus does not work anymore, or crashes the OS on
boot. Or the antivirus vendor made some changes to make it Windows 2020 compatible – and those exact
changes broke the compatibility with your OS.
With all those issues you’re completely at the mercy of the security vendor. Maybe they’d listen to
your pleas and restore the functionality – after accepting a fat check, no doubt – but even then the
result is not guaranteed, especially an urgent one.
Solution: when you license the anti-malware technology for your operating system, it is
guaranteed to be supported for the duration of the contract. The experienced vendor will also
help you to test your product to ensure there is no incompatibility between your product and their
code, and will promptly fix the issues if there is any. With the SLAs at your back you’ll feel much
more comfortable facing your demanding customers.
Question 8: Will the antivirus vendor support my use cases?
What happens if the antivirus decides that your product update executable is malware? After all, it
downloads executable files from the Internet and then overwrites existing executable files with them
– this is how a lot of malware acts, so this is certainly possible. What would you do in this case?
Rule: if you purchase an off-the-shelf product, expect off-the-shelf support.
Most likely you’ll call the product support. With an off-the-shelf product it would probably take a
while to reach someone who can actually understand the issue, and it will take even longer to find
someone capable of taking action on your behalf. Even if you purchased the enterprise version and
reached the enterprise support, they still might not be familiar with the nuances of your product –
after all, it does not resemble anything like a typical enterprise environment!
In any case, expect to submit your product for analysis (the antivirus vendor needs to make sure
it is indeed a clean product and not malware), and this analysis might take some time too. Note
that since there is no NDA between you and the antivirus vendor – and since it is you who’re
experiencing the issue, not them, they might not be willing to sign one – your product binaries
might be shared with third parties.
Of course, when the next version of your product update is finally downloaded, you may be in for the
same procedure again – because it is a different binary now, and the antivirus vendor has no way to
know about it or test against it.
Solution: when you license the anti-malware technology, as part of the deal you receive access to a
completely different level of support – sometimes you can even communicate directly with engineers and
researchers. This means your problems are fixed fast, and most of them wouldn’t even happen – because
the support would think ahead of this scenario, and ask you to submit your new product binaries in
advance so the vendor can ensure they are not falsely detected. And of course your submissions would
be covered under the typical business NDA.
Conclusion
As you see, there are significant advantages to licensing the anti-malware technology from a trusted
vendor versus using an off-the-shelf product for securing your device. Even though these products may
be the easiest to implement, antimalware SDKs offer greater flexibility to avoid the typical problems
associated with off-the-shelf antivirus products.
All Rights Reserved. © 2016 Bitdefender.
All trademarks, trade names, and products referenced herein are property of their respective owners.
FOR MORE INFORMATION VISIT: bitdefender.com/oem/
18072016-Bitdefender-OEM-Papers-UseOffShelf-en_US
Bitdefender delivers security technology in more than 100 countries through a cutting-edge network of value-added alliances, distributors and reseller
partners. Since 2001, Bitdefender has consistently produced market-leading technologies for businesses and consumers and is one of the top security
providers in virtualization and cloud technologies. Bitdefender has matched its award-winning technologies with sales alliances and partnerships and has
strengthened its global market position through strategic alliances with some of the world’s leading virtualization and cloud technology providers.
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Último (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Good Idea?

Paper

Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Good Idea?
Or Eight Questions You Should Ask Yourself before doing that.

Most vendors who create embedded devices – especially medical devices such as connected X-Ray machines, connected labs and other equipment – are smart, and understand the need to secure them against external threats such as malware. Such devices often run a common operating system such as Windows Embedded or Linux, and are susceptible to the same kinds of malware threats as their non-embedded counterparts. Thus, protection against malware is an important consideration when securing such devices.

A possible approach to securing those devices is to install an off-the-shelf antivirus product. The advocates of this approach typically come up with convincing arguments such as:

• This antivirus is being used successfully by millions of users, so there should be no issues running it on your devices;
• Your engineers are familiar with the antivirus installation and maintenance;
• The installation is quick – your device would be secured in a couple of minutes, no integration needed;
• It is very cheap – in some cases it could even be free!

Sounds like a plan? It does at first glance. But if you think it is a good idea, please read on. There are a number of questions you need to ask yourself before making such a decision, and this article will help you.

Question 1: Would the product UI confuse my users?

Imagine your connected X-Ray machine got infected. Maybe someone plugged in a USB stick with malware, and opened an image file which triggered a vulnerability in a parser. Maybe one of the Windows services running on it had a remote code execution vulnerability, and got attacked through the network. The antivirus detected the threat, and…

… and popped up the message on the screen!

Now a typical desktop user, who installed Bitdefender antivirus, would obviously understand what’s going on. However, the technician operating the X-Ray machine might never have heard of Bitdefender, or (unlikely but possible) might not even know about antivirus software at all. So they might not know what to do with this. They might even click on “More details” (assuming your interface supports it in the first place!), and get even more confused. Most likely this will result in their typical workflow being interrupted, and your support being called. At this moment the local IT department might get involved, and hopefully would fix it.

Rule: a security solution running on a medical device should be able to report infections to an appropriate department, and do so without workflow interruption.

There is absolutely no need for the technician to even see this message. The infection should be blocked automatically, but blocking alone is not enough: because the infection was present, the IT department must be notified so they can find out how it got there, and possibly clean other infected machines nearby. In the case of a hospital it should be their IT department, but if you are offering support, it should be YOUR IT department. And none of this should confuse the operators or break the workflow.

Another issue is changing the product settings remotely. One option is to install remote management software on each device, and modify the settings manually. The issue here is that you can only do it during non-business hours, or otherwise people would freak out seeing mysterious dialogs popping up on the X-Ray control panel. And if your business is good and you have sold not just one machine but thousands, there’s a lot of work to do. Then next week someone finds out one of the settings was set incorrectly, and you’re up to repeating this again.

Solution: when you license the anti-malware technology as a Software Development Kit (SDK), there is no UI at all. You’re in complete control of the whole business logic: you decide what to do when infections are detected, and where and how they are reported. And you tell the SDK which settings should be used. The settings could be stored on your server, and your solution might download them and apply them to all machines simultaneously, ensuring the best protection and the best user experience for your valuable customers.

Question 2: Can I exclude the useless components?

A security product typically includes a lot of features. Those related to malware detection are useful for you, but the other features might not be. For example, the antivirus product could include an anti-spam module, which makes no sense on the X-Ray machine control panel. There could be a built-in ad blocker, password manager, parental control, online banking protection, and a zillion other features that make no sense for your use case. Those features are quite useful for desktop users, but they have no place in your environment.

Rule: a security solution running on a medical device should only contain the necessary components, and no more than that.

You might think it is not really a big deal. What is the harm in extra features which nobody would use? But please consider the following issues:

• Each of those features consumes some disk space, CPU, memory and (sometimes) network. Those are valuable resources which could be used by your application to perform faster, do more processing or offer more features.
• Each of those features might have bugs, for which a product update would be issued. This means you would have to update the antivirus much more frequently than if those features were excluded. The update might only fix issues in the anti-spam module, but since few vendors are so specific in their release notes, you are likely to be forced to install every single product update.
• Some of those features might actually create issues. For example, there may be an automatic “system optimization component” which reconfigures the system for the “best user experience”, and changes the screen resolution, which breaks your application layout. Or there may be a “disk space cleanup” feature which deletes the temporary files of your application as “unused” right when it was about to start processing them.
• And some features may be outright dangerous. For example, the antivirus might include automatic remote backup, which uploads all the documents to a remote location automatically. This may lead to leakage of documents containing medical information, and such an act might be against the laws of your country – such as HIPAA in the USA – exposing your company to a lawsuit. Some products may include device tracking and remote wipe features, which could be abused remotely if misconfigured.

Solution: when you license the anti-malware technology as an SDK, you only license the components which you need. You don’t pay extra for the components you won’t use, and you don’t include components such as a “system optimizer” which have no place in your professional solution.

Question 3: Can I control the antivirus use of the Internet?

A medical facility often has a restrictive Internet access policy, and for good reason. However, antivirus products need to be updated frequently, or their ability to cope with new threats is reduced. And some antivirus products require an Internet connection to be available even for basic functionality, such as malware scanning, and will not work at all without one. This may create issues, because many medical devices are portable, and are constantly transferred between wards within the hospital – and even when a unit stays put, it may be installed in a place where no network connection is available at all.

Rule: a security solution running on a medical device should work with limited Internet usage, and should be fully functional if the network connection is interrupted.

Can you configure the antivirus to download its updates – including the product updates – from an internal server? Note that this is not a typical home user configuration, so the product will not have it built in – you might need some extra software for that. Can you get it, and under which terms? And can your antivirus function without an Internet connection, and if yes, how much functionality would be missing? Most modern products just print “Internet connection required” on their box, and almost nobody explains in the documentation which components and functionality depend on the Internet, what speed and throughput are required, and how much traffic the product would consume daily.

Solution: when you license the anti-malware technology as an SDK, this information is always available to you. Moreover, an experienced vendor such as Bitdefender would be able to offer different SDKs based on your needs, which differ in their requirements for Internet connectivity. Firewalled networks are also a common situation among technology partners, so you will get access to a supported solution which performs update mirroring, and lets hospitals set up their own secure update servers.

Question 4: Can the antivirus work with my device security measures?

You might create a very secure device, using a read-only file system to store executable binaries, and using snapshots for the document areas – including the registry – that are restored upon reboot. This way any changes made to the configuration by one doctor on your device can easily be reverted when another doctor gets on duty. But does the antivirus support it? This is certainly not a typical end-user configuration, even in corporate environments, so don’t be surprised if it does not. For example: it might rely internally on binary patching, and break when the binaries are located on the read-only file system. It might store the current update version in a registry branch which is not preserved, and find after a reboot that the updates have been reverted and no longer match the registry.

Rule: a security solution running on a device with unique requirements should be explicitly cleared by the vendor to support those requirements.

Moreover, even if the current version you tested works in this environment, there is no guarantee the next version will work too. This is certainly not the use case the vendor tests the product on – so your luck here is, indeed, just pure luck. But do you want to gamble with security?

Solution: when you license the anti-malware technology as an SDK, you are in complete control of which files are stored, and where they are stored. You can integrate the antivirus update process with your read-only protection mechanism, so that you allow write access for some components only for a specific time. This lets the security solution function properly while maintaining a higher degree of security for your device than your competitors offer.

Question 5: Can I use the antivirus built-in extra functionality?

Most antivirus products do a good job protecting themselves from malware. Typical malware – even possessing administrative privileges on Windows – cannot delete the antivirus files, kill its process or write to its memory. However, off-the-shelf products – including enterprise products – typically do not offer additional self-protection features that you can incorporate into your application.

Rule: a security solution running on a medical device should protect not just itself, but the medical application too.

The protection functionality offered by the underlying technology is very powerful – you can prevent modification of files, registry keys, and process memory. In some cases you can even prevent reading the process memory – even if the attacker possesses administrator rights! This provides a higher degree of security, and is very useful in securing your device against internal attackers.

Solution: many experienced technology licensing vendors such as Bitdefender offer this functionality as part of some of their SDKs, so when you need it, you’re covered.

Question 6: Does the antivirus leak any data which would get me in trouble?

Many antivirus products see their main job as protecting the consumer, including the consumer’s privacy. But they protect it only from the “bad guys”. They might not be protecting it from the “good guys”, and certainly not from themselves. Your security product – even an enterprise product – might be sending a lot of information back to the vendor, such as diagnostic information, some scanned files, some visited URLs and so on. This might not be acceptable for a medical device, and might even be considered a violation of patient information protection laws, such as HIPAA in the USA.

Rule: a security solution running on a medical device should send out no protected or identifiable information – even back to the vendor.

In case you’re using a free product, the situation is typically even worse. The vendors offering free products need to make money to stay in business, so they typically collect a lot of information, which could then be shared for profit. Remember the old saying, “if you’re not paying for the product, you are the product”. The problem here is that even if you are paying for the product, the vendor might still “subsidize” the lower product price with information sharing. And the transparency differs among vendors – while some vendors are very open about this, some bury it in legalese on page 268 of their privacy policy, where it is unlikely ever to be discovered.

Another possibility is that the antivirus vendor itself is using one or more 3rd party technologies internally, and those technologies share your data internally. This makes it much more difficult to find out which information is shared and how it is used, since you might not even know about the existence of a 3rd party vendor (those partnerships are typically not public information). And even if you’re aware of this issue, what happens if the technology vendor is changed, or acquired, or changes their privacy policy tomorrow?

Solution: when you license the anti-malware technology as an SDK, it typically does not share anything at all. You can enable sharing of specific information which would gain you certain benefits (for example, if you want certain files to be re-analyzed manually for being malicious, you would have to share them). But this sharing always happens consciously: you’re always in control of what you want to share, and can stop the sharing at any time, or on a per-customer basis. Also, you can always ask the vendor to clarify whether any 3rd party technology is used, and act accordingly.

Question 7: Is my operating system supported?

Does the antivirus documentation say it supports the operating system you’re running it on, such as Windows 7 Embedded? Or does it not, but you called the sales department and they assured you “did I just hear ‘Windows’? Yeah, it surely works on Windows!” Or – even worse – one of your engineers bought the antivirus in a store, installed it on your device, popped up the UI, played with it for 15 minutes and wrote a report saying “it works”?

Rule: if the antivirus specification does not say the OS is supported, it is not.

You might think it is easy to ignore this rule – after all, you just need to test the antivirus yourself on the OS, right? Nope. First, this is not easy – you need to spend major effort to ensure the antivirus works properly on this OS. This requires a complete test of it, and the complexity of this task is obvious once you understand that it is not enough just to install it there, click on the UI popup, perform a scan and mark it as “checked”. What if the antivirus affects some functionality of your device hardware? This may be obvious, as when the antivirus disables a touch screen because of a driver conflict. But it might not be so obvious when you find out that when your X-Ray tries to upload the shots to a central server, the connection is blocked as suspicious. Or after your software has been running for two weeks, the antivirus behavior analysis module decides it is malware, and deletes it? Finding issues like these would require a long-running test of your whole application functionality together with this antivirus.

There could also be upgrades – OS upgrades, your application upgrades, product upgrades. The OS gets a security update, and the antivirus driver is not marked as valid for this OS. It didn’t check this before the update, but now it does, and the antivirus does not work anymore, or crashes the OS on boot. Or the antivirus vendor made some changes to make it Windows 2020 compatible – and those exact changes broke the compatibility with your OS. With all those issues you’re completely at the mercy of the security vendor. Maybe they’d listen to your pleas and restore the functionality – after accepting a fat check, no doubt – but even then the result is not guaranteed, especially an urgent result.

Solution: when you license the anti-malware technology for your operating system, it is guaranteed to be supported for the duration of the contract. An experienced vendor will also help you test your product to ensure there is no incompatibility between your product and their code, and will promptly fix the issues if there are any. With the SLAs at your back you’ll feel much more comfortable facing your demanding customers.

Question 8: Will the antivirus vendor support my use cases?

What happens if the antivirus decides that your product update executable is malware? After all, it downloads executable files from the Internet, and then overwrites existing executable files with them – this is how a lot of malware acts, so this is certainly possible. What would you do in this case?

Rule: if you purchase an off-the-shelf product, expect off-the-shelf support.

Most likely you’ll call the product support. With an off-the-shelf product it would probably take a while to reach someone who can actually understand the issue, and it will take even longer to find someone who is able to take action on your behalf. Even if you purchased the enterprise version, and reached the enterprise support, they still might not be familiar with the nuances of your product – after all, it does not resemble anything like a typical enterprise environment! In any case, expect to submit your product for analysis (the antivirus vendor needs to make sure it is indeed a clean product and not malware), and this analysis might take some time too. Note that since there is no NDA between you and the antivirus vendor – and since it is you who is experiencing the issue, not them, they might not be willing to sign one – your product binaries might be shared with third parties. Of course, when the next version of your product update is finally downloaded, you may be up for the same procedure again – because it is a different binary now, and the antivirus vendor has no way to know about it or test against it.

Solution: when you license the anti-malware technology, as part of the deal you receive access to a completely different level of support – sometimes you can even communicate directly with engineers and researchers. This means your problems are fixed fast, and most of them wouldn’t even happen – because the support would think ahead of this scenario, and ask you to submit your new product binaries in advance, so the vendor can ensure they are not falsely detected. And of course your submissions would be covered under the typical business NDA.

Conclusion

As you see, there are significant advantages to licensing the anti-malware technology from a trusted vendor versus using an off-the-shelf product for securing your device. Even though these products may be the easiest to implement, anti-malware SDKs offer greater flexibility to avoid the typical problems associated with off-the-shelf antivirus products.

All Rights Reserved. © 2016 Bitdefender. All trademarks, trade names, and products referenced herein are property of their respective owners.
FOR MORE INFORMATION VISIT: bitdefender.com/oem/
18072016-Bitdefender-OEM-Papers-UseOffShelf-en_US

Bitdefender delivers security technology in more than 100 countries through a cutting-edge network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced market-leading technologies for businesses and consumers and is one of the top security providers in virtualization and cloud technologies. Bitdefender has matched its award-winning technologies with sales alliances and partnerships and has strengthened its global market position through strategic alliances with some of the world’s leading virtualization and cloud technology providers.