In Depth

The Future of Antivirus

As signatures proliferate, antivirus vendors must ramp up other techniques for spotting and squashing malware

By Michael Fitzgerald

Page 3

Lambert says McAfee is probably furthest along in using HIPS among the big antivirus makers, having had more time than its rivals to integrate features added via corporate acquisitions.

The downside to these technologies is that none are as simple and alluring as the old signature-based antivirus, which she called a "set it and forget it" technology. She notes that HIPS technologies are difficult to manage and will never be as simple as the old model, though she expects they will get easier over time.

Neohapsis's Shipley says none of these techniques are really new; he notes that it's been more than four years since McAfee purchased Entercept, for instance. But "what role does it play and what percentage of things does it stop? I have no visibility into that." Shipley says he plans to bring in Bit9 to look at whether it could really replace his current antivirus software.

Antivirus firms agree that they are becoming something different.

Sophos, for instance, uses several additions to signature-based AV. Sophos examines program behavior: the modifications a program makes to things like system configuration and files as the program runs. The company has also built in a preexecution algorithm, a kind of crystal ball to simulate what unfamiliar code looks likely to do. Richard Wang, manager of Sophos Labs in the U.S., says that while signatures are easy to create, things like preexecution code are harder and thus take more time. But the payoff is that it can work against multiple strains of malicious software. He says that for the Storm worm, Sophos generated only one signature but has been able to recognize all the variants. Wang describes this type of technique as "almost like a broad-spectrum antibiotic."

Child's Play?

Interestingly, the OLPC XO (from the One Laptop Per Child Foundation) is another place to look at new AV techniques. The XO uses the Bitfrost specification, developed expressly for this simple computer. OLPC claims that the system "is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market."

The OLPC XO ships in a default mode that is basically locked down but simple for the user to open up. The Bitfrost specification uses a series of built-in protections, including sandboxes or program jails for applications and system-level protections that prevent alterations from code that could do something harmful.

Whether Bitfrost would work in a corporate environment or will be commercialized outside the OLPC project is unclear. But Avien's Harley, for one, thinks that there are psychological reasons why antivirus software is unlikely to go away.
