by Robin Bloor

The Direction of Antivirus Software

Oct 05, 2005
Data and Information Security, Viruses

Viruses, worms, spyware: they are all unauthorized software. They are the worst kind because of the damage they can do, but they are far from the only species of unauthorized software. Left to their own devices, many PC users will happily load applications that the IT department thoughtlessly failed to provide them with, and laptop users will sometimes discover that their teenage children have seen fit to enrich the laptop with a computer game or two. All of this unauthorized software can be stopped, should be stopped, and could have been stopped a long time ago if the IT industry had looked at the problem the right way round.

It's not about recognizing the bad software; it's about authorizing the genuine applications and ensuring that they are the only software that can run. Not only is this a sensible approach, but once you become familiar with it, you begin to wonder whether anti-virus software is necessary at all.

There are two IT security products I'm aware of that employ this approach, and both are relatively new: Sanctuary from Securewave and Bit9 Parity from Bit9. Both work in roughly the same way. They fingerprint all authorized software and, whenever an application is launched, check whether its fingerprint is on the list of authorized applications. If it is not on the list, the application is stopped or put into quarantine. The fingerprint is a hash computed over the contents of the executable file. It plays the same role as a virus signature, but inverted: a virus signature identifies known-bad code, whereas the fingerprint identifies known-good code. So if an application has been altered in any way, by a virus for example, its hash will no longer match and it will show up as unauthorized, and it will be stopped or quarantined like anything else.

So what is quarantine? It would be nice to stop all rogue software of any kind stone dead, but the PC environment is so complex, and new software appears so fast, that this may not be practical or desirable in some organizations or for some users. Software may look rogue, but someone has to prove it first. So if software without an authorized fingerprint tries to launch, it is held in quarantine until it is either authorized or officially refused.

Both Sanctuary and Bit9 Parity provide policy options for dealing with unauthorized software. The choices vary between the products, but the idea is essentially the same. You can stop the unauthorized software cold, or let it run but ring-fence it so that it cannot affect other machines. You can vary the policy from one user to another, so that some users have more leeway than others. Similarly, there are choices about how authorization occurs, and policy can define who is allowed to authorize what.
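To make the mechanism described above concrete, here is a small allowlisting enforcer written for this page as an added example. It is not code from Sanctuary, Bit9 Parity, or the article's author, and every name in it (the Enforcer class, the Policy values, the user names, the "it-admin" role) is hypothetical. The sample "executables" are constructed byte strings standing in for files on disk. The example carries the mechanism through each point the preceding paragraphs raise: fingerprinting authorized files with a hash, refusing anything whose hash is unknown, detecting a file that was altered after authorization, per-user block/quarantine/audit policy, and restricting who may authorize software.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample "executables": stand-ins for the bytes of files on disk.
SAMPLE_FILES = {
    "winword.exe": b"MZ\x90\x00 constructed word processor image",
    "payroll.exe": b"MZ\x90\x00 constructed in-house payroll client",
    "game.exe": b"MZ\x90\x00 constructed game nobody in IT approved",
}


class Policy(Enum):
    """What to do when a user launches software that is not on the allowlist."""
    BLOCK = "block"            # stop unknown software cold
    QUARANTINE = "quarantine"  # hold it until an administrator decides
    AUDIT = "audit"            # let it run, but record that it ran


def fingerprint(data: bytes) -> str:
    """The article's 'fingerprint': a hash over the whole file. Any change to
    the bytes (a virus infecting the file, say) produces a different value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Enforcer:
    admins: set                                      # users allowed to authorize software
    allowlist: set = field(default_factory=set)      # fingerprints of authorized code
    user_policy: dict = field(default_factory=dict)  # user -> Policy for unknown code
    default_policy: Policy = Policy.BLOCK
    quarantine: dict = field(default_factory=dict)   # fingerprint -> (name, launching user)
    log: list = field(default_factory=list)          # (user, name, hash prefix, decision)

    def authorize(self, admin: str, data: bytes) -> str:
        """Policy on who may authorize what: only an admin can add a fingerprint."""
        if admin not in self.admins:
            raise PermissionError(f"{admin} may not authorize software")
        h = fingerprint(data)
        self.allowlist.add(h)
        self.quarantine.pop(h, None)  # release the file if it was being held
        return h

    def on_launch(self, user: str, name: str, data: bytes) -> str:
        """Called whenever a program starts; returns the enforcement decision.
        Note that the decision depends on the file contents, not its name."""
        h = fingerprint(data)
        if h in self.allowlist:
            decision = "run"
        else:
            policy = self.user_policy.get(user, self.default_policy)
            if policy is Policy.BLOCK:
                decision = "blocked"
            elif policy is Policy.QUARANTINE:
                self.quarantine[h] = (name, user)
                decision = "quarantined"
            else:
                decision = "run-audited"
        self.log.append((user, name, h[:12], decision))
        return decision


def demo() -> dict:
    """Walk through the scenarios in the text; returns the decisions for checking."""
    e = Enforcer(admins={"it-admin"}, user_policy={"bob": Policy.QUARANTINE})
    for name in ("winword.exe", "payroll.exe"):
        e.authorize("it-admin", SAMPLE_FILES[name])

    results = {}
    # An authorized application runs as normal.
    results["alice_word"] = e.on_launch("alice", "winword.exe", SAMPLE_FILES["winword.exe"])
    # Unapproved software: alice gets the default (block), bob has more leeway (quarantine).
    results["alice_game"] = e.on_launch("alice", "game.exe", SAMPLE_FILES["game.exe"])
    results["bob_game"] = e.on_launch("bob", "game.exe", SAMPLE_FILES["game.exe"])
    # A virus that alters an authorized file changes its hash, so it is no longer
    # recognized even though it is still called "winword.exe".
    infected = SAMPLE_FILES["winword.exe"] + b"\x00 constructed parasitic code"
    results["alice_infected_word"] = e.on_launch("alice", "winword.exe", infected)
    # A user cannot approve their own game; authorization is an admin action.
    try:
        e.authorize("bob", SAMPLE_FILES["game.exe"])
        results["bob_self_authorize"] = "allowed"
    except PermissionError:
        results["bob_self_authorize"] = "denied"
    # The admin reviews the quarantine and approves the game; it then runs for everyone.
    results["quarantined_before"] = len(e.quarantine)
    e.authorize("it-admin", SAMPLE_FILES["game.exe"])
    results["quarantined_after"] = len(e.quarantine)
    results["alice_game_after"] = e.on_launch("alice", "game.exe", SAMPLE_FILES["game.exe"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The final step of the walk-through is also the gap the article goes on to acknowledge: once an administrator authorizes a file, the enforcer trusts it unconditionally, so an approval decision is only as good as the review behind it.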

It is fairly obvious that this type of product is a more effective anti-virus solution than traditional anti-virus software. It stops any virus that arrives on the desktop as new or altered executable code, and it does so instantly, including for viruses nobody has seen before (zero-day threats, as they are sometimes called), because it never needs a signature for the attacker's code. The caveat is that it only sees what tries to launch: an attack that runs inside an application that is already authorized is not a new executable and will not be caught this way. It also deals, to some extent, with other threats. External hackers will have the same problems loading unauthorized software as internal users do, and the activities of rogue staff quickly become visible.

The question naturally arises as to whether there is any value in anti-virus software at all if you deploy this type of product. There is, but it's marginal. Firstly, anti-virus protects the whole network, including servers and gateways, whereas these products currently focus on desktops and laptops. Secondly, the anti-virus signature is a useful identification of rogue software in its own right. If someone manages to fool an administrator into authorizing malware, the anti-virus software will expose it, but these authorization products will not, since they trust whatever has been authorized.

Nevertheless, if and when these products increase their scope and add malware detection to their capabilities, they will drive current anti-virus software into retirement.