Friday, July 15, 2005
The future of antivirus; expect more false alarms
Antivirus programs have two ways to detect malicious software. One way is to look inside a downloaded program to see if it matches a known virus, kind of like a police officer comparing a face against a Wanted list.
The other way is to watch what the downloaded program does and stop it if it does anything "suspicious", like a police officer detaining someone for acting strangely.
The first way requires you to download new antivirus signatures every time a new virus comes out. The second way is prone to false alarms: police officers and antivirus programs can make mistakes.
Virus writers over the last few months have started releasing new versions of their pests every few hours, each one slightly changed to avoid detection by antivirus software. A few hours later, when the antivirus vendors catch up, the crooks make another change. If this keeps up then we may have to give up on looking at the bits inside a program to identify viruses.
If we can't count on catching a virus by recognizing its bits ("signature-based detection") then we'll have to depend more on watching for virus-like activity ("behavioral analysis"). Innocent programs will be blocked by antivirus software occasionally, just like innocent people in bad neighborhoods sometimes get stopped and questioned by the police. (Yes, the Internet is a bad neighborhood.)
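To make the two strategies concrete, here is a small added illustration (not code from the original post): a toy signature scanner that matches a program's bytes against a "Wanted list" of digests, and a toy behavioral scanner that raises an alarm when a program's observed actions fit a virus-like pattern. All programs, signatures, action names and rules in it are constructed stand-ins, not real malware or real antivirus logic. It shows the two failure modes the post describes: the signature scanner recognizes the original sample but not a slightly changed variant, while the behavioral scanner catches both variants and also flags an innocent mail-merge tool, the false alarm.

```python
# Added illustration of signature-based detection vs. behavioral analysis.
# Every sample, signature, rule and "behavior trace" here is constructed toy
# data; nothing is a real malware signature or a real program.
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


@dataclass
class Program:
    name: str
    code: bytes                                        # the bits inside the program
    actions: list[str] = field(default_factory=list)   # what it does when run


# --- Strategy 1: signature-based detection (comparing a face to a Wanted list)
SIGNATURES: dict[str, str] = {}   # sha256 hex digest -> label, filled per known sample


def add_signature(sample: bytes, label: str) -> str:
    """Vendor side: record a digest for a sample that has been analysed."""
    digest = hashlib.sha256(sample).hexdigest()
    SIGNATURES[digest] = label
    return digest


def scan_by_signature(p: Program) -> str | None:
    """Return the label if the program's bytes exactly match a known sample."""
    return SIGNATURES.get(hashlib.sha256(p.code).hexdigest())


# --- Strategy 2: behavioral analysis (detaining someone for acting strangely)
# Constructed rule set: each rule is a set of actions that together look
# virus-like. Any rule whose actions are all observed raises an alarm.
BEHAVIOR_RULES: dict[str, set[str]] = {
    "self-propagation": {"read_address_book", "send_email_bulk"},
    "persistence+stealth": {"write_autorun_entry", "hide_own_process"},
}


def scan_by_behavior(p: Program) -> list[str]:
    """Return the names of every rule the program's observed actions satisfy."""
    seen = set(p.actions)
    return [name for name, needed in BEHAVIOR_RULES.items() if needed <= seen]


def run_demo() -> dict:
    # Constructed "pest": the vendor has seen version 1 and shipped a signature.
    original = Program("pest-v1", b"PESTCODE\x00\x01\x02",
                       ["read_address_book", "send_email_bulk"])
    add_signature(original.code, "Pest.A")
    # Constructed version 2: a few bytes differ, behavior is identical.
    variant = Program("pest-v2", b"PESTCODE\x00\x01\x03", list(original.actions))
    # Constructed innocent program: a mail-merge tool legitimately reads an
    # address book and sends many messages.
    mail_merge = Program("mailmerge", b"MAILMERGE\x00",
                         ["read_address_book", "send_email_bulk"])
    return {
        "sig_original": scan_by_signature(original),     # "Pest.A"
        "sig_variant": scan_by_signature(variant),       # None: signature lags
        "beh_original": scan_by_behavior(original),      # ["self-propagation"]
        "beh_variant": scan_by_behavior(variant),        # ["self-propagation"]
        "beh_mailmerge": scan_by_behavior(mail_merge),   # false alarm
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The behavioral rules are deliberately coarse so the false alarm is visible: the only way to stop flagging the mail-merge tool is to add more context to the rule (who launched it, whether the user initiated the send), which is exactly the tuning work that shifts from vendor signature updates to the scanner's own judgment.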
Is there any hope for a long term cure? My personal opinion is that operating systems need to change how they assign permissions. HP Labs has done some fascinating research about this. If you have a technical friend you can point them to my unabashedly technical security newsletter for a discussion of what HP has.