Daniel Wesemann at the Internet Storm Center posted an article about how virus defense technology has to change. He cites an (admittedly not new) example, given by an anti-virus firm, of a malware host which serves a different file to every computer that connects to it. Because anti-virus software requires signatures to flag any file as malicious, adding a detection for such malware may become difficult, since researchers may not be able to know exactly which parts of the file are going to change for every internet user.

The example was meant to demonstrate the need for behavior-based virus defenses, sometimes (wrongly, in my view) called HIPS. This technology is currently being added to most anti-virus programs. Symantec’s Norton has it, Sophos has it, and F-Secure has it as part of its DeepGuard protection. There are also programs coming from smaller companies, such as PrevX and Cyberhawk.
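The contrast between the two paragraphs above can be made concrete. The following is an added illustration, not code from the original post or from any of the vendors mentioned: a constructed "host" hands every client a slightly different copy of the same file, a lab analyst captures one copy and publishes its hash, and the exact-match signature then misses every other client's copy, while a rule written against what the file does when run (a sandbox event log, also constructed here) fires on all of them. The event strings, the Run-key path and the documentation IP address are placeholders chosen for the demo.

```python
"""
Added illustration (not from the original post): why a per-connection
variant defeats exact-match signatures while a behavior rule still fires.
All samples, hashes and event logs below are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Sample:
    """A downloaded file plus the events a sandbox observed when running it."""
    content: bytes
    events: list = field(default_factory=list)


BASE_PAYLOAD = b"DEMO-PAYLOAD: writes a Run key, then beacons out"

# Constructed sandbox observations. The behavior is the same for every
# variant because only the file bytes change, not what the program does.
OBSERVED_EVENTS = [
    "file_write:%APPDATA%\\svc.exe",
    "reg_set:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "net_connect:198.51.100.7:80",  # RFC 5737 documentation address
]


def serve_variant(base: bytes, client_id: int) -> bytes:
    """Stand-in for a host that returns a different file per connection.

    Deterministic on purpose so the demo is reproducible: the payload is the
    same, only a trailing per-client blob differs, which is enough to change
    the hash.
    """
    return base + b"|client=" + str(client_id).encode()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_detect(sample: Sample, known_hashes: set) -> bool:
    """Traditional detection: flag only files whose hash the lab has seen."""
    return sha256(sample.content) in known_hashes


def behavior_detect(sample: Sample) -> bool:
    """Behavior rule: persistence through a Run key AND an outbound connection.

    Requiring both events keeps a plain installer (which writes files but does
    not beacon) from tripping the rule.
    """
    persists = any(e.startswith("reg_set:") and e.endswith("\\Run")
                   for e in sample.events)
    beacons = any(e.startswith("net_connect:") for e in sample.events)
    return persists and beacons


def simulate(n_clients: int = 5) -> dict:
    """The lab captures client 0's copy; clients 1..n each get a fresh variant."""
    lab_copy = Sample(serve_variant(BASE_PAYLOAD, 0), list(OBSERVED_EVENTS))
    known_hashes = {sha256(lab_copy.content)}
    victims = [Sample(serve_variant(BASE_PAYLOAD, i), list(OBSERVED_EVENTS))
               for i in range(1, n_clients + 1)]
    return {
        "signature_hits": sum(signature_detect(s, known_hashes) for s in victims),
        "behavior_hits": sum(behavior_detect(s) for s in victims),
        "total": n_clients,
    }


if __name__ == "__main__":
    print(simulate(5))
```

The two-event rule is deliberately narrower than either event alone: a behavior engine that flagged every outbound connection, or every Run-key write, would fire on ordinary software, which is exactly the usability problem the post raises about stacking too many protections.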

However, they’re not coming to replace traditional anti-virus software; instead, they want to be a complementary protection, pretty much like the new Norton AntiBot, which is a behavior-based protection software with a very clear target. Wesemann also points this out: no matter what we do, some form of virus protection will still be needed. And I do not think the lack of innovation in this area has anything to do with the anti-virus companies’ protection racket. Malware is an ever-changing landscape, and as such, updates will always be required. Even spam filters, which are able to “learn” what is spam by themselves, get tricked by new image and PDF spam tactics.

Besides behavior analysis, there are other promising technologies out there. We have LinkScanner, CWSandbox and Norman Sandbox, which automatically provide basic information and analysis by running malware in a controlled environment. There are also sandboxes that try to protect the user against certain attack vectors, such as GreenBorder’s (recently acquired by Google).

But no one will be able to install all of that and still have a machine they can actually use. As the 20-year-old protection model employed by traditional anti-virus solutions slowly shows more and more of its limitations, such technologies will keep getting more attention. Even so, no one is willing to replace the “old ways” yet, and it will take a while for all this technology to mature and become useful on its own.

The anti-virus is not dead and it will accompany those new technologies as they get better. But unless we completely change the way we think about virus protection, we will always need someone analyzing malicious code to provide some form of signatures. As Wesemann suggests, it’s already possible to do things differently, at least a little, but some still act as if the problem was not there — as if the emperor still had his beautiful clothes on.

Posted Monday, July 23rd, 2007 at 3:19 am
Filed Under Category: Computer Defenses, Viruses