Wednesday, May 26, 2010

New antivirus software looks at behaviors, not signatures



The nature of the virus threat has changed significantly over the last few years. Alongside the "traditional" file-infecting virus, there are now mass-mailers, Internet-aware worms, DDoS (distributed denial-of-service) attacks, backdoor Trojans, zombies, and the blended or hybrid threats that combine several of these attack mechanisms. This evolution has made protecting users and corporate systems more complex, and companies with fewer security resources now need more comprehensive solutions.


The problem is that most computers today rely on antivirus software that blocks malware by checking the code in a file against a database of signatures of known viruses. With thousands of new viruses arriving each day, many of them packed, partially encrypted or otherwise modified so that they no longer match an existing signature, the signature lists require frequent updates, and many new viruses slip through undetected in the window before a signature exists.


"The antivirus companies are flooded with malware to add to signature databases," with 20,000 to 30,000 new unique samples coming out every day, said Roger Thompson, chief research officer at AVG. "It's time to do something different."


What is "Behavioral Analysis?"

Behavioral analysis, or behavior blocking, is not a new idea; some security companies adopted the approach in the early 1990s in response to the sharp rise in the number of viruses that threatened to overwhelm anti-virus researchers. It works from a set of established rules that classify a program's behavior as either legitimate or malicious (a virus, worm or Trojan). If the analyzed code breaks one of the rules for legitimate behavior, or fits a pre-defined profile established as "malicious," the code or application is flagged as a threat.

Whereas traditional signature-based anti-virus scanning examines applications and code for a particular "signature" of a pre-existing strain that anti-virus researchers have already discovered, behavioral analysis monitors what an application or piece of code actually does and attempts to restrict its actions. Examples might include an application trying to write to certain parts of the system registry, or writing to pre-defined folders. These and other actions would be blocked, and the user or administrator notified.

This fairly simple process can be further refined. It is possible, for example, to restrict the access of a single application, allowing Microsoft Internet Explorer only read-only access to limited portions of the system registry while giving other applications unrestricted access. Additionally, the actions of a downloaded application can be restricted on the local system, and the application can be run in a protective "sandbox" to limit the damage it can do. The activity performed by the application is checked against a set of rules in this environment, and depending on the policy set, an action might be considered a violation of the policy, in which case it would be blocked.
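To make the rule-based approach described above concrete, here is a small behavior-blocking policy engine. It is an added example written for this post, not code from AVG or any product mentioned here; the rule names, the sample process names (iexplore.exe, msiexec.exe, photo.scr, setup.exe), the observed actions and the "malicious profiles" are all constructed for illustration. The engine walks a constructed log of observed actions, applies an ordered list of allow/block/flag rules (first match wins, with per-process rules such as the Internet Explorer read-only registry restriction), and only reports a process as malicious when its flagged behaviors together match a profile, so that a single suspicious action, like an installer adding a Run key, does not by itself raise an alarm.

```python
"""Toy behavior-blocking policy engine (added example, not the product in
the post).  A policy is an ordered list of rules; the first rule whose
process, operation and target globs match an observed action decides it:
"allow", "block", or "flag".  Flagged actions are allowed but tag the
process; a process whose tags cover a malicious profile is reported.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import fnmatch


@dataclass(frozen=True)
class Action:
    """One observed action, as a behavior monitor would report it."""
    process: str   # image name of the acting process
    op: str        # reg_read, reg_write, file_write, net_connect, net_listen
    target: str    # registry key, file path, or host:port


@dataclass(frozen=True)
class Rule:
    name: str
    op: str
    target_glob: str
    decision: str                # "allow", "block" or "flag"
    process_glob: str = "*"      # restrict the rule to matching processes
    tag: Optional[str] = None    # behavior tag recorded when decision is "flag"

    def matches(self, a: Action) -> bool:
        # fnmatch globs: "*" spans path separators, so one pattern covers the
        # HKLM and HKCU copies of a key.  Windows paths and registry keys are
        # case-insensitive, so both sides are lowercased before matching.
        return (a.op == self.op
                and fnmatch.fnmatchcase(a.process.lower(), self.process_glob.lower())
                and fnmatch.fnmatchcase(a.target.lower(), self.target_glob.lower()))


# Hypothetical policy.  Order matters: the per-process allow for the
# installer must precede the general System32 block.
RULES = [
    Rule("ie-registry-readonly", "reg_write", "*", "block", process_glob="iexplore.exe"),
    Rule("installer-may-write-system32", "file_write", r"c:\windows\system32\*", "allow",
         process_glob="msiexec.exe"),
    Rule("protect-system32", "file_write", r"c:\windows\system32\*", "block"),
    Rule("run-key-persistence", "reg_write", r"*\currentversion\run\*", "flag", tag="persistence"),
    Rule("startup-folder-persistence", "file_write", r"*\start menu\programs\startup\*", "flag",
         tag="persistence"),
    Rule("direct-smtp", "net_connect", "*:25", "flag", tag="smtp"),
    Rule("listening-socket", "net_listen", "*", "flag", tag="listen"),
]

# A process is reported only when its flagged behaviors cover a whole profile.
PROFILES = {
    "mass-mailer": frozenset({"persistence", "smtp"}),
    "backdoor": frozenset({"persistence", "listen"}),
}


def evaluate(rules, profiles, actions):
    """Return (decisions, malicious): one (action, decision, rule name) triple
    per action, and {process: profile name} for every process whose
    accumulated tags cover a malicious profile."""
    decisions = []
    tags = defaultdict(set)
    for a in actions:
        rule = next((r for r in rules if r.matches(a)), None)
        decision = rule.decision if rule else "allow"   # default-allow policy
        if rule and rule.decision == "flag" and rule.tag:
            tags[a.process].add(rule.tag)
        decisions.append((a, decision, rule.name if rule else "default-allow"))
    malicious = {}
    for proc, seen in tags.items():
        for name, profile in profiles.items():
            if profile <= seen:
                malicious[proc] = name
    return decisions, malicious


# Constructed sample log: one benign browser read, one blocked browser write,
# a legitimate installer, a screensaver that drops into System32, persists and
# talks SMTP, and an installer that only persists.
SAMPLE_ACTIONS = [
    Action("iexplore.exe", "reg_read", r"HKLM\Software\Microsoft\Internet Explorer\Main"),
    Action("iexplore.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Action("msiexec.exe", "file_write", r"C:\Windows\System32\vendor.dll"),
    Action("photo.scr", "file_write", r"C:\Windows\System32\wsock.dll"),
    Action("photo.scr", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\photo"),
    Action("photo.scr", "net_connect", "mail.example.com:25"),
    Action("setup.exe", "reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\helper"),
]

if __name__ == "__main__":
    decisions, malicious = evaluate(RULES, PROFILES, SAMPLE_ACTIONS)
    for a, d, r in decisions:
        print(f"{d:5}  {a.process:13} {a.op:12} {a.target}  [{r}]")
    print("malicious:", malicious)
```

Running it blocks the browser's registry write and the screensaver's System32 drop outright, flags the three persistence and SMTP actions, and reports only photo.scr as a mass-mailer; setup.exe, which merely added a Run key, is left alone. That last point is the practical lever against false alarms: tune what counts as a profile, not just how many individual rules fire.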

In conclusion, which method is the best? Each has its pros and cons, so the best solution is to combine them: use an antivirus product that supports signature scanning, heuristics and behavioral analysis together. But remember not to set the heuristic and behavioral detection too sensitive, to avoid false alarms. Let's fight the viruses.
