Anti-virus—The Old-Fashioned Way Is Still Best

A PC Magazine review looks at unconventional anti-virus products. In the long term, the operating system should take on some of these functions. In the very long term, we may find the holy grail of affordable heuristic protection.

Many people have told me that the conventional approach to anti-virus protection is a hoax, or at least suboptimal. The answer, obvious to some people, is that protection should be generic to attack techniques, not specific to particular attacks. Its a great dream to have, and theres little arguing against it. We all know that when a new attack comes out, theres a window of time during which you have no available protection, no matter how conscientious you are about applying updates. Theres a window before that when nobody may even know about the attack.

There are two approaches to doing it the "right way," and I tested several products employing them for PC Magazine in their just-released Utilities guide. I get the impression that one day it will be practical for ordinary users to rely on non-signature-based scanning techniques, but were not there yet. This isnt to say that the products werent worthwhile, or at least some of them.

In fact, both approaches have some good products. The first, heuristics, is where a scanner does not look for specific patterns of bytes as a signature of a specific attack, as does a conventional antivirus scanner. Instead it analyzes the actual program code to look for behavior typical of attacks generally. The second approach is reactive: It uses a system monitor that looks for behavior, such as modifications of system files, that would be representative of attacks, and stops it in real time.

In the very long term, it seems to me that the second approach should be the function of the operating system. In fact, in some ways it already is and all modern operating systems do attempt it. Products such as Finjan SurfinGuard and OSSurance 3.0 go much further than the protection inherent in the operating system. They regard behaviors such as setting a program to run at startup as inherently suspicious. Its not clear how far in this direction the operating system can go out of concern for usability, but users who are interested in locking down PCs at the expense of usability should consider this approach.

Both the products I looked at had problems, and both have made improvements. A new version of SurfinGuard supposedly checks ZIP files. The bug I reported in OSSurance has purportedly been fixed. The company also tells me that they current Version 3.3 has several other advances: Theres no more need to mess with the Windows Recovery Console as part of the installation; the program can interact with the user better in context without the need for the OSMon program, the one that crashed repeatedly in my testing; and the program now comes with a Task Manager-style program for killing running processes that displays full path names for the processes. (Now, theres a good example of something Windows should do!) OSSurance also tells me that I neglected to mention their ability to watch for and block buffer overflow attempts.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. Lots of companies pay lip service to heuristics, but the fundamental truth of them today is that they cannot function acceptably on a desktop computer in the background the way a conventional signature-based anti-virus program does. Weve always found this in the past when weve tested and things were no different this time.

To really do heuristics, you need to throw a data center at the problem, much like MessageLabs does. Even our GFI MailSecurity scanner, as well as it did, probably did so by casting too wide a net. Doing a really fine analysis of the code is a time-computing trade-off, and a mass-market server wont be able to do a lot of it in an acceptable amount of time.

As I say in the review, a lot of people think the anti-virus business is a vast conspiracy to keep good solutions away from us, but I think solutions like MessageLabs are just more evidence of how hard it is to do real heuristics. One day when we have 8-terahertz Pentium 11 processors with 128ZB RAM (thats 128 zillion bytes) on the average desktop, there may be enough spare CPU to do effective heuristic scanning of new code, but who knows what load the real applications will be doing then? Were stuck with signatures for a while I think.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page More from Larry Seltzer