IT has trouble keeping up

By Paul F. Roberts  |  Posted 2005-10-17

It is no news to enterprise IT managers that anti-virus technologies are having trouble keeping up with the flood of new threats.

"The way I look at it, anti-virus is mainly a scanning and removal tool," said Praneeth Machettira, online technology director at the Office of Technology Management at Suffolk University Business School, in Boston.

Suffolk uses Symantec's corporate anti-virus products, but that didn't stop a recent variant of the Sobig worm from infecting about 50 machines on the school's network after an unpatched Windows server with access to the Internet was infected.

The machines were not patched because Suffolk was doing maintenance on them, and Symantec's anti-virus product didn't stop the worm, even though Suffolk had a signature that could detect the worm within 5 hours of its appearance, Machettira said. "You could blame it on bad timing, but that's life," he said.

The new threats don't make anti-virus technology irrelevant, but they do change its role within enterprises, said Hogan of Symantec.

If anti-virus software isn't a reliable frontline defense against malicious code, it still has value, said John Pescatore, an analyst at Gartner Inc., of Stamford, Conn. "Signatures are always the most efficient way to block [threats] with the least false alarms and number of compute cycles required," Pescatore said.

Signature-based detection is still valuable for protecting e-mail and for detection at the network perimeter, but its value on the desktop is primarily for cleanup, said Pescatore. "It's a technology that's necessary but not sufficient," he said.

The accuracy that signature-based detection offers is also important for companies to be able to show compliance with data privacy regulations. However, anti-virus scanning technology will need to be joined with other data culled from vulnerability scans and threat analysis, said Ken Dunham, director of malicious code at iDefense Inc., of Reston, Va.

Many anti-virus companies have added or are planning to add technology to their core anti-virus software to boost detection capabilities.

Most major anti-virus vendors have long since added anti-spam detection capabilities to their products.

Anti-virus giants McAfee and Symantec have both added, or are adding, behavioral-based detection to their offerings. In August 2004, McAfee added components from its Entercept IPS (intrusion prevention system) technology that can spot buffer overflow attacks to VirusScan Enterprise Version 8.0.

Symantec recently acquired WholeSecurity Inc. and plans to use the company's behavioral detection technology to update both its Norton Internet Security desktop products and its enterprise product line, said Mark Obrecht, vice president of research at WholeSecurity, based in Austin, Texas.

Kaspersky Lab will have about 15 or 20 detection technologies bundled with the next version of its security suite early next year, Kaspersky said.

Those features include a script checker to detect malicious code running on Web pages; a behavior blocker; and integrated firewall, anti-phishing and anti-rootkit technologies.

The upgrade will be about 50 percent more complicated than the current product, Kaspersky said.

Sophos doesn't plan to add behavioral technology, which it feels is too prone to falsely detecting legitimate activity as malicious, said Graham Cluley, a senior technology consultant. However, the Abingdon, England, company is adding a client firewall to its standard desktop client within the next year to provide better defenses against malicious code that can otherwise sneak onto the desktops of mobile employees, said Cluley.

The blossoming of new features may be a sign that the desktop protection market is finally maturing, said Gartner's Pescatore. "Instead of anti-virus for this, personal firewall for that, and waiting for desktop protection, you have one product that can block all the threats using different methods," he said.

At Suffolk, IT administrators are deploying behavioral-based detection technology from Sana Security Inc. to supplement Symantec's anti-virus technology and other security systems, Machettira said.

In the end, though, even layered detection technologies can't stop users who are bound and determined to open malicious e-mail attachments, visit nefarious Web sites or click on suspicious URLs, he said.
