Is AntiVirus Technology Headed For Obsolescence?

By Larry Seltzer  |  Posted 2003-06-26 Print this article Print

How many viruses can they really scan for efficiently? Is there a limit? Alternative detection methods leave much to be desired.

Many years ago in the course of testing antivirus software for PC Magazine, one of the vendors I spoke to said that their long-term radar indicated that conventional antivirus pattern scanning techniques were headed for a technological wall. The number of viruses that the product searched for was projected to grow by a third in the next year. Within a few years, scanning would simply take too long.

Other experienced antivirus pros tell me they have heard this sort of thing before, and quite a long time ago. Back in the early days, 500 viruses was supposed to be the practical limit, then 1000, and so on. Do these projections belong with others predicting IP address shortages and nuclear meltdowns on 1/1/2000? The answer is a definite "probably."

The argument against pattern-based scanning in the long term is an argument for heuristic scanning. Almost all antivirus scanning checks the contents of files and other content against a list of patterns, or definitions, supplied and kept up to date by the vendor. The technique involves simply comparing the contents, which can be done in any number of ways. Without getting into a dissertation comparing pattern-matching algorithms, suffice it to say that we know how to do this with absolute precision, and the only question is how to do it the fastest and least resource-intensive way.

Heuristics, on the other hand, attempt to do things that we dont all necessarily agree how to do. The idea of heuristic scanning is to look at a section of code and determine what it is doing, then to decide whether the behavior exhibited by the code is viral or otherwise malicious. This is not an easy decision to make. It involves modeling the behavior of code and comparing that abstract model to a rule set. This has to take more time and be more resource-intensive than pattern matching. Of course, the advantage of heuristics, at least of a theoretical efficient and accurate heuristic scanner, is that it can detect viruses that havent been written yet, and the problem of distribution of definitions goes away.

If youre a vendor selling that theoretical efficient and accurate heuristic scanner, please send it to me for a review. I havent seen one in action yet. In fact, Im skeptical of heuristic scanning partly because its next to impossible to test heuristic scanners in commercial antivirus products. Currently, you cant tell an antivirus product to scan only with heuristics — so you can only test them effectively if youre the vendor with access to the source code. Even then, you only have access to one product. I suspect nobody has ever done an effective comparison of heuristic scanning engines.

Continued on Next Page

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel