Malware Detection Goes Hybrid

By Larry Seltzer  |  Posted 2008-11-07

Wouldn't it be great if we could have a simple solution to the malware problem? It's easier, for now, to implement complicated ones. Symantec shows the way.

What do we do about malware? The long-term solution, at least for managed networks such as enterprises, may be whitelisting. But in the meantime, we're still drowning in new variants every day. In the 2009 generation of its products, Symantec is trying a new approach: file reputation. It's a little early to tell if it works well enough, but it seems to have potential.

The classic methods of malware scanning are generally agreed to be unsustainable. It's not feasible for anti-malware companies to have a signature for every new variant, and yet we should expect the products to work even the first time a file appears on a customer's system. For this reason heuristics are employed, but they have limits.

There is the behavior-blocking kind, where an IPS (intrusion prevention system) looks for potentially malicious behavior of running software and blocks it; this means that the malware is already running on the system, and even if your IPS blocks it, you have to be suspicious of what happened before that. Plus, IPSes have some potential for false positives.

True heuristics, where the file is scanned for potentially malicious characteristics before loading, are even more susceptible to false positives. There's a role for such analysis, but attempts to build heuristic products entirely without malware have been failures.

The Norton 2009 products use all of these techniques and more. The company has added a form of whitelisting: in addition to signatures of bad files, it has signatures of good files, ones known to be good and therefore not in need of scanning for malware. The average Windows system has quite a few of these, including Windows system files and files from well-known and trusted applications such as Office. These files don't need to be scanned for malware, but they do need to be verified (Symantec uses an SHA256 hash) as being the files in the whitelist, rather than something else carrying the same name.
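An added example, not code from the article or from Symantec's product, of the hash-keyed whitelist check the paragraph describes. The whitelist is looked up by SHA-256 of the file contents, not by filename, so a patched file that keeps a trusted name falls through to the normal scan path. File names and contents are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for a Windows system file and a trusted Office binary.
# These are placeholders, not the real file contents.
KNOWN_GOOD_FILES = {
    "kernel32.dll": b"MZ\x90\x00 constructed kernel32 stand-in",
    "winword.exe": b"MZ\x90\x00 constructed winword stand-in",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Whitelist keyed by hash, not by name: a file is "known good" only if its bytes
# hash to a listed value, so a renamed or modified copy does not qualify.
WHITELIST = {sha256_hex(b): name for name, b in KNOWN_GOOD_FILES.items()}

# Classic signature list of known-bad hashes (constructed sample).
KNOWN_BAD = {sha256_hex(b"constructed sample of a known malware variant")}


def triage(data):
    """First pass of a hybrid scanner: decide by hash whether a full scan is needed.

    Returns 'known_good' (skip scanning), 'known_bad' (block), or 'scan'
    (unknown file: fall through to signatures and heuristics).
    """
    h = sha256_hex(data)
    if h in WHITELIST:
        return "known_good"
    if h in KNOWN_BAD:
        return "known_bad"
    return "scan"


def triage_system(files):
    """Apply triage to a {name: bytes} mapping and return {name: verdict}."""
    return {name: triage(data) for name, data in files.items()}


if __name__ == "__main__":
    system = {
        "kernel32.dll": KNOWN_GOOD_FILES["kernel32.dll"],           # genuine copy
        "winword.exe": KNOWN_GOOD_FILES["winword.exe"] + b"\x00p",  # tampered, same name
        "invoice.exe": b"never seen before",                        # unknown file
        "dropper.exe": b"constructed sample of a known malware variant",
    }
    for name, verdict in triage_system(system).items():
        print(f"{name:14} {verdict}")
```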

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
