Wouldn't it be great if we could have a simple solution to the malware problem? It's easier, for now, to implement complicated ones. Symantec shows the way.
What do we do about malware? The long-term solution, at least for managed
networks such as enterprises, may
. But in the meantime, we're still drowning in new variants
every day. In the 2009 generation of its products, Symantec is trying a new
approach: file reputation. It's a little early to tell if it works well enough,
but it seems to have potential.
The classic methods of malware scanning are generally agreed to be
unsustainable. It's not feasible for anti-malware companies to have a signature
for every new variant, and yet we should expect the products to work even the
first time a file appears on a customer's system. For this reason heuristics
are employed, but they have limits.
There is the behavior-blocking kind, where an IPS
(intrusion prevention system) watches running software for potentially
malicious behavior and blocks it. This means the malware is already running
on the system, and even if the IPS blocks it you have to be suspicious of
whatever it did before that point. IPSes also carry some potential for false
positives.
True heuristics, where the file is scanned for potentially malicious
characteristics before it is loaded, are even more susceptible to false positives.
There's a role for such analysis, but attempts to build heuristic products
entirely without malware signatures have been failures.
The Norton 2009 products use all of these techniques and more. The company
has added a form of whitelisting: in addition to signatures of bad files, they
have signatures of good files, ones known to be clean and therefore in no need
of a malware scan. The average Windows system has quite a few of these,
including Windows system files and files from well-known and trusted
applications such as Office. These files don't need to be scanned for malware,
but they do need to be verified (Symantec uses a SHA-256 hash) as actually being
the files on the white list, not merely files with the same names.
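The check described above, as an added example that is not Symantec's code: a file is skipped by the scanner only if the SHA-256 of its contents matches an entry on a list of digests of vetted files. The file names, the sample contents and the `classify`/`build_allowlist` helper names are assumptions made for the illustration; the scenario builds its own files in a temporary directory so it runs offline.

```python
"""Hash-based allowlist check: a file counts as 'known good' only if the
SHA-256 of its bytes is on the list. Added example, not Symantec's code."""
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1 << 20  # stream 1 MiB at a time so large binaries are not read whole


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(known_good_paths):
    """Set of digests for files already vetted as clean (the 'good signatures')."""
    return {sha256_file(p) for p in known_good_paths}


def classify(path: str, allowlist: set) -> str:
    """'trusted' means skip the malware scan; 'scan' means run the full engine.
    The decision is keyed on the full digest of the content only; the file
    name plays no part, so a renamed copy is still trusted and a file that
    merely borrows a trusted name is not."""
    return "trusted" if sha256_file(path) in allowlist else "scan"


def demo() -> dict:
    """Constructed scenario: one vetted binary, a renamed copy, a tampered copy."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "notepad.exe")  # hypothetical vetted file
        with open(good, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed known-good binary")

        allowlist = build_allowlist([good])

        # Same bytes under a different name: still trusted (content-keyed).
        renamed = os.path.join(d, "helper.dll")
        shutil.copyfile(good, renamed)

        # One flipped byte: the digest changes and the file must be scanned.
        tampered = os.path.join(d, "notepad_patched.exe")
        with open(good, "rb") as f:
            data = bytearray(f.read())
        data[-1] ^= 0x01
        with open(tampered, "wb") as f:
            f.write(data)

        results["good"] = classify(good, allowlist)
        results["renamed"] = classify(renamed, allowlist)
        results["tampered"] = classify(tampered, allowlist)
    return results


if __name__ == "__main__":
    print(demo())  # {'good': 'trusted', 'renamed': 'trusted', 'tampered': 'scan'}
```

Two points a practitioner would watch for: compare the whole digest, never a prefix or the file name, and hash the bytes that will actually be loaded rather than a copy checked earlier, since a file can change between the check and the load. The match also says only that the bytes are a vetted file; a trusted program exploited at runtime is still a threat, which is why the behavior-blocking layer remains alongside the whitelist.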