Malware Detection Goes Hybrid

Wouldn't it be great if we could have a simple solution to the malware problem? It's easier, for now, to implement complicated ones. Symantec shows the way.

What do we do about malware? The long-term solution, at least for managed networks such as enterprises, may be whitelisting. But in the meantime, we're still drowning in new variants every day. In the 2009 generation of its products, Symantec is trying a new approach: file reputation. It's a little early to tell if it works well enough, but it seems to have potential.

The classic methods of malware scanning are generally agreed to be unsustainable. It's not feasible for anti-malware companies to have a signature for every new variant, and yet we should expect the products to work even the first time a file appears on a customer's system. For this reason heuristics are employed, but they have limits.


There is the behavior-blocking kind, where an IPS (intrusion prevention system) watches running software for potentially malicious behavior and blocks it. By that point the malware is already running on the system, and even if the IPS blocks it, you have to be suspicious of whatever happened before the block. IPSes also carry some potential for false positives.

True heuristics, where the file is scanned for potentially malicious characteristics before loading, are even more susceptible to false positives. There's a role for such analysis, but attempts to build heuristic products entirely without malware have been failures.

The Norton 2009 products use all of these techniques and more. The company has added a form of whitelisting: in addition to signatures of bad files, it keeps signatures of good files, ones known to be good and therefore not in need of a malware scan. The average Windows system has quite a few of these, including Windows system files and files from well-known and trusted applications such as Office. Such files are skipped by the scanner, but first they have to be verified (Symantec uses a SHA-256 hash) as actually being the files on the white list, not merely files with the same names.
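To make the verification step concrete, here is an added example (not Symantec's code) of hash-based whitelist triage: a file is skipped only if its SHA-256 digest is on the known-good list, so a tampered copy carrying a trusted file's name still goes to the scanner. The file names, contents and the `known_good` map are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(paths, known_good):
    """Split files into those the whitelist vouches for and those still needing a scan.

    The decision keys on content hash alone; name and location are ignored, so a
    modified copy of a whitelisted file falls through to the scanner."""
    skip, scan = [], []
    for p in paths:
        digest = sha256_of_file(p)
        (skip if digest in known_good else scan).append((os.path.basename(p), digest))
    return skip, scan


def build_demo():
    """Create a temp dir with a trusted file, a tampered copy and an unknown file (all constructed)."""
    d = tempfile.mkdtemp()
    good = b"MZ" + b"\x00" * 62 + b"constructed sample of a trusted binary"
    samples = {
        "trusted.exe": good,
        "trusted_tampered.exe": good + b"\x90",  # trusted name, one byte appended
        "unknown.exe": b"MZ" + b"constructed sample of an unknown binary",
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    # Hypothetical whitelist: digest -> label; only the untouched trusted file is listed.
    known_good = {hashlib.sha256(good).hexdigest(): "trusted.exe (constructed)"}
    return paths, known_good


if __name__ == "__main__":
    paths, known_good = build_demo()
    skip, scan = triage(paths, known_good)
    print("skip (whitelisted):", [n for n, _ in skip])
    print("scan:", [n for n, _ in scan])
```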