Signature Scanning: I'm Not Dead Yet

Opinion: Signature-based scanning may not be exciting, but it's a fundamental and useful part of computer security.

There's no question that conventional anti-virus protection has become boring, as well it should be. There should be nothing exciting about it. But I think it goes over the top to say that it's "dead." "Commoditized" might be a better word.

Let's recall the arguments for why anti-virus protection is now inadequate. The main one is that it can only detect known attacks, those for which it has a pattern or signature in place. This isn't completely true; good AV products do detect some generic attacks based on suspicious structures in files, and these are detections that happen in the real world.
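As an added illustration (not code from the article or from any anti-virus product), the sketch below separates the three static detections this paragraph distinguishes: an exact signature, a family pattern that still matches a changed variant, and a generic check on file structure. The signature names, sample bytes and the `scan` function are all constructed for this example.

```python
import hashlib
import re

# Constructed, harmless bytes standing in for a file the vendor has already analysed.
KNOWN_SAMPLE = b"MZ\x90\x00HEADER" + b"EXAMPLE-WORM-BODY-v1" + b"\x00" * 8

# Exact signatures: SHA-256 of whole files seen before (hypothetical names).
HASH_SIGS = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Example.Worm.A"}

# Pattern signatures: byte sequences shared by a family; "." matches any one byte.
PATTERN_SIGS = [
    (re.compile(rb"EXAMPLE-WORM-BODY-v.", re.DOTALL), "Example.Worm.gen"),
]

# Extensions that should never carry a Windows executable header.
DOC_EXTENSIONS = (".doc", ".xls", ".jpg", ".txt")


def scan(filename, data):
    """Return a detection name, or None when no signature or rule matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGS:                      # known file, byte for byte
        return HASH_SIGS[digest]
    for pattern, name in PATTERN_SIGS:           # known family, altered file
        if pattern.search(data):
            return name
    # Generic structural check: executable content under a document extension.
    if filename.lower().endswith(DOC_EXTENSIONS) and data.startswith(b"MZ"):
        return "Generic.MismatchedType"
    return None                                  # unknown: static scan has no opinion


if __name__ == "__main__":
    variant = KNOWN_SAMPLE.replace(b"-v1", b"-v2") + b"padding"
    samples = [
        ("worm.exe", KNOWN_SAMPLE),              # exact match
        ("worm2.exe", variant),                  # hash differs, pattern still hits
        ("invoice.doc", b"MZ\x90\x00new code"),  # no signature, suspicious structure
        ("tool.exe", b"MZ\x90\x00new code"),     # nothing static to match
    ]
    for name, data in samples:
        print(name, "->", scan(name, data))
```

The last sample returns `None`: a file with no matching signature and no structural anomaly passes a static scan, which is the gap the behavior-monitoring products discussed next are meant to cover.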

But the main point about the need to detect unknown threats is a valid one and has been the marketing thrust of a variety of security products for years. These products are generally in the category of what is known as HIPS (Host Intrusion Prevention Systems). They monitor behavior in the system and look for actions by programs that are considered to be dangerous.

These products, as I say, have been around for many years. One of the older ones, and one that has tested relatively well to my knowledge, is the Proventia line from ISS. And it's not just stand-alone HIPS products that attempt to do this. HIPS techniques, also known as "behavior blocking," have been a staple of the live protection portion of anti-spyware products for years.

There is another static approach that products can take, namely to scan files heuristically for threats; this means modeling the behavior of a program based on live analysis of the code in it. Nowadays this would have to include modeling the behavior of programs when loading specific data files as well. Some vendors have also attempted to use VM technology to run programs speculatively before running them for real.

Over the years, and especially with Windows Vista, the operating system has taken on more of the security burden as well. Techniques like Address Space Layout Randomization and kernel patch protection should make it much harder for malicious programs to do their dirty work.

All of the better anti-virus products on the market have had HIPS capabilities of some kind for years. I believe it was three years ago that Symantec added generic worm protection to the Norton line of products. And it makes sense for the customer that all of this be in one program that can be managed in one place.

But just because the old threats seem mundane doesn't mean they have gone away. Sophos' Top 10 list is a perpetual oldies list of threats that made headlines years ago. My own scanners still register hits for these attacks regularly. Just today Sophos reported on a new variant of Bagle, a worm that hasn't generated much fear in a couple of years.

And for the threats that signature-based scanning is capable of detecting, it's the best way to detect them: Imagine you download a Trojan horse program with some spyware in it. Would you rather find out as it's coming into the computer or as you're running it? I'd rather find out earlier. Signature scanning keeps them out of my system and, in fact, off of my network because I scan at the perimeter. And these are redundant protections; you can have signature scanning and behavior blocking.

Signature scanning has another benefit that is underappreciated these days. Consider the recent rash of new Microsoft Word vulnerabilities. Threats such as these typically affect a very small number of users when they are detected. At that point the details of the exploits are shared with the anti-virus community, which can start scanning for them long before Microsoft issues the fix that prevents the exploit.

Anti-virus is better set up for this sort of quick reaction than is application patching. Patches to complex apps like Microsoft Word have to be tested extensively, lest they cause collateral damage to innocent users. But the worst thing to happen with anti-virus is a false positive on scanning certain files, which is rare and can be dealt with.

And even today there are far too many users not running anti-virus. Even if these users had capable HIPS protection they would still get into trouble, especially since they would likely find the products intrusive. Genuine anti-virus may be boring, but if everyone had it and used it properly, the threats it doesn't handle would be heavily marginalized.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at