Is AntiVirus Technology Headed For Obsolescence?

How many viruses can they really scan for efficiently? Is there a limit? Alternative detection methods leave much to be desired.

Many years ago in the course of testing antivirus software for PC Magazine, one of the vendors I spoke to said that their long-term radar indicated that conventional antivirus pattern scanning techniques were headed for a technological wall. The number of viruses that the product searched for was projected to grow by a third in the next year. Within a few years, scanning would simply take too long.

Other experienced antivirus pros tell me they have heard this sort of thing before, and quite a long time ago. Back in the early days, 500 viruses was supposed to be the practical limit, then 1000, and so on. Do these projections belong with others predicting IP address shortages and nuclear meltdowns on 1/1/2000? The answer is a definite "probably."

The argument against pattern-based scanning in the long term is an argument for heuristic scanning. Almost all antivirus scanning checks the contents of files and other content against a list of patterns, or definitions, supplied and kept up to date by the vendor. The technique involves simply comparing the contents, which can be done in any number of ways. Without getting into a dissertation comparing pattern-matching algorithms, suffice it to say that we know how to do this with absolute precision, and the only question is how to do it the fastest and least resource-intensive way.

Heuristics, on the other hand, attempt to do things that we dont all necessarily agree how to do. The idea of heuristic scanning is to look at a section of code and determine what it is doing, then to decide whether the behavior exhibited by the code is viral or otherwise malicious. This is not an easy decision to make. It involves modeling the behavior of code and comparing that abstract model to a rule set. This has to take more time and be more resource-intensive than pattern matching. Of course, the advantage of heuristics, at least of a theoretical efficient and accurate heuristic scanner, is that it can detect viruses that havent been written yet, and the problem of distribution of definitions goes away.

If youre a vendor selling that theoretical efficient and accurate heuristic scanner, please send it to me for a review. I havent seen one in action yet. In fact, Im skeptical of heuristic scanning partly because its next to impossible to test heuristic scanners in commercial antivirus products. Currently, you cant tell an antivirus product to scan only with heuristics — so you can only test them effectively if youre the vendor with access to the source code. Even then, you only have access to one product. I suspect nobody has ever done an effective comparison of heuristic scanning engines.

Continued on Next Page