New Anti-Virus Apps Fight Worms

Security vendors are introducing capabilities that up the ante for traditional anti-virus applications to help catch more viruses and rein in emerging threats, including memory-resident worms such as SQL Slammer and Code Red.

Network Associates Inc.'s McAfee Security division and Computer Associates International Inc. this week will roll out their latest enterprise-class virus protection products, both of which have undergone significant overhauls. McAfee Security in particular has made several improvements to its VirusScan Enterprise 7.0, including the addition of a unique "worm-killing" feature.

The worm protection capability is something that the company's executives had been considering for some time but didn't think necessary until recently.

"It had been on our radar, but previous to [Code Red and Slammer], no one had thought of using this [attack] technique and not writing anything to disk," said Tim Smithson, solutions manager for McAfee Security, based in Santa Clara, Calif. "But once these worms came about, you'd traditionally have to get a utility to clean your machine up. And that can take a lot of time."

The new technology is deceptively simple. During normal on-demand virus scans, the software actively scans all processes running in memory and identifies any malicious processes. It then isolates and kills those processes without disrupting the operation of the rest of the machine.

Typically, this action cannot be done in Windows Task Manager because the worm is often dependent on one or more subprocesses that might not be listed in the menu of active processes. In addition, because worms do not arrive in an e-mail with an easily identifiable malicious payload attached, traditional anti-virus techniques such as pattern matching and heuristics offer little protection.

VirusScan Enterprise 7.0 also adds the ability to automatically reconnect users to a server if they lose their connections while downloading an update or a new signature file. The application resumes where it left off, eliminating the need to restart the update.

For its part, CA has added two major features to Version 7 of its eTrust Antivirus. After years of maintaining separate code bases and separate lives for its two anti-virus products, InoculateIT and Vet, CA decided to combine them in this release as a way to offer increased protection against viruses that might slip past a single engine.

Even the most accurate and up-to-date anti-virus software tends to miss as much as 3 percent of viruses on a given machine, according to statistics from Meta Group Inc., of Stamford, Conn.

"We found that some of our more paranoid customers were still paying for other products to beef up their [anti-virus protection]," said Ian Hameroff, eTrust security strategist at CA, based in Islandia, N.Y.

The company has included a new technology called Roam About, which dynamically configures the software to deliver updates and signatures through the fastest available server. This can be especially important for users with laptops and PDAs, which often have slow connections.

"We've tested it in our lab, and a lot of doctors have PDAs, so they want it, but we haven't pushed it out yet," Chuck Slenker, systems engineer at Hartford Hospital, in Hartford, Conn., said of the Roam About capability. "It looks promising. I really like the ease of use and the Web [user interface] in this release, too."
