The trouble with anti-virus

Analysis Traditional techniques aimed at stemming the flood of viruses and worms are failing to keep pace with the rise in malicious code.

Users have known this for years - at least intuitively. Even vendors admit - at least privately - that there's an issue. Now, for the first time, there's research to back up this gut instinct.

The research, carried out at Hewlett-Packard's research labs in Bristol, analysed the effectiveness of the signature update approach to virus detection and elimination against a computer model designed to mimic viral spread. The model showed that the signature update approach is fundamentally flawed, simply because worms can spread faster than anti-virus signature updates can be distributed.

Even if AV vendors produce an antidote to a virus as soon as it appears, the model breaks down because of the time it takes deliver a fix to desktops. Within this "window of vulnerability" a worm can take hold, HP researcher Matthew Williamson concludes.

Williamson's research (explained in more detail in this week's New Scientist) is due to be presented at AV industry's annual showpiece conference, Virus Bulletin, in Toronto later this month.

Immunity is illusory

For real-life validation of HP's research we need look further than the rapid spread of the Sobig-F and Blaster worms last month - to say nothing of the prolific Slammer worm earlier this year.

The value in HP's research lies in showing that people can get infected with fast-spreading viruses even when they regularly update signature-based anti-virus detection tools.

In fairness to AV vendors, they do say their software is only one part of a comprehensive security policy which (these days) should include filtering email at the enterprise gateway and keeping patches up to date.

But that's only part of the answer because such an approach still leaves home users exposed to fast-spreading worms. If a substantial minority of them get infected, the Internet gets swamped with useless traffic or flooded with viral email. And this viral email is a nuisance even for people using systems (Linux, Apple, OS/2 and Unix) immune to the original viral infection.

Who cares about improving product - when the share price is soaring?
So there's a problem - but one that the mainstream AV industry has no financial incentive to solve. Quite the opposite, in fact. The worse things become the rosier the financial future looks for AV vendors, at least in the short term.

A survey by market analysts IDC out this week predicts that anti-virus software market will grow from $2.2 billion last year to $4.4 billion in 2007.

IDC believes "increasing consumer knowledge regarding attacks" (read publicity regarding the Blaster, Nachi and Sobig worms) and the rise in monthly subscription renewals for virus protection are driving growth in the market.

AV gravy train heading for derailment?
But buried in IDC's report there's a sting in the tail for AV vendors.

The analyst notes that many organisations are adopting a "layered security" approach that combines technologies such as desktop anti-virus, server and gateway anti-virus, content filtering, and proactive techniques such as behaviour analysis and heuristics to combat viruses.

"IDC believes traditional signature-based anti-virus technologies and behaviour-based analysis technologies will increasingly be used together, allowing for a greater degree of accuracy in detecting known and unknown threats," it reports.

Change control

AV vendors are very good at bashing behaviour-blocking technologies, saying they generate false positives or are hard to implement, but they should be concerned. Behaviour-blocking technologies are being repositioned as intrusion prevention systems and have been backed by major players like Cisco and a raft of smaller start-ups.

Intrusion prevention vendors have learnt the lesson from user criticism about false positives from intrusion detection systems. And, unlike AV tools, intrusion prevention technology has the potential of blocking zero-day exploits.

The AV industry is profoundly conservative, which has suited it well in the past. But if major players don't alter their posture they could find their products relegated to disinfection tools with intrusion prevention technologies and managed services that scan email for infectious content occupying the front line against malicious code.

Firms, like Avecho, looking to develop alternatives to traditional scanning technology, are highly critical of traditional AV vendors.

Nick Scales, chief executive of Avecho, says: "Current AV does not protect against new items or worm/Trojans such as SQL Slammer or Blaster. They fundamentally are not designed to do this."

The company, which also runs the managed email services Avecho.com, has developed a technology called GlassWall that protects against malicious code without the need for signatures updates, essentially by parsing traffic through a system that removes viruses from Internet traffic.

Avecho GlassWall is available for license but traditional AV providers are not prepared to talk to Avecho, which Scales presents as evidence that they are deliberately failing to grasp to nettle and look for a better solution to the viral problem. He contrasts this stance with the more favourable response he has received from networking suppliers about the possibility of embedding Avecho's technology in silicon.

Revolution or evolution?
Firms like Avecho, MessageLabs and Cisco (which bought behaviour blocking firm Okena earlier this year) are calling for a fundamentally different approach to how we fight malicious code. However, there are those who believe evolution rather than revolution is the best way forward.

Peter Tippett, CTO at the ICSA Labs research division of TruSecure, which validates AV products at part of its security testing programme, argues that simple steps can make existing infrastructures far more secure.

"If companies apply file filtering to block infectious attachments and change Outlook so that it points at the restricted zone we reckon the risks of getting infected can be reduced by a factor of 20. We've advised this for years," he told The Register.

According to Tippett, the Sobig virus caused less disruption to businesses then the Lovebug, and Blaster was roughly equivalent to Code Red. However, overall, virus and worm infections have grown 11 per cent a year, according to TruSecure.

Some Reg readers had urged a change in the way email works as a comprehensive means of dealing with the viral scourge. Tippett, pointing out that the IETF moves at a glacial pace, is dismissive of this idea. He is also far more cautious than others we've spoken to about the potential of behaviour-blocking technologies. However, he readily concedes our point that AV products are as useful as a chocolate teapot in dealing with fast-spreading worms.

Tippett said: "You'll never catch zero-day exploits with AV and intrusion detection products by using more rapid updates. AV products don't deal with and never will deal with first day viruses."

"Ringing the bell after the torpedo hits doesn't make you more secure," he added. ®

Related stories

Why Sobig is bad for privacy and AV vendors
AV bigwigs weigh in on Sobig debate
Blaster rewrites Windows worm rules
US warns nuke plants of worm threat
Sobig second wave attack fails to strike
Sobig-F is fastest growing virus ever - official
Why spammers lurve the 'Microsoft support' worm (Sobig-A)
Virus writers outpace traditional AV
AV vendors sell 'blunt razor blades'
Is it a worm, a virus, or a trojan?
US Reps question anti-virus companies' integrity