By Dr. Seamus Phan
Devising effective antivirus techniques is tricky, given the unpredictable nature of viruses and malware that sprout in the wild. As such, system administrators usually have to play catch-up in the race to trap viruses.
Some, like me, have resorted to brute force. For instance, the sheer volume of viral activities I've experienced of late has forced me to simply block out all offending domains and senders, which I hate to do.
Brute force or not, it is critical that system administrators understand how their antivirus applications work, because only by knowing the nature of their tools will they be able to mitigate their risks. So what are the technologies available today, and in the near future?
Fingerprints and heuristics
Traditional antivirus software relies on fingerprinting, which matches incoming data against a database of digital fingerprints, or signatures, of known viruses. Because it is based on historical data, fingerprinting-based antivirus software depends on an ongoing update process to add signatures whenever new virus strains appear. This is clearly a reactive process, and new strains will periodically slip through, especially when a strain differs enough from every stored signature; even a minor variant of a known virus can do so if the bytes the signature keys on have changed.
Heuristics is another traditional antivirus technology. It scrutinizes a suspect program's instructions, structure and data and tries to determine whether the software's "intent" is malicious. Heuristic-based antivirus software can therefore find malware that fingerprinting misses, since it looks at the logic of the code rather than at historical fingerprints. The trade-off is that a heuristic judges what code could do, so it also raises false positives on legitimate software that happens to use the same techniques.
No modern antivirus software is purely one form or the other. It is usually a combination of fingerprinting and heuristics, with the added inclusion of virtual CPU emulation (otherwise known as a "sandbox"). The CPU emulation lets the suspect program reveal some of its logic in a limited virtual environment, so that it can be properly quarantined or deleted once diagnosed as malicious.
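To make the fingerprinting and heuristic layers concrete, here is a toy scanner written for this article; it is an added example, not the author's code or any product's engine. The signature database, the heuristic rules and their weights, and the four "files" (byte strings, not real executables) are all constructed for illustration. It shows the reactive gap described above: a one-byte change to a known worm defeats its signature, while the heuristics, which look at what the code could do, still flag it. CPU emulation is not modelled here.

```python
"""Toy fingerprint-plus-heuristic scanner (added example, not the author's code).

SIGNATURES and SAMPLES are constructed for illustration: the byte patterns
are not real malware signatures and the "files" are byte strings, not
executables. Real engines key on far more than strings and entropy.
"""
import math
import random
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a value near 8.0 suggests a packed or encrypted body."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Fingerprint database: byte sequences lifted from previously analysed samples.
SIGNATURES = {
    "Toy.Worm.A": b"MAIL FROM:<worm@example.invalid>",
    "Toy.Dropper.B": b"\xde\xad\xbe\xef\x90\x90\x90\x90",
}

# Heuristic rules: (name, weight, predicate on the raw file bytes). Each one
# asks what the code could do rather than whether it has been seen before.
HEURISTIC_RULES = [
    ("sends-mail", 3, lambda d: re.search(rb"MAIL FROM:|RCPT TO:", d) is not None),
    ("injects-code", 3, lambda d: b"CreateRemoteThread" in d and b"WriteProcessMemory" in d),
    ("packed-or-encrypted", 2, lambda d: shannon_entropy(d) > 7.0),
    ("maps-executable-memory", 2, lambda d: b"VirtualAlloc" in d and b"VirtualProtect" in d),
]
SUSPICIOUS_THRESHOLD = 3


def scan(data: bytes) -> dict:
    """Fingerprint first; fall back to the heuristic score when nothing matches."""
    signature = next((name for name, pat in SIGNATURES.items() if pat in data), None)
    hits = [name for name, _, pred in HEURISTIC_RULES if pred(data)]
    score = sum(w for name, w, _ in HEURISTIC_RULES if name in hits)
    if signature is not None:
        verdict = "known-malware"
    elif score >= SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signature": signature, "heuristic_hits": hits,
            "heuristic_score": score, "verdict": verdict}


# Constructed samples. The variant differs from the original worm by one byte
# inside the string the signature keys on, which is all it takes to slip past
# the fingerprint; the heuristics still see the same mailing and injection code.
_WORM = (b"MZ" + b"\x00" * 64
         + b"MAIL FROM:<worm@example.invalid>\r\nRCPT TO:<victim@example.invalid>\r\n"
         + b"CreateRemoteThread\x00WriteProcessMemory\x00")
_rng = random.Random(1)  # seeded so the packed body is reproducible
SAMPLES = {
    "benign_tool.exe": (b"MZ" + b"\x00" * 64
                        + b"This program cannot be run in DOS mode.\r\n"
                        + b"GetModuleHandleA\x00MessageBoxA\x00ExitProcess\x00"),
    "worm_a.exe": _WORM,
    "worm_a_variant.exe": _WORM.replace(b"<worm@", b"<w0rm@"),
    # Pseudo-random bytes stand in for a packed payload: no signature exists for
    # it, but its entropy and the memory-mapping imports give it away.
    "packed_dropper.exe": (b"MZ" + bytes(_rng.getrandbits(8) for _ in range(2048))
                           + b"VirtualAlloc\x00VirtualProtect\x00"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} {scan(data)}")
```

Running it prints "known-malware" for the original worm, "suspicious" (score 6, no signature) for the one-byte variant and for the packed dropper, and "clean" for the benign tool. The same weights that catch the variant would also flag a legitimate mail relay that injects into other processes, which is the false-positive cost of any heuristic.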
Another technique examines the behavior of potential malware in relation to the actual computer. The concept is simple: most malware exhibits some consistent behavior, such as deleting specific system files, modifying data files, erasing part or all of a disk drive, modifying system settings, sending e-mail without consent, or running specific types of attack code.

With behavior tracking, antivirus software can block worms and Trojans by watching for their typical behavior, usually attempts to send e-mail over the network, to turn drive sharing on, or to run unknown networking protocols.

Using policies and rules in a behavior-tracking system, it is feasible to map all known Trojan port numbers and ensure that activity on these ports raises a triggered condition during such an attack. Such a table catches only default configurations, however, since an attacker can reconfigure a Trojan to use a different port.

But behavior tracking cannot stand alone, since it must run the code in order to observe what the code does. It must therefore still work in tandem with the likes of fingerprinting, which eliminates as much known malware as possible before anything executes.
Because it is policy-based, it is highly likely that legitimate operations will be summarily stopped as well, including legitimate calls to specific server services or ports. For example, some rudimentary protection systems provide a single user button to turn ActiveX or Java applet execution on or off, which means that legitimate code cannot run either.

There are far fewer ActiveX and Java threats than there are Visual Basic (VB) and scripting code vulnerabilities (in Perl, PHP, and so on). Turning off all ActiveX and Java code may even mean that enterprise applications cannot run at all, especially for remote employees and branch offices.
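The behavior-tracking rules described above, and the false-positive problem of a blanket policy, can be shown with a small rule engine. This is an added example written for this article, not the author's code or any product's implementation. The event trace, process names, PIDs and addresses are constructed; the Trojan port table lists historical default ports of Back Orifice, NetBus and SubSeven and is deliberately short; the mail allowlist and the "two distinct rules before blocking" policy are design choices of the example.

```python
"""Toy behavior-tracking rule engine (added example, not the author's code).

EVENTS is a constructed trace of process actions in the shape a host sensor
might report them; the image names, PIDs and addresses are made up.
"""
from collections import defaultdict

# Historical default listening ports of three well-known Trojans, tabulated the
# way the article suggests so that a listener on one of them trips a rule.
# The table only catches default configurations: an attacker can move the port.
TROJAN_PORTS = {31337: "Back Orifice", 12345: "NetBus", 27374: "SubSeven"}

# Constructed policy: images permitted to speak SMTP without an alert. Without
# such an allowlist a "no e-mail" rule blocks the mail client too.
MAIL_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}
SYSTEM_DIR = "c:\\windows\\"

EVENTS = [
    {"pid": 1204, "image": "rat.exe", "action": "listen", "lport": 12345},
    {"pid": 1204, "image": "rat.exe", "action": "share_create", "share": "C$", "path": "C:\\"},
    {"pid": 1204, "image": "rat.exe", "action": "connect", "dst": "203.0.113.5", "dport": 25},
    {"pid": 880, "image": "outlook.exe", "action": "connect", "dst": "192.0.2.10", "dport": 25},
    # A legitimate backup agent that mails its nightly report: one rule fires,
    # which is the kind of false positive a blanket policy would block outright.
    {"pid": 2210, "image": "backupagent.exe", "action": "connect", "dst": "192.0.2.10", "dport": 25},
    {"pid": 3001, "image": "cleaner.exe", "action": "file_delete",
     "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"pid": 880, "image": "outlook.exe", "action": "file_write", "path": "C:\\Users\\a\\draft.txt"},
]


def rule_trojan_port(ev):
    if ev["action"] == "listen" and ev.get("lport") in TROJAN_PORTS:
        return f"listening on {ev['lport']} ({TROJAN_PORTS[ev['lport']]} default port)"


def rule_share_created(ev):
    if ev["action"] == "share_create":
        return f"enabled drive sharing: {ev.get('share')} -> {ev.get('path')}"


def rule_unexpected_mail(ev):
    if (ev["action"] == "connect" and ev.get("dport") == 25
            and ev["image"] not in MAIL_ALLOWLIST):
        return f"SMTP connection to {ev.get('dst')} from a non-mail program"


def rule_system_file_delete(ev):
    if ev["action"] == "file_delete" and ev.get("path", "").lower().startswith(SYSTEM_DIR):
        return f"deleted system file {ev['path']}"


RULES = {
    "trojan_port": rule_trojan_port,
    "share_created": rule_share_created,
    "unexpected_mail": rule_unexpected_mail,
    "system_file_delete": rule_system_file_delete,
}


def evaluate(events, rules=RULES):
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name, rule in rules.items():
            detail = rule(ev)
            if detail:
                alerts.append({"pid": ev["pid"], "image": ev["image"],
                               "rule": name, "detail": detail})
    return alerts


def verdict_per_process(alerts):
    """Block only when two or more distinct rules fired for the same process;
    a single hit is flagged for review rather than stopped outright."""
    fired = defaultdict(set)
    for a in alerts:
        fired[a["pid"]].add(a["rule"])
    return {pid: ("block" if len(names) >= 2 else "review") for pid, names in fired.items()}


if __name__ == "__main__":
    alerts = evaluate(EVENTS)
    for a in alerts:
        print(f"pid {a['pid']:>5} {a['image']:16} {a['rule']:20} {a['detail']}")
    print(verdict_per_process(alerts))
```

On this trace rat.exe trips three rules and is blocked, outlook.exe is untouched because of the allowlist, and backupagent.exe and cleaner.exe each trip one rule and are only flagged for review. Collapsing that last step into "block on any hit" is the rudimentary on/off policy criticised above: it would stop the backup agent's report along with the Trojan.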
So is there any reprieve for the good guys? I say good will prevail, and that malicious malware writers and their intentions can never be truly hidden.
© 2003 The BWW Society/The Institute for the Advancement of Positive Global Solutions