Why the anti-virus industry will need to change

October 7, 2007

Over the first six months of 2007, anti-virus applications market leader Symantec found a total of 212,101 new malware variants, an astonishing 185% increase over the second half of 2006, totaling an average of well over 1,100 unique samples arriving per day.1

With the volume of malware attacks growing so rapidly, the pressure on anti-virus research labs to find and defend against new threats to keep their products up to date and customers ahead of the curve has never been greater. Based on the sheer number of threats, and the sprawl of massive research operations such as Symantec's 40,000 sensor-strong Global Intelligence Network, some experts maintain that only a few of the largest labs will be able to compete in the long run.1

The sheer volume of new malicious programs arriving each day means that many anti-virus companies are simply unable to cope with the onslaught and are losing this "virus arms race". Today, malicious programs propagate so rapidly that anti-virus companies have to release updates as quickly as possible in order to minimize the amount of time that users will potentially be at risk. Unfortunately, many anti-virus companies are unable to do this - users often receive updates once they have already been infected. Anti-virus products are incapable of protecting against all available malicious programs.2

Although it is difficult to know with certainty the total amount of computer viruses and malware that exists at any given time, Anti-Virus Comparative's August 2007 report uses a sample of 808,344 different types of viruses, worms, backdoors, and trojans, in order to test 17 different anti-virus products, who in turn are able to successfully detect anything between 89.87% to 99.64% out of this collection of malware.3

Incidentally, five or ten years ago, it could honestly be said that an anti-virus solution didn't need to protect systems against every new virus and trojan, and 10 years ago most anti-virus users simply needed to update their virus signature files once a month in order to get effective coverage. After all, the majority of new malicious programs which were appearing at this time would never penetrate the user's computer. They were written by adolescent cyber vandals, who either wanted to show off their coding skills, or to satisfy their curiosity. Users only really needed protection against the few In The Wild viruses which managed to actually penetrate victim machines. However, the situation has now changed. Today the overwhelming majority of malicious programs are created by the criminal computer underground. We now see anti-virus vendors offering daily or even hourly updates to their products.2,4

To help keep up with this relentless onslaught, today's anti-virus software is also relying less on virus signatures, and increasingly more towards using heuristics to look for common behavioral patterns in malware (behavior blockers).5

One of the benefits of a signature-based scanner is that it detects all malicious code that it recognizes. But the downside is that it will fail to detect malicious code which it hasn't encountered before, and at today's quick pace of new virus releases, this has become a real problem. Another potential issue is the large size of anti-virus databases and the resources they consume. Behavior blockers on the other hand have the capability to detect even unknown malicious programs. But on the minus side is the possibility of false positives. The behavior of today's viruses and trojans is so diverse that devising a single set of rules which encompasses all possible behaviors is simply impossible. This means that the behavior blocker is certain to fail to detect some malicious programs, and will periodically prevent legitimate applications from functioning.2 Sophos which offers their Behavioral Genotype Protection engine in all their anti-virus products, validates their rule sets by running it against terabytes of legitimate code, in order to prevent false positives.6

Some anti-virus software is also moving away from blacklisting (allowing all programs to run and stopping any detected malware) towards whitelisting (only allowing specifically approved programs to run).5 This strategy is similar to the mentality used for firewalls, in which by default you deny all traffic, and only allow packets that you specify as being acceptable. Patchlink, AppSense, Bit9, SignaCert, and CA are among the security vendors that provide products based on whitelisting.7

Certain people believe that whitelisting is where the anti-virus industry will eventually move towards. In fact, the general manager of Symantec Canada, Michael Murphy has recently stated that they will "move towards a whitelist philosophy where only the good things will run on the computer."8

However with this approach, the challenge for anti-virus vendors would flip 180 degrees from detecting malware to detecting "goodware", which comes with its own set of challenges. According to Bit9 - the recognized experts on whitelists - the number of valid software "are several orders of magnitude larger and the growth rate at which valid software is growing far outstripped the growth rate of malware". This would also create a new dilemma in the computer industry, in terms of who gets to decide what type of software is allowed to run on a computer, not to mention what impact such an approach would have on small software developers, tool creators, and all the other ad hoc programs that find their way into niche markets based on specific needs.8

But for most home users who do not write their own code, and who do not feel the need to always run the "bleeding edge" version of the latest software, a whitelist-based anti-virus product is probably a more logical solution than having an anti-virus that needs to be updated every hour with the latest virus signature files yet is incapable of detecting most zero-day virus attacks. A whitelist-based solution would also prevent any illegal or unlicensed type of software from running on a computer. Something many large commercial software companies would be sure to appreciate.

1. "Malware Boom Puts Pressure on AV Labs", PC World, October 4, 2007

2. "The contemporary antivirus industry and its problems", Kaspersky Lab, November 1, 2005

3. "Anti-Virus Comparative August 2007 On-demand comparative", AV-comparatives.org, August 2007

4. "The WildList Organization International FAQ", The WildList Organization International, October 6, 2007

5. "Does antivirus have a future?", The Guardian, September 20, 2007

6. "HIPS:Behavioral Protection", Sophos, October 6, 2007

7. "The decline of antivirus and the rise of whitelisting", The Register, June 27, 2007

8. "Antivirus Whitelisting: The Bad and Good", About, September 25, 2007