
Heuristic Analysis

In the document 363_Web_App_FM.qxd 12/19/06 10:46 AM Page ii (Pages 183-186)

One of the things that “everybody knows” about antivirus software is that it only detects known viruses. As is true so often, everyone is wrong. AV vendors have years of experience at detecting known viruses, and they do it very effectively and mostly accurately. However, as everyone also knows (this time more or less correctly), this purely reactive approach leaves a “window of vulnerability,” a gap between the release of each virus and the availability of detection/protection.

Despite the temptation to stick with a model that guarantees a never-ending revenue stream, vendors have actually offered proactive approaches to virus/malware management. We’ll explore one approach (change/integrity detection) a little further when we discuss Tripwire. More popular and successful, at least in terms of detecting “real” viruses as opposed to implementing other elements of integrity management, is a technique called heuristic analysis.

TIP

Integrity detection is a term generally used as a near-synonym for change detection, though it might suggest more sophisticated approaches. Integrity management is a more generalized concept and suggests a whole range of associated defensive techniques such as sound change management, strict access control, careful backup systems, and patch management. Many of the tools described here can be described as integrity management tools, even though they aren’t considered change/integrity detection tools.

Heuristic analysis (in AV; spam management tools often use a similar methodology, though) is a term for a rule-based scoring system applied to code that doesn’t provide a definite match to known malware. Program attributes that suggest possible malicious intent increase the score for that program. The term derives from a Greek root meaning to discover and has the more general meaning of a rule of thumb or an informed guess. Advanced heuristics use a variety of inspection and emulation techniques to assess the likelihood of a program’s being malicious, but there is a trade-off: The more aggressive the heuristic, the higher the risk of false positives (FPs). For this reason, commercial antivirus software often offers a choice of settings, from no heuristics (detection based on exact or near-exact identification) to moderate heuristics or advanced heuristics.
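The scoring scheme and the none/moderate/advanced trade-off described above, as an added toy example that is not from the book or any vendor's engine; the attribute names, weights, thresholds and the small corpus are all constructed for illustration.

```python
# Added illustration (not from the book): a toy rule-based heuristic scorer.
# Rule names, weights, thresholds and the corpus are constructed for this example.

# Rule table: a program attribute that hints at malicious intent -> score weight.
RULES = {
    "writes_run_key":           3,  # persistence via an autorun registry key
    "injects_remote_thread":    3,  # code injection into another process
    "entry_point_last_section": 2,  # typical of appended or packed code
    "unknown_packer":           2,  # obfuscated, cannot be read statically
    "no_version_info":          1,  # weak hint; many legitimate tools lack it
    "tiny_import_table":        1,  # weak hint; resolves APIs at run time
}

# Heuristic level -> minimum score to flag. "none" means exact identification
# only, so nothing is ever flagged on heuristics alone.
THRESHOLDS = {"none": None, "moderate": 6, "advanced": 3}

def heuristic_score(attrs):
    """Sum the weights of every matched rule; unknown attributes score 0."""
    return sum(RULES.get(a, 0) for a in attrs)

def verdict(attrs, level):
    """Return 'suspicious' or 'clean' for the given heuristic level."""
    threshold = THRESHOLDS[level]
    if threshold is None:
        return "clean"
    return "suspicious" if heuristic_score(attrs) >= threshold else "clean"

# Constructed corpus: (name, observed attributes, ground truth).
CORPUS = [
    ("dropper.exe", {"writes_run_key", "injects_remote_thread", "entry_point_last_section"}, "malicious"),
    ("bot_variant.exe", {"writes_run_key", "unknown_packer", "tiny_import_table"}, "malicious"),
    ("setup.exe", {"unknown_packer", "no_version_info"}, "benign"),  # packed installer
    ("notepad.exe", {"no_version_info"}, "benign"),
]

def evaluate(level):
    """Return (true detections, false positives) at a level: the trade-off in numbers."""
    detected = false_positives = 0
    for _, attrs, truth in CORPUS:
        if verdict(attrs, level) == "suspicious":
            if truth == "malicious":
                detected += 1
            else:
                false_positives += 1
    return detected, false_positives

if __name__ == "__main__":
    for level in THRESHOLDS:
        print(level, evaluate(level))
```

Lowering the threshold from moderate to advanced catches nothing extra in this corpus but starts flagging the packed installer, which is exactly the FP cost the text warns about.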

Antivirus vendors use other techniques to generalize detection. Generic signatures, for instance, use the fact that malicious programs and variants have a strong family resemblance—in fact, we actually talk about virus and bot families in this context—to detect groups of variants rather than using a single definition for each member of the group. This has an additional advantage: There’s a good chance that a generic signature will also catch a brand-new variant of a known family, even before that particular variant has been analyzed by the vendor.
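How one generic (family) signature can cover variants that each differ only in a few bytes, including one the vendor has never analysed, as an added example that is not from the book; the signature syntax, the byte patterns and the "variants" are all constructed for this illustration.

```python
# Added illustration (not from the book): a wildcard family signature beside
# per-variant exact signatures. All byte patterns here are constructed.
import re

def compile_generic_signature(pattern):
    """Translate a signature like '55 8B EC ?? E8' into a compiled bytes regex.
    Fixed bytes must match exactly; '??' matches any single byte, which is where
    members of a family typically differ (constants, offsets, embedded keys)."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

# One signature for the whole family: stack-frame setup, a variable-size stack
# allocation, a push of some address, then a call.
FAMILY_SIG = compile_generic_signature("55 8B EC 83 EC ?? 68 ?? ?? ?? ?? E8")

# Exact signatures: one per variant the vendor has already analysed.
EXACT_SIGS = {
    "famA.a": bytes.fromhex("558bec83ec1068a0104000e8"),
    "famA.b": bytes.fromhex("558bec83ec2068b0104000e8"),
}

def scan(data):
    """Return (verdict, name): exact definition first, then the family signature."""
    for name, sig in EXACT_SIGS.items():
        if sig in data:
            return ("known", name)
    if FAMILY_SIG.search(data):
        return ("generic", "famA.gen")
    return ("clean", None)

# Constructed samples: a known variant, a brand-new variant with a different
# stack size and string address (no exact definition exists), and benign code
# that shares only the common prologue bytes.
KNOWN_A = b"\x90\x90" + EXACT_SIGS["famA.a"] + b"\xc3"
NEW_VARIANT = b"\x90" + bytes.fromhex("558bec83ec4068c0204000e8") + b"\xc3"
BENIGN = b"\x55\x8b\xec\x5d\xc3" + b"A" * 8

if __name__ == "__main__":
    for label, blob in [("known", KNOWN_A), ("new", NEW_VARIANT), ("benign", BENIGN)]:
        print(label, scan(blob))
```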

TIP

From an operational point of view, you might find sites such as VirusTotal (www.virustotal.org), Virus.org (www.virus.org), or Jotti (http://virusscan.jotti.org/) useful for scanning suspicious files. These services run samples you submit to their Web sites against a number of products (far more than most organizations will have licensed copies of) and pass them on to antivirus companies. Of course, there are caveats. Inevitably, some malware will escape detection by all scanners: a clean bill of health. Since such sites tend to be inconsistent in the way they handle configuration issues such as heuristic levels, they don’t always reflect the abilities of the scanners they use so are not a dependable guide to overall scanning performance by individual products. (It’s not a good idea to use them as a comparative testing tool.) And, of course, you need to be aware of the presence of a suspicious file in the first place.

Malware detection as it’s practiced by the antivirus industry is too complex a field to do it justice in this short section: Peter Szor’s The Art of Computer Virus Research and Defense (Symantec Press, 2005) is an excellent resource if you want to dig deeper into this fascinating area. The ins and outs of heuristic analysis are also considered in Heuristic Analysis: Detecting Unknown Viruses, by Lee Harley, at www.eset.com/download/whitepapers.php.

You might notice that we haven’t used either an open-source or commercial AV program to provide a detailed example here. There are two reasons for this:

There is a place for open source AV as a supplement to commercial antivirus, but we have concerns about the way its capabilities are so commonly exaggerated and its disadvantages ignored. No open-source scanner detects everything a commercial scanner does at present, and we don’t anticipate community projects catching up in the foreseeable future. We could, perhaps, have looked at an open-source project in more detail (ClamAV, for instance, one of the better community projects in this area), but that would actually tell you less than you might think about the way professional AV is implemented. Free is not always bad, though, even in AV. Some vendors, like AVG and Avast, offer free versions of their software that use the same basic detection engine and the same frequent updates but without interactive support and some of the bells and whistles of the commercial version. Note that these are normally intended for home use; for business use, you are required to pay a subscription. Others, such as ESET and Frisk, offer evaluation copies. These are usually time-restricted and might not have all the functionality of the paid-for version.

Commercial AV products vary widely in their facilities and interfaces, even comparing versions of a single product across platforms (and some of the major vendors have a very wide range of products). Furthermore, the speed of development in this area means that two versions of the same product only a few months apart can look very different. We don’t feel that detailed information on implementing one or two packages would be very useful to you. It’s more important to understand the concepts behind the technology so that you can ask the right questions about specific products.
