I was alerted this morning by an email from Trend Micro running on my file server.
Apparently, a copy of iroffer I have on there is a virus.
I've always thought that the whole "antivirus" paradigm was flawed. Just as we run into problems when the FBI or CIA decide to write a virus (It's not a virus anymore, right?) ... just because someone uses some code in a virus doesn't make all applications of the code bad. In my case, the copy of iroffer was actually sitting there in an archive - I use it on a Linux box to send some software I wrote to people on IRC. Obscure use, right?
Hardly. As spyware becomes a more serious problem, I wonder how these "antivirus" vendors will react. Add everything in sight into their signature databases, updated every minute?
The signature detection years are gone. We need to throw those stupid signatures away and start using more intelligent detection methods. Heuristic ones, perhaps, but definitely ones that analyze behaviour, given a certain expected profile for the machine. Because malicious code to a developer may not be malicious code to a gamer. And someone on a P2P network who needs certain packages (hah) may find it very annoying that they can't run their program because Symantec has decided for them that whatever they run is not permitted.
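To make the "behaviour against an expected profile" idea concrete, here is an added example (not code from this post, and not taken from any of the products mentioned): a small scorer that weights each observed action of a process by how far it falls outside the expected-behaviour profile of the machine it runs on. The profile names, action labels, weights, threshold and the sample event list are all constructed for the example; a real agent would feed it events from process, network and registry monitoring.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed action by a process (constructed event format)."""
    process: str   # name of the process that performed the action
    action: str    # normalised behaviour label, see ACTION_WEIGHTS


# Expected behaviour per machine role (constructed for this example).
# An action listed here is "normal" on that kind of box and is not scored.
PROFILES = {
    "developer": {"irc_connect", "listen_port", "spawn_compiler"},
    "gamer":     {"listen_port", "udp_broadcast"},
    "office":    set(),
}

# Weight of an action when the machine's profile does NOT expect it.
# Browser hijacking and persistence count far more than opening a socket.
ACTION_WEIGHTS = {
    "irc_connect": 2,
    "listen_port": 1,
    "spawn_compiler": 1,
    "udp_broadcast": 1,
    "modify_start_page": 4,
    "install_browser_toolbar": 4,
    "write_autorun": 3,
}


def score_events(events, profile_name, threshold=3):
    """Score every process in `events` against one machine profile.

    Returns {process: {"score": int, "unexpected": [action, ...], "alert": bool}}.
    A process whose actions are all expected for the profile scores 0.
    """
    expected = PROFILES[profile_name]
    scores = defaultdict(int)
    unexpected = defaultdict(list)
    seen = []
    for ev in events:
        if ev.process not in seen:
            seen.append(ev.process)
        if ev.action in expected:
            continue                                   # normal for this role
        scores[ev.process] += ACTION_WEIGHTS.get(ev.action, 1)  # unknown: 1
        unexpected[ev.process].append(ev.action)
    return {
        p: {"score": scores[p], "unexpected": unexpected[p],
            "alert": scores[p] >= threshold}
        for p in seen
    }


# Constructed sample: an IRC file server doing its job, and a "crack.exe"
# that rewrites the browser start page, adds a toolbar and persists.
SAMPLE_EVENTS = [
    Event("iroffer", "irc_connect"),
    Event("iroffer", "listen_port"),
    Event("crack.exe", "modify_start_page"),
    Event("crack.exe", "install_browser_toolbar"),
    Event("crack.exe", "write_autorun"),
]


if __name__ == "__main__":
    for role in PROFILES:
        print(f"--- profile: {role}")
        for proc, verdict in score_events(SAMPLE_EVENTS, role).items():
            flag = "ALERT" if verdict["alert"] else "ok"
            print(f"{proc:10} score={verdict['score']:2} {flag:5} "
                  f"unexpected={verdict['unexpected']}")
```

The same iroffer events score 0 on the developer profile, 2 on the gamer profile and 3 (an alert) on the office profile, while crack.exe trips every profile: that is the point, the verdict depends on what the machine is for, not on a byte pattern in the binary.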
I really like the "sandbox" detection idea used by the Finjan people. It's definitely a paradigm that makes sense to me. I had tried their client-side protection software some time ago, and I remember it causing more headaches than it was worth. It was like antivirus software that kept asking me if I really wanted to open the file. I should give SurfinGate a try sometime and see what they've done since.
An immediately addressable problem, though, is the fact that client-based antivirus doesn't even seem to work. Viruses get executed by the end user, say, by clicking on an infected file. Out pops the message... but then it pops up again every 5 minutes telling you that it's found something else! It pops up again later, when you reboot the computer. It seems to be purely reactive.
I was testing the "new" Microsoft antispyware (I say "new" 'cause they just repackaged the thing...) application the other day. I downloaded a known, bad "crack.exe". And executed it. About 15 seconds later, the popups from the application started. "Blah blah blah is trying to make a change to your start page. Are you sure?" and "so and so wants to install an IE toolbar".
*sigh*