News Story

Virus fighters expand choice of weapons
February 13, 2003
By Steve Tanner

The recent MyDoom computer virus attack, spread from desktop to desktop as an e-mail attachment, has opened debate on whether current antivirus technologies are adequate.

Differences abound, but most computer security experts believe a varied arsenal is the best approach.

At least one outspoken critic of the most widely used virus-blocking technology says the strategy is nearly obsolete. Companies such as Symantec Corp. and Network Associates Inc. depend on antivirus technology that profiles and blocks known viruses and worms.

"If you look at an attack like MyDoom, the traditional antivirus companies still are of some use; but when it comes to viruses that strike more quickly, these technologies will be totally useless," says Steven Hofmeyr, founder and chief scientist of San Mateo-based Sana Security Inc., which sells intrusion prevention software to enterprise clients.

Infection by MyDoom requires human action, so it spreads relatively slowly, but threats such as last summer's Blaster worm are more aggressive and require a much quicker response. Symantec and Network Associates update their databases as soon as a new virus or worm rears its ugly head. But first, the companies must identify the virus and create a "signature." Hofmeyr argues that the faster-spreading worms do most of their damage before signature lists can be updated.

Computer security analyst Donovan Gow, however, disagrees with Hofmeyr's assessment of signature technology. While he agrees new technologies are needed, he says virus signatures are crucial in preventing repeat attacks.

"The approach so far has not worked that well, and we keep getting attacked," says Gow, an analyst with Greenwich, Conn.-based American Technology Research Inc. "But the truth is, I think these types of technologies will co-exist. Symantec and Network Associates both have added strong intrusion prevention components."

Representatives with Cupertino-based Symantec and Santa Clara-based Network Associates agree to a certain extent that more is needed than simply updating signature lists.

"We do need multiple ways of protecting," says Raj Dhingra, vice president of product management for Network Associates's McAfee division. "With a [signature]-based approach, by definition, you have to wait for a new signature. But with a combination of signature- and behavior-based approaches, you can effectively stop these threats."

Network Associates acquired intrusion-protection company Entercept last year. The software is installed on a company's server, "learns" over time what normal system behavior is, and blocks anything out of the ordinary, which may be malicious code, from entering the system.

Symantec has some similar tricks of its own.

The company's heuristic software is similar to Network Associates's Entercept product, in that it examines the logic of a company's system and tries to profile and then block any code that doesn't seem to belong. Symantec's behavior blocking software allows suspect code to run on the system but closely monitors its behavior for signs of malicious intent.
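As an added illustration (not code from the article or from any of the vendors it names), here is a toy Python model of the two approaches the article contrasts: a signature check that matches only the exact known sample, and a behavior profile that learns normal action sequences during a training period and flags a process whose actions depart from them. The sample "executables", the action traces and the threshold are constructed for the example.

```python
import hashlib

# Constructed sample executables: the second is a lightly modified variant
# whose hash no longer matches the known-bad signature.
KNOWN_BAD = b"mass-mailer build 1"
VARIANT = b"mass-mailer build 2"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Constructed action traces of a mail client during the learning period
# (the "normal" behavior a host profile is built from).
NORMAL_TRACES = [
    ["open_mailbox", "read_msg", "render", "close"],
    ["open_mailbox", "compose", "send", "close"],
]
# Constructed trace of a process that harvests the address book, mails
# itself repeatedly and sets a startup registry key.
MALICIOUS_TRACE = ["read_addressbook", "compose", "send", "compose", "send",
                   "write_registry_run", "compose", "send"]

def signature_match(data: bytes) -> bool:
    """Signature approach: exact match against the list of known samples."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES

def learn_profile(traces, n=2):
    """Behavior approach, learning phase: collect action n-grams seen in normal use."""
    profile = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile

def anomaly_score(trace, profile, n=2):
    """Fraction of a trace's n-grams never observed during learning."""
    grams = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)

def classify(data, trace, profile, threshold=0.3):
    """Combined decision: signature first, then behavior, otherwise allow."""
    if signature_match(data):
        return "blocked:signature"
    if anomaly_score(trace, profile) > threshold:
        return "blocked:behavior"
    return "allowed"

PROFILE = learn_profile(NORMAL_TRACES)
```

The variant slips past the signature check but is caught by the behavior profile, while the unmodified known sample is stopped by the signature before it runs at all; in practice the threshold trades missed detections against false alarms on legitimate but unusual activity.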

Symantec's chief researcher, Steve Trilling, describes how the behavior blocking software works in terms of tracking suspicious individuals.

"If their print doesn't match, you can examine them and see if they look like they may be up to something. Are they concealing something?" Trilling says. "If it appears to be doing something malicious, [the behavior blocking software] will block it on the fly."

He says Symantec is also working on newer behavior blocking technology, but that signature technology will continue to be the most important defense.

Bruce Schneier, founder and chief technology officer of Mountain View-based Counterpane Internet Security Inc., says consumers have very few security options besides using signature-based antivirus software. The real security problem, he believes, is a lack of integrity in Microsoft Corp.'s code.

"Microsoft shows no intention of making their software more secure," says Schneier. "Updating your signatures and backing up your data are the only things you really can do."

Computer attacks almost always go after Windows-based systems since they are used by more than 90 percent of all home computer users.

Sana's Hofmeyr, though, doesn't see the logic in requiring consumers to educate themselves too much about computer security.

"It's like expecting everyone who drives cars to know how to fix a car," Hofmeyr says. "A much better model, from the consumers' standpoint, is that you buy the software, install it, and never think about it again."
