Redefining Anti-Virus Software
Microsoft Windows users have long been advised to shield their PCs from attacks by using anti-virus software, which principally relies on technology designed to quarantine or delete files that possess certain characteristics of known hostile programs.
But as the anti-virus firms continue to struggle to stand their ground amid a flood of new malicious programs being unleashed each day, a complementary approach to fighting malware is beginning to take root. This approach seeks to identify the universe of known good programs and treat the outliers with extreme prejudice.
Bit9 is at the forefront of this tactic. The Cambridge, Mass., firm was jump-started in 2003 by a grant from the National Institute of Standards & Technology to develop computer immune systems to protect PCs and networks from previously unknown attacks. The company has since indexed approximately 6.2 billion programs available online, scanning each against 28 different anti-virus engines to see if any of them detect the files as malicious. If one of the anti-virus vendors flags a file, Bit9 informs customers that the file is suspicious. If two or more AV engines say it's suspect or malicious, Bit9 labels it as such and blocks the application from running, unless the customer overrides the decision.
"We hit a big inflection point in 2007, where for the first time ever more malware was produced than the amount of known good software," said Patrick Morley, Bit9's chief executive. "Users can see fantastic improvements in the time and resources it takes to scan a PC."
Bit9 markets its product mainly to businesses who may want to block all but a subset of known, safe applications from running on their employees' PCs. But this hybrid approach is gaining traction in the larger anti-virus industry, which is beginning to incorporate this same "whitelist" strategy into products sold to consumers.
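As an added illustration (not Bit9's code, nor anything from the original post), here is a small Python model of the decision rules described above: a known-good list checked first, then a count of how many engines flag the file, with the customer override applied only to the block decision. Engine names and file contents are constructed; it also models the default-deny business deployment, in which a file with zero detections still does not run unless it is on the known-good list.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOWED = "allowed"        # on the known-good list (or blocked, then overridden)
    UNKNOWN = "unknown"        # no engine flags it, but it is not on the list either
    SUSPICIOUS = "suspicious"  # exactly one engine flags it: inform, do not block
    BLOCKED = "blocked"        # two or more engines flag it: block


def sha256_of(data: bytes) -> str:
    """Identify a file by the hash of its contents, not by its name."""
    return hashlib.sha256(data).hexdigest()


def classify(file_hash: str, known_good: set, engine_results: dict, overrides: set) -> Verdict:
    """engine_results maps an engine name to True when that engine detects the file.
    overrides holds hashes the customer has explicitly chosen to allow anyway."""
    if file_hash in known_good:
        return Verdict.ALLOWED
    detections = sum(1 for flagged in engine_results.values() if flagged)
    if detections == 0:
        return Verdict.UNKNOWN
    if detections == 1:
        return Verdict.SUSPICIOUS
    if file_hash in overrides:
        return Verdict.ALLOWED  # customer overrode the block decision
    return Verdict.BLOCKED


def may_execute(verdict: Verdict, default_deny: bool) -> bool:
    """default_deny=True models a deployment that runs only listed software,
    so an UNKNOWN file is stopped even during the window before any
    engine has a signature for it."""
    if verdict is Verdict.BLOCKED:
        return False
    if default_deny:
        return verdict is Verdict.ALLOWED
    return True


if __name__ == "__main__":
    # Constructed sample data; the engine names are placeholders.
    good = sha256_of(b"constructed known-good installer")
    unseen = sha256_of(b"constructed file nobody has a signature for yet")
    results = {"engine_a": False, "engine_b": False, "engine_c": False}
    verdict = classify(unseen, {good}, results, set())
    print(verdict.value, "runs on default-deny host:", may_execute(verdict, True))
```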
In an interview with Symantec's vice president of consumer products last month that engendered a strong reaction from readers, Security Fix detailed how Big Yellow was working on a similar whitelist approach, noting that "Symantec engineers are experimenting with different approaches to reduce the time it takes Norton to scan files or hard disks. A big part of that effort seeks to harness Symantec's huge user base to learn which files have a high probability of being safe and therefore do not need to be repeatedly scanned."
Perhaps more telling than the whitelisting approach is the recent move by Russian anti-virus firm Kaspersky Lab, which says it plans to incorporate Bit9's technology in its 2009 family of products. While Kaspersky consistently scores rather high in detecting new malicious software, it is also considered by many to be among the most reliant of all anti-virus firms on signature-based technology.
It's true that Bit9's strategy for fighting malware is tied to the same "blacklist" technologies that have come to define the anti-malware industry to date. And while I don't expect this approach to revolutionize the anti-virus industry, it is refreshing to see at least a few of the heavy hitters acknowledging chinks in their armor, particularly given the dangerous window of vulnerability between the time malware authors ship their latest creations and when anti-virus firms issue new updates to detect these files as hostile.
June 10, 2008; 9:45 AM ET
Categories: From the Bunker, Safety Tips