March 2, 2009 6:01 AM PST

New antivirus software looks at behaviors, not signatures

by Elinor Mills

It could be argued that security vendors are losing the battle with online scammers whose programs sneak onto computers and drop malicious programs, opening the computers up to remote attacks and turning them into zombies in botnet armies.

(Credit: AVG)

The problem is that most computers today rely on antivirus software that blocks malware by checking the code in a file against a database of signatures of known viruses. With thousands of new viruses arriving each day, many of them partially encrypted or otherwise disguised through modification, the signature lists require frequent updates, and many new viruses slip through undetected.

As a result, security providers are turning their attention to behavior-based approaches for identifying new viruses, with software that focuses on watching for suspicious behavior, such as a program trying to write data to an executable program. Two security companies are set to make announcements on Monday that follow this trend.
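To make the contrast concrete, the following Python is an added example (not code from AVG, Damballa or any vendor named in the article) that runs an exact-hash signature lookup beside two simple behavior rules over a constructed trace of process events. The sample bytes, the event schema, the process names and the addresses are all made up for the illustration; the point it shows is that a repacked copy of a known sample evades the hash lookup while its actions (writing into an executable, then calling out) still trip the behavioral rules.

```python
"""Signature lookup versus behavior rules over a constructed process-event trace."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed stand-ins for two malware files: a sample already in the signature
# database, and the same sample after repacking, so its bytes (and digest) differ.
KNOWN_SAMPLE = b"MZ\x90\x00 dropper-v1 payload"
REPACKED_SAMPLE = b"MZ\x90\x00 dropper-v1 payload wrapped in a new packer stub"

# Signature database: SHA-256 digests of samples already analysed (constructed).
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """Classic signature check: an exact digest lookup, so any byte change evades it."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB


@dataclass(frozen=True)
class Event:
    """One observed action of a running process (constructed schema, not a product format)."""
    pid: int
    process: str
    action: str   # "write" or "connect"
    target: str   # file path written, or remote host:port contacted


EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def behavior_alerts(events: Iterable[Event]) -> List[Tuple[int, str, str]]:
    """Flag processes by what they do, not by what their file hashes to.

    Rule 1: a process writes data into an executable file (the article's example).
    Rule 2: a process that has done so then opens an outbound connection, the
    drop-then-call-home sequence a botnet monitor listens for.
    """
    alerts: List[Tuple[int, str, str]] = []
    wrote_executable = set()   # pids that have already written into an executable
    for ev in events:
        reason = None
        if ev.action == "write" and ev.target.lower().endswith(EXECUTABLE_SUFFIXES):
            wrote_executable.add(ev.pid)
            reason = f"writes data into executable {ev.target}"
        elif ev.action == "connect" and ev.pid in wrote_executable:
            reason = f"contacts {ev.target} after modifying an executable"
        if reason is not None:
            alerts.append((ev.pid, ev.process, reason))
    return alerts


# Constructed trace: an editor saving a document, a browser talking to a web site,
# and the repacked dropper overwriting an executable before calling out.
SAMPLE_EVENTS = [
    Event(1201, "notepad.exe", "write", r"C:\Users\alice\notes.txt"),
    Event(2308, "browser.exe", "connect", "203.0.113.5:443"),
    Event(4410, "update_helper.exe", "write", r"C:\Program Files\Common\viewer.exe"),
    Event(4410, "update_helper.exe", "connect", "198.51.100.23:8080"),
]


def compare_approaches() -> dict:
    """Run both detectors over the constructed inputs and return their verdicts."""
    return {
        "signature_known": signature_match(KNOWN_SAMPLE),
        "signature_repacked": signature_match(REPACKED_SAMPLE),
        "behavior_alerts": behavior_alerts(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for key, value in compare_approaches().items():
        print(f"{key}: {value}")
```

The trade-off the commenters below argue about is visible in the rules themselves: the first rule fires on any installer or software updater that legitimately rewrites executables, which is exactly the false-positive cost that signature matching avoids.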

Antivirus provider AVG is introducing AVG Identity Protection, software that analyzes the behavior and characteristics of programs running on a computer and shuts down activity that looks suspicious. The software is based on technology the firm acquired when it bought identity theft specialist Sana Security in January.

"The antivirus companies are flooded with malware to add to signature databases," with 20,000 to 30,000 new unique samples coming out every day, said Roger Thompson, chief research officer at AVG. "It's time to do something different."

(Credit: Damballa)

Meanwhile, Damballa is releasing its Failsafe 3.0 appliance that is designed to discover botnet malware on computers by listening for communications between compromised systems and command-and-control nodes controlled by attackers on the Internet.

As much as 5 percent of computers in a corporation are compromised with targeted-attack-style bot malware, even with up-to-date antivirus and intrusion detection software in use, said Bill Guerry, vice president of product management and marketing at Damballa.

Of a sample of more than 200,000 malware samples scanned by a leading antivirus tool over six months, the average gap between the release of the virus and its detection was 54 days, with almost half going undetected on the day received and 15 percent still undetected after 180 days, according to a Damballa study.

Another company, Triumfant, announced behavior-based software last week that protects companies against zero-day attacks that arise from exploits of security vulnerabilities in software that has not yet been patched.

Triumfant Resolution Manager looks for changes in attributes of the computer, such as registry keys, security and port settings, and performance statistics, and removes code that is suspicious.
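The attribute-comparison approach described for Triumfant can be sketched as a baseline-versus-current diff. The Python below is an added example, not Triumfant's code: it snapshots three constructed attribute classes the article names (registry values, listening ports, security settings), lists every difference, and then applies a small triage policy to pick the changes a responder would act on. The snapshot contents, the autorun registry path used as a filter and the triage policy are this example's assumptions.

```python
"""Baseline-versus-current comparison of host attributes (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class HostSnapshot:
    """Attributes of one host at one point in time (constructed schema)."""
    registry: Dict[str, str]           # registry value path -> stored data
    listening_ports: Set[int]          # TCP ports with a listener
    security_settings: Dict[str, str]  # e.g. firewall state, removable-media autorun


def diff_snapshots(baseline: HostSnapshot, current: HostSnapshot) -> List[dict]:
    """List every attribute that was added, removed or changed since the baseline."""
    findings: List[dict] = []
    for path in sorted(baseline.registry.keys() | current.registry.keys()):
        old, new = baseline.registry.get(path), current.registry.get(path)
        if old == new:
            continue
        kind = ("registry_added" if old is None
                else "registry_removed" if new is None
                else "registry_changed")
        findings.append({"kind": kind, "key": path, "old": old, "new": new})
    for port in sorted(current.listening_ports - baseline.listening_ports):
        findings.append({"kind": "port_opened", "key": port})
    for port in sorted(baseline.listening_ports - current.listening_ports):
        findings.append({"kind": "port_closed", "key": port})
    for name in sorted(baseline.security_settings.keys() | current.security_settings.keys()):
        old, new = baseline.security_settings.get(name), current.security_settings.get(name)
        if old != new:
            findings.append({"kind": "setting_changed", "key": name, "old": old, "new": new})
    return findings


# Registry location whose entries start programs at logon (standard Windows path).
AUTORUN_PREFIX = r"hklm\software\microsoft\windows\currentversion\run"
# Setting transitions this example treats as weakening the host (constructed policy).
WEAKENING = {("firewall", "off"), ("autorun_removable_media", "enabled")}


def triage(findings: List[dict]) -> List[dict]:
    """Keep the changes worth acting on: new autorun entries, new listeners,
    and settings moved to a weaker state. Everything else is benign drift."""
    acted: List[dict] = []
    for f in findings:
        if f["kind"] == "registry_added" and f["key"].lower().startswith(AUTORUN_PREFIX):
            acted.append(f)
        elif f["kind"] == "port_opened":
            acted.append(f)
        elif f["kind"] == "setting_changed" and (f["key"], f["new"]) in WEAKENING:
            acted.append(f)
    return acted


# Constructed snapshots: yesterday's baseline and today's state of one workstation.
BASELINE = HostSnapshot(
    registry={
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\ExampleCorp\updater.exe",
        r"HKLM\Software\ExampleCorp\Agent\Version": "4.2.0",
    },
    listening_ports={135, 445, 3389},
    security_settings={"firewall": "on", "autorun_removable_media": "disabled"},
)
CURRENT = HostSnapshot(
    registry={
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\ExampleCorp\updater.exe",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper": r"C:\Users\Public\syshelper.exe",
        r"HKLM\Software\ExampleCorp\Agent\Version": "4.2.1",   # routine agent upgrade
    },
    listening_ports={135, 445, 3389, 8081},
    security_settings={"firewall": "off", "autorun_removable_media": "disabled"},
)


if __name__ == "__main__":
    for finding in triage(diff_snapshots(BASELINE, CURRENT)):
        print(finding)
```

The agent version bump appears in the raw diff but not in the triage output: separating "what changed" from "what matters" is what keeps a change-based monitor from drowning an administrator in routine drift.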

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
(16 Comments)
by MadLyb March 2, 2009 6:39 AM PST
Heuristics have been around for a very long time, but have been largely impotent because of the large amount of false positives and the significant negative impact they have on the user.

Consider me still skeptical.
by Sausagebiscuit March 2, 2009 7:05 AM PST
One of the first steps is user education. Anti-whatever is useless with a clueless user behind the keyboard.

An old IT joke is that 90%+ of the problems with computers lie between the chair and the keyboard.
by ewelch March 2, 2009 9:38 AM PST
Typical of "Nick the IT guy" claiming the problem is the user, when in fact, most often it's the IT department's lack of training of users that is the real culprit. Until IT people get off their high horse and stop acting like some kind of priesthood with the keys to the mystical techno-kingdom (which they ain't sharing with anyone) this problem will fester in most corporate offices.
by TrioBrothers March 2, 2009 10:55 AM PST
Well... you are right.

Ignore ewelch's comment.

The problem is the user.

I got plenty of friends who feel protected after installing the tool called 'antivirus' and well, antispyware too.

Yet... They face miraculously lots of problems within weeks after a clean reformat or after fixing stubborn malware problems. Why? They forgot even with the best, it is never the best. They forgot to update definition files, never performed a full manual system scan periodically, computer always clogged up with memory reaching near maximum (because playing games and doing work at the same time, not forgetting the spyware running along...).. and WORST OF ALL, don't know how to handle commands when these anti-malware software pop up an alert (they simply press 'Ignore' and I was like what the???).
by c|net Reader March 2, 2009 1:16 PM PST
@ewelch

It sounds like you're on a rather high horse, too. What about the users that continue to click on links in malicious e-mail despite education to the contrary? There are IT folks who look down on the rest and there are users who can't be bothered to learn anything new. Since most in the IT and user camps are not so extreme, try attacking less and being more constructive.

It may be that some users are so clueless that they should be fired or not granted access to normal networks, the internet, etc. It may be that there are some IT folks that should not deal with users under any circumstances (or should be fired). The point is that there are ways around these difficulties without needing to attack entire groups.
by lamego.pinto March 2, 2009 7:25 AM PST
I remember there was anti-virus software with heuristic scanning (IIRC it was F-Prot) before 2000; there is nothing new in this news, just a marketing headline.
by TrioBrothers March 2, 2009 10:58 AM PST
I think heuristic was an old tech.

My old computer last time running Windows 98SE with Trend PC-Cillin had heuristic protection already, if I am not mistaken.

And I read somewhere all antivirus vendors use heuristics to trap new malware. That's why we never fail to hear of antivirus programs accidentally deleting files, mostly Windows core files, when they suspect the files perform 'maliciously'. Heard of what Symantec and AVG did late last year?
by ComputerAce March 2, 2009 6:04 PM PST
There is a big difference between generic heuristics (basically pattern matching) and full blown behavioral analysis. I applaud AVG for this much as I did for ThreatFire.

This is not a marketing ploy...look at the detection rates from the major vendors when they run tests with 15 day old definitions. They don't catch crap.
by professionaladventurer March 2, 2009 7:44 AM PST
PEBCK: Problem Exists Between Chair and Keyboard.
by c|net Reader March 2, 2009 1:17 PM PST
That's close, but not right. PEBKAC is what you're looking for: Problem Exists Between Keyboard and Chair.
by TrioBrothers March 2, 2009 10:50 AM PST
Well...

If you want to try and see effectiveness of behavior-based detection, PC Tool has it with Threat Fire.
I say so far it has been 100% effective.

Why?

It does what it says. Analyzing all behaviors of files and processes, it traps quite a few programs that try to perform maliciously, though some happen to be: So far, it traps a lot of programs trying to inject data into other files, change core system files (remember those XP to Vista/7 looks changers? I installed one and TF detected this software changing system files, good! Though... they weren't malicious in the first place, the changes only change startup boot skins...), install or uninstall (for some reason, it seems to have problems with lots of uninstallers, recording them as trying to delete program files), programs that send out data over the Internet (set the protection to 5 and you will be alerted of this, though it's freaking annoying if you are trying to update your software or surf the Internet, so then, remain at level 3 and get a good firewall).. the list goes on.

It was so effective (from my experience) I will install it immediately after a clean reformat or helping my friends out. Even those thumbdrive viruses can't run away.
by ComputerAce March 2, 2009 6:08 PM PST
ThreatFire and Sana technology (IDP) are the only true behavior-based detection on the market today. We should applaud this approach to detection as definitions are the way of the past.
by mendenevev March 3, 2009 6:33 AM PST
It's difficult to store large amounts of information about malware on the computer without penalizing performance. The big number of new samples of malware has meant that signature files have to store an increasing amount of information and this requires more space. This in turn leads to greater consumption of resources on users' computers, slowing them down.

One solution could be "Cloud Computing" http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201228
by rpmyers1 March 3, 2009 9:49 AM PST
New? I worked on technology like this for a company several years ago, until they were bought by Symantec.
by subsider34 March 3, 2009 1:42 PM PST
How is this new? Eset Nod32 has been primarily using advanced heuristics for years.
by ferretboy88 March 3, 2009 3:25 PM PST
I feel a little bit safer dual booting Windows and Linux. Just a bit.