The first defense involves new developments in basic antivirus software. Some antivirus products have added rootkit and spyware detection, outbound attack detection, and real-time checking against the cloud. Some of these advances have been included with basic antivirus for many years, but their effectiveness has been improving. Traditional signature-based detection has been bypassed by newer and more capable code, and one of the recent improvements is real-time checking against the cloud to determine whether code about to execute is malware. This works by creating a hash of the file, sending the hash to the cloud, checking whether the hash corresponds to known malicious code, suspicious code, or known good code, and then either blocking it, asking the user, or allowing it to execute. The user responses are collected to score the file as malicious code or known good code. These features are now starting to gain more widespread acceptance by the security community and end users.
The other main defense that could be used to stop more sophisticated code is whitelisting. More advanced users or enterprises can use whitelists to allow only approved executables to run. While this tactic has potentially significant start-up costs and requires ongoing management to approve new software, it can stop malware from infecting a computer. Some new whitelisting software works like the cloud-checking antivirus described above: it verifies in the cloud whether executable code is approved and only then lets it execute.
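The two decision models described in the paragraphs above differ mainly in what happens to a file the service has never seen. The following example is added here to make that difference concrete; it is not code from the original article or from any antivirus vendor. It hashes file contents with SHA-256, looks the hash up in a constructed in-memory table that stands in for a cloud reputation service, and returns block / ask-user / allow. A second function applies the whitelist rule (only approved hashes run), and a third tallies constructed user responses into a score as the article describes. All file contents, hashes, labels, and function names are assumptions for the example.

```python
import hashlib
from collections import Counter
from enum import Enum


class Verdict(Enum):
    BLOCK = "block"
    ASK_USER = "ask_user"
    ALLOW = "allow"


def sha256_of(data: bytes) -> str:
    """Hash the file contents; only this digest would be sent to the cloud."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files". Real inputs would be executable bytes read from disk.
SAMPLE_MALWARE = b"constructed sample: pretend-malware bytes"
SAMPLE_SUSPICIOUS = b"constructed sample: unsigned packer stub"
SAMPLE_GOOD = b"constructed sample: vendor-signed utility"
SAMPLE_UNKNOWN = b"constructed sample: never seen before"

# Constructed stand-in for the cloud reputation database (hash -> label).
CLOUD_REPUTATION = {
    sha256_of(SAMPLE_MALWARE): "malicious",
    sha256_of(SAMPLE_SUSPICIOUS): "suspicious",
    sha256_of(SAMPLE_GOOD): "known_good",
}

# Constructed enterprise allowlist: the only hashes permitted to execute.
APPROVED_HASHES = {sha256_of(SAMPLE_GOOD)}


def cloud_verdict(data: bytes, reputation=CLOUD_REPUTATION) -> Verdict:
    """Reputation model: known-bad is blocked, suspicious prompts the user,
    and anything else (known-good OR never seen) is allowed to run."""
    label = reputation.get(sha256_of(data))
    if label == "malicious":
        return Verdict.BLOCK
    if label == "suspicious":
        return Verdict.ASK_USER
    return Verdict.ALLOW


def whitelist_verdict(data: bytes, approved=APPROVED_HASHES) -> Verdict:
    """Whitelist model: default-deny. Unknown files are blocked, which is
    what lets this approach stop malware that no signature yet covers."""
    return Verdict.ALLOW if sha256_of(data) in approved else Verdict.BLOCK


def record_user_response(data: bytes, allowed: bool, responses: dict) -> None:
    """Collect one user's allow/deny decision for a file, keyed by its hash."""
    tally = responses.setdefault(sha256_of(data), Counter())
    tally["allowed" if allowed else "denied"] += 1


def crowd_score(data: bytes, responses: dict):
    """Fraction of collected responses that allowed the file, or None if no
    responses exist yet. A service would fold this into its label for the hash."""
    tally = responses.get(sha256_of(data), Counter())
    total = tally["allowed"] + tally["denied"]
    return tally["allowed"] / total if total else None


if __name__ == "__main__":
    for name, blob in [("malware", SAMPLE_MALWARE), ("suspicious", SAMPLE_SUSPICIOUS),
                       ("good", SAMPLE_GOOD), ("unknown", SAMPLE_UNKNOWN)]:
        print(f"{name:10s} cloud={cloud_verdict(blob).value:9s} "
              f"whitelist={whitelist_verdict(blob).value}")
```

The row worth noticing in the output is the unknown file: the reputation check lets it run because nothing in the table says otherwise, while the whitelist blocks it because nothing says it is approved. That default-deny behaviour is the source of both the protection and the management cost the article mentions, since every new legitimate executable must be hashed and added to the approved set before it will run.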
This was first published in December 2009