To read the press releases, the big developments in antivirus software these days are things like "behavior-based" scanning for viruses, peer-to-peer updates of antivirus signature lists and automated updates of virus signatures when users log onto the corporate network.
These are all important capabilities, and they all have their place. But when you look under the covers, they're not as new as they seem. The biggest news in antivirus (especially in light of the terror attacks of Sept. 11) can be summed up in two words: centralization and cooperation.
Centralization means creating a single console to manage multiple antivirus tools, even if those tools are sold by a competitor or protect different parts of the network infrastructure, such as e-mail gateways and servers, as well as desktops. Cooperation means antivirus tools that can share information with network security tools to catch new threats such as worms and denial-of-service attacks, which tie up servers with useless work.
Centralization is important because security managers now face plenty of new information security worries and need easier ways to do grunt work, like updating virus signatures. Merging antiviral tools with network security is vital because more and more threats (such as the Nimda "zombie") attack networks in multiple ways, seeping in as e-mail attachments or through a user's Web browser. Stopping the virus at an e-mail gateway is far easier, and prevents more damage, than tracking down and eliminating it at every workstation.
Vendors "are beginning to do things large companies have asked for, like better centralized control" of antiviral tools from multiple vendors, says Larry Bardwell, technology program manager for ICSA Labs in Carlisle, Pa., a division of TruSecure Corp., which certifies security tools. Using software such as ePolicy Orchestrator 2.5, from the McAfee division of Network Associates Inc., security managers "can update and manage the entire organization from a central location," he says. Early next year, Sophos Inc. plans to roll out Sophos Enterprise Manager, which will provide a fully automated download of security patches and virus identity files from the Web, says Sophos Senior Technology Consultant Graham Cluley.
At the same time, many antiviral vendors are adding capabilities to their tools to allow for scanning e-mail attachments at network gateways, not just on individual PCs or servers, as in the past. "All these companies are making great strides," says Bardwell, in producing products "that look at all areas of the company, from the desktop to the domain server to the network server, as well as e-mail gateways and proxy servers."
For example, Symantec Corp.'s Web Security, launched this summer, runs on firewalls, proxy and caching servers and scans not only for viruses, but unwanted files transmitted over the HTTP or FTP Web protocols. Like many tools, Web Security combines heuristic (or behavior-based) scanning for suspicious code with "list-based" scanning that compares incoming files with the signatures of known viruses. In another move towards unified tools, Web Security also allows managers to scan e-mail for inappropriate content, such as obscenities.
In perhaps the most explicit move to marry different product classes, last August McAfee announced it was teaming up with network security vendors Arbor Networks Inc., Aster Networks Inc. and Mazu Networks Inc. to create a more unified defense against DoS attacks. Sometime early next year, the companies plan to release products that use McAfee technology to scan for zombie viruses already on individual servers or workstations, while technology from the other vendors would scan the network for suspicious behavior.
Some vendors are extending their antiviral tools in other directions -- such as onto disk arrays. In October, storage vendor EMC Corp. announced the integration of antiviral tools from Computer Associates International Inc., McAfee, Symantec Corp. and Trend Micro Inc. with EMC's Celerra network-attached storage device. EMC claims this link will provide virus protection to network storage with less administrative work and system overhead than previous approaches.
Other tools try to catch viruses and other malicious code by watching application behavior. StormWatch from Okena Inc. sits alongside the operating system kernel, monitors calls from applications to file, network and registry resources and compares those calls to defined access control rules.
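The kind of check described above, written out as an added example (not Okena's or StormWatch's code): a small Python policy engine that takes intercepted application calls to file, network and registry resources, compares each one against access control rules, and denies anything no rule allows. The process names, rules and events are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    process: str    # glob over the process image name
    resource: str   # "file", "network" or "registry"
    target: str     # glob over a path, host:port pair or registry key
    action: str     # "allow" or "deny"

@dataclass(frozen=True)
class Event:
    process: str    # image name of the calling application
    resource: str   # which kind of resource the call touches
    target: str     # the path, endpoint or key it touches

def _glob(pattern: str, value: str) -> bool:
    # Case-insensitive glob; fnmatchcase behaves the same on every OS.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def decide(event: Event, rules: list) -> tuple:
    """First matching rule wins; a call no rule covers is denied (least privilege)."""
    for rule in rules:
        if (_glob(rule.process, event.process) and rule.resource == event.resource
                and _glob(rule.target, event.target)):
            return rule.action, rule
    return "deny", None

def violations(events: list, rules: list) -> list:
    """Events the policy would block: these are the ones worth raising an alert on."""
    return [e for e in events if decide(e, rules)[0] == "deny"]

# Constructed policy for a word processor: user documents only, no network,
# no persistence via the Run key. Not a real StormWatch rule set.
RULES = [
    Rule("winword.exe", "file", "C:\\Users\\*\\Documents\\*", "allow"),
    Rule("winword.exe", "network", "*", "deny"),
    Rule("winword.exe", "registry", "HKLM\\*\\CurrentVersion\\Run\\*", "deny"),
    Rule("outlook.exe", "network", "mail.example.com:25", "allow"),
]

# Constructed sample of intercepted resource calls, not real telemetry.
EVENTS = [
    Event("WINWORD.EXE", "file", "C:\\Users\\alice\\Documents\\budget.doc"),
    Event("winword.exe", "registry", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    Event("winword.exe", "network", "203.0.113.5:25"),
    Event("outlook.exe", "network", "mail.example.com:25"),
    Event("notepad.exe", "file", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
]
```

Running `violations(EVENTS, RULES)` flags the Run-key write, the outbound SMTP connection from the word processor, and the notepad.exe access that no rule covers, while the two permitted calls pass silently.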
Even with all these new variations, "the fundamental approach to antivirus remains the same: using a scanner," says Cluley. He claims that "new" trends such as peer-to-peer updating of virus signatures, automatic updating of virus signatures and "behavior-based" checks of suspicious files aren't as new or as useful as they seem once you look under the surface.
But what is new and worthwhile is that antiviral vendors are realizing that customers need what Gartner Inc. calls a "grand unified theory of Internet security." That means antiviral tools that can be centrally managed and can work together -- across vendors, across platforms and across the network -- to screen out malicious code. Hackers look at the big picture of your systems when they plan their attacks; it's high time antiviral tools do the same.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.
This was first published in November 2001