Virus scanners being updated to fight worms



If I asked for a show of hands of who was affected by the Slammer or Code Red worms, a significant percentage of the hands in the room would go up. Why? Because these two worms are examples of a new breed of malicious code that has been released onto the world's networks. The worst part is that most virus scanners to date are completely unable to prevent attacks of this kind, even when they have current definition lists.

So what's the issue? Memory-resident-only code. The Slammer worm and Code Red are two examples of malicious code that does not write itself to the hard drive of a compromised system. Instead, it installs itself as an active service or process. Most virus scanners are unable to stop this type of attack because they focus on scanning files stored on the hard drive. Those that are capable of detecting in-memory attacks were also rendered useless because the worms ran as system services, and the virus scanners did not have the ability to stop system services. Thus, these bad boys -- even if detected -- could keep on playing cruelly with your system, right under the watchful eye of your electronic malicious code sentry.

However, numerous antivirus software vendors have learned from these recent outbreaks and have re-tooled their flagship products to erect a new barrier of protection against memory-resident-only attacks. Basically, the new features include the ability to scan all active processes, whether initiated by the user account or by the system, including all system services, and look for malicious code or suspect activity. Once something is detected, these new scanners have been granted the ability to stop services that fail the innocence tests.
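The two capabilities described above, scanning every active process regardless of who launched it and being able to stop a system service rather than only a user process, can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any antivirus vendor: the process snapshots, service flags and byte signatures are all constructed for the example, and the "??" single-byte wildcard is a simplified stand-in for the pattern syntax real signature engines use.

```python
"""Sketch of an in-memory process scanner (added example; not the article's or any
vendor's code). It walks a snapshot of every active process, user-launched or system
service alike, matches each process's memory image against byte signatures, and
decides a response. Every process, memory image and signature here is constructed."""
from dataclasses import dataclass


@dataclass
class ProcessSnapshot:
    pid: int
    name: str
    system_service: bool   # True if the process runs as a system service
    memory: bytes          # constructed stand-in for the process's readable memory


# Constructed signatures (NOT real worm bytes): hex bytes, "??" matches any one byte.
SIGNATURES = {
    "Constructed.Worm.A": "68 ?? ?? ?? ?? 8B EC 33 C0 C3",
    "Constructed.Worm.B": "DE AD BE EF ?? ?? CA FE",
}


def parse_signature(text):
    """Turn 'DE AD ?? EF' into a list of ints, with None for a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(haystack, pattern):
    """Return the offset of the first wildcard-aware match of pattern, or -1."""
    n, m = len(haystack), len(pattern)
    for i in range(n - m + 1):
        if all(p is None or haystack[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def scan_processes(processes, signatures=SIGNATURES):
    """Scan every process, user or system, and return (pid, name, signature, offset) hits."""
    compiled = {name: parse_signature(sig) for name, sig in signatures.items()}
    hits = []
    for proc in processes:
        for sig_name, pattern in compiled.items():
            off = find_pattern(proc.memory, pattern)
            if off >= 0:
                hits.append((proc.pid, proc.name, sig_name, off))
    return hits


def plan_response(processes, hits):
    """Map each detected pid to an action. A scanner that can only terminate user
    processes leaves an infected service running, which is the gap the article
    describes, so services get a distinct stop-service action."""
    by_pid = {p.pid: p for p in processes}
    actions = {}
    for pid, _, sig_name, _ in hits:
        proc = by_pid[pid]
        action = "stop-service" if proc.system_service else "terminate-process"
        actions[pid] = (action, sig_name)
    return actions


def build_sample_processes():
    """Constructed snapshot: a clean user process, an infected system service, and an
    infected user process. Payload bytes are made up to match the constructed signatures."""
    worm_a = bytes.fromhex("68 12 34 56 78 8B EC 33 C0 C3")
    worm_b = bytes.fromhex("DE AD BE EF 01 02 CA FE")
    return [
        ProcessSnapshot(1000, "editor.exe", False, b"\x00" * 64 + b"hello" + b"\x00" * 64),
        ProcessSnapshot(1200, "dbservice.exe", True, b"\x90" * 100 + worm_a + b"\x90" * 20),
        ProcessSnapshot(1300, "browser.exe", False, b"A" * 10 + worm_b),
    ]


if __name__ == "__main__":
    procs = build_sample_processes()
    found = scan_processes(procs)
    for pid, (action, sig) in plan_response(procs, found).items():
        print(f"pid {pid}: {sig} -> {action}")
```

Run as a script it reports the infected service (pid 1200) with a stop-service action and the infected user process (pid 1300) with a terminate-process action, while the clean editor process, whose memory contains an 0x68 byte that only partially matches the first signature, is left alone. In a real product the snapshot would come from the operating system's process and memory APIs and the stop-service action would need the privileges the article says early scanners lacked.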

Before another round of debilitating worm attacks occurs, visit your antivirus vendor's Web site to see if they have improved their product with this new weapon. If they don't offer it, it's time to switch to a vendor that is more up-to-date with malicious code trends. After all, the integrity of your network is at stake -- why rely on a tool that doesn't have all the available features?

About the author
James Michael Stewart is a partner of ITinfo Pros, Inc., a technology-focused writing and training organization.



This was first published in April 2003
