Virus scanners being updated to fight worms

Virus scanners being updated to fight worms



If I asked for a show of hands of who was affected by the Slammer or Code Red worms, a significant percentage of the hands in the room would go up. Why? Because these two worms are examples of a new breed of malicious code that has been released onto the world's network. The worst part of this is that most virus scanners to date are completely unable to prevent attacks of this measure, even when they have updated and current definition lists.

So what's the issue? Memory-resident only code. The Slammer worm and Code Red are two examples of malicious code that does not write itself to the hard drive of a compromised system. Instead, it installs itself as an active service or process. Most virus scanners are unable to stop this type of attack because they focus on scanning files stored on the hard drive. Those that are capable of detecting in-memory attacks were also rendered useless because the worms acted as system services, and the virus scanners did not have the ability to stop system services. Thus, these bad boys -- even if detected -- could have kept on playing cruelly with your system, right under the watchful eye of your electronic malicious code sentry.

However, numerous antivirus software vendors have learned from these recent outbreaks and have re-tooled their flagship products to erect a new barrier of protection against memory-resident only attacks. Basically, the new features include the ability to scan all active processes, whether initiated

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

by the user account or the system, including all system services, and look for malicious code or suspect activity. Once detected, these new scanners have been granted the ability to stop services that fail the innocence tests.

Before another round of debilitating worm attacks occurs, visit your antivirus vendor's Web site to see if they have improved their product with this new weapon. If they don't offer it, it's time to switch to a vendor that is more up-to-date with malicious code trends. After all, the integrity of your network is at stake -- why rely on a tool that doesn't have all the available features?

About the author
James Michael Stewart is a partner of ITinfo Pros, Inc., a technology-focused writing and training organization.

For more information, visit these resources:

This was first published in April 2003

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top