Published: 01 Apr 2011
Security experts and executives at security vendors are in agreement that signature-based antivirus isn't able to keep up with the explosion of malware. For example, in 2009, Symantec says it wrote about 15,000 antivirus signatures a day; that number has increased to 25,000 antivirus signatures every day.
"Signatures have been dying for quite a while," says Mikko H. Hypponen, chief research officer of Finland-based antivirus vendor F-Secure. "The sheer number of malware samples we see every day completely overwhelms our ability to keep up with them."
Security vendors have responded by updating their products with additional capabilities, such as file reputation and heuristics-based engines. They're also making upgrades to keep up with the latest technology trends, such as virtualization and cloud computing.
New and constantly changing malware variants have forced antivirus vendors to respond, says Chris Christiansen, an industry analyst and program vice president for security products and services at IDC. He says reputation technologies provide a far more predictable way of enhancing security.
"Users we've been talking to have been complaining endlessly about how a variety of the signature-based technologies have been failing them," Christiansen says.
Hypponen says F-Secure takes the layered approach, using different scanning engines, including file reputation and heuristics engines, to attempt to detect nefarious activity, but he adds that "no solution is 100 percent effective and no one claims to protect against everything." Application whitelisting, which was once seen as the answer to antivirus' failure to keep up, isn't a panacea, Hypponen says. The technology isn't effective against document exploits, including those that target Microsoft Word or Adobe Reader. "You can't whitelist all known good documents," he says.
Just prior to RSA Conference 2011, Symantec announced planned updates to its endpoint protection suites, which include support for VMware's API for virtualization. Like F-Secure, the security giant also added heuristics and reputation-based engines to monitor potentially malicious file behavior. Piero DePaoli, director of product marketing, calls the company's SONAR technology "advanced," and says the behavioral reputation engine (acquired by Symantec in 2005) can detect whether a file is acting suspiciously. The feature helps block new exploits targeting zero-day flaws, he says.
The system is being tested on more than 100 machines at Temple University. Seth Shestack, associate director of information security at Temple, says the latest version seems to be detecting malware before any malware signatures are developed. The machines on average get a 12- to 36-hour lead time on detecting new malware variants over traditional detection methods, Shestack says.
Trend Micro CEO Eva Chen says signatures are going to continue to be needed to protect computer users, but new technologies can help bolster the effectiveness of signatures. "It needs to be a cocktail solution," she says.
Chen says Trend has long used reputation technology, offering a threat detection appliance Chen developed that supports antivirus by monitoring files on the network for anomalies and tracking the destination of the files to detect problems. The goal is to provide technology that is "content aware, context aware and location aware," Chen says.
"There's monitoring and risk management that you should put in place," Chen says. "If you get infected, we can tell you early that you've got strange activity going on in your network."
Trend Micro also is tackling the issue of what Chen calls "antivirus storm" with its newly configured protection of virtualization hypervisors. Traditional antivirus doesn't work in virtual environments, she says, because if one virtual machine performs a scan, all the other machines stop working.
"This scanning is very I/O intensive, because all the virtual machines are sharing the same I/O bus and the same memory ports," Chen says. "This is a big headache for the security and the virtualization people."
About six months ago, Trend added support for VMware's virtualization hypervisor API so the company doesn't have to load its agents on all the virtual machines. A smart agent embedded into the VMware API can do the scanning of all the machines, greatly reducing performance issues, Chen says.