In addition to the more traditional methods of searching for virus signatures, like virus ‘mask’ matching, there also exists a range of detection technologies capable of recognizing the latest, unknown, malicious programs. The quality of these new technologies helps to raise the overall security level provided by each individual product. Such proactive protection methods include heuristic technologies for detecting malicious code and also behavior blockers.
Now and again, manufacturers of antivirus programs try to invent some innovative piece of technology that would solve all of the problems discussed so far in one hit. They are seeking to develop a kind of panacea that could protect every computer from every type of malevolent attack, once and for all. They try to ‘proactively’ protect the user by seeking to be able to detect and delete viruses and other emergent malware, even before it is created and launched on an unsuspecting world.
Unfortunately, this well-intentioned quest remains unfulfilled. Universal solutions can only be applied to generic problems, and computer viruses just don’t play by the rules. They are not the product of some well-documented process, but originate in the often sophisticated mind of the hacker. Viruses follow constantly changing paths which are largely dependent upon the aims and desires of those that inhabit the darker side of the digital world.
Let’s look at how a behavior blocker differs in detection methodology from a more traditional signature-based antivirus solution. They use two very different approaches to virus detection with the intention of arriving at the same end. Signature detection compares a program’s code with the code of known viruses, looking for a positive match. A behavior blocker monitors the launch and operation of programs to ensure that they conform to expected rules and blocks them if they appear suspicious or obviously malicious. Both methods have their own advantages and disadvantages.
On the plus side, a signature scanner is guaranteed to trap any ‘beast’ that it recognizes. The minus is that it may well miss the ones that are not familiar to it. Staying on the minus side, antivirus databases are enormous, and this can push up the use of system resources considerably. Behavior blockers are advantageous as they are able to detect malicious programs, even those that they are unfamiliar with. However, they can easily miss well-known variants of malware, as the behavior of modern viruses and Trojans is so unpredictable that no one set of rules can ever encompass everything. Another downside of behavior blockers is that every once in a while they can throw up false positives, as even legitimate programs can behave in unexpected ways. Thus occasionally a behavior blocker will miss a malicious program and block the operation of a legitimate one.
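The trade-offs described above can be made concrete with a small simulation. The following is an added example written for this page, not code from the article or from any antivirus product: the ‘mask’ signature (hex bytes with `??` wildcards), the behavior rules, and the five sample programs are all constructed here. It runs both detection methods over the same samples and reports, for each method, what was detected, what was missed, and what was blocked wrongly.

```python
"""Toy comparison of signature ('mask') scanning and behavior blocking.

Everything below (masks, rules, sample programs) is constructed for
illustration; none of it comes from a real product or real malware.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Program:
    name: str
    code: bytes           # constructed stand-in for the file's bytes on disk
    behavior: List[str]   # constructed trace of operations seen at run time
    is_malicious: bool    # ground truth, used only for scoring the methods


# Signature masks in the 'mask matching' style: hex bytes, '??' = any byte.
# Hypothetical family name and constructed byte values.
SIGNATURE_MASKS: Dict[str, str] = {
    "Worm.Example.A": "DE AD ?? ?? BE EF",
}

# Behavior rules: a program is blocked when its trace contains every
# operation listed in some rule. Hypothetical rule names and operations.
BEHAVIOR_RULES: Dict[str, set] = {
    "autorun-and-spread": {"write_autorun_key", "enumerate_shares", "copy_self"},
    "disable-defenses": {"stop_av_service", "write_autorun_key"},
}


def parse_mask(mask: str) -> List[Optional[int]]:
    """'DE AD ?? BE' -> [0xDE, 0xAD, None, 0xBE]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in mask.split()]


def mask_matches(code: bytes, pattern: List[Optional[int]]) -> bool:
    """Slide the mask over the code; a wildcard position matches any byte."""
    n = len(pattern)
    for start in range(len(code) - n + 1):
        if all(p is None or code[start + i] == p for i, p in enumerate(pattern)):
            return True
    return False


def signature_scan(program: Program) -> Optional[str]:
    """Return the name of the first mask that matches, or None if clean."""
    for name, mask in SIGNATURE_MASKS.items():
        if mask_matches(program.code, parse_mask(mask)):
            return name
    return None


def behavior_block(program: Program) -> Optional[str]:
    """Return the name of the first behavior rule the trace satisfies, or None."""
    seen = set(program.behavior)
    for name, required in BEHAVIOR_RULES.items():
        if required <= seen:
            return name
    return None


# Constructed samples chosen to exercise each failure mode from the text.
SAMPLES: List[Program] = [
    # Known worm: matches the mask and behaves like one.
    Program("worm_a.exe", b"\x00\x01\xde\xad\x01\x02\xbe\xef\x90",
            ["write_autorun_key", "enumerate_shares", "copy_self"], True),
    # Repacked variant: one byte differs, so the mask no longer matches,
    # but the behavior is unchanged.
    Program("worm_b_variant.exe", b"\x00\x01\xde\xac\x01\x02\xbe\xef",
            ["write_autorun_key", "enumerate_shares", "copy_self"], True),
    # Known Trojan whose quiet behavior satisfies no rule.
    Program("trojan_quiet.exe", b"\xde\xad\xff\xff\xbe\xef",
            ["read_file", "send_http"], True),
    # Legitimate installer that registers autorun, browses shares for an
    # install path and copies itself: a textbook false positive.
    Program("setup_legit.exe", b"\x4d\x5a\x90\x00",
            ["write_autorun_key", "enumerate_shares", "copy_self"], False),
    Program("notepad.exe", b"\x4d\x5a\x90\x00\x03",
            ["read_file", "write_file"], False),
]


def evaluate(programs: List[Program]) -> Dict[str, Dict[str, List[str]]]:
    """Score both methods: true positives, false negatives, false positives."""
    methods = {"signature": signature_scan, "behavior": behavior_block}
    result = {m: {"detected": [], "missed": [], "false_positives": []} for m in methods}
    for method, detect in methods.items():
        for p in programs:
            flagged = detect(p) is not None
            if p.is_malicious and flagged:
                result[method]["detected"].append(p.name)
            elif p.is_malicious:
                result[method]["missed"].append(p.name)
            elif flagged:
                result[method]["false_positives"].append(p.name)
    return result


if __name__ == "__main__":
    for method, stats in evaluate(SAMPLES).items():
        print(method, stats)
```

Running it shows the signature scanner catching both known samples but missing the repacked variant, while the behavior blocker catches the variant it has never seen, misses the quiet Trojan, and wrongly blocks the installer. Swapping the one differing byte back, or adding a rule for `send_http` after `read_file`, is the ‘update’ each method would need, which is the cycle the next paragraphs describe.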
A behavior blocker has one more inherent drawback and that is its inability to get to grips with some of the newer viruses. Let’s take as an example Company X, which has developed a behavior-blocking program called AVX capable of trapping 100% of all current viruses. How would hackers react to this? Surely they would invent an altogether different way of infecting the system, invisible to AVX. The AVX antivirus will then need to update its behavior recognition rules. So Company X issues updates. Then more updates, and more again, as the hackers and virus-writers constantly find new ways around the updates. Finally we end up with a signature scanner again, where the signatures take the form of ‘behavior’ instead of ‘fragments of code’.
The above scenario also encompasses the heuristic analyzer, another proactive protection method aimed at monitoring a program’s launch and operational behavior and stopping it if it appears malevolent. As soon as such anti-virus technologies start to seriously thwart the hackers, preventing them from attacking their victims, a new set of virus technologies emerges that is geared towards avoiding heuristic protection methodology. As soon as a product that features advanced heuristics and behavior-blocking technology becomes popular, it ceases to be effective.
Thus these newly-invented proactive technologies tend to have a very limited shelf-life. Whilst amateur hackers may take weeks or months to bypass new proactive technologies, the more experienced among them may find a way around them in hours or even minutes. As effective as it is, a behavior blocker or heuristic analyzer requires constant improvement and updating. It should be remembered that adding a new signature to an antivirus database takes just minutes, whereas finalizing and testing proactive protection technologies is much more time consuming. In actual fact, the speed with which virus signatures can be added to databases and released in the form of updates is often considerably faster than updated solutions can be issued for similar proactive technologies. This has proven to be the case in many email and network worm epidemics, as well as in relation to spyware and other criminal software.
All this does not mean of course that proactive protection methods are useless. They do their job and are capable of blocking a great deal of unsophisticated malware developed by relatively unskilled hackers. Therefore they can be considered as a worthwhile addition to traditional signature scanners, but should not be wholly relied upon in isolation.