Tuesday, September 22, 2009

The slow death of antivirus tools

I think by now everyone using a computer that is somehow connected to the Internet is running an antivirus/Internet security/anti-spyware/etc. solution. No matter which one you choose, they are all based on signatures to recognize malicious code entering your system. Those signatures need to be updated on a regular basis to keep up with the known malware out there. You wonder why "known"? An antivirus company needs a sample of the malicious code to produce a signature, which means zero-day malicious code cannot be recognized by the program. Also, if you do not update the signatures, the antivirus tool might not catch the latest known malicious code (e.g. a virus or a worm) since you are lacking the signature. Let's summarize this and take a closer look:

First of all, the malicious code needs to be already known and identified as such before your software can do anything about it. Most vendors incorporate so-called heuristic analysis routines into their programs, but these are usually either so sensitive that most users turn them off (some vendors even ship them turned off by default!) or so lax that they do not react at all. The fact is that the industry has failed to provide a reliable heuristic scan solution so far.

Second, those programs do not reliably identify all the viruses they "know". There is not one program out there that has recognized 100% of the malicious code in the wild, even with all signatures installed. This is quite disturbing, but a reality.

I am sure everyone has complained about his/her computer being slow or flaky. Ever thought that this might be because of the antivirus program you are running? The reality is that those programs hook into all kinds of system calls and are constantly checking memory and files for malicious code. All this costs performance and your time. Unfortunately, signature-based checks can only work that way.

Which brings me to the third point: the number of signatures has grown so much that every year the antivirus vendors set a new record for the number of new signatures they push out.

So what is the point? The point is that all these antivirus programs are dying a slow death, the death of too many signatures to check in the time available.
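To make the "too many signatures" argument concrete, here is an added toy scanner (example code, not from the original post). The signature names, byte patterns and sample "files" are all constructed; the comparison it shows is between a naive scanner, whose work grows with every signature added, and an Aho-Corasick automaton that checks all signatures in a single pass, while in both cases a file with no signature in the database is simply never flagged.

```python
"""Toy signature scanner (added example, not from the original post).
Signatures and "files" are constructed byte strings, not real malware."""
from collections import deque

SIGNATURES = {  # hypothetical names and patterns
    "Test.Worm.A": b"\x4d\x5a\x90\x00PAYLOAD-A",
    "Test.Trojan.B": b"drop_and_run\x00",
    "Test.Virus.C": b"\xeb\xfe\x90\x90\x90\x90",
}
FILES = {  # constructed sample inputs
    "worm.bin": b"\x4d\x5a\x90\x00PAYLOAD-A" + b"\x00" * 64,
    "clean.txt": b"quarterly report: nothing to see here",
    "mixed.bin": b"junk" + b"drop_and_run\x00" + b"\xeb\xfe\x90\x90\x90\x90",
    "unknown.bin": b"\xeb\xfe\x90\x90NEW-FAMILY",  # no signature exists yet
}

def naive_scan(data, sigs):
    """One pass over the data per signature: O(len(data) * len(sigs))."""
    return sorted(name for name, pat in sigs.items() if pat in data)

class AhoCorasick:
    """Multi-pattern matcher: one pass over the data for all signatures."""
    def __init__(self, sigs):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for name, pat in sigs.items():          # build the trie
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].add(name)
        queue = deque(self.goto[0].values())     # depth-1 nodes fail to root
        while queue:                             # BFS to fill failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def scan(self, data):
        node, hits = 0, set()
        for b in data:                           # single pass over the file
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits |= self.out[node]
        return sorted(hits)

def scan_files(files, sigs):
    """Return {filename: [matched signature names]} for every file."""
    ac = AhoCorasick(sigs)
    return {name: ac.scan(data) for name, data in files.items()}
```

Adding a thousand more signatures makes `naive_scan` a thousand passes slower per file, while `AhoCorasick.scan` still walks each file once; `unknown.bin` stays unflagged under both until someone writes a signature for it.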

Some of the vendors have realized that and are already turning to solutions that utilize the "cloud" (see the cloud posting in this blog) to recognize infected files. But what happens to the people who are offline for an extended time? I guess they might be out of luck.

Here is some further reading:
Antivirus tools compared August 2009

1SSA - Security Consulting, Training and Products