What does the future hold for signature-based antivirus? We've got some expert opinions on the subject.
The downside to the new antivirus technologies discussed above is that none is as simple and alluring as old-style signature-based antivirus, which Natalie Lambert, an analyst at Forrester Research, called a "set it and forget it" technology. She notes that HIPS technologies are difficult to manage and will never be as simple as the old model, although she expects they will get easier over time.
Greg Shipley, CTO at security consultancy Neohapsis, says none of these techniques is really new. He notes that it has been more than four years since McAfee purchased Entercept, for instance. But "what role does it play and what percentage of things does it stop? I have no visibility into that". Shipley says he plans to bring in Bit9 to look at whether it could really replace his current antivirus software.
Antivirus firms agree that they are becoming something different.
Sophos, for instance, uses several additions to signature-based AV.
Sophos examines program behaviour - the modifications a program makes to things such as system configuration and files as the program runs. The company has also built in a preexecution algorithm, a kind of crystal ball to simulate what unfamiliar code looks likely to do.
Richard Wang, manager of Sophos Labs in the US, says that while signatures are easy to create, things such as preexecution code are harder and thus take more time. But the payoff is that it can work against multiple strains of malicious software.
He said that for the Storm worm, Sophos generated only one signature but has been able to recognise all the variants. Wang describes this type of technique as "almost like a broad-spectrum antibiotic".
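To make concrete the difference Wang draws between a per-sample signature and a broad-spectrum one, the following Python is an added example written for this page; it is not Sophos's code or detection logic. The "worm family" samples are constructed byte strings built around a toy XOR decoder stub whose key and call offset change per variant, and both the hash database and the generic byte pattern are assumptions chosen to illustrate the point, not real signatures.

```python
import hashlib
import re

# Toy "decoder stub" shared by every member of the constructed family:
#   call <rel32> ; xor eax,eax ; mov al,[ebx+ecx] ; xor al,<key> ;
#   mov [ebx+ecx],al ; inc ecx ; loop
# The per-variant parts are the 4-byte call offset and the 1-byte XOR key.
DECODER_HEAD = b"\x31\xc0\x8a\x04\x0b\x34"
DECODER_TAIL = b"\x88\x04\x0b\x41\xe2\xf5"


def build_sample(key: int, call_offset: bytes, plaintext: bytes) -> bytes:
    """Construct one synthetic variant: fake header, stub, XOR-encoded payload."""
    encoded = bytes(b ^ key for b in plaintext)
    return (b"MZ" + b"\x00" * 6 + b"\xe8" + call_offset
            + DECODER_HEAD + bytes([key]) + DECODER_TAIL + encoded)


# Constructed samples (made-up bytes, not real malware). Each variant
# differs in key, call offset and embedded string, as a mutating family would.
SAMPLES = {
    "variant_a": build_sample(0x5A, b"\x10\x00\x00\x00", b"cmd:join#chan1"),
    "variant_b": build_sample(0x3C, b"\x24\x00\x00\x00", b"cmd:join#chan2"),
    "variant_c": build_sample(0x0A, b"\x0a\x01\x00\x00", b"cmd:update-now"),
    # A harmless file that merely shares a couple of instruction bytes.
    "benign":    b"MZ" + b"\x00" * 6 + b"\x31\xc0\xc3" + b"hello world",
}


def sha256_signature(data: bytes) -> str:
    """Exact-match signature: one hash per known sample."""
    return hashlib.sha256(data).hexdigest()


# The analyst only ever saw variant_a, so the hash database holds one entry.
HASH_SIGNATURE_DB = {sha256_signature(SAMPLES["variant_a"])}

# Generic signature: the invariant stub with the variable bytes wildcarded.
# re.DOTALL is required so '.' also matches 0x0a in raw bytes.
GENERIC_SIGNATURE = re.compile(
    rb"\xe8.{4}" + re.escape(DECODER_HEAD) + rb"." + re.escape(DECODER_TAIL),
    re.DOTALL,
)


def scan(samples: dict, hash_db: set, generic_sig: re.Pattern) -> dict:
    """Run both detection styles over every sample and report per-sample hits."""
    return {
        name: {
            "hash": sha256_signature(data) in hash_db,
            "generic": generic_sig.search(data) is not None,
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, hits in scan(SAMPLES, HASH_SIGNATURE_DB, GENERIC_SIGNATURE).items():
        print(f"{name:10s} hash={hits['hash']!s:5s} generic={hits['generic']}")
```

Running it shows the trade-off the article describes: the hash signature catches only the sample it was made from, while the single generic pattern catches all three variants and leaves the benign file alone. The wildcarded bytes are also why a generic signature takes longer to ship: every wildcard widens what can match, so the pattern has to be tested against a clean-file corpus before release to keep the false-positive rate down.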
Interestingly, the One Laptop Per Child (OLPC) Foundation's XO laptop is another place to look for new AV techniques.
The XO uses the Bitfrost specification, developed expressly for this simple computer. OLPC claims that the system "is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market".
The OLPC XO ships in a default mode that is basically locked down but simple for the user to open up. The Bitfrost specification uses a series of built-in protections, including sandboxes or program jails for applications and system-level protections that prevent alterations from code that could do something harmful.
Whether Bitfrost would work in a corporate environment or will be commercialised outside the OLPC project is unclear. But Avien's Harley, for one, thinks that there are psychological reasons why antivirus software is unlikely to go away.
"The idea of a solution that stops real threats and doesn't hamper nonmalicious objects and processes is very attractive. People (at any rate, those who aren't security specialists) like the idea of threat-specific software as long as it catches all incoming malware and doesn't generate any false positives, because then they can just install it and forget about it. Unfortunately, that's an unattainable ideal."
Note to Greg Shipley: don't hold your breath on getting rid of your antivirus software.