What does the future hold for signature-based antivirus? We've got some expert opinions on the subject.

Antivirus software makes Greg Shipley so mad he has to laugh.

"The relationship between signature-based antivirus companies and the virus writers is almost comical. One releases something and then the other reacts, and they go back and forth. It's a silly little arms race that has no end."

Shipley, CTO at Neohapsis, a security consultancy in Chicago, says the worst part is that the arms race isn't helpful either to him or his clients.

"I want to get off of signature-based antivirus as rapidly as possible. I think it's a broken model and I think it's an incredible CPU hog."

The question is, where should he go? Antivirus as an industry has modeled itself on the human immune system, which slaps a label on things such as viruses so it knows to attack them when it sees that same label, or signature, again.

Signature-based antivirus has moved well beyond that simple type of signature usage (although at the beginning, it did look for specific byte sequences lifted from a known sample). In its current, more sophisticated form, it dominates the market for security software, despite some obvious limitations.

You don't use signature-based AV to stop data leakage, for instance, although many kinds of malware are designed to siphon data out of companies.

The number of malware signatures tracked by security software company F-Secure doubled in 2007. You might cynically expect such a company to say there's more malware out there, but the scale is hard to dismiss: in 2007 alone F-Secure added as many signatures as it had built up over the previous 20 years.

Even before 2007, there were plenty of people besides Shipley arguing that antivirus was an industry in trouble. In fact, in 2006, Robin Bloor, an analyst at Hurwitz & Associates, penned a report titled 'Anti-virus is dead'.

He argued that malware exists only because antivirus software exists, and said that antivirus software was doomed to be replaced by new forms of software, which he calls application control, or software authentication tools. Such tools whitelist the software we use and won't run anything else without the user's explicit permission.
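As an added illustration of the application-control model described above (this is not code from the page, nor from Bit9 or any other vendor named in it), here is a minimal content-hash allowlist in Python: anything whose hash is not on the list is blocked unless the user explicitly approves it, and approvals are remembered. The program bytes, file paths and the Allowlist class are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for executables on disk. The bytes are arbitrary
# placeholders, not real binaries; the paths are assumptions for the example.
KNOWN_GOOD: Dict[str, bytes] = {
    "C:\\Windows\\System32\\calc.exe": b"MZ\x90\x00calc 6.1 release build",
    "C:\\Program Files\\Editor\\editor.exe": b"MZ\x90\x00editor 2.4 release build",
}


def fingerprint(data: bytes) -> str:
    """Content hash of a program. Keying the list on content rather than on
    path or filename means a renamed copy of an approved program still
    matches, while a program with even one byte patched does not."""
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Default-deny execution policy: run only what is on the list."""

    def __init__(self, known_good: Dict[str, bytes]) -> None:
        # hash -> path of the program that was approved under that hash
        self.entries: Dict[str, str] = {fingerprint(d): p for p, d in known_good.items()}
        # approvals granted interactively; remembered so the user is asked once
        self.user_approved: Dict[str, str] = {}

    def decide(self, path: str, data: bytes,
               ask_user: Optional[Callable[[str, str], bool]] = None) -> str:
        """Return 'ALLOW' or 'BLOCK' for an attempt to run `data` from `path`.

        ask_user, if given, is called with (path, hash) for unknown programs
        and models the explicit-permission prompt; with no prompt available
        (a locked-down server, say) unknown code is simply blocked."""
        digest = fingerprint(data)
        if digest in self.entries or digest in self.user_approved:
            return "ALLOW"
        if ask_user is not None and ask_user(path, digest):
            self.user_approved[digest] = path
            return "ALLOW"
        return "BLOCK"


def run_demo() -> List[str]:
    """Exercise the policy on a handful of constructed launch attempts."""
    al = Allowlist(KNOWN_GOOD)
    calc = KNOWN_GOOD["C:\\Windows\\System32\\calc.exe"]
    # The same program copied elsewhere under another name.
    renamed_copy = calc
    # A trojanised copy: one byte changed, so the hash no longer matches.
    tampered = calc[:-1] + bytes([calc[-1] ^ 0x01])
    # A never-before-seen program: no signature is needed to stop it.
    unknown = b"MZ\x90\x00dropper"
    temp_path = "C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe"
    return [
        al.decide("C:\\Windows\\System32\\calc.exe", calc),        # ALLOW
        al.decide("D:\\backup\\calc_old.exe", renamed_copy),         # ALLOW
        al.decide("C:\\Windows\\System32\\calc.exe", tampered),    # BLOCK
        al.decide(temp_path, unknown),                               # BLOCK
        al.decide(temp_path, unknown, ask_user=lambda p, h: True),   # ALLOW
        al.decide(temp_path, unknown),                               # ALLOW (remembered)
    ]


if __name__ == "__main__":
    print(run_demo())
```

The flip side is visible in the tampered case: every legitimate software update changes the hash too, so the list has to be refreshed continuously, which is where the vendors' databases of known-good software come in.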

Antivirus firms think reports of their death are greatly exaggerated, thank you very much. That includes vendors that aren't overly reliant on signatures, such as PC Tools, DriveSentry and BitDefender, which says that signature-based techniques account for only 20 percent of the malware it catches.

"Signatures aren't dead, you need them," says Bogdan Dumitru, chief technology officer of BitDefender, which uses behavioural targeting techniques to stop the remainder of attacks. Its main research focus is to develop an 'undo' feature that will let users hit by malware reverse its effects. BitDefender hopes to release this feature this year.

Meanwhile, Bit9, the application whitelisting company highlighted in Bloor's report, uses antivirus software to help build its database of known software - 22 antivirus engines, in fact.

In November 2007, Bit9 announced a deal to give access to this database to security software maker Kaspersky Lab. Bit9 officials said that the database will help Kaspersky check new signatures against known-good software to limit false positives.

It's also true that antivirus makers continue to sell billions of pounds' worth of software, despite Bloor's proclamation. Bloor, though, says that "the technique of protecting PCs using virus signatures is now on the wane", and rattles off a list of whitelisting companies offering software authentication tools: not just Bit9, but also Lumension (formerly SecureWave), Savant Protection, Computer Associates and AppSense.

And he noted the Kaspersky deal and Apple's use of whitelisting to protect the iPhone.

  1. Is signature-based AV here to stay?
  2. There's more to antivirus than whitelisting
  3. What the future of antivirus holds

Visit Security Advisor for the latest internet threat news, and internet security product reviews

Not just whitelisting

Traditional, signature-based antivirus software has its uses. If a system is actually infected by malware, it "may be the least painful way of removing it", says David Harley, administrator of Avien, the antivirus information exchange network, adding, "Whitelisting does seem to be advocated currently as the panacea du jour.

"I think this relentless search for The Answer, discarding one partially successful solution set for something else in the hope that it will eliminate the problem, is actually unprofessional."

Harley makes that argument because he doubts that any single technology approach will be a 100 percent solution when it comes to security. He wrote that whitelisting thus is likely a supplemental technology for fighting malware, making it one of a host of newer technologies that have been adopted, including heuristics, sandboxing and behaviour monitoring.

This layered approach is increasingly being espoused by major security software vendors, too.

And corporate CIOs certainly don't expect to find one answer to their problems. "If you rely on signatures for security, you're pretty much dead in the water," says Ken Pfeil, head of information security for the Americas Region of WestLB, a German bank.

Pfeil thinks signatures are useful and his firm uses them. But when new malware appears, he often finds it faster to break it down himself to understand its potential effects than to wait for his vendor to ship an update. His firm has also adopted tools that use heuristic and anomaly-detection techniques to add oomph to its antivirus approach.

That kind of layered approach fits with where Natalie Lambert, an analyst at Forrester Research, thinks the market is going. She says that signature-based antivirus is 'table stakes' for security software, to be supplemented by techniques such as host intrusion prevention systems (HIPS), which look for suspicious actions by software, such as an application launching itself from the Temp folder.
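An added example (not code from the page, nor McAfee's or Forrester's) of the kind of behaviour rule a HIPS applies at process start: a few constructed process-creation events are run through rules for execution from a Temp folder, a program relaunching a copy of itself from Temp, and an Office application spawning a script host. The last two rules go beyond the single case in the text; the rule names, paths, pids and the exception list are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcessStart:
    """One process-creation event as a HIPS driver would see it (constructed)."""
    pid: int
    image: str         # full path of the executable being launched
    parent_image: str  # full path of the process that launched it
    cmdline: str


# Assumed Windows layout: path fragments that identify scratch directories.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\", "\\tmp\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def exec_from_temp(ev: ProcessStart) -> bool:
    """Code running out of a temp directory: the case named in the text."""
    image = ev.image.lower()
    return any(marker in image for marker in TEMP_MARKERS)


def self_copy_relaunch(ev: ProcessStart) -> bool:
    """A program launching a copy of itself from Temp, a common dropper step."""
    return exec_from_temp(ev) and _base(ev.image) == _base(ev.parent_image)


def office_spawns_script_host(ev: ProcessStart) -> bool:
    """A document viewer has no business starting a shell or script host."""
    return _base(ev.parent_image) in OFFICE_APPS and _base(ev.image) in SCRIPT_HOSTS


Rule = Tuple[str, Callable[[ProcessStart], bool]]
RULES: List[Rule] = [
    ("exec-from-temp", exec_from_temp),
    ("self-copy-relaunch", self_copy_relaunch),
    ("office-spawns-script-host", office_spawns_script_host),
]

# Tuning: installers legitimately unpack to Temp and run from there, so every
# site ends up carrying exceptions like this one. Matching on a filename is
# weak (a dropper can call itself setup.exe); real products key exceptions on
# the binary's signer or hash. This upkeep is the management cost of HIPS.
EXCEPTIONS: Dict[str, Set[str]] = {"exec-from-temp": {"setup.exe"}}


def evaluate(ev: ProcessStart, rules: List[Rule] = RULES,
             exceptions: Dict[str, Set[str]] = EXCEPTIONS) -> List[str]:
    """Names of the rules this event trips, after exceptions are applied."""
    hits = []
    for name, predicate in rules:
        if predicate(ev) and _base(ev.image) not in exceptions.get(name, set()):
            hits.append(name)
    return hits


# Constructed sample events (paths, pids and command lines are invented).
SAMPLE_EVENTS: List[ProcessStart] = [
    ProcessStart(101, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 r"C:\Program Files\Internet Explorer\iexplore.exe", "update.exe /silent"),
    ProcessStart(102, r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmd.exe /c start x.vbs"),
    ProcessStart(103, r"C:\Users\alice\AppData\Local\Temp\notes.exe",
                 r"C:\Users\alice\Downloads\notes.exe", "notes.exe"),
    ProcessStart(104, r"C:\Program Files\Notepad++\notepad++.exe",
                 r"C:\Windows\explorer.exe", "notepad++.exe todo.txt"),
    ProcessStart(105, r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                 r"C:\Windows\explorer.exe", "setup.exe"),
]


def evaluate_all(events: List[ProcessStart] = SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Rule hits per pid; an empty list means the event looked clean."""
    return {ev.pid: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in evaluate_all().items():
        print(pid, hits or "clean")
```

Event 103 shows why such rules need an analyst behind them: the same self-copy-and-relaunch pattern is used by both droppers and self-extracting installers, so whether it is blocked or merely logged is a per-site decision.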

Lambert says McAfee is probably furthest along in using HIPS among the big antivirus makers, having had more time than its rivals to use new features added via corporate acquisitions.

The future...

The downside to the newer antivirus technologies discussed above is that none is as simple and alluring as old-style signature-based antivirus, which Forrester's Natalie Lambert calls a 'set it and forget it' technology. HIPS products are difficult to manage, she notes, and will never be as simple as the old model, although she expects them to get easier over time.

Greg Shipley, CTO at security consultancy Neohapsis, says none of these techniques is really new. He notes that it's been more than four years since McAfee bought HIPS vendor Entercept, for instance. But "what role does it play and what percentage of things does it stop? I have no visibility into that". Shipley says he plans to bring in Bit9 to look at whether it could really replace his current antivirus software.

Antivirus firms agree that they are becoming something different.

Sophos, for instance, uses several additions to signature-based AV.

Sophos examines program behaviour: the modifications a program makes to things such as system configuration and files as it runs. The company has also built in a pre-execution analysis, a kind of crystal ball that simulates what unfamiliar code looks likely to do before it is allowed to run.

Richard Wang, manager of SophosLabs in the US, says that while signatures are easy to create, things such as pre-execution detection logic are harder and thus take more time. The payoff is that a single detection can work against multiple strains of malicious software.

He said that for the Storm worm, Sophos generated only one signature but has been able to recognise all the variants. Wang describes this type of technique as "almost like a broad-spectrum antibiotic".
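To make concrete the difference between the per-sample signature described at the start of the article (a specific byte sequence lifted from one sample) and the single detection covering a whole family that Wang describes, here is an added example in Python. It is not Sophos's code or algorithm and does not implement its pre-execution analysis: three constructed toy "variants" share a code skeleton around variant-specific bytes, and are scanned first with an exact signature copied from one sample and then with a wildcarded generic pattern. All byte sequences, sample names and signature names are invented.

```python
import re
from typing import Dict, List


def make_variant(key: bytes, label: bytes) -> bytes:
    """Constructed toy 'executable': a shared code skeleton wrapped around a
    variant-specific 4-byte key and string. Invented bytes, not real malware."""
    assert len(key) == 4
    return (b"MZ\x90\x00" + label + b"\x00"
            + b"\x55\x8b\xec" + key          # shared prologue, then per-variant key
            + b"\xe8" + key[::-1]             # call with a per-variant operand
            + b"\xc9\xc3")                    # shared epilogue


# Three strains of one family plus one unrelated clean file (all constructed).
SAMPLES: Dict[str, bytes] = {
    "storm_a": make_variant(b"\x01\x02\x03\x04", b"wave-a"),
    "storm_b": make_variant(b"\x99\x88\x77\x66", b"wave-b-repacked"),
    "storm_c": make_variant(b"\xde\xad\xbe\xef", b"c"),
    "clean":   b"MZ\x90\x00hello world\x00\x55\x8b\xec\x31\xc0\xc9\xc3",
}

# Classic signature: the code bytes copied verbatim from the first sample seen.
# Each new strain needs a new entry, which is how signature counts explode.
EXACT_SIGS: Dict[str, bytes] = {
    "Storm.A": SAMPLES["storm_a"][SAMPLES["storm_a"].index(b"\x55\x8b\xec"):],
}

# Generic signature: the same skeleton with the parts that vary wildcarded.
# One entry covers the family, at the price of a larger false-positive surface
# (a wildcard matches anything), which is why generics take longer to write
# and must be tested against known-good software before release.
GENERIC_SIGS: Dict[str, "re.Pattern[bytes]"] = {
    "Storm.Gen": re.compile(rb"\x55\x8b\xec.{4}\xe8.{4}\xc9\xc3", re.DOTALL),
}


def scan_exact(data: bytes, sigs: Dict[str, bytes] = EXACT_SIGS) -> List[str]:
    """Names of exact byte signatures found anywhere in the data."""
    return [name for name, sig in sigs.items() if sig in data]


def scan_generic(data: bytes, sigs: Dict[str, "re.Pattern[bytes]"] = GENERIC_SIGS) -> List[str]:
    """Names of wildcarded patterns that match somewhere in the data."""
    return [name for name, pat in sigs.items() if pat.search(data)]


def detection_report(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, List[str]]]:
    """Which signatures fire on which samples, per technique."""
    return {
        name: {"exact": scan_exact(data), "generic": scan_generic(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, hits in detection_report().items():
        print(f"{name:8s} exact={hits['exact']} generic={hits['generic']}")
```

Run it and the exact signature catches only the strain it was cut from, while the single generic pattern catches all three and leaves the clean file alone; the one-signature-for-all-variants result Wang reports is this idea applied to real code rather than a toy skeleton.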

Child's play?

Interestingly, the One Laptop Per Child Foundation's (OLPC) XO is another place to look for new approaches to stopping malware.

The XO uses the Bitfrost specification, developed expressly for this simple computer. OLPC claims that the system "is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market".

The OLPC XO ships in a default mode that is basically locked down but simple for the user to open up. The Bitfrost specification uses a series of built-in protections, including sandboxes, or program jails, for applications, and system-level protections that stop a program from altering the system in ways that could be harmful.

Whether Bitfrost would work in a corporate environment or will be commercialised outside the OLPC project is unclear. But Avien's Harley, for one, thinks that there are psychological reasons why antivirus software is unlikely to go away.

"The idea of a solution that stops real threats and doesn't hamper nonmalicious objects and processes is very attractive. People (at any rate, those who aren't security specialists) like the idea of threat-specific software as long it catches all incoming malware and doesn't generate any false positives, because then they can just install it and forget about it. Unfortunately, that's an unattainable ideal."

Note to Greg Shipley: don't hold your breath on getting rid of your antivirus software.
