William Jackson | For virus detection, don't write off signatures

Cybereye

William Jackson

Antivirus companies have long competed on their ability to quickly update signature files for detection of the latest malicious code. In some quarters, signatures have become passé, and companies now tout behavior-based blocking as one of the latest and greatest features of their products.

But it would be unwise to put too much faith in behavior-based protection, often called heuristics, by itself. Heuristics is only the tail of this dog. Signature detection provides the muscle.

Signatures are a digital fingerprint of sorts that antivirus engines can use to identify known malicious code when scanning files. This is an effective technique with a glaring weakness: It can be used only against known threats. There is an inevitable window of vulnerability between the time a threat is launched and the time it is discovered and a signature is written and deployed. Brand-new attacks can often slip right through a good antivirus engine. Behavior-based detection is intended to thwart zero-day threats by looking for and flagging inappropriate behavior by code.

But heuristics has its own shortcomings. Some tests by an Austria-based organization called AV-comparatives seem to indicate that nothing else protects your computer as well as a good old-fashioned signature-based engine that is kept routinely updated.

This is not to say that behavior-based scanning is not a valuable, indeed a necessary, capability for an antivirus product. But don't let hype about heuristics distract you from the importance of keeping signatures updated.

AV-comparatives routinely tests leading antivirus products against samples of malicious code. It then puts the products on ice for three months and tests them again, without signature updates, against samples that have appeared in the wild in the past 90 days. The results of this retrospective test should be an indication of how well each product's heuristic detection is working.

The folks at AV-comparatives are touchy about anyone using the test results without permission, and with good cause. It would be easy to take results out of context and give an incomplete or incorrect picture of the performance of a particular product. So you can check out the results of their most recent tests for yourself at www.av-comparatives.org.

Although heuristics results in these tests might appear disappointing, your mileage may vary, the testers point out. The results are not an assessment of absolute quality, but a comparative indication of performance for that time period with that particular set of samples.

'Users shouldn't be afraid if products have, in a retrospective test, low percentages,' they caution. 'If the antivirus software is always kept up-to-date, it will be able to detect most of the samples.' Users can feel safe with any of them, they conclude.

With these caveats in mind, I think it is possible to draw a broad conclusion about the performance of behavior-based virus detection. In general, heuristics by itself does not seem to be as reliable as signature-based detection. How effective it is on any particular product will depend on the settings it operates with. You probably could improve the detection rates, but this is likely to come at the cost of increased false positives or slower performance. Like so much of security, it is a trade-off.
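To make the retrospective test described above and the threshold trade-off concrete, here is a small added simulation (not code from the column or from AV-comparatives). It assumes a constructed, entirely fictional corpus, hash-based signatures, and a weighted-behavior heuristic; the weights and threshold are illustrative assumptions.

```python
import hashlib

# Constructed corpus (fictional, not real malware): (name, file body, first seen
# in the wild as ISO date, behaviours a sandbox observed, ground truth).
CORPUS = [
    ("worm_a",    b"MZ-fake-worm-a",   "2007-01-10", {"self_copy", "mass_mail"},   True),
    ("trojan_b",  b"MZ-fake-trojan-b", "2007-02-03", {"autorun_key", "keylog"},    True),
    ("dropper_c", b"MZ-fake-drop-c",   "2007-05-01", {"self_copy", "autorun_key"}, True),
    ("bot_d",     b"MZ-fake-bot-d",    "2007-06-20", {"irc_connect"},              True),
    ("installer", b"MZ-fake-setup",    "2006-09-01", {"autorun_key"},              False),
    ("mailer",    b"MZ-fake-mailer",   "2006-11-05", {"mass_mail"},                False),
    ("notepad",   b"MZ-fake-notepad",  "2005-01-01", set(),                        False),
]

# Assumed heuristic: each suspicious behaviour carries a weight; a sample is
# flagged when the total reaches the threshold. Lower threshold = more aggressive.
WEIGHTS = {"self_copy": 2, "mass_mail": 2, "autorun_key": 1, "keylog": 3, "irc_connect": 1}

def build_signatures(corpus, freeze):
    """Signature DB = hashes of malicious samples known on or before the freeze date."""
    return {hashlib.sha256(body).hexdigest()
            for _, body, seen, _, malicious in corpus if malicious and seen <= freeze}

def signature_hit(body, sigs):
    return hashlib.sha256(body).hexdigest() in sigs

def heuristic_hit(behaviours, threshold):
    return sum(WEIGHTS.get(b, 0) for b in behaviours) >= threshold

def signature_coverage(corpus, as_of):
    """How many malicious samples a signature DB updated as of `as_of` catches."""
    sigs = build_signatures(corpus, as_of)
    malware = [s for s in corpus if s[4]]
    return sum(signature_hit(s[1], sigs) for s in malware), len(malware)

def retrospective_test(corpus, freeze, threshold):
    """Freeze signatures at `freeze`, then scan malware that appeared afterwards
    plus the benign set. Returns (signature-only hits, signature-or-heuristic hits,
    number of new malware samples, heuristic false positives on benign files)."""
    sigs = build_signatures(corpus, freeze)
    new_malware = [s for s in corpus if s[4] and s[2] > freeze]
    benign = [s for s in corpus if not s[4]]
    sig_only = sum(signature_hit(s[1], sigs) for s in new_malware)
    combined = sum(signature_hit(s[1], sigs) or heuristic_hit(s[3], threshold) for s in new_malware)
    false_pos = sum(heuristic_hit(s[3], threshold) for s in benign)
    return sig_only, combined, len(new_malware), false_pos

if __name__ == "__main__":
    print("up-to-date signatures:", signature_coverage(CORPUS, "2007-12-31"))
    for threshold in (1, 2, 3):  # aggressive -> conservative heuristic
        print("frozen 2007-03-01, threshold", threshold, retrospective_test(CORPUS, "2007-03-01", threshold))
```

Frozen signatures catch none of the post-freeze samples; only the heuristic does, and lowering its threshold raises zero-day detection at the price of false positives on benign files, which is the trade-off the column describes.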

Heuristics is a backstop to your antivirus engine, providing an additional layer of defense against zero-day attacks, but it is not something you want to rely on exclusively.

So just because a vendor talks up the advanced heuristics capabilities of your latest antivirus tool, do not fall prey to the temptation to ignore the signature updates. They still are your first and best line of defense.
