Paul A. Henry | Traditional defenses aren't enough
Another View'Guest commentary: It's time to replace traditional signature-based defenses with heuristics-based programs
- By Paul A. Henry
- Jul 30, 2007
Reliance on traditional antivirus defenses leaves government networks critically exposed. -Paul A. Henry
The recent penetration of government networks and those of our
allies raises serious concerns about the effectiveness of
traditional malware defenses. These breaches suggest the need to
reevaluate many of the antivirus methodologies now in use. Among
SIGNATURE. This is probably the oldest method in use to
stop virus-laden traffic. It is an exact science, producing
definitive results — the virus matches a known signature, or
it doesn’t — but it cannot protect against new or
ADVANCED SIGNATURE. By focusing on a smaller segment of
malicious code within a piece of malware, antivirus vendors have
improved traditional methods of protecting against variants of
known threats. This methodology focuses only on the probability of
a threat, though, and is prone to false positives. It also suffers
from the same inability to protect against new threats.
SANDBOX. Rather than relying on signatures, sandboxing
provides a way to run potentially malicious codes in an isolated
environment — in some form of a virtual machine. Sandboxing
is more effective than signature-based methods but can still be
fooled by a smart programmer who does a good job of hiding the
code’s malicious intent.
PASSIVE HEURISTICS. This method uses experience derived
knowledge and advanced, signature-based antivirus methods. In this
scenario, the vendor establishes a library of code segments with a
high probability of being malicious and searches the potentially
malicious code for those code segments. If they are found,
appropriate action is taken.
ADVANCED HEURISTICS. This approach combines traditional
reasoning of signatures to protect from known attacks with the
theoretical reasoning of sandboxing to protect against new —
Day Zero or unknown — attacks. It affords maximum risk
mitigation against current and future threats.
ANTI-MALWARE SCANNING. This prescanning tactic builds on
the development of sandboxing with a three-pronged approach that
veri- fies digital signatures. Pre-scanning blocks untrusted
program code, screens and blocks any suspicious code based on its
potential behavior, and filters out any potentially harmful code
that tries to exploit vulnerabilities on the client. Prescanning
includes multiple steps:
- It examines any ActiveX controls and Java applets for digital
signatures, and it verifies that the data was signed by an
authority and has not been altered since the signature was
- It performs heuristic analysis, looking for certain
instructions or commands not found in typical application programs.
Potential function calls are examined regardless of the actual
program flow, and potentially malicious functions are classified
based on a given set of rules.
- Any remaining suspects, such as scripts that try to exploit
vulnerabilities on the client, are scanned and filtered out. The
scripts themselves may not be malicious, but they are potential
enablers to inject or execute further malicious code.
The reliance on traditional antivirus defenses is clearly
ineffective and leaves government networks critically exposed. By
replacing traditional, signature- based defenses with
heuristics-based programs that include anti-malware scanning
capabilities, it’s possible to achieve the risk mitigation
capability required to counter today’s Internet espionage
Paul A. Henry is vice president of technology evangelism at
Secure Computing. (firstname.lastname@example.org).