Learning About Computers and the Internet
|
|
|
This article discusses ways of securing computers against malware that differ from the reactive methods in standard use today. The methods include roll-back software, virtual machines, sandboxes, and behavior sensing.
Thomas Kuhn, a noted historian of science and my former faculty colleague at Princeton University, coined the expression “paradigm shift” to indicate the occurrence of a completely new and different way of looking at an area in science. Personally, I think that a paradigm shift is exactly what we need in the area of computer security. Fans of UNIX systems, especially Mac and Linux users, are going to say immediately that all that is needed is a switch to their favorite operating system. And they have a point. However, the Windows PC monopoly is not about to go away, and the comments that I give here relate to the typical home computer user.

Problems with present anti-malware methods

The present way of protecting computers against malware such as viruses, worms, Trojans, and spyware is basically reactive. It depends on a local database of information about known malware in order to recognize and disarm the invaders. Some attempt is made at using so-called “heuristic” techniques to recognize new malware that is not in the database, but maintaining the protection still requires constant updating of the local database. Also, since the different types of malware have different behavior patterns and signatures, more than one type of protection is needed. Although software suites may combine the different kinds of protection in one package, many people end up with a hodgepodge of different applications. For example, I have an anti-virus program, a software firewall, a hardware firewall, three anti-spyware programs, an email filter, two Trojan removers, and various Internet toolbars for blocking popups, ads, phishing, JavaScript, etc. Having to run all these programs and having to constantly update them is not only cumbersome but also takes a toll on system performance. For example, Symantec products were such a drag on my system that I never ran them in the background but only used them manually. (I finally chucked Symantec’s Norton anti-virus in favor of AVG.)
The fact is, even with constant updating, systems are still vulnerable to so-called “zero-day” and undocumented exploits. The constant parade of new security problems makes it clear that something better than the current approach to safeguarding computers is needed.

Rollback methods

There are already several possible alternative ways to go. One is the procedure used on many systems that are open to the public in places like libraries and schools. A standard system configuration is established, and any changes, including malware, that occur on the system during an individual login session are erased when the user is finished. The system is simply returned to its standard configuration. This approach has been very satisfactory in our classes at SeniorNet, where we use the program Deep Freeze. Students can do anything they want to the system, or even get it infected by malware, but when it is rebooted it returns to its original pristine state.

This is very satisfactory for a setup which remains static, but it can be tedious where a user installs a lot of new software or frequently creates new files. Changes to the system can be incorporated into the standard configuration if desired, but this is a multi-step process and not really suitable for dynamic systems where content changes frequently. However, this approach can be modified to add flexibility by having a separate unfrozen partition where data files and frequently changed programs are kept. Installations that require Registry entries will still need to be done in a multi-step process, but the average home user who is an infrequent installer of new programs could certainly use this approach. Note that this procedure is much less time-consuming than restoring something like a Norton Ghost image. Also, it is very important that the user does not have to do anything except reboot. A typical home PC user is not about to maintain up-to-date Ghost images.

I have also used the rollback software from Symantec called GoBack.
I have found it to be much less satisfactory than the Deep Freeze method. It intrudes far more on the system, and I have found it to be subject to file corruption and software conflicts. It is not intended for primary malware defense, and I mention it only because it is a fairly common program.

Virtual machines

Another approach that is attracting more and more attention is the use of “virtual” machines. The equivalent of several independent operating systems can be created on one computer. This is especially attractive for those who install or test a lot of software. David Berlind at ZDNet has an article on the virtues of VMware. You can have one virtual machine that is the standard setup and another test machine that gets exposed to the Internet. If the test machine gets infected, it is deleted and the standard setup is copied. Creation of new data files on a virtual machine is no different from on a regular computer. Installation of new software can be tried on the test machine first to make sure that the software is legitimate and has no undesirable effects. It is also possible to have a host machine that can access a virtual machine while the virtual machine is ignorant of the existence of the host.

At the moment, one problem with virtual machines is Microsoft’s draconian licensing. They demand that two virtual Windows machines on the same computer pay for two licenses. This seems short-sighted to me. Microsoft has its own Virtual PC software, which it acquired with Connectix, and this is not a way to encourage its use. (A free download is available here.) Also, this licensing policy seems likely to drive people into taking a look at Linux. There are ready-made Linux virtual machines available for downloading and running in the free VMware Player. I can easily imagine a setup where a Linux machine, with its greater security, is used for Internet connections while the more versatile, easier-to-use Windows machine is used for other applications.
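The reboot-to-restore idea behind the rollback approach, with a separate unfrozen area where data survives, is easy to see in miniature, and the same "throw away the dirty copy, put back the standard setup" pattern is what the virtual machine approach does at the level of a whole machine. The following is an added example written for this article, not code from Deep Freeze, VMware or any other product named here. It snapshots an ordinary directory tree instead of a disk partition, and every path and file name in it is constructed for the demonstration.

```python
"""Reboot-to-restore over a directory tree, with a "thawed" data area that persists.

Added example written for this article; it is not Deep Freeze or any other
product named on the page, and it works on an ordinary directory rather than
on a disk partition.  Every path and file used below is constructed.
"""
import shutil
import tempfile
from pathlib import Path


class FrozenTree:
    """Snapshot a directory and, on "reboot", undo every change outside the thawed areas."""

    def __init__(self, root, thawed=("Data",)):
        self.root = Path(root)
        self.thawed = [self.root / t for t in thawed]
        self.files = {}    # relative path -> content at freeze time
        self.dirs = set()  # relative directory paths present at freeze time

    def _is_thawed(self, path):
        return any(path == t or t in path.parents for t in self.thawed)

    def freeze(self):
        """Record the "standard configuration" of everything outside the thawed areas."""
        self.files, self.dirs = {}, set()
        for p in self.root.rglob("*"):
            if self._is_thawed(p):
                continue
            rel = p.relative_to(self.root)
            if p.is_file():
                self.files[rel] = p.read_bytes()
            elif p.is_dir():
                self.dirs.add(rel)

    def reboot(self):
        """Return the frozen area to its snapshot; the thawed areas are left untouched."""
        # 1. Delete files and directories that did not exist at freeze time,
        #    deepest paths first so directories are empty when removed.
        #    This is where a dropped malware file goes.
        for p in sorted(self.root.rglob("*"), key=lambda q: len(q.parts), reverse=True):
            if self._is_thawed(p):
                continue
            rel = p.relative_to(self.root)
            if p.is_file() and rel not in self.files:
                p.unlink()
            elif p.is_dir() and rel not in self.dirs:
                p.rmdir()
        # 2. Recreate frozen directories and put back every frozen file whose
        #    content changed or that was deleted during the session.
        for rel in self.dirs:
            (self.root / rel).mkdir(parents=True, exist_ok=True)
        for rel, data in self.files.items():
            target = self.root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            if not target.exists() or target.read_bytes() != data:
                target.write_bytes(data)


def demo():
    """Run one "session" on a frozen tree and report what survived the reboot."""
    base = Path(tempfile.mkdtemp(prefix="frozen-demo-"))
    try:
        # Constructed standard configuration: a frozen system area and a thawed data area.
        (base / "Windows").mkdir()
        (base / "Windows" / "system.ini").write_text("original")
        (base / "Data").mkdir()
        (base / "Data" / "notes.txt").write_text("draft 1")

        tree = FrozenTree(base)
        tree.freeze()

        # During the session: an infection drops a file and tampers with a
        # system file, while the user legitimately edits a document.
        (base / "Windows" / "Temp").mkdir()
        (base / "Windows" / "Temp" / "dropper.exe").write_text("malware")
        (base / "Windows" / "system.ini").write_text("tampered")
        (base / "Data" / "notes.txt").write_text("draft 2")

        tree.reboot()
        return {
            "dropper_dir_present": (base / "Windows" / "Temp").exists(),
            "system_ini": (base / "Windows" / "system.ini").read_text(),
            "notes": (base / "Data" / "notes.txt").read_text(),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

After the simulated reboot the dropped file and its directory are gone and the tampered system file is back to its frozen content, while the edited document in the thawed `Data` area keeps the user's latest draft. That split is exactly why the unfrozen partition matters: without it, the user's own work would be discarded along with the infection.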
The average home PC user may not be quite ready for the virtual machine approach, but I think it is well worth considering.

Sandboxes for Internet browsers

Related to virtual machines are "sandboxes". This technique creates an area on the system that is isolated from the rest of the system. Any malware infection that occurs in the sandbox is prevented from spreading system-wide. By placing the Internet browser in the sandbox, infections from the Internet are quarantined to the sandbox. Software for running sandboxes is becoming available, and an excellent review and assessment of eight programs is given by Ian “Gizmo” Richards at Tech Support Alert.

Advantages of alternate approaches

None of the approaches discussed above requires a lot of defensive software with constant updates. It is not necessary to try to recognize large numbers of malware. Personally, I believe that approaches of this type combined with a good firewall are very promising. I do believe that a firewall is a must, since crackers are constantly probing for machines with open ports and the time it takes before you are likely to be attacked is too short. A firewall will keep intruders out and will also warn you if something does get on the system and tries to connect to the Internet. Note that the firewall responds to what something does, not what it is. This general type of protection is behind a new approach described next.

Monitoring behavior, not specifics

This different approach is mentioned in an article at PC Magazine. The company Sana Security has a program, Primary Response SafeConnect, which monitors all running processes and examines suspicious behavior patterns. If it detects a process that it considers malicious, it quarantines files and Registry keys related to the process.
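To make the contrast between the two approaches concrete, here is an added example written for this article (not code from the article, from Sana Security, or from any other product named here). It runs a signature check and a behavior check over the same constructed log of process events; the hash database, the behavior rule, and the events are all invented for the illustration.

```python
"""Signature matching versus behaviour monitoring over constructed process events.

Added example written for this article; it is not code from the article,
from Sana Security's product, or from any other product named on the page.
The hash database, the behaviour rule and the event log below are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed "known malware" database of the kind a signature scanner carries.
# It can only name what it has already seen; a brand-new sample is invisible to it.
KNOWN_BAD_HASHES = {"a1b2c3d4": "OldWorm.A"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image_hash: str   # hypothetical hash of the process's executable image
    action: str       # "write_file", "set_registry" or "connect"
    target: str       # file path, registry key, or host:port


def signature_scan(events):
    """Reactive approach: flag a process only if its image hash is in the database."""
    return {e.pid: KNOWN_BAD_HASHES[e.image_hash]
            for e in events if e.image_hash in KNOWN_BAD_HASHES}


def behaviour_scan(events):
    """Behaviour approach: judge a process by what it does, not by what it is.

    Constructed rule: a process that drops a file into a Startup folder, adds
    a Run key so it survives a restart, and then opens an outbound connection
    is treated as malicious.  For each such process the files and registry
    keys it touched are returned so they can be quarantined together.
    """
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    findings = {}
    for pid, evs in by_pid.items():
        dropped = any(e.action == "write_file" and "\\Startup\\" in e.target for e in evs)
        persisted = any(e.action == "set_registry" and "\\Run\\" in e.target for e in evs)
        connected = any(e.action == "connect" for e in evs)
        if dropped and persisted and connected:
            findings[pid] = {
                "files": sorted(e.target for e in evs if e.action == "write_file"),
                "registry_keys": sorted(e.target for e in evs if e.action == "set_registry"),
            }
    return findings


# Constructed event log.  pid 99 is an old, catalogued worm; pid 42 is a new
# sample whose hash is in no database; pid 7 is an ordinary software installer.
SAMPLE_EVENTS = [
    ProcessEvent(99, "a1b2c3d4", "connect", "198.51.100.7:6667"),
    ProcessEvent(42, "ffffffff", "write_file",
                 r"C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"),
    ProcessEvent(42, "ffffffff", "set_registry",
                 r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ProcessEvent(42, "ffffffff", "connect", "203.0.113.9:80"),
    ProcessEvent(7, "12345678", "write_file", r"C:\Program Files\Editor\editor.exe"),
    ProcessEvent(7, "12345678", "set_registry", r"HKLM\Software\Editor\InstallPath"),
]

if __name__ == "__main__":
    print("signature scan :", signature_scan(SAMPLE_EVENTS))
    print("behaviour scan :", behaviour_scan(SAMPLE_EVENTS))
```

The signature scan names only the catalogued old worm and is blind to the new sample, while the behavior scan flags the new sample from what it did and hands back the files and Registry keys to quarantine, which is the response the article describes. The ordinary installer, which writes a file and a Registry key but never connects out, is flagged by neither; a behavior rule that is too broad would produce exactly the kind of false alarm that makes users switch protection off.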
According to PC Magazine, “Because it specifically responds to what a program does rather than to what it is, it is most likely to detect malware immediately upon installation or just after a system restart.” It remains to be seen how effective this particular software will be, but the general approach of focusing on the behavior of software and not its specifics is the type of thing that should be pursued. A free trial can be downloaded here. This approach could be the trend of the future, but there are many companies with vested interests in the present way of doing things, so there may be resistance from the Symantecs of the world.

Role of Microsoft

A wildcard in all of this is the intentions of Microsoft. The company is moving steadily into the security software area. No one outside of Redmond (and maybe not even there) can be sure about exactly how involved they are going to be in the security field. There may be anti-trust issues involved here, so it isn't clear how far Microsoft may think it can go in incorporating new features that overlap with the products of other companies. However, security measures are a natural function for an operating system. It is also unknown if the company will ever loosen its licensing strictures for virtual machines.

The weakest link of all

Finally, I have to mention the weakest link of all in the security chain: the user. If people used more common sense, it would solve a large part of the security problem. Without fertile fields of gullible suckers, spammers and phishers wouldn't find their scams worthwhile. If people thought twice about what they click on, all those worms wouldn't be propagating and my mailbox would be a lot emptier. I hope that I'm too pessimistic, but I don't see a lot of hope here. I end with two quotes.
The first is from MJ Ranum:

“There have been numerous interesting studies that indicate that a significant percentage of users will trade their password for a candy bar, and the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females.”

The second quote is from Neil Rubenking at PC Magazine:

“Even if there were such a thing as perfect protection against every attack, though, you're still vulnerable. As we used to say, the part of a car most likely to cause an accident is the nut behind the wheel. If you mindlessly obey e-mail messages like, "We am you bank. Fax to us you password for safeness," there's nothing any software can do to help.”
©2002-2012 Victor Laurie