Slashdot Mirror


The End of Signature-Based Antivirus Software?

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability-related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update."

3 of 290 comments

  1. Sandbox by hrieke · Score: 4, Interesting

    A thought, and perhaps a better mind can say why this would or would not work.
    Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then to pass the IO requests directly to the system.
    So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  2. Heuristics by Cally · Score: 4, Interesting
    Most of the major AV programs have incorporated some sort of heuristics capability for years now. The problem with these (and the reason they're not usually turned on by default) is that they tend to false positive all over the place. So the corollary to these test results is: how many false positives did these products generate using the same config?

    Disclaimer: I worked for a household-name antivirus sw firm in the past and now work for one that filters network-based viruses as a network service.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  3. Switch A/V S/W from blacklists to whitelists? by Anonymous Coward · Score: 5, Interesting

    Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.

    Users don't add new apps to their computers that often, and corporations would welcome the chance to ensure only approved and paid-for programs can run on their systems.

    When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.

    It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?

    If you use whitelists, the only time code needs to be checked is when new executable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.

    Is this feasible? Where's the downside?
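As an added example, not code from the story or from the commenter, here is the "competent gatekeeper" the post describes, reduced to its core: a file may run only if its SHA-256 is on an allowlist, and hashes are cached per (size, mtime) so that files already checked are not read again, which is the speed-up claimed above. The Gatekeeper class, the demo() walk-through and the two shell scripts it writes into a temporary directory are all constructed for this illustration. The demo also covers the case the post does not mention: an approved file that is later modified is re-hashed and refused.

```python
import hashlib
import os
import tempfile


class Gatekeeper:
    """Allow-by-hash execution gate (added example, not a real product's code).

    A file may execute only if its SHA-256 digest is in the allowlist. Digests
    are cached per path together with the file's size and mtime so an unchanged
    file is hashed once; a changed size or mtime forces a re-hash.
    """

    def __init__(self, allowed_digests):
        self.allowlist = set(allowed_digests)
        self._cache = {}          # path -> (size, mtime_ns, sha256 hex)
        self.hashes_computed = 0  # instrumentation for the demo below

    def _digest(self, path):
        st = os.stat(path)
        cached = self._cache.get(path)
        if cached and cached[0] == st.st_size and cached[1] == st.st_mtime_ns:
            return cached[2]
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
        self._cache[path] = (st.st_size, st.st_mtime_ns, digest)
        self.hashes_computed += 1
        return digest

    def may_execute(self, path):
        """True if the file's current contents are on the allowlist."""
        return self._digest(path) in self.allowlist


def demo():
    """Walk through approve / unknown / cache hit / tampered file; return results."""
    approved_body = b"#!/bin/sh\necho approved\n"
    unknown_body = b"#!/bin/sh\necho not yet reviewed\n"
    # Longer than approved_body so the size check alone detects the change.
    tampered_body = b"#!/bin/sh\necho approved\nrm -rf /tmp/victim\n"

    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved-tool")
        unknown = os.path.join(d, "shiny-new-app")
        with open(approved, "wb") as f:
            f.write(approved_body)
        with open(unknown, "wb") as f:
            f.write(unknown_body)

        # The allowlist holds only the digest of the reviewed tool.
        gk = Gatekeeper([hashlib.sha256(approved_body).hexdigest()])
        results = {}
        results["approved_runs"] = gk.may_execute(approved)        # True
        results["unknown_runs"] = gk.may_execute(unknown)          # False: wait for review
        results["hashes_after_first_pass"] = gk.hashes_computed    # 2
        gk.may_execute(approved)                                   # cache hit, no re-read
        results["hashes_after_repeat"] = gk.hashes_computed        # still 2

        # Someone (or something) modifies the approved binary in place.
        with open(approved, "wb") as f:
            f.write(tampered_body)
        results["modified_runs"] = gk.may_execute(approved)        # False
        results["hashes_after_modify"] = gk.hashes_computed        # 3
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add. First, a user-space check like this is only advisory: between may_execute() returning True and the loader mapping the file, the file can be swapped, so real enforcement belongs in the kernel or loader, and the size/mtime cache should be treated as an optimisation that a hostile writer can defeat, not as a security boundary. Second, the allowlist itself is the new target; it needs to be distributed signed and stored where the gated code cannot rewrite it, otherwise malware simply adds its own hash.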