In the beginning of the virus era, computer users were introduced to the concept of signature-based anti-virus scanners. It’s an idea whose time may well have come and gone.
“Since the 1990s people have used signature-based scanners as their primary line of defense,” said Roger Thompson, chief emerging threats researcher at ICSA Labs, a research and testing facility for security vendors and their products.
Signature-based scanners have remained popular because of support issues, noted Thompson. A behavior-based anti-virus scanner tends to generate a support call whenever it flags an anomaly. In contrast, when a signature-based scanner detects malware, the malware is simply blocked and a support call rarely follows.
“Signatures made sense when there were only thousands of viruses,” Thompson said. “These days there are 300,000 new malware samples every day.”
Thompson noted that signature-based scanning cannot keep up with that volume of new malware, but he argued that volume is not really the issue: in his view, most new malware samples detected on any given day are unlikely to be active in the wild.
“Testing people’s signature scanners is a dumb idea unless you know which of the 300,000 samples are the important samples,” Thompson said.
Thompson added that every anti-malware product in the world also has a behavioral layer, though he believes they aren’t properly tested and not enough attention is given to behavioral analysis.
Plugging the Security Holes
While signature-based scanning has its shortcomings, it’s not a total waste. In Thompson’s view, an in-depth, layered approach to security should include signature-based scanners.
“Every piece of Swiss cheese has lots of holes in it, but if you get enough pieces of cheese in place, you block everything,” he said. “So yes there is a point to having signatures, but testing against the whole malware zoo is dumb.”
Even vendors that don’t feature signature-based scanning as part of their core solution see some merit in having it in place. Signature-based scanning is often treated as a way to establish a baseline level of security that stops amateur attacks.
“Signatures are not a waste of time, as they block out the amateurs,” John Prisco, CEO of Triumfant, told eSecurity Planet. “It’s not going to work when it’s the Iranians or the Chinese or the Russians; it is a waste of time for those adversaries.”
Vincent Liu, managing partner at security consultancy Stach and Liu, told eSecurity Planet that the key issue is keeping up with new variants. “The gap exists in detecting malware that hasn’t been seen before,” he said.
In Prisco’s view, traditional signature-based anti-virus can complement other approaches and might stop as much as 20 percent of attacks. That said, he sees a need for solutions like the one his company develops, which take a more comprehensive approach to determining what is actually occurring.
“We can detect based on algorithms something that is indicative of malware and we’re able to remove it quickly; that’s the basis of our product,” Prisco said. “We collect everything and then we determine whether or not what is going on in your machine is malicious or not.”
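The layering described above, and the gap Liu points to with never-before-seen variants, can be made concrete with a small scanner. The following Python is an added example, not code from the article or from any vendor quoted in it; the "files" are constructed byte strings with a marker token standing in for a detectable pattern, the event names fed to the behavioral layer are hypothetical, and no real malware or product logic is involved. It shows why an exact-hash signature misses a one-byte variant, why a byte-pattern signature catches that variant but still misses an unseen family, and how a knowledge-free behavioral rule covers the remaining hole at the cost of firing on legitimate software too.

```python
import hashlib
import re

# Constructed stand-ins for files on disk. They are plain byte strings, not real
# malware; the marker text exists only so the signatures below have something to match.
KNOWN_SAMPLE = b"HDR\x00payload-marker-ALPHA\x00trailer"
VARIANT = b"HDR\x00payload-marker-ALPHA\x00trailer\x01"  # the known sample plus one byte
UNSEEN = b"HDR\x00payload-marker-BETA\x00trailer"        # a family with no signature yet
BENIGN = b"HDR\x00hello world\x00trailer"

# Layer 1: exact-hash signatures, one entry per sample the vendor has already seen.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "family-alpha",
}

# Layer 2: byte-pattern signatures, which survive small edits to the file.
PATTERN_SIGNATURES = [
    (re.compile(rb"payload-marker-ALPHA"), "family-alpha"),
]

# Layer 3: a behavioral rule over runtime events. The event names are hypothetical;
# a real product would receive them from a kernel or API-monitoring sensor.
PERSISTENCE_EVENTS = {"write:autostart-entry", "create:scheduled-task"}
NETWORK_EVENTS = {"connect:outbound"}


def scan_hash(data: bytes):
    """Return the family name if the file's SHA-256 is a known signature, else None."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_pattern(data: bytes):
    """Return the family name of the first byte pattern found in the file, else None."""
    for pattern, family in PATTERN_SIGNATURES:
        if pattern.search(data):
            return family
    return None


def behavioral_flag(events):
    """Flag a process that both persists itself and talks out to the network.

    The rule needs no prior knowledge of the file, so it can catch an unseen
    family, but it can also fire on legitimate software, which is the
    support-call trade-off the article describes.
    """
    seen = set(events)
    return bool(seen & PERSISTENCE_EVENTS) and bool(seen & NETWORK_EVENTS)


def layered_verdict(data: bytes, events):
    """Run all three layers and report which ones fired (the 'Swiss cheese' model)."""
    hits = {
        "hash": scan_hash(data),
        "pattern": scan_pattern(data),
        "behavior": behavioral_flag(events),
    }
    hits["blocked"] = any(v for v in hits.values())
    return hits


if __name__ == "__main__":
    quiet = ["read:config"]
    noisy = ["write:autostart-entry", "connect:outbound"]
    for name, data, events in [
        ("known sample", KNOWN_SAMPLE, noisy),
        ("one-byte variant", VARIANT, noisy),
        ("unseen family", UNSEEN, noisy),
        ("benign file", BENIGN, quiet),
    ]:
        print(f"{name:17} -> {layered_verdict(data, events)}")
```

Running the block prints one verdict per constructed file: the hash layer fires only for the exact known sample, the pattern layer also catches the variant, and only the behavioral layer catches the unseen family. Each layer alone has holes; together they block every constructed sample here while leaving the benign file alone, which is the argument for keeping signatures in the stack without relying on them.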
Same Old Malware
Where and when signature-based anti-virus is effective has a lot to do with the threat landscape itself. While there is some evolution, enterprises are likely to see more of the same kinds of attacks that they have already been facing.
“There haven’t been any truly new fundamental attack techniques in years, just variations on old ones,” Liu said. “Like APT – it’s not new, it’s just marketed like it is. Everything old is new again.”
According to ICSA’s Thompson, the current wave of malware is in the fourth inning of the game. The only thing that will change the current malware trends is some kind of extinction-level event.
“Every few years there is an extinction-level event such as the release of Windows XP SP2, where the firewall was on by default, and it wipes out a class of malware that is prevalent at the time,” Thompson said. “I can’t see any possible extinction-level event in sight for the current set of security issues.”