The last twelve months have provided enough evidence to convince the most sceptical of analysts that the defences are broken and anti-virus scanning is just not up to the job. Slammer, Sobig, Blaster, Swen et al. have all managed to wreak havoc on the humble home user and corporate users alike. Research carried out by Hewlett-Packard's Matthew Williamson in their Bristol labs has confirmed my belief that the signature approach to virus detection is fundamentally flawed.
Williamson's research, first published in New Scientist (September 2003), found that even if a signature is available from the moment a virus is released, it cannot stop the virus spreading if it propagates fast enough. "These fast viruses are what we are getting at the moment", Williamson says, adding that they are getting better at being quicker.
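The race Williamson describes can be made concrete with a toy mean-field model of a worm against a signature rollout that starts the moment the worm is released. This is an added example, not part of the original article or of Williamson's research; the host count, contact rates and patch rate are constructed assumptions.

```python
# Toy mean-field model of a worm racing a signature rollout.
# Added illustration; every parameter below is constructed, not measured.

def simulate(hosts, seed, contacts_per_step, patch_rate, steps):
    """Run the race and return (infected_fraction, patched_fraction).

    hosts             - total population, all clean and unprotected at t=0
    seed              - hosts already infected when the worm is released
    contacts_per_step - infection attempts each infected host makes per step
    patch_rate        - fraction of still-clean hosts that receive the
                        signature each step (signature available from t=0)
    steps             - number of time steps to simulate
    """
    s = float(hosts - seed)  # clean and unprotected
    i = float(seed)          # infected (a signature cannot clean these)
    p = 0.0                  # protected by the signature before infection
    for _ in range(steps):
        patched = patch_rate * s
        # each attempt lands on a random host; only clean ones get infected
        infected = i * contacts_per_step * (s / hosts)
        infected = min(infected, s - patched)  # cannot exceed what is left
        s -= patched + infected
        p += patched
        i += infected
    return i / hosts, p / hosts


def compare(hosts=100_000, seed=10, patch_rate=0.05, steps=200):
    """Same rollout speed, two worms: one slower than the rollout, one faster."""
    slow, _ = simulate(hosts, seed, 0.05, patch_rate, steps)
    fast, _ = simulate(hosts, seed, 2.0, patch_rate, steps)
    return {"slow_worm_infected": slow, "fast_worm_infected": fast}


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name}: {frac:.1%} of hosts")
```

With the rollout reaching 5% of the remaining clean hosts per step, the slow worm is contained at a fraction of a percent of the population, while the fast worm has taken well over half the fleet before the signature reaches the rest.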
Government Health Warning
So why aren't the anti-virus vendors issuing government style health warnings with their software to warn us that they might not be able to prevent virus infection? Why is it that nearly every article I read on the subject of virus defence always urges the reader to use anti-virus software? Keeping it up to date, of course! It almost feels like a conspiracy to fleece the computer user out of more and more cash. Dear reader, the situation is even worse than you might be beginning to think. Having spoken to several organisations that became infected despite having the latest anti-virus updates deployed, it appears that in certain circumstances some products just don't work as advertised. One possible cause of this type of incident is remote users connecting to the network: in that situation it seems possible for identified viruses to slip "under the wire" undetected.
There has been much debate within the anti-virus community over the past ten years about the effectiveness or otherwise of behaviour blocking techniques as a generic protection against malicious code. The general conclusion is that behaviour blocking gives rise to too many false positives to be of use. However, I wish to contest that conclusion.
There are many forms of behaviour blocker; some go to extraordinary lengths of complexity to decide whether the code in question is malicious or not. They endeavour to analyse the suspect code, derive its programmed actions, and compare these against a rule-based database to reach a conclusion. I favour a simplistic approach.