
Rarely a day goes by that someone doesn't ask me to recommend a good antivirus scanner. But without understanding the particular environment and the inherent threats to that environment, determining the perfect product is impossible. More than a dozen good antivirus scanners—and a handful of great ones—are on the market. To find the perfect product for your environment, you need to understand the ingredients of a good antivirus scanner. You also need to do some product research and testing if you want to identify the best scanner without paying expensive consulting fees. (Although all antivirus scanners detect more than just viruses, I frequently use the term virus to refer to all sorts of malicious software—malware—to make the article more readable.)

Start with the Platform
Your first task is to inventory the platforms and systems you need to protect. Don't forget your PDAs and other wireless devices, such as Wireless Application Protocol (WAP)-enabled gateways. This inventory will partially determine which types of code—DOS viruses, Windows malware, Trojan horses, macro viruses, Instant Messaging (IM) threats, hostile ActiveX controls, malicious Java applets, email worms, HTML scripting threats—the antivirus scanner will need to watch for.

Several Web sites offer information about which antivirus products cover certain platforms. I like the supported-platform summary list at AV-Test.org (http://www.av-test.org/sites/tests.php3). However, just because a scanner runs on a particular platform doesn't necessarily mean that scanner is a good product for that platform. Check out Virus Bulletin's VB 100% awards (http://www.virusbtn.com/vb100/about/index.xml) for the pass/fail rankings of several antivirus products.

Signature- or Behavior-Based?
One basic decision you'll need to make is whether you want a behavior-based or signature-based scanner. Behavior-based scanners look for program behaviors that are characteristic of malicious code. For example, a file that copies itself and appends the copy to another executable file is highly suspicious, as is a JavaScript routine that attempts to modify the registry. Most behavior-based scanners either parse incoming content to search for specific programming code or place new content in a safe "sandbox," monitor its behavior, and prevent it from doing anything harmful. Behavior-based scanners excel at detecting new viruses in the window of vulnerability before antivirus vendors can develop and distribute a new signature. If you're interested in behavior-based scanners, check out Finjan Software's SurfinGuard and SurfinGate.

The more popular scanners—and those this article concentrates on—use a stored database of signatures to find malicious code. Vendors build pattern-matching algorithms based on a short series of bytes that appear in every replica of a particular virus. The virus's byte signature is typically 8 to 16 bytes long and is compared with the bytes in an examined host file. Vendors must choose signatures carefully so that their products don't turn up too many false positives and false negatives. More than 60,000 malware programs now exist, so signature databases can become quite large. Some antivirus scanners create signatures by using a hashing routine to take unique "snapshots" of the malware. The scanner's engine runs the hashing routine on suspect files and compares the results with the stored hash results in the signature database. If the two hashes match, the software makes its catch. This seemingly small difference in the way products capture and store signatures can decrease the malware's signature from as many as 16 bytes to as few as 2 or 3 bytes—quite a difference when multiplied by 60,000.
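The two signature styles described above, byte-pattern matching and hash "snapshots", are easy to see side by side in a toy scanner. The following Python block is an added example written for this article, not code from any antivirus vendor or product. Every signature, sample file and detection name in it is a constructed placeholder (nothing in it corresponds to real malware), and it stores a full SHA-256 digest per hash signature rather than the shortened form the text mentions. It also includes a small check for the signature-selection problem: a signature that is too short matches clean files too.

```python
"""Toy signature-based scanner (added example; all signatures and samples are constructed)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte-pattern signatures, 8 to 16 bytes long, searched for anywhere in a file.
# These byte values are arbitrary placeholders chosen for the example.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "Example.PatternA": bytes.fromhex("deadbeef0102030405060708"),  # 12 bytes
    "Example.PatternB": b"\x90\x90\xcc\x11\x22\x33\x44\x55",  # 8 bytes
}

# Constructed sample "files". A real scanner would read these from disk.
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64 + b"hello, world"
SAMPLE_PATTERN_INFECTED = b"MZ" + b"\x00" * 10 + BYTE_SIGNATURES["Example.PatternA"] + b"\x00" * 10
SAMPLE_HASH_KNOWN = b"MZ" + b"a known sample body"

# Constructed hash signatures: one digest of the whole sample per entry.
HASH_SIGNATURES: Dict[str, str] = {
    _sha256(SAMPLE_HASH_KNOWN): "Example.HashC",
}

# A small constructed corpus of benign files used to test candidate signatures.
CLEAN_CORPUS: List[bytes] = [
    SAMPLE_CLEAN,
    b"MZ" + b"\x01\x02\x03" * 20,
    b"MZ" + b"plain text config=1\n",
]


@dataclass
class Detection:
    name: str
    method: str          # "hash" or "pattern"
    offset: Optional[int]  # byte offset of a pattern hit; None for hash hits


def scan_bytes(data: bytes) -> List[Detection]:
    """Return every signature hit for one file's contents."""
    hits: List[Detection] = []

    # Hash snapshot: a single digest lookup per file.
    name = HASH_SIGNATURES.get(_sha256(data))
    if name is not None:
        hits.append(Detection(name, "hash", None))

    # Byte pattern: substring search; a match anywhere in the file counts.
    for name, sig in BYTE_SIGNATURES.items():
        off = data.find(sig)
        if off != -1:
            hits.append(Detection(name, "pattern", off))
    return hits


def scan_file(path: str) -> List[Detection]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def count_false_positives(signature: bytes, clean_files: List[bytes]) -> int:
    """How many known-clean files a candidate signature would flag.

    This is the check behind 'choose signatures carefully': a very short
    pattern such as the two-byte executable header matches everything.
    """
    return sum(1 for f in clean_files if signature in f)


if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN),
                          ("pattern", SAMPLE_PATTERN_INFECTED),
                          ("hash", SAMPLE_HASH_KNOWN)]:
        print(label, scan_bytes(sample))
    print("false positives for b'MZ':", count_false_positives(b"MZ", CLEAN_CORPUS))
    print("false positives for PatternA:",
          count_false_positives(BYTE_SIGNATURES["Example.PatternA"], CLEAN_CORPUS))
```

The pattern search walks every signature against every file, which is why real engines use multi-pattern matching and load only common signatures into memory; the hash lookup costs one digest per file regardless of database size, but only catches files that are byte-for-byte identical to a known sample.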

The Importance of the Engine
Signature-based antivirus scanners consist of two primary components: a signature database and a scanning engine. Most people understand the importance of having an up-to-date signature database with accurate signatures, virus names, and repair information. But understanding the scanning engine—the antivirus workhorse—is equally important.

Whenever a new type of exploit is discovered that the antivirus engine doesn't consider, the engine must be updated. For example, the W2K/Streams virus—discovered in September 2000—hid its code in the previously unexploited NTFS file-stream structure. At the time, no antivirus scanner scanned Windows NT's alternate file streams, so an engine update was necessary. While antivirus coders worked on signature updates for recognizing the W2K/Streams virus, other developers had to update the virus-scanning engines, testing installation and backward-compatibility.

Changes in malware techniques occur rapidly, so your antivirus vendor must produce new scanning engines and update customers regularly. (For information about the evolution of virus coding, see the sidebar "The Evolution of Virus Encryption," page 8.) Most vendors update their scanning engines a few times a year. If your scanning engine is 2 or more years old, something is amiss. Some vendors have a modular scanning engine and can send small updates along with the latest virus signatures. More often, the client must install the new client engine from a large download file. Check with your antivirus vendor about the frequency and methodology of engine updates. Most products automate the process so that you don't have to visit every client machine to do an update.

For efficiency, scanning engines keep some data in memory during scanning and keep other data on disk. Most antivirus products load the engine and common signatures in memory and store less commonly used signatures, features, and file-repair information on disk.
