
Signature Based Detection


#1
ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Evening all

We can all see that the amount of malware being produced is increasing day by day, but most of us probably do not know just how huge the numbers are. I came across this assessment recently in a post by Bobbi Fleckman:

Every day, more and more viruses appear. It's not your imagination. Sophos, a developer of antivirus software, estimates that some 30 pieces of malware come into existence per day. With more than 10.000 viruses per year.


This got me thinking and I would like to offer my thoughts up for discussion.

The majority of the security applications that we all use rely on matching their scan findings against a database of malware signatures. These signature databases have to be updated so as to keep up with the new nasties as they are released. 18 months ago, a weekly update was more than sufficient, but that is no longer the case. It is not uncommon to update daily now.

As the rate of new malware release increases, the need to have more frequent/larger updates will do likewise. The provision of these updates has a cost for the developers and as a result their overheads will increase also. I can foresee the time when the cost of maintaining the currency of the definitions file becomes unsupportable to developers and/or the frequency and size of updates becomes unattractive to users.

In summary, I fear that if the current malware trends continue, the future of signature based detection may be shorter than we think.

Reasoned discussion is welcome here.
  • 0



#2
Johanna

    The Leather Lady

  • Moderator
  • 3,038 posts
It seems to me that we must start emphasizing education and prevention on the PC user side. The malware isn't going to go away; if anything, it will develop into using more subversive techniques to compromise a user's system. People need to understand that they NEED a firewall, and it must be on and enabled to do any good; they need to learn about sensible clicking and downloading; and users need to establish an appropriate backup routine so there is no panic if they must reinstall the OS. I've been reading about the rootkit malware starting to threaten users in a whole new unpleasant way, with the cooperation of Windows. Frankly, I don't see an end to the malicious garbage on the internet, but education and prevention would have a farther impact than any scans or tests we can run users through. Oh, and keep telling people NOT to buy any system that doesn't come with a real XP CD.

Some people code their nasties for the fun of it, and there isn't much we can do about that, but wouldn't it be great if we could remove the financial incentive for the malware makers who are stealing and profiting from their scumware? Legal consequences and judicial retribution would be a good weapon, if we could ever get global standards agreed on, and punishments severe enough to be considered a deterrent. With enough pressure, maybe they would find more ethical ways to scam the public? Just my two cents.

Johanna
NOT a malware geek, but an eXPerienced user dismayed by the idiot proofing MS is trying in desperation to address customer complaints. "I clicked on all the links on the p*rn site, and now I have a mess. It's Microsoft's fault because IE let me do it!" Ugh. I think these are the same people who blame the fast food industry for being fat.
  • 0

#3
Pi rules

    Member

  • Member
  • 634 posts
I don't have enough time to put my opinion as well as others did/will, but I'll try.

Signature-based detection may start to diminish, but I think that heuristic-based scanning will start to become mainstream. It can help stop a virus on the first machine that it is infected with. I think that signatures for the most widespread and/or difficult to remove will still come out, along with added heuristic abilities, but that's what I think.

Edited by Pi rules, 17 October 2005 - 05:57 PM.

  • 0

#4
ukbiker

    Rest in Peace, ukbiker

  • Topic Starter
  • Retired Staff
  • 2,014 posts
That's an interesting point you make. Some AV apps make use of heuristics already, but one of the problems is that because they look for behaviours, the FP rate goes up and as a result they require more informed use than a "Fix all found" app.

My own view of the future is actually similar to yours in some ways. I think that the new HIPS apps such as Online Armour, Prevexx and ProcessGuard/Regdefend will become more and more mainstream, providing the principal defence, with on-demand scanning (increasingly from an online source) as a backup.
  • 0

#5
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
You bring up a good point about the cost of maintaining a database. There have been many open source anti-virus projects, but most fail because of the critical timing of getting new definitions released, and the cost to maintain them.

However, I don't see the number of infections and the size of the db being a real problem. Broadband becomes more mainstream every day, and the size of new hard drives is just incredible. The entire db doesn't need to be downloaded every time, updates can be added. I think other methods will be added to provide an additional layer of security to database protection, but I don't think it will be replaced anytime soon.

P.S. the 'FP rate' referred to above is an acronym for False Positive.
  • 0
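The signature-and-update model described in #1 and #5, as an added Python example that is not code from the thread or from any vendor: a tiny definition database fed by versioned delta updates, and a scanner that matches exact file hashes and family byte patterns. The sample bytes, the update format and the signature names are all constructed for the illustration.

```python
import hashlib
import re

def new_database():
    """Empty definition set: version counter, exact-hash signatures, byte patterns."""
    return {"version": 0, "hashes": {}, "patterns": {}}

def apply_update(db, update):
    """Apply a delta update carrying only new signatures (the incremental model from
    post #5); out-of-order deltas are refused so a missed update is never skipped."""
    if update["from_version"] != db["version"]:
        raise ValueError(f"update expects version {update['from_version']}, have {db['version']}")
    db["hashes"].update(update.get("hashes", {}))
    for name, pattern in update.get("patterns", {}).items():
        db["patterns"][name] = re.compile(pattern)
    db["version"] = update["to_version"]
    return db

def scan(db, data):
    """Names of signatures matching a file's bytes: exact hash first, then family patterns."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in db["hashes"]:
        hits.append(db["hashes"][digest])
    hits.extend(name for name, pat in db["patterns"].items() if pat.search(data))
    return hits

# Constructed stand-ins for two builds of one malware family and one clean file
# (plain marker strings, nothing executable).
SAMPLE_V1 = b"MZ\x90\x00CONSTRUCTED-DROPPER family=X build=1 payload=AAAA"
SAMPLE_V2 = b"MZ\x90\x00CONSTRUCTED-DROPPER family=X build=2 payload=BBBB"
CLEAN_FILE = b"MZ\x90\x00an ordinary program with nothing in common"

UPDATE_1 = {  # day 1: the only signature is the exact hash of the build seen so far
    "from_version": 0, "to_version": 1,
    "hashes": {hashlib.sha256(SAMPLE_V1).hexdigest(): "Dropper.X.v1"},
}
UPDATE_2 = {  # day 2: a family pattern, so later rebuilds no longer each need a new hash
    "from_version": 1, "to_version": 2,
    "patterns": {"Dropper.X.gen": rb"CONSTRUCTED-DROPPER family=X build=\d+"},
}

def demo():
    """Scan results before and after the second delta; build 2 is missed by the hash alone."""
    db = new_database()
    apply_update(db, UPDATE_1)
    before = (scan(db, SAMPLE_V1), scan(db, SAMPLE_V2))
    apply_update(db, UPDATE_2)
    after = (scan(db, SAMPLE_V1), scan(db, SAMPLE_V2), scan(db, CLEAN_FILE))
    return db["version"], before, after
```

The "before" result is the cost the thread worries about: every rebuild of a sample needs another hash shipped in another update, while the family pattern in the second delta covers both builds without a new definition.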

#6
fleamailman

    Member 2k

  • Member
  • 2,383 posts
I am glad Johanna mentioned a backup option as an answer. It may also come to the point where one has to partition the hard drive between XP for everything else and Linux for the Internet. Either way, and without meaning offence, I worry that the HJT way of removing malware is going to get prohibitively long, seeing that if one has something like nail.exe as the process, the client goes through perhaps hours by himself; together with the time it takes for the malware remover to clarify his work too, the whole thing probably takes days. So save/reformat/reinstall/load may become his best bet, that is once he has gone through the regular scans, but suggesting that here is a bit like suggesting an application of hair-remover to the scalp in a hairdressing school, so please don't think that I am detracting from the good work everyone does; more just clarifying an observation of something one sees here.

ukbiker, many thanks for this important thread; any chance of a link to the original quote, as I would like to read more?

Edited by fleamailman, 18 October 2005 - 08:01 AM.

  • 0

#7
fleamailman

    Member 2k

  • Member
  • 2,383 posts
OK, I give up. The first thing I did in reading the starter thread was google Bobbi Fleckman, who turns out to be a star in the Bobbi Fleckman story, which looks like Friends; however, if those now laughing would care to link me to the right material, it will delay me from posting another recipe in the Geeks to Go cafe, but not for long.
  • 0

#8
ukbiker

    Rest in Peace, ukbiker

  • Topic Starter
  • Retired Staff
  • 2,014 posts
Hi there fleamailman.

The quote from Bobbi came from a post in a private forum, so unfortunately I cannot link to it. However, I will find out the original source and see if I can link to that.
  • 0