ZDNet UK

• CNET NETWORKS UK BUSINESS SITES:
• atlarge.com
• BNET UK
• silicon.com
• SmartPlanet.com
• ZDNet.co.uk

Change of tactics in war on viruses

Tom Espiner ZDNet.co.uk

Published: 01 Mar 2006 15:35 GMT

• 
• 
• 
• 
• 

With increasingly diversified threats and a splintered antivirus industry, some security providers are arguing that mainstream antivirus companies are simply not nimble enough to cope with new waves of malware. Traditional approaches to providing updates — which require the malicious code to be in the possession of the security companies — are fundamentally flawed, the argument goes.

IronPort, a US purveyor of Web monitoring services, is one of the companies championing a different approach to dealing with viruses, worms and other nasties. The technology that IronPort uses to filter spam and quarantine emails is different from most other vendors — it uses "Web reputation" as a basis for quarantining suspect email traffic.

Bad reputation
Information about where and who the email claims to come from, what it contains, and the reputation of any link in the email, is used as a basis to decide whether the email will be quarantined. The intended recipient of the email can then decide whether to take it out of quarantine.

"At least 95 percent of businesses are using traditional antivirus defences, but businesses are still getting infected at the moment," says Tom Gillis, senior vice-president of IronPort. "We know this because we run traditional antivirus engines on our solutions, and we still have to quarantine the mail [containing malware] that the antivirus software doesn't catch. The technology in antivirus labs is not orientated towards dealing with the first wave of an attack."

IronPort believes antivirus companies fall down because of their "historical" approach to dealing with unseen malware. "All heuristics and signatures are historical," says Matt Peachey, IronPort's director for northern Europe. "Signatures are retrospective, and heuristics look at the profiles of existing viruses. Both are based on historical data."

Too little, too late
Ironport claims that it takes normal antivirus companies between 2 and 64 hours to come up with the signature required to block the virus. "Even if businesses have a traditional solution in place, they are completely exposed for this time," says Ambika Gadre, IronPort's senior director of product management information services. But IronPort claims that companies that use its technology should be protected from get go if they have set up their quarantine parameters properly.

IronPort isn't the only vendor to use reputation-based quarantining, as CheckPoint, Cisco, and TippingPoint, among others, currently sell such systems. The offerings have one thing in common however — they use sender-based reputation technologies that can shut down ports to block virus attacks.

More than signatures
Vendors who continue to use the traditional approach to antivirus software reject some of the claims made by advocates of the reputation-based approach. Raimund Genes, chief technologist of anti-malware for Trend Micro, says that his company's approach to email filtering does not rely on signatures alone.

"This is an interesting argument," says Genes. "This would be true if we just relied on creating signature definitions, but we also have Internet traffic monitoring, and intrusion detection and protection systems. We actually saw and reported an occurrence of Nyxem on 16 January, and developed a signature for it then. IronPort did not report it until 18 January."

Trend admits that if a network worm were to spread in minutes, then IronPort would detect it earlier than traditional vendors, but he doubts whether the company would actually be able to protect businesses earlier.

Similarly, security company Sophos says that its antivirus technology is designed to be used alongside other services. "Our email gateway product does more than just scan for viruses — antivirus is really just one part of our product. We can block any executable file at the email gateway just like IronPort can. It's odd that IronPort have singled us out for this attention, especially as they have just given us the IronPort 2005 Platinum Partner award for being the best antivirus vendor," says Sophos senior technology consultant Graham Cluley.

Trojan attacks
With an increase in targeted Trojan attacks, where criminal gangs tailor emails to try to fool recipients into running certain applications or visiting Web sites hosting malicious code, some antivirus vendors argue that mail monitoring services — like that offered by IronPort — are not much of a defence.

"I predict fewer global attacks, and more targeted attacks that mail monitoring companies will fail to pick up because there will be no peak of mass-mailers to alert...

For more, click here...

• 
• 
• 
• 

• Share this article:
• 
• 
• 
• 
• 

• Most Recent
• Most Popular
• Most Discussed