Anti-Virus Protection

Before the arrival of the fast-spreading worm/blended threat, the staple technology of anti-virus software, fingerprinting, arguably provided both preventative and proactive protection against the average computer virus. That is, in the past, vendors were able to ship new fingerprints for most viruses before they could achieve widespread distribution. This is because traditional viruses spread slowly, only when humans exchange infected files, on the order of days or weeks. Consequently, in the majority of cases, anti-virus software blocked initial infection, preventing corporate machines from being compromised and precluding the need for costly manual cleanup and downtime.

 

In contrast, given the speed at which worms and blended threats spread today, the fastest-spreading infections sometimes slip past traditional anti-virus software and entrench themselves in desktop and server systems before anti-virus vendors can post an appropriate fingerprint. Once these machines are infected, the role of anti-virus software fundamentally shifts from a proactive, protective shield to that of a clean-up utility.

Clearly, traditional anti-virus software is less effective against the fastest-spreading threats. The question is: is there a technology that could transform anti-virus solutions from their current role as clean-up tools back to their original role as a protective solution? I believe that the answer is “yes” and that the technology that will make this possible is behavior blocking. This article provides a high-level look at behavior blocking technology and explores how this technique may help save corporations from the next generation of fast-spreading worms and blended threats.

Fingerprinting and Heuristics – Still Effective?

Traditional fingerprint-based anti-virus software detects malicious code by searching for tens of thousands of digital fingerprints in all scanned files, disks and network transmissions. Each fingerprint is a short sequence of bytes extracted from the body of a specific virus strain. If a given fingerprint is found, the content is reported as infected; however, since anti-virus fingerprints are based on known sequences of bytes from known infections, this technique often fails to detect new strains.

In contrast to fingerprinting, heuristic anti-virus technology detects infections by scrutinizing a program’s overall structure, its computer instructions and other data contained in the file. The heuristic scanner then makes an assessment of the likelihood that the program is malicious based on the logic’s apparent intent. Such a scheme can detect unknown infections since it searches for generally suspicious logic rather than looking for specific fingerprints.
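To make the contrast between the two preceding paragraphs concrete, here is a small added example (not code from the original article or from any vendor's product) of a fingerprint scanner beside a simple heuristic scorer. The fingerprints, the suspicious-indicator weights, the thresholds and the sample inputs are all constructed for this illustration; the Windows API names used as indicators are real, but treating their presence as a weighted signal is a hypothetical heuristic, not any product's logic. The example shows why a byte-sequence fingerprint stops matching as soon as a strain changes, while a heuristic that scores general properties of the file (suspicious imported API strings, high byte entropy typical of packed or encrypted content) can still flag the altered sample.

```python
import math

# Constructed fingerprints for this example (hypothetical strains, not real
# malware signatures): short byte sequences that would be extracted from a
# known sample's body, as the article describes.
SIGNATURES = {
    "Constructed.Test.A": b"\xde\xad\xbe\xefCONSTRUCTED-STRAIN-A",
    "Constructed.Test.B": b"CONSTRUCTED-STRAIN-B\x01\x02\x03",
}

# Hypothetical heuristic indicators with illustrative weights. The API names
# are real Win32 exports; the weights are invented for this example.
SUSPICIOUS_STRINGS = {
    b"WriteProcessMemory": 2,
    b"CreateRemoteThread": 2,
    b"VirtualAllocEx": 1,
    b"IsDebuggerPresent": 1,
}
ENTROPY_THRESHOLD = 7.0    # bits per byte; random-looking data approaches 8.0
ENTROPY_WEIGHT = 1         # packed content alone is only a weak signal
HEURISTIC_THRESHOLD = 2    # total score at which we call a file "suspicious"


def scan_fingerprints(data: bytes) -> list:
    """Return the name of every known fingerprint found anywhere in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def heuristic_score(data: bytes) -> int:
    """Score general properties of the file rather than exact byte sequences."""
    score = sum(w for s, w in SUSPICIOUS_STRINGS.items() if s in data)
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        score += ENTROPY_WEIGHT
    return score


def classify(data: bytes) -> dict:
    """Combine both techniques: a fingerprint hit is definitive, the
    heuristic only raises suspicion."""
    matches = scan_fingerprints(data)
    score = heuristic_score(data)
    if matches:
        verdict = "infected"
    elif score >= HEURISTIC_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "fingerprints": matches, "heuristic_score": score}


# Constructed test inputs (not real files).
KNOWN_SAMPLE = (
    b"MZ" + b"\x00" * 16
    + SIGNATURES["Constructed.Test.A"]
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
)
# The same content with a single byte altered: the fingerprint no longer
# matches, but the heuristic indicators survive the change.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"\xde\xad", b"\xde\xac")
# Plain text: neither technique reacts.
BENIGN_SAMPLE = b"Quarterly report: revenue up 4%.\n" * 4
# Uniformly distributed bytes (high entropy) plus one weak indicator.
PACKED_SAMPLE = bytes(range(256)) * 2 + b"IsDebuggerPresent"


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE), ("packed", PACKED_SAMPLE)]:
        print(label, classify(sample))
```

Running the block prints one verdict per sample: the known sample is "infected" on the fingerprint, the one-byte variant drops to "suspicious" (heuristic only), the benign text is "clean", and the high-entropy sample is "suspicious" only because two weak indicators combine. A real engine replaces the linear `sig in data` loop with a multi-pattern matcher over tens of thousands of fingerprints, and tunes the heuristic weights against large corpora of clean software to keep false positives down.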

To cope with the most complex infections, modern fingerprinting and heuristics engines often employ CPU emulation or “sand-boxing” techniques in conjunction with simpler bit-and-byte scanning. These products work by performing limited emulation of a program within a virtual machine to reveal otherwise obscured logic. This emulation is extremely limited (often fewer than 1000 instructions are emulated in the typical program) and the program under scrutiny never actually runs on the real CPU or poses a risk to the system.

A big plus for both fingerprinting and heuristics is their ability to detect infections in files before these threats have a chance to run and infect computers. This is because these techniques can detect infections merely by examining the bits and bytes of each file (or performing a very limited, virtualized emulation session). However, since these schemes don’t actually observe full execution of the scanned software, they often fail to detect new infections; there are simply too many ways to obfuscate malicious code, and often the only way to know something is malicious is to watch it run on real silicon and attempt harm. This is where behavior blocking comes in.
