Traditionally, antivirus scanning is performed by comparing a potentially hostile program with a list of characteristic malware signatures. The problem is that the system is always one step behind viruses, Trojans and other hostile programs. Following a review of this problem, we present some alternative techniques.
Viruses and other malicious attacks are a constant threat to corporate infrastructures, and pose a real problem for business activity as a growing number of processes migrate to the virtual world. Almost all of the new malicious code created every day relies not on any particular quality of its own, but on behavior of the attacked system that the program’s original creator never foresaw.
In fact, it’s extremely difficult for developers of even the smallest applications to predict how all the program’s components will react to every conceivable eventuality. Writing code is a relatively easy task. Understanding in detail how that code behaves in every situation, on the other hand, proves to be an extremely costly operation in terms of time, human capital and money, and the complexity grows with the number of developers involved in the project, making the whole all the more difficult to grasp. Add to this the fact that programmers can inadvertently modify the program and create new behaviors, and you’re faced with an insurmountable task: creating an infallible application is virtually impossible, and you’re reduced to chasing catastrophe with patches.
In a personal environment, updates and the use of antivirus software based on virus signatures are usually sufficient to overcome this problem. In a business environment governed by extremely tight constraints, a third way of dealing with malicious attacks needs to be added: heuristic antivirus analysis. Heuristic analysis is based on extraction functions that consider applications as an aggregate of mathematical functions and relations, enabling the operation to be performed without regard to the intrinsic nature of the program.
Today’s heuristic antivirus techniques use several approaches to deal with potentially malicious code:
– Binary code analysis: the antivirus decompiles machine language on the fly into a higher-level language and then analyzes it.
– Runtime execution monitoring: in the event of anomalies, the program is neutralized. The main drawback is that the antivirus only detects the anomaly when the program is executed. An e-mail carrying a virus as an attachment will never be neutralized, since by default the harmful payload has not yet been executed.
– Integrity verification: the antivirus checks that both the potential target of the attack and the potentially hostile program are intact. As soon as one of these two programs no longer matches its original signature, the process is stopped. Instead of starting from a virus signature base that will always lag behind, we start from a limited, stable and always relevant code signature base. The problem is that an antivirus relying on integrity checking does not detect harmful but unintended use of legitimate code functionality. The best we can do is to contain a problem we can’t prevent from arising in the first place.
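As an added illustration of the integrity-verification approach (example code written for this page, not taken from any antivirus product), the script below builds a baseline of SHA-256 digests for a tree of files and then reports anything modified, missing or added; the directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file's bytes, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record the digest of every regular file under root: the stable 'code signature base'."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_digest(path)
    return baseline

def verify(root, baseline):
    """Compare the current tree with the baseline; unchanged files pass regardless of how they are used."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}

def demo():
    """Constructed scenario: baseline two files, then alter one and drop a new one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app"), "wb") as f:
            f.write(b"legit program v1")  # constructed stand-in for a binary
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"[main]\nmode=safe\n")
        baseline = build_baseline(root)
        assert verify(root, baseline) == {"modified": [], "missing": [], "added": []}
        # Simulate tampering with the binary and an unexpected new file appearing
        with open(os.path.join(root, "bin", "app"), "ab") as f:
            f.write(b" appended bytes")
        with open(os.path.join(root, "dropper.tmp"), "wb") as f:
            f.write(b"unknown content")
        return verify(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```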