Never before has Internet security been at the forefront of so many
minds - and that includes the security experts. Threats of and
worries over so-called cyberterrorism have swept through the online
community as well as through the newspapers.
Governments and other heavy users of online data are on their guard
(some would say panicking). A whole host of nasty Internet-borne
pests, ranging from the mildly inconvenient to the downright
malicious, are allegedly just waiting to jump out and bite us.
One of these virtual pests is the infamous e-mail virus, ever on
the increase and capable of causing sizeable damage not only to
those oblivious to the impending danger and with no form of
anti-virus protection, but also to those who thought they had
covered their backs.
At the imaginatively named annual Virus Bulletin conference in
Prague last month, the usual suspects gathered to ruminate over the
year's viral developments, the merits of Anna Kournikova and the
demise of the highly contagious Love Bug. The recent Nimda hybrid
virus, which emerged exactly a week after the attacks on the World
Trade Center, was also inevitably a subject for discussion. This
virus explored new ways of distribution, and certainly put the wind
up many anti-virus suppliers when it broke out.
In the minutes and hours that followed Nimda's initial appearance
some anti-virus suppliers found themselves issuing patch after
patch to their users as they discovered more facets of the virus
and more holes that needed to be covered. The anti-virus suppliers
once again found themselves playing catch-up to a slippery
virus-writer and losing the game.
Nimda was allowed to spread as it did because the traditional
methods of virus protection, used faithfully for so many years, are
no longer up to the job. For many anti-virus suppliers, letting
viruses through to their customers is an accepted occupational
hazard. If a customer neglects to update its software regularly and
is foolish enough to open an attachment from an unknown source, it
is not the suppliers' problem when events take a turn for the
worse.
I don't think that this is the right way to go about virus
prevention (after all, surely that's what all anti-virus suppliers
are looking to achieve?). Software by its nature is reactive; it
relies on diligent IT staff to download the signatures to stave off
the latest viruses.
Things certainly can be done differently: by scanning for
viruses at the Internet level and by scientifically predicting
virus outbreaks, they can be completely avoided.
In recent years the transportation of computer viruses has
undergone massive change. For any modern-day, self-respecting virus
there is only one way to get around and that is via the Internet.
It is quick, has global reach and offers superb infrastructure.
Therefore the logical place to stop viruses is also at the Internet
level, not at the desktop or the server where most anti-virus
software still sits. By simply re-routing e-mail traffic via a
virus scanner, viruses can be detected before they penetrate the
company network, not afterwards.
This is plain common sense. What is clever is getting to a virus
before it gets to you: blocking every nook and cranny so that
outbreaks, and the ensuing clean-up costs, are avoided.
Those in the trade call this heuristic scanning, and it is a highly
underused and hugely important weapon in the fight against the
virus writers. Heuristic scanners rely on being ahead of the game,
on being constantly updated and learning how to interpret evolving
e-mail characteristics.
Heuristic scanning is not looking for viruses but for virus
behaviour; it is looking for tomorrow's outbreak, for which
there is no signature. A heuristic scanner works in a number of
ways: it keeps tabs on abnormal shifts in mail traffic (for
example, one e-mail into an account and 500 e-mails out would
certainly be flagged as dubious), it detects the payloads of
viruses (the often costly after-effects), and it detects how they
are triggered (this may be every time a certain application is run).
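The in/out traffic check described above, as an added example that is not MessageLabs' code: it parses constructed gateway log lines (the log format, account names and thresholds are all assumptions) and flags any account whose outbound mail count is out of all proportion to what came in.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> dir=in|out account=<addr> msgid=<id>"
LINE_RE = re.compile(r"^(?P<ts>\S+) dir=(?P<dir>in|out) account=(?P<acct>\S+)")

def parse_log(lines):
    """Parse gateway log lines into (timestamp, direction, account) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("dir"), m.group("acct")))
    return events

def flag_suspicious(events, ratio=50, min_out=100):
    """Flag accounts whose outbound count is wildly disproportionate to inbound.
    An account is flagged when it sends at least `min_out` messages and its
    outbound count exceeds `ratio` times its inbound count (zero inbound
    counts as one). Counts cover the whole log; a real gateway would use a
    sliding time window on the parsed timestamps."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for _ts, direction, acct in events:
        counts[acct][direction] += 1
    flagged = {}
    for acct, c in counts.items():
        if c["out"] >= min_out and c["out"] > ratio * max(c["in"], 1):
            flagged[acct] = (c["in"], c["out"])
    return flagged

def build_sample_log():
    """Constructed sample: one message into alice, then 500 out; bob is normal."""
    lines = ["2001-10-02T09:00:00 dir=in account=alice@example.com msgid=<m0@ext.example>"]
    for i in range(500):
        lines.append(f"2001-10-02T09:01:{i % 60:02d} dir=out account=alice@example.com "
                     f"msgid=<m{i + 1}@example.com>")
    for i in range(3):
        lines.append(f"2001-10-02T09:05:0{i} dir=in account=bob@example.com msgid=<b{i}@ext.example>")
    for i in range(2):
        lines.append(f"2001-10-02T09:06:0{i} dir=out account=bob@example.com msgid=<r{i}@example.com>")
    return lines

if __name__ == "__main__":
    for acct, (n_in, n_out) in flag_suspicious(parse_log(build_sample_log())).items():
        print(f"{acct}: {n_in} in, {n_out} out -> dubious")
```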
Patching up the problem of e-mail viruses is no solution. The
solution lies in looking past cumbersome software to a more
logical, proactive mode of detection. It lies in scanning for
viruses before they enter your network. Being the first anti-virus
company to issue the first signature isn't good enough; signatures
shouldn't even enter the equation. Traditional virus detection
needs to become modern, effective virus prevention, particularly at
times such as these.
Mark Sunner, chief technology officer, MessageLabs