There is a variety of anti-malware products to help IT
managers in their battle to keep users' machines safe, and
understanding the product categories is key.
If Bill Gates is to be believed, the fight against spam has
already been won. In January 2004, he reportedly said at the Davos
forum that spam would be a thing of the past in two years. This
will raise eyebrows in the offices of managed security services
firm BlackSpider Technologies, which logged more than 1.3 million
phishing attacks this January alone - up 115% from the previous
month.
With viruses and worms now having been joined by spyware,
corporate IT managers are under more pressure than ever to protect
users' machines, but the array of options can be bewildering.
Understanding the difference between the product categories is the
first step.
One of the biggest disparities between anti-virus and anti-spam
software is their relative maturity as product categories. Because
viruses have been around for much longer than widespread commercial
e-mail, anti-virus software is a very mature category in which
relatively little innovation has happened over the past few
years.
Conversely, anti-spam is the least mature in terms of having
been around as a shrinkwrapped product category, according to
Andrew Jaquith, a senior analyst at the Yankee Group, even though
the category has gained massive popularity in the past few years.
The relative immaturity of anti-spam software means there has been
more innovation, and less of a consensus when it comes to required
feature sets and methods of working.
Anti-spam software uses a variety of techniques to help spot
junk mail. These have evolved over time in a game of cat and mouse
with spammers. The software can generally be mapped along a
spectrum of sophistication depending on how many of these
techniques it implements, and how advanced they are.
At one end of the spectrum is the simplest software, which
allows in only approved e-mail. This software is based on
automatically generating white lists by using challenge and
response mechanisms. An individual sending an e-mail to one of
these systems will be sent a return e-mail asking them to complete
a task (such as electronically signing a web form) to prove their
legitimacy. Successfully completing the task adds that individual
to the white list.
Challenge/response systems are inherently unscalable, especially
for companies that consistently receive e-mails from new sources.
"There is also a huge network overhead," said Ross Anderson, an
analyst for Canadian market research company Info-Tech Research.
"For every message that comes in, there is a challenge going out.
You are doubling your message load," he said.
Whereas white list/challenge and response software allows in
only the good, blacklist-enabled software takes the opposite
approach, blocking out what it knows to be bad. Blacklists are
created by specific organisations to list known offensive IP
addresses.
Blacklist-enabled products use reverse domain name system (DNS)
lookups to find originating IP addresses, checking them against
lists of known offenders, or in some cases automatically blocking
e-mails sent from dynamic IP addresses. They run the risk of
blocking valid senders, especially as the lists can often take some
time to update.
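The lookup the paragraph describes works by reversing the octets of the connecting address and querying that name in a blacklist zone; the answer (or its absence) decides the verdict. The example below is added here and is not code from the article or from any blacklist operator: the zone name `dnsbl.example.invalid`, the in-memory `FAKE_ZONE` and the listing codes are all constructed so the code runs offline, and the separate policy for dynamic-range listings illustrates the false-positive caveat the text raises.

```python
import ipaddress

# Constructed placeholder zone; real lists have their own zone names and
# listing-code meanings.
BLACKLIST_ZONE = "dnsbl.example.invalid"

# Constructed in-memory zone so the example runs offline. A live lookup would
# resolve the same names with socket.gethostbyname() and treat a failed
# resolution (socket.gaierror) as "not listed".
FAKE_ZONE = {
    "4.3.2.1." + BLACKLIST_ZONE: "127.0.0.2",   # 1.2.3.4: observed sending spam
    "9.8.7.6." + BLACKLIST_ZONE: "127.0.0.10",  # 6.7.8.9: dynamic/dial-up range
}

# Listing codes that mean "dynamic address range" rather than "seen spamming".
DYNAMIC_CODES = {"127.0.0.10"}


def fake_resolver(name):
    """Stand-in for DNS: returns the A record for a query name, or None."""
    return FAKE_ZONE.get(name)


def dnsbl_query_name(ip, zone=BLACKLIST_ZONE):
    """Build the reversed-octet query name: 1.2.3.4 -> 4.3.2.1.<zone>.
    ipaddress validates the input so garbage never reaches the resolver."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, resolver=fake_resolver, zone=BLACKLIST_ZONE):
    """Return the listing code for an address, or None if it is not listed."""
    return resolver(dnsbl_query_name(ip, zone))


def classify_sender(ip, block_dynamic=False, resolver=fake_resolver):
    """Accept or reject a connecting sender based on the blacklist answer.

    Returns (verdict, reason). Dynamic-range listings are only rejected when
    block_dynamic is set: that is where most false positives against
    legitimate senders come from, so that policy is kept separate from the
    "known spam source" case."""
    code = lookup(ip, resolver)
    if code is None:
        return ("accept", "not listed")
    if code in DYNAMIC_CODES:
        if block_dynamic:
            return ("reject", "dynamic range " + code)
        return ("accept", "dynamic range " + code + ", policy allows")
    return ("reject", "listed " + code)


if __name__ == "__main__":
    for addr in ("1.2.3.4", "6.7.8.9", "10.0.0.1"):
        print(addr, classify_sender(addr), classify_sender(addr, block_dynamic=True))
```

Passing the resolver in as a parameter is what makes the policy testable without network access; swapping in a real DNS call changes nothing else.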
The more complex anti-spam software attempts to evaluate e-mail
without initially assuming it to be good or bad based on something
as basic as an IP address. Simply scanning for tell-tale keywords
evolved into using wildcards and fuzzy logic to cope with
deliberately misspelt terms.
In response, spammers became more devious, using increasingly
sophisticated techniques. These included putting white text against
a white background in an e-mail containing words designed to
confuse filters. Splitting words using HTML comment tags and spaces
to keep the words human-readable while throwing off lexical
analysers is another technique.
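The three evasions just listed (white-on-white padding, words split by HTML comments, and deliberate misspellings) are all defeated by normalising the body to what a human would actually read before matching. The following is an added example, not code from the article or from any filter vendor; the term list, the homoglyph table and the white-text matcher are constructed for illustration and a production filter would cover far more forms.

```python
import html
import re

# Constructed sample list of terms a keyword filter would look for.
SPAM_TERMS = ["viagra", "mortgage"]

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
# Text inside a font/span element coloured white (constructed matcher; a real
# filter would also handle CSS classes, background matching and nested tags).
WHITE_TEXT_RE = re.compile(
    r"<(font|span)\b[^>]*color\s*[=:]\s*[\"']?#?(?:ffffff|white)[^>]*>.*?</\1>",
    re.IGNORECASE | re.DOTALL,
)
# Characters spammers swap for letters so the word stays readable to a human.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "@": "a", "$": "s", "|": "l"})


def normalise(body):
    """Reduce an HTML body to roughly what the reader sees: drop hidden white
    text, strip comments and tags, decode entities, lowercase, collapse space."""
    text = WHITE_TEXT_RE.sub(" ", body)
    text = COMMENT_RE.sub("", text)
    text = TAG_RE.sub("", text)
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).lower().strip()


def fuzzy_pattern(term):
    """Regex tolerating separators between letters: 'v i a g r a', 'v.i.a.g.r.a'."""
    sep = r"[\s.\-_*]*"
    return re.compile(sep.join(re.escape(c) for c in term), re.IGNORECASE)


FUZZY = {term: fuzzy_pattern(term) for term in SPAM_TERMS}


def find_terms(body):
    """Return the listed terms present after de-obfuscation, sorted."""
    text = normalise(body).translate(HOMOGLYPHS)
    return sorted(term for term, pat in FUZZY.items() if pat.search(text))


if __name__ == "__main__":
    samples = [
        "Buy V<!-- x -->IA<!--y-->GRA now",
        '<font color="#FFFFFF">quarterly budget figures</font>Lowest m0rtgage rates!',
        "V I A G R A - cheap",
        "Quarterly report attached, see you Thursday",
    ]
    for s in samples:
        print(repr(s), "->", find_terms(s))
```

The homoglyph substitution is applied only to the copy used for matching, never to the stored message, since it also mangles legitimate digits; that is the usual trade-off with lexical tricks, which is why the text goes on to describe statistical methods.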
Anti-spam companies responded by developing new technologies
such as fingerprinting to try to uniquely identify junk e-mails.
Still others are using Bayesian analysis, which looks at the
structure of an e-mail without relying on content to deduce the
probability of it being spam.
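The article gives Bayesian analysis one sentence; the added example below (not the article's or any vendor's code) shows the mechanics of a token-based naive Bayes filter, which is the form popularised for spam filtering. The eight-message training corpus is constructed, and Laplace smoothing is used so that tokens never seen in one class do not zero out the probability.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    """Multinomial naive Bayes with Laplace smoothing over message tokens."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(tokenize(text))
        self.docs[label] += 1

    def _log_likelihood(self, token, label, vocab):
        # P(token | class) with add-one smoothing over the shared vocabulary.
        total = sum(self.counts[label].values())
        return math.log((self.counts[label][token] + 1) / (total + vocab))

    def spam_probability(self, text):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])  # prior
        for tok in tokenize(text):
            log_odds += (self._log_likelihood(tok, "spam", vocab)
                         - self._log_likelihood(tok, "ham", vocab))
        log_odds = max(-700.0, min(700.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus: four spam and four legitimate messages.
SPAM = [
    "cheap mortgage rates apply now",
    "buy cheap pills online now",
    "click now for free money",
    "free money fast apply today",
]
HAM = [
    "meeting agenda attached for thursday",
    "please review the attached report",
    "lunch on thursday with the team",
    "project status report for the board",
]


def build_filter():
    f = BayesFilter()
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("cheap mortgage rates click now",
                "please send the status report for thursday"):
        print(msg, "->", round(f.spam_probability(msg), 3), f.classify(msg))
```

Because the decision is a probability rather than a match, the threshold can be tuned per deployment: a higher value trades missed spam for fewer false positives, which matters for the quarantine problem discussed later in the article.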
In more recent years, even more innovative approaches have come
to the fore, including reputation-based systems using algorithms,
such as Vipul's Razor, which rely on spam reports from
individuals.
When an individual marks something in his inbox as spam, such
systems send a fingerprint of the e-mail to a central server and
score it according to the reputation of the sender. The more that
the community agrees with you by also marking that e-mail as spam,
the more influence you have over the system when categorising
future e-mails.
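The two paragraphs above describe the complete loop: fingerprint the reported message, record the report under the reporter's reputation, and let agreement from others raise that reputation. The example below is added here and is not the article's description of Vipul's Razor or Razor's own code; the fingerprint scheme (lower-case, whitespace-collapsed SHA-256), the trust increments and the spam threshold are constructed values chosen to make the mechanism visible.

```python
import hashlib
import re
from collections import defaultdict


def fingerprint(body):
    """Hash of a canonicalised body so trivial variants of the same bulk mail
    collide (constructed scheme; real signature algorithms are more tolerant)."""
    canon = re.sub(r"\s+", " ", body.lower()).strip()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ReputationServer:
    """Central store of spam reports keyed by fingerprint, weighted by the
    reputation of each reporter."""

    def __init__(self, initial_trust=1.0, spam_threshold=3.0, max_trust=10.0):
        self.initial_trust = initial_trust
        self.threshold = spam_threshold
        self.max_trust = max_trust
        self.trust = {}                   # reporter -> current trust weight
        self.reports = defaultdict(set)   # fingerprint -> reporters

    def report_spam(self, reporter, body):
        """Record a report. Agreement is rewarded: everyone who already flagged
        this fingerprint gains trust, and so does the newcomer for agreeing."""
        fp = fingerprint(body)
        self.trust.setdefault(reporter, self.initial_trust)
        earlier = set(self.reports[fp])
        if reporter in earlier:
            return fp                     # duplicate report carries no weight
        self.reports[fp].add(reporter)
        for other in earlier:
            self.trust[other] = min(self.max_trust, self.trust[other] + 0.5)
        if earlier:
            self.trust[reporter] = min(self.max_trust, self.trust[reporter] + 0.5)
        return fp

    def score(self, body):
        """Spam score = sum of the trust of everyone who reported this fingerprint."""
        fp = fingerprint(body)
        return sum(self.trust[r] for r in self.reports.get(fp, ()))

    def is_spam(self, body):
        return self.score(body) >= self.threshold


def demo():
    """Constructed scenario: three users agree on one message; a single
    newcomer reporting something else does not reach the threshold alone."""
    srv = ReputationServer()
    bulk = "WIN a FREE prize now"
    srv.report_spam("alice", bulk)
    srv.report_spam("bob", "win a free   PRIZE now")   # same fingerprint
    after_two = srv.score(bulk)
    srv.report_spam("carol", bulk)
    after_three = srv.score(bulk)
    srv.report_spam("alice", "second campaign text")   # alice alone, but trusted
    solo_trusted = srv.score("second campaign text")
    srv.report_spam("mallory", "monthly newsletter")   # newcomer alone
    solo_new = srv.score("monthly newsletter")
    return after_two, after_three, solo_trusted, solo_new, srv.is_spam("monthly newsletter")


if __name__ == "__main__":
    print(demo())
```

Keeping the weight on reporters rather than on messages is what limits a single malicious or careless user: a lone report of a legitimate newsletter never crosses the threshold by itself, while users whose past reports were confirmed carry more weight over time, exactly the "more influence" the text describes.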
The spectrum of complexity in anti-spam products mirrors the
model laid out by Gartner's Neil MacDonald in his analysis of
host-based intrusion prevention, in which he places applications in
a grid with three columns headed:
- Allow known good
- Block known bad
- Unknown.
His grid also uses three rows:
- Network-level protection (which analyses network traffic before
it has a chance to target a PC)
- Application level (which analyses files on a machine)
- Execution level (which provides protection while an application
is running by watching its activities).
Gartner describes anti-virus technology as software designed to
block known malicious code. Traditionally, anti-virus software has
used signature analysis techniques to spot malicious software on a
machine. Anti-virus suppliers will produce tens of thousands of
signatures targeting different viruses, worms and variants of
malware. "It's a question of process, in that anti-virus software
is only as good as its last signature update," said Donal Casey, a
security consultant with systems integrator Morse.
Signature-based anti-virus software is seen as reactive, because
suppliers must produce the signatures for the software to download
before a machine is protected.
Anti-virus software has moved into advanced heuristic analysis,
which watches an application's behaviour and shuts it down if it
tries to do something that the anti-virus tool recognises as
suspicious. It is a safe bet, for example, that a process launched
by an e-mail application that opens a command line interface or
tries to create its own SMTP server is up to no good.
This approach protects the system before an attack signature is
available, thus addressing the zero-day exploit concept in which
exploits spread quickly following the unveiling of a system
vulnerability with no known patch. On the other hand, malware
writers will then be tempted to write viruses or worms that attack
a system in new ways, so the cat-and-mouse struggle between
anti-virus firms and virus writers will continue.
This is why, as with anti-spam systems, the most effective
anti-virus software will employ a mixture of approaches to thwart
malicious code. Relying on a mixture of signature and behavioural
analysis will help to filter out different kinds of virus, just as
relying on Bayesian analysis, reverse DNS lookup and other
techniques will stop more spam.
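The heuristic rule described a few paragraphs earlier (a child of the mail client that opens a command line or starts its own SMTP server) and the "mixture of approaches" conclusion above fit together naturally in one scanner: a signature pass over file content and a behavioural pass over process and network events, with either one able to flag a sample. The code below is an added example, not code from any of the products named in the article; the signature database, the process names and the event stream are all constructed, and the event shape is a simplification of what a real host agent would record.

```python
import hashlib

# Constructed signature database: SHA-256 digests of sample byte strings that
# stand in for known-malicious files. The names are placeholders.
KNOWN_BAD = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-WORM-1").hexdigest(): "Sample.Worm.1",
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-TROJAN-2").hexdigest(): "Sample.Trojan.2",
}

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
SMTP_PORT = 25


def signature_scan(data):
    """Signature pass: exact content match. Returns the signature name or None.
    A one-byte variant of a known sample is missed, which is the reactive gap
    the text describes."""
    return KNOWN_BAD.get(hashlib.sha256(data).hexdigest())


def process_tree(events):
    """Index spawn events: pid -> parent pid, pid -> image name."""
    parents, names = {}, {}
    for ev in events:
        if ev["type"] == "spawn":
            parents[ev["pid"]] = ev["ppid"]
            names[ev["pid"]] = ev["image"].lower()
    return parents, names


def under_mail_client(pid, parents, names):
    """True if any ancestor of pid is a mail client (cycle-safe walk)."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if names.get(pid) in MAIL_CLIENTS:
            return True
    return False


def behaviour_scan(events):
    """Behavioural pass over an event stream. Event shapes (constructed):
    {"type": "spawn", "pid", "ppid", "image"} and {"type": "listen", "pid", "port"}.
    The two rules are the behaviours the text singles out as suspicious."""
    parents, names = process_tree(events)
    alerts = []
    for ev in events:
        if ev["type"] == "spawn" and ev["image"].lower() in SHELLS:
            if under_mail_client(ev["pid"], parents, names):
                alerts.append((ev["pid"], "shell launched under mail client"))
        elif ev["type"] == "listen" and ev["port"] == SMTP_PORT:
            if under_mail_client(ev["pid"], parents, names):
                alerts.append((ev["pid"], "SMTP listener started under mail client"))
    return alerts


def scan(data, events):
    """Combine both passes; either one alone is enough to flag the sample."""
    sig = signature_scan(data)
    alerts = behaviour_scan(events)
    return {"signature": sig, "behaviour": alerts, "malicious": bool(sig or alerts)}


# Constructed event stream: an attachment run from the mail client spawns a
# shell and listens on port 25; a user-opened shell under explorer is benign.
SAMPLE_EVENTS = [
    {"type": "spawn", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "spawn", "pid": 200, "ppid": 100, "image": "outlook.exe"},
    {"type": "spawn", "pid": 300, "ppid": 200, "image": "attachment.exe"},
    {"type": "spawn", "pid": 310, "ppid": 300, "image": "cmd.exe"},
    {"type": "listen", "pid": 300, "port": 25},
    {"type": "spawn", "pid": 400, "ppid": 100, "image": "cmd.exe"},
    {"type": "listen", "pid": 500, "port": 80},
]

if __name__ == "__main__":
    print(scan(b"CONSTRUCTED-SAMPLE-WORM-1-variant", SAMPLE_EVENTS))
```

The sample run makes the article's point concrete: the variant slips past the signature pass but is still caught by behaviour, while the same behavioural rules stay quiet for a shell the user opened from the desktop, which is the false-positive side of heuristics that administrators need to be able to tune.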
Industry watchers are also seeing categories of security
software converging for a variety of reasons. Just as spammers,
spyware and virus writers are beginning to collaborate, so
anti-virus companies are starting to bring the different software
categories together.
"There is a convergence of that threat vector, and suppliers are
making a similar move," said Thomas Raschke, senior analyst at
Forrester Research. "Traditional anti-virus suppliers are beefing
up their portfolios with spam or spyware offerings."
These categories of application - anti-spam, anti-spyware, and
anti-virus - can each be subdivided into subcategories based on the
target platform: client-based, server, appliance-based, or
externally hosted. Each platform has its own feature
requirements.
On the client, for example, the end-user is probably a business
person who just wants to get on with the job. "Something that goes
on the desktop has to be a simpler and more structured tool with
fewer configuration options," said Info-Tech's Anderson. "It has to
be running in the background."
On the other hand, server-based anti-virus and anti-spam
products must be more manageable so that administrators can tweak
them. Look for features enabling administrators to provide
different weightings and rules for analysing and stopping malware
and spam.
Typically, businesses will want a combined server/client
solution that enables administrators to centrally manage desktop
systems from a server. McAfee, Symantec and Trend Micro are the
biggest suppliers here. McAfee offers its Virusscan and
Virusdefense SMB editions, both of which offer file server and
desktop protection, the latter including e-mail server protection.
Symantec's Anti-Virus Business Pack, also available in fileserver
and mailserver configurations (with the latter offering anti-spam
protection), again offers centralised management. Trend Micro sells
through business partners.
At the client level, integration between anti-spam and
anti-virus products is still limited, but at the server level,
including gateway and appliance-based applications, the two are
well integrated.
Companies such as IronPort offer anti-spam and anti-virus
modules in a single piece of hardware. IronPort also blends
together engines from different companies, picking the Sophos
anti-virus engine alongside the Symantec Brightmail anti-spam
engine.
Multi-layered protection is also a popular feature, with
companies offering multiple anti-virus engines to provide a better
chance of catching viruses. Clearswift is one firm offering the
ability to link to multiple engines. It also offers spam and virus
protection in one package.
But it is in hosted applications where the product categories
are really converging. The advantage of using a hosted third-party
anti-virus or anti-spam solution is that e-mail never reaches your
network, said Jaquith.
It is little wonder that hosted systems (commonly referred to as
managed services) are becoming more popular. Other software
suppliers may have a challenge selling software-as-service models
to customers, especially after the loss of confidence following the
failure of the application service provider market to deliver the
promised benefits at the turn of the decade.
But whereas companies may feel uncomfortable moving, say,
accounting data outside the firewall, e-mail communications have to
travel across the internet anyway, so it makes sense for virus and
spam protection services to be offered in the cloud.
Hosted systems have capitalised on this advantage, expanding
into full-service communications management offerings, covering not
only anti-virus and anti-spam scanning, but also moving into e-mail
archiving and retrieval. The rationale is that businesses faced
with regulatory compliance requirements will have an easier job
offloading e-mail storage and retrieval to a third party.
Companies like Postini are also moving into instant messaging
and web traffic management, offering to stop worms, Trojans and
viruses along with inappropriate content in these communications
streams.
Nevertheless, there can be downsides to hosted services.
Because most anti-spam systems will classify the occasional valid
e-mail as spam (called a false positive), such products must offer
the ability to check e-mail before it is finally deleted.
In desktop anti-spam filters, these e-mails are moved to a
folder that is accessible by the user for easy checking. But as
systems move further away from the desktop, this becomes harder.
Beware of hosted anti-spam solutions that only authorise systems
administrators to check for false positives. This can introduce
both scalability problems and a delay for the end-user, who may
miss important e-mails as a result.
IT managers may be understandably uncertain about which product
and platform to choose when deploying anti-virus, anti-spyware and
anti-spam systems. But amid all these uncertainties, one thing is
clear: the internet is a bad neighbourhood. Whatever lock you
decide to put on your company's front door, it had better be a
sturdy one.