Securing victory in a game of cat and mouse

There is a variety of anti-malware products to help IT managers in their battle to keep users' machines safe, and understanding the product categories is key.


If Bill Gates is to be believed, the fight against spam has already been won. In January 2004, he reportedly said at the Davos forum that spam would be a thing of the past in two years. This will raise eyebrows in the offices of managed security services firm BlackSpider Technologies, which logged more than 1.3 million phishing attacks this January alone - up 115% from the previous month.

With viruses and worms now having been joined by spyware, corporate IT managers are under more pressure than ever to protect users' machines, but the array of options can be bewildering. Understanding the difference between the product categories is the first step.

One of the biggest disparities between anti-virus and anti-spam software is their relative maturity as product categories. Because viruses have been around for much longer than widespread commercial e-mail, anti-virus software is a very mature category in which relatively little innovation has happened over the past few years.

Conversely, anti-spam is the least mature in terms of having been around as a shrinkwrapped product category, according to Andrew Jaquith, a senior analyst at the Yankee Group, even though the category has gained massive popularity in the past few years. The relative immaturity of anti-spam software means there has been more innovation, and less of a consensus when it comes to required feature sets and methods of working.

Anti-spam software uses a variety of techniques to help spot junk mail. These have evolved over time in a game of cat and mouse with spammers. The software can generally be mapped along a spectrum of sophistication depending on how many of these techniques it implements, and how advanced they are.

At one end of the spectrum is the simplest software, which allows in only approved e-mail. This software is based on automatically generating white lists by using challenge and response mechanisms. An individual sending an e-mail to one of these systems will be sent a return e-mail asking them to complete a task (such as electronically signing a web form) to prove their legitimacy. Successfully completing the task adds that individual to the white list.

Challenge/response systems are inherently unscalable, especially for companies that consistently receive e-mails from new sources. "There is also a huge network overhead," said Ross Anderson, an analyst for Canadian market research company Info-Tech Research. "For every message that comes in, there is a challenge going out. You are doubling your message load," he said.

Whereas white list/challenge and response software allows in only the good, blacklist-enabled software takes the opposite approach, blocking out what it knows to be bad. Blacklists are created by specific organisations to list known offensive IP addresses.

Blacklist-enabled products use reverse domain name system (DNS) lookups to find originating IP addresses, checking them against lists of known offenders, or in some cases automatically blocking e-mails sent from dynamic IP addresses. They run the risk of blocking valid senders, especially as the lists can take some time to update.
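The blacklist and reverse-DNS checks described above, written out as an added example (it is not code from the article or from any product it names). The resolver is a constructed in-memory stub so the example runs offline; the addresses come from the RFC 5737 documentation ranges, and the hostnames and the blocklist zone "dnsbl.example.test" are hypothetical. It uses the conventional DNSBL query form, in which the address octets are reversed and prefixed to the zone name, and only treats a blocklist hit as a hard block; a missing or dynamic-looking PTR record is marked "suspect" rather than rejected, reflecting the risk of blocking valid senders that the text warns about.

```python
import ipaddress
import re

# Constructed stand-in for a DNS resolver so the example runs offline.
# Keys are query names, values the answer a real resolver would return.
STUB_DNS = {
    "5.100.51.198.in-addr.arpa": "mx.partner-corp.test",      # PTR for 198.51.100.5
    "77.2.0.192.in-addr.arpa": "dhcp-77.dyn.home-isp.test",   # PTR for 192.0.2.77
    "9.113.0.203.in-addr.arpa": "mail.spammy-host.test",      # PTR for 203.0.113.9
    "9.113.0.203.dnsbl.example.test": "127.0.0.2",            # 203.0.113.9 is listed
}
DNSBL_ZONE = "dnsbl.example.test"          # hypothetical blocklist zone
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "ppp", "dial")   # naming-convention guesswork

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(headers):
    """Take the connecting IP from the outermost Received: header, i.e. the hop
    recorded by our own mail server. Inner Received: lines were written by other
    (possibly forged) relays and are not trusted for this decision."""
    for line in headers:
        if line.lower().startswith("received:"):
            m = RECEIVED_IP.search(line)
            if not m:
                return None
            try:
                return str(ipaddress.IPv4Address(m.group(1)))
            except ValueError:
                return None
    return None

def reversed_octets(ip):
    # 198.51.100.5 -> "5.100.51.198": the label order used by in-addr.arpa and DNSBL zones
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))

def resolve(name):
    return STUB_DNS.get(name)

def reverse_dns(ip):
    return resolve(f"{reversed_octets(ip)}.in-addr.arpa")

def dnsbl_listed(ip, zone=DNSBL_ZONE):
    # A listed address answers with a 127.0.0.x record; an unlisted one returns nothing.
    return resolve(f"{reversed_octets(ip)}.{zone}") is not None

def looks_dynamic(hostname):
    return hostname is not None and any(h in hostname.lower() for h in DYNAMIC_HINTS)

def classify_sender(headers):
    ip = originating_ip(headers)
    if ip is None:
        return ("unknown", None)
    if dnsbl_listed(ip):
        return ("block:dnsbl", ip)
    ptr = reverse_dns(ip)
    if ptr is None:
        return ("suspect:no-ptr", ip)     # score or greylist rather than reject outright
    if looks_dynamic(ptr):
        return ("suspect:dynamic", ip)
    return ("allow", ip)

def sample_headers(ip):
    # Constructed header block as our own mail server would record it for a given peer.
    return [
        f"Received: from unknown (HELO sender.test) [{ip}] by mx.ourcompany.test; Mon, 7 Mar 2005 09:00:00 +0000",
        "Received: from [10.0.0.1] by sender.test; Mon, 7 Mar 2005 08:59:00 +0000",
        "From: someone@sender.test",
    ]

if __name__ == "__main__":
    for ip in ("198.51.100.5", "203.0.113.9", "192.0.2.77", "192.0.2.50"):
        print(ip, classify_sender(sample_headers(ip)))
```

The decision is taken only from the header written by the receiving server, because any Received: line further down the chain was supplied by the sender and can say anything. The "suspect" results are where a real product would feed a score into the content-based checks rather than drop the message.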

The more complex anti-spam software attempts to evaluate e-mail without initially assuming it to be good or bad based on something as basic as an IP address. Simply scanning for tell-tale keywords evolved into using wildcards and fuzzy logic to cope with deliberately misspelt terms.

In response, spammers became more devious, using increasingly sophisticated techniques. These included putting white text against a white background in an e-mail containing words designed to confuse filters. Splitting words using HTML comment tags and spaces to keep the words human-readable while throwing off lexical analysers is another technique.
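The filter-side counter to the tricks just described, as an added example (not code from the article): the message is normalised before lexical analysis, which removes HTML comment tags so split words rejoin, strips white-on-white filler text, undoes the usual digit-for-letter substitutions, and then matches tokens against a watch-list with a one-edit tolerance for misspellings. The sample message, the watch-list and the substitution table are all constructed for this example.

```python
import html
import re

# Constructed sample message exercising the evasion tricks described above:
# a term split by HTML comments, white-on-white filler text, and misspellings.
SAMPLE = """<html><body>
<p>Cheap <b>V<!-- x -->IAG<!-- y -->RA</b> and M0RTG4GE rates!</p>
<font color="#ffffff">meeting agenda quarterly report budget</font>
<p>fr33 pr1zes</p>
</body></html>"""

# Illustrative watch-list; a production filter weights many hundreds of terms.
WATCHLIST = ["viagra", "mortgage", "free", "prize"]

# Common digit/symbol substitutions mapped back to letters before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def strip_hidden_text(body):
    # Text coloured white is invisible to the reader and exists only to dilute
    # keyword scores with innocuous words, so it is removed before analysis.
    return re.sub(r'<font[^>]*color="#?(?:fff|ffffff)"[^>]*>.*?</font>',
                  " ", body, flags=re.I | re.S)

def normalise(body):
    text = strip_hidden_text(body)
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)  # rejoin words split by comments
    text = re.sub(r"<[^>]+>", " ", text)                 # drop remaining markup
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).strip().lower()

def edit_distance(a, b):
    # Levenshtein distance: fewest single-character edits turning a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_hits(text, watchlist=WATCHLIST, max_edits=1):
    """Map each watch-list term to the raw tokens that matched it, exactly or
    within max_edits after undoing substitutions. Short terms must match
    exactly, otherwise ordinary words sit one edit away from them."""
    hits = {}
    for raw in re.findall(r"[a-z0-9@$]+", text):
        token = raw.translate(LEET)
        for term in watchlist:
            if token == term or (len(term) >= 5 and edit_distance(token, term) <= max_edits):
                hits.setdefault(term, []).append(raw)
    return hits

if __name__ == "__main__":
    cleaned = normalise(SAMPLE)
    print(cleaned)
    print(fuzzy_hits(cleaned))
```

Normalisation is what makes the later matching cheap: once comments and markup are gone the filter sees "viagra" and "m0rtg4ge" as single tokens again, and the substitution table plus the edit tolerance catch the misspelt forms without a wildcard per variant. The exact-match rule for short terms is the guard against the false positives this kind of fuzziness otherwise produces.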

Anti-spam companies responded by developing new technologies such as fingerprinting to try to uniquely identify junk e-mails. Others use Bayesian analysis, which looks at the structure of an e-mail without relying on content to deduce the probability of it being spam.
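A minimal Bayesian spam filter, added here as an example and not taken from the article or any product it mentions. It is the token-based form popularised in the early 2000s: each token is given a smoothed probability of appearing in spam versus legitimate mail, and the per-token probabilities are combined (in log space, to avoid underflow) into one probability for the message. The eight training messages are constructed for this example and far too few for real use; the point is the arithmetic, not the corpus.

```python
import math
import re
from collections import Counter

def tokens(text):
    # Token presence rather than counts, so a word repeated 50 times counts once.
    return set(re.findall(r"[a-z$]{2,}", text.lower()))

class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of legitimate messages containing it

    def train(self, text, is_spam):
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def token_spam_probability(self, tok):
        # P(spam | token), with Laplace smoothing so an unseen token sits at 0.5
        # and no token can ever carry a probability of exactly 0 or 1.
        s = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
        h = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
        return s / (s + h)

    def score(self, text):
        # Combine per-token probabilities: prod(p) / (prod(p) + prod(1 - p)),
        # computed in log space.
        log_spam = log_ham = 0.0
        for tok in tokens(text):
            p = self.token_spam_probability(tok)
            log_spam += math.log(p)
            log_ham += math.log(1 - p)
        return 1 / (1 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.score(text) >= threshold

# Constructed training corpus for the demonstration.
SPAM_TRAINING = [
    "cheap pills order now",
    "free prize claim now",
    "cheap mortgage rates order today",
    "win free money now",
]
HAM_TRAINING = [
    "meeting agenda for the quarterly budget",
    "please review the attached report",
    "lunch tomorrow to discuss the project",
    "the quarterly report is attached",
]

def build_demo_filter():
    f = BayesFilter()
    for text in SPAM_TRAINING:
        f.train(text, True)
    for text in HAM_TRAINING:
        f.train(text, False)
    return f

if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("free cheap prize now", "quarterly budget meeting", "hello there"):
        print(f"{msg!r}: {f.score(msg):.3f}")
```

The high threshold (0.9) is deliberate: the cost of a false positive is a lost legitimate message, so the filter should only act when the evidence is strong, and borderline scores belong in a quarantine the user can check. Because every probability is smoothed, a message of entirely unseen words scores 0.5 and is left alone.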

In more recent years, even more innovative approaches have come to the fore, including reputation-based systems using algorithms, such as Vipul's Razor, which rely on spam reports from individuals.

When an individual marks something in his inbox as spam, such systems send a fingerprint of the e-mail to a central server and score it according to the reputation of the sender. The more that the community agrees with you by also marking that e-mail as spam, the more influence you have over the system when categorising future e-mails.
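The reputation-weighted reporting scheme described in the last two paragraphs, and the fingerprinting mentioned earlier, as one added example (not code from the article, Vipul's Razor or any other service). A central service hashes a canonicalised copy of each reported message, sums the reputation of everyone who reported that fingerprint, and raises the reputation of reporters whenever others agree with them. Reporter names, thresholds and the message bodies are constructed for this example; a real service uses fuzzier hashing than plain SHA-256 so that small per-recipient variations still collide.

```python
import hashlib
import re

def fingerprint(body):
    # Canonicalise whitespace and case first so trivial edits still yield the
    # same fingerprint. Real services use fuzzier, locality-sensitive hashes.
    canon = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

class ReputationService:
    """Central server that scores fingerprints by the reputation of their reporters."""

    def __init__(self, threshold=2.0, gain=0.25, cap=5.0):
        self.threshold = threshold   # weighted votes needed to call a fingerprint spam
        self.gain = gain             # reputation earned each time others agree with you
        self.cap = cap               # ceiling so no single reporter can dominate
        self.reputation = {}         # reporter -> weight, starting at 1.0
        self.reports = {}            # fingerprint -> set of reporters

    def weight(self, reporter):
        return self.reputation.setdefault(reporter, 1.0)

    def report_spam(self, reporter, body):
        fp = fingerprint(body)
        voters = self.reports.setdefault(fp, set())
        if reporter in voters:
            return self.score(fp)    # duplicate report: no extra weight
        voters.add(reporter)
        self.weight(reporter)
        if len(voters) > 1:
            # Agreement is mutual: everyone who reported this message is
            # confirmed by the others, so all of them gain reputation.
            for r in voters:
                self.reputation[r] = min(self.weight(r) + self.gain, self.cap)
        return self.score(fp)

    def score(self, fp):
        return sum(self.weight(r) for r in self.reports.get(fp, ()))

    def is_known_spam(self, body):
        return self.score(fingerprint(body)) >= self.threshold

# Constructed message bodies for the demonstration.
MSG_A = "You have been selected!  Claim your prize\nat example-prize.test today."
MSG_B = "Limited offer: cheap rates, reply now."

if __name__ == "__main__":
    svc = ReputationService()
    for who in ("alice", "bob", "carol"):
        print(who, "reports A ->", svc.report_spam(who, MSG_A), svc.is_known_spam(MSG_A))
    print("alice alone reports B ->", svc.report_spam("alice", MSG_B), svc.is_known_spam(MSG_B))
```

Two properties matter for abuse resistance. A newcomer's single report never crosses the threshold on its own, so one account cannot blacklist a message; and reputation only grows through agreement on the same fingerprint, so an account that files reports nobody else confirms stays at its starting weight.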

The spectrum of complexity in anti-spam products mirrors the model laid out by Gartner's Neil McDonald in his analysis of host-based intrusion prevention, in which he places applications in a grid with three columns headed:

  • Allow known good
  • Block known bad
  • Unknown. 

His grid also uses three rows:

  • Network-level protection (which analyses network traffic before it has a chance to target a PC)
  • Application level (which analyses files on a machine)
  • Execution level (which provides protection while an application is running by watching its activities).

Gartner describes anti-virus technology as software designed to block known malicious code. Traditionally, anti-virus software has used signature analysis techniques to spot malicious software on a machine. Anti-virus suppliers will produce tens of thousands of signatures targeting different viruses, worms and variants of malware. "It's a question of process, in that anti-virus software is only as good as its last signature update," said Donal Casey, a security consultant with systems integrator Morse.

Signature-based anti-virus software is seen as reactive, because suppliers must produce the signatures for the software to download before a machine is protected.

Anti-virus software has moved into advanced heuristic analysis, which watches an application's behaviour and shuts it down if it tries to do something that the anti-virus tool recognises as suspicious. It is a safe bet, for example, that a process launched by an e-mail application that opens a command line interface or tries to create its own SMTP server is up to no good.

This approach protects the system before an attack signature is available, thus addressing the zero day exploit concept in which exploits spread quickly following the unveiling of a system vulnerability with no known patch. On the other hand, malware writers will then be tempted to write viruses or worms that attack a system in new ways, so the cat-and-mouse struggle between anti-virus firms and virus writers will continue.

This is why, as with anti-spam systems, the most effective anti-virus software will employ a mixture of approaches to thwart malicious code. Relying on a mixture of signature and behavioural analysis will help to filter out different kinds of virus, just as relying on Bayesian analysis, reverse DNS lookup and other techniques will stop more spam.
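The two anti-virus approaches discussed above side by side, as an added example that is not code from the article or from any vendor it names. The signature scanner is a byte-pattern match against a tiny constructed database (one entry is the industry-standard EICAR test string, which is harmless by design; the other is a made-up pattern). The behavioural check implements the article's own illustration: a process spawned by a mail client that opens a command shell or starts listening on the SMTP port is flagged, with no signature involved. The process events are constructed dictionaries standing in for endpoint telemetry.

```python
# Constructed signature database. The EICAR entry is the standard harmless
# anti-virus test string; "Example.Dropper.A" is an invented pattern.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Dropper.A": b"\xde\xad\xbe\xef\x00CONSTRUCTED-EXAMPLE",
}

def signature_scan(data):
    """Reactive check: returns the names of every known pattern found in the bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

# Behavioural rules following the article's example. Image names are hypothetical.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
SMTP_PORT = 25

def behaviour_alerts(events):
    """Proactive check over a stream of process events (constructed dicts with a
    'type' of 'process_start' or 'listen'). Returns (pid, reason) tuples."""
    alerts = []
    spawned_by_mail = set()
    for ev in events:
        if ev["type"] == "process_start" and ev["parent"].lower() in MAIL_CLIENTS:
            spawned_by_mail.add(ev["pid"])
            if ev["image"].lower() in SHELLS:
                alerts.append((ev["pid"], "mail client launched a command shell"))
        elif ev["type"] == "listen" and ev["port"] == SMTP_PORT and ev["pid"] in spawned_by_mail:
            alerts.append((ev["pid"], "mail-spawned process started an SMTP listener"))
    return alerts

def verdict(data, events):
    # Layered decision: a signature hit is definitive; otherwise fall back to behaviour.
    if signature_scan(data):
        return "block:signature"
    if behaviour_alerts(events):
        return "block:behaviour"
    return "allow"

# Constructed event stream: an attachment viewer spawned by the mail client
# starts an SMTP listener, and the mail client also launches a shell. The
# listener on pid 400 belongs to an unrelated process and is ignored.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "parent": "explorer.exe", "image": "outlook.exe"},
    {"type": "process_start", "pid": 200, "parent": "outlook.exe", "image": "invoice_viewer.exe"},
    {"type": "listen", "pid": 200, "port": 25},
    {"type": "process_start", "pid": 300, "parent": "outlook.exe", "image": "cmd.exe"},
    {"type": "listen", "pid": 400, "port": 25},
]

if __name__ == "__main__":
    print(signature_scan(SIGNATURES["EICAR-Test-File"]))
    print(behaviour_alerts(SAMPLE_EVENTS))
    print(verdict(b"plain document text", SAMPLE_EVENTS))
```

The signature branch is exact and cheap but only knows what has already been seen, which is the reactivity the article describes. The behavioural branch fires on the first occurrence of a new sample, which is the zero-day argument for it, at the cost of occasional false positives (a legitimate helper application spawned by the mail client that opens a console, say), so in practice its verdicts are scored and combined rather than applied alone.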

Industry watchers are also seeing categories of security software converging for a variety of reasons. Just as spammers, spyware and virus writers are beginning to collaborate, so anti-virus companies are starting to bring the different software categories together.

"There is a convergence of that threat vector, and suppliers are making a similar move," said Thomas Raschke, senior analyst at Forrester Research. "Traditional anti-virus suppliers are beefing up their portfolios with spam or spyware offerings."

These categories of application - anti-spam, anti-spyware, and anti-virus - can each be subdivided into subcategories based on the target platform: client-based, server, appliance-based, or externally hosted. Each platform has its own feature requirements.

On the client, for example, the end-user is probably a business person who just wants to get on with the job. "Something that goes on the desktop has to be a simpler and more structured tool with fewer configuration options," said Info-Tech's Anderson. "It has to be running in the background."

On the other hand, server-based anti-virus and anti-spam products must be more manageable so that administrators can tweak them. Look for features enabling administrators to provide different weightings and rules for analysing and stopping malware and spam.

Typically, businesses will want a combined server/client solution that enables administrators to centrally manage desktop systems from a server. McAfee, Symantec and Trend Micro are the biggest suppliers here. McAfee offers its Virusscan and Virusdefense SMB editions, both of which offer file server and desktop protection, the latter including e-mail server protection. Symantec's Anti-Virus Business Pack, also available in fileserver and mailserver configurations (with the latter offering anti-spam protection), again offers centralised management. Trend Micro sells through business partners.

At the client level, integration between anti-spam and anti-virus products is still limited, but at the server level, including gateway and appliance-based applications, the two are well integrated.

Companies such as Ironport offer anti-spam and anti-virus modules in a single piece of hardware. Ironport also blends together engines from different companies, picking the Sophos anti-virus engine alongside the Symantec Brightmail anti-spam engine.

Multi-layered protection is also a popular feature, with companies offering multiple anti-virus engines to provide a better chance of catching viruses. Clearswift is one firm offering the ability to link to multiple engines. It also offers spam and virus protection in one package.

But it is in hosted applications where the product categories are really converging. The advantage of using a hosted third-party anti-virus or anti-spam solution is that e-mail never reaches your network, said Jaquith.

It is little wonder that hosted systems (commonly referred to as managed services) are becoming more popular. Other software suppliers may have a challenge selling software-as-service models to customers, especially after the loss of confidence following the failure of the application service provider market to deliver the promised benefits at the turn of the decade.

But whereas companies may feel uncomfortable moving, say, accounting data outside the firewall, e-mail communications have to travel across the internet anyway, so it makes sense for virus and spam protection services to be offered in the cloud.

Hosted systems have capitalised on this advantage, expanding into full-service communications management offerings, covering not only anti-virus and anti-spam scanning, but also moving into e-mail archiving and retrieval. The rationale is that businesses faced with regulatory compliance requirements will have an easier job offloading e-mail storage and retrieval to a third party.

Companies like Postini are also moving into instant messaging and web traffic management, offering to stop worms, Trojans and viruses along with inappropriate content in these communications streams.

Nevertheless, there can be downsides to hosted services. Because most anti-spam systems will classify the occasional valid e-mail as spam (called a false positive), such products must offer the ability to check e-mail before it is finally deleted.

In desktop anti-spam filters, these e-mails are moved to a folder that is accessible by the user for easy checking. But as systems move further away from the desktop, this becomes harder. Beware of hosted anti-spam solutions that only authorise systems administrators to check for false positives. This can introduce both scalability problems and a delay for the end-user, who may miss important e-mails as a result.

IT managers may be understandably uncertain about which product and platform to choose when deploying anti-virus, anti-spyware and anti-spam systems. But amid all these uncertainties, one thing is clear: the internet is a bad neighbourhood. Whatever lock you decide to put on your company's front door, it had better be a sturdy one.
