Virus prevention is better than 'cures'

Never before has Internet security been at the forefront of so many minds - and that includes the security experts. Threats of and worries over so-called cyberterrorism have swept through the online community as well as through the newspapers.

Governments and other heavy users of online data are on their guard (some would say panicking). A whole host of nasty Internet-borne pests, ranging from the mildly inconvenient to the downright malicious, are allegedly just waiting to jump out and bite us.

One of these virtual pests is the infamous e-mail virus, ever on the increase and capable of causing sizeable damage not only to those oblivious to the impending danger and with no form of anti-virus protection, but also to those who thought they had covered their backs.

At the imaginatively named annual Virus Bulletin conference in Prague last month, the usual suspects gathered to ruminate over the year's viral developments, the merits of Anna Kournikova and the demise of the highly contagious Love Bug. The recent Nimda hybrid virus, which emerged exactly a week after the attacks on the World Trade Center, was also inevitably a subject for discussion. This virus explored new ways of distribution, and certainly put the wind up many anti-virus suppliers when it broke out.

In the minutes and hours that followed Nimda's initial appearance some anti-virus suppliers found themselves issuing patch after patch to their users as they discovered more facets of the virus and more holes that needed to be covered. The anti-virus suppliers once again found themselves playing catch-up to a slippery virus-writer and losing the game.

Nimda was allowed to spread as it did because the traditional methods of virus protection, used faithfully for so many years, are no longer up to the job. For many anti-virus suppliers, letting viruses through to their customers is an accepted occupational hazard. If a customer neglects to update its software regularly and is foolish enough to open an attachment from an unknown source, it is not the suppliers' problem when events take a turn for the worse.

I don't think that this is the right way to go about virus prevention (after all, surely that's what all anti-virus suppliers are looking to achieve?). Software by its nature is reactive: it relies on diligent IT staff to download the signatures to stave off the latest viruses.

Things certainly can be done differently. By scanning for viruses at the Internet level and by scientifically predicting virus outbreaks, they can be completely avoided.

In recent years the transportation of computer viruses has undergone massive change. For any modern-day, self-respecting virus there is only one way to get around and that is via the Internet. It is quick, it has a global reach and superb infrastructure. Therefore the logical place to stop viruses is also at the Internet level, not at the desktop or the server where most anti-virus software still sits. By simply re-routing e-mail traffic via a virus scanner, viruses can be detected before they penetrate the company network, not afterwards.

This is plain common sense. What is clever is getting to a virus before it gets to you. Blocking every nook and cranny so that outbreaks, and the ensuing clean-up costs, are avoided.

Those in the trade call this heuristic scanning, and it is a highly underused and hugely important weapon in the fight against the virus writers. Heuristic scanners rely on being ahead of the game, on being constantly updated and learning how to interpret evolving e-mail characteristics.

Heuristic scanning is not looking for viruses but for virus behaviour; it is looking for tomorrow's outbreak, for which there is no signature. A heuristic scanner works in a number of ways: it keeps tabs on abnormal shifts in virus traffic (for example, one e-mail into an account and 500 e-mails out would certainly be flagged as dubious), it detects the payloads of viruses (the often costly after-effects), and it detects how they are triggered (this may be every time a certain application is run).
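The "one e-mail in, 500 e-mails out" heuristic above, and the idea of putting the check at the Internet gateway rather than on the desktop, can be made concrete with a small detector run over a gateway mail log. The code below is an added illustration written for this page, not MessageLabs code or any product's logic. The log format (timestamp, direction, account, message id), the account names, the ten-minute window and the ratio and volume thresholds are all constructed for the example; a real gateway would tune them to its own traffic.

```python
"""Heuristic fan-out check over a mail-gateway log.

Flags any account whose outbound message count within a sliding time window
is far larger than its inbound count, the pattern a mass-mailing virus leaves
when one infected message arrives and hundreds go out.  Everything here
(log format, accounts, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log: ISO timestamp, IN/OUT relative to the network,
# the local account involved, and a message id.  Alice receives one message
# and replies once; Bob receives one message and then sends 500 in 9 minutes.
SAMPLE_LOG = """\
2001-09-18T09:00:01 IN  alice@example.com msg-001
2001-09-18T09:00:05 OUT alice@example.com msg-002
2001-09-18T09:00:30 IN  bob@example.com   msg-003
""" + "\n".join(
    f"2001-09-18T09:{1 + i // 60:02d}:{i % 60:02d} OUT bob@example.com msg-{100 + i:03d}"
    for i in range(500)
)

WINDOW = timedelta(minutes=10)  # constructed: look-back period per account
MAX_OUT_PER_IN = 20             # constructed: outbound allowed per inbound
MIN_OUT = 50                    # constructed: ignore low-volume accounts


def parse_log(text):
    """Turn the log text into (timestamp, direction, account, msgid) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, account, msgid = line.split()
        events.append((datetime.fromisoformat(ts), direction, account, msgid))
    return events


def flag_fan_out(events, window=WINDOW, ratio=MAX_OUT_PER_IN, min_out=MIN_OUT):
    """Return {account: (in_count, out_count)} for accounts whose outbound
    volume inside any window of `window` length exceeds `min_out` messages
    and `ratio` times the inbound volume in the same window."""
    by_account = defaultdict(list)
    for ts, direction, account, _ in events:
        by_account[account].append((ts, direction))

    flagged = {}
    for account, evs in by_account.items():
        evs.sort()
        start = 0
        in_count = out_count = 0
        # Slide a window over the account's events in time order, keeping
        # running IN/OUT counts so each event is examined once.
        for ts, direction in evs:
            if direction == "IN":
                in_count += 1
            else:
                out_count += 1
            while evs[start][0] < ts - window:
                if evs[start][1] == "IN":
                    in_count -= 1
                else:
                    out_count -= 1
                start += 1
            if out_count >= min_out and out_count > ratio * max(in_count, 1):
                # Keep the latest counts so the report shows the full burst.
                flagged[account] = (in_count, out_count)
    return flagged


if __name__ == "__main__":
    for account, (n_in, n_out) in flag_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious fan-out: {account} {n_in} in / {n_out} out")
```

Run on the constructed log, only Bob's account is reported (1 in, 500 out); Alice's one-for-one exchange passes. Because the check is on traffic shape rather than message content, it needs no signature for the virus concerned, which is exactly the point of the heuristic, and a gateway that holds or quarantines the burst stops the outbreak before the messages reach other networks.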

Patching up the problem of e-mail viruses is no solution. The solution lies in looking past cumbersome software to a more logical, proactive mode of detection. It lies in scanning for viruses before they enter your network. Being the first anti-virus company to issue the first signature isn't good enough; signatures shouldn't even enter the equation. Traditional virus detection needs to become modern, effective virus prevention, particularly at times such as these.

Mark Sunner, chief technology officer, MessageLabs