Contrary to some industry observers, antivirus software is not dead. It is, however, undergoing a game-changing transformation.
It has to. After all, the current model of detecting viruses through blacklisting simply cannot keep pace with the unprecedented volume of malware released every day. To continue to be effective, antivirus must transition from the current signature-based model to a new hybrid model that uses whitelisting to allow trustworthy applications, blacklisting to block prevalent known malware, and reputation-based ratings to automatically categorize the "long tail" of unknown malware and legitimate software.
An Inflection Point
By some measurements, the volume of malicious software is now outpacing the production of legitimate programs. Symantec recently measured the adoption rate of new software applications and found that out of almost 55,000 unique applications deployed during a weeklong measurement period on Microsoft Windows PCs, 65 percent were malicious.
In fact, there's never been more malware. Nearly half a million new malicious code threats appeared just in the last half of 2007, according to Symantec's latest Internet Security Threat Report. That's more than twice as many as were discovered in the first half of 2007 and five times the number detected in the last half of 2006.
It could get worse as attackers adapt. They have already shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. Using servers that generate a new malware strain every few hours, or even every few minutes, they can unleash individual attacks against each victim. So far, cybercriminals have created millions of distinct malware strains, and antivirus software vendors are collecting tens of thousands more every day. If these attack trends continue, the public could face millions of new threats every year.
At the same time, antivirus vendors are feverishly working to generate up to 20,000 new virus fingerprints each day. However, most products detect only a fraction of new malware, even as many strains of older malware go undetected. Furthermore, attackers can easily circumvent most generic signatures by tweaking existing malware files, scanning them with an antivirus scanner, and repeating the process until the scanner no longer detects the infection. Such modifications can be done by hand or, unfortunately, all too easily via automation.
As a result, whereas a few years ago a single signature could protect tens of thousands of users against a widespread threat, today a single signature typically protects less than 20 users against a micro-distributed threat.
Clearly, in such an environment, traditional signature-based detection (blacklisting) alone is not enough.
Identifying Good Programs
As the volume of malicious code continues to skyrocket, security techniques must increasingly focus less on analyzing malware and more on analyzing "goodware."
Whitelisting has traditionally been used on high-value servers because their static configuration makes a whitelist easy to build. Yet, even though most infections occur on desktops and laptops, whitelisting has not been extended to these systems. Why not? Because desktop machines are far more dynamic than locked-down servers: employees download software packages on them to do their jobs, and desktop applications often self-update, all of which makes it extremely challenging for an enterprise to create and maintain a whitelist for such machines.
Nevertheless, a comprehensive whitelist could virtually eliminate traditional infections on these endpoints. Some companies have taken a do-it-yourself approach in which the vendor or customer manually constructs the whitelist. Other vendors have chosen to partner with top software OEMs to build the list, while still others deploy Web spider software to gather files for the list. Unfortunately, thus far, none of these approaches has yielded a whitelist comprehensive and current enough to lock down desktops and servers without costly manual administration.
A new approach to building whitelists supplements whitelisting with new reputation-based protection technologies. Reputation-based protection is game-changing in that it leverages the wisdom of millions of users to provide customers with actionable information about the software they download and install. This helps customers make the right choices based on the experience of other, real users just like them. Early indications show that this approach, when complemented by traditional antivirus technology, radically improves protection, especially against the onslaught of personalized malware seen today.
Taming the Long Tail
One of the most difficult challenges of antivirus protection today is figuring out how to deal with threats that are on so few systems that they often go undetected using traditional blacklisting. After all, if only a handful of people in the world have a specific threat, a security vendor has little chance to discover that specific threat and write a signature for it.
Unfortunately, because there are so few common versions of today's malware, malicious programs tend to occupy this so-called "long tail" of software distribution. Similarly, it's difficult for security companies to locate less popular, yet entirely legitimate, software applications and add them to a whitelist. Imagine a small software vendor that caters to just a handful of customers. What are the odds that this vendor's software will be discovered and added to a whitelist in a timely fashion?
This is where the addition of reputation-based security looks promising. A reputation-based rating system for applications can provide users with an accurate security score, not unlike a credit rating, for every application they encounter on the Internet. This enables users to make more-informed decisions about the programs they download before installing them. Moreover, organizations can use the highest-confidence ratings to identify legitimate applications and then automatically populate their whitelists.
Most legitimate software is created for mass distribution, whereas today's malicious programs have extremely limited distribution before they're mutated for the next user. To exploit this difference, a reputation-based system can use a prevalence-based reputation approach that assigns lower ratings to less-prevalent software.
For example, an administrator could stipulate a policy guaranteeing that only highly prevalent applications (for example, those with at least 10,000 other users) are allowed in an enterprise. Such a policy would weed out all but the most prevalent malware, which traditional fingerprinting via blacklisting can detect easily, yet allow the deployment of most popular legitimate applications.
As another example, a reputation-based system can derive reputation ratings based on the provenance, or source, of the application, and assign higher ratings to applications from known, trusted vendors. Using these and numerous other techniques, organizations can deliver highly accurate reputation ratings for applications that can fundamentally change the efficacy of security software.
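To make the hybrid model concrete, here is an added toy classifier (not Symantec's code or any product's logic) that combines a blacklist, a whitelist, and a reputation score built from prevalence and provenance in the way the two examples above describe. The weights, the 10,000-user threshold, the vendor names and the file records are constructed assumptions for illustration.

```python
# Added illustration of the blacklist + whitelist + reputation hybrid described
# in the article. All thresholds, weights, vendor names and records are assumed.
from dataclasses import dataclass

MIN_PREVALENCE = 10_000                           # article's example enterprise policy
TRUSTED_VENDORS = {"ExampleSoft", "AcmeTools"}    # constructed provenance list


@dataclass
class FileRecord:
    file_id: str      # constructed identifier standing in for a file hash
    user_count: int   # number of users observed running the file (prevalence)
    vendor: str       # publisher from a code-signing certificate, "" if unsigned


def reputation_score(rec: FileRecord) -> float:
    """Score in [0, 1]: prevalence contributes up to 0.7, trusted provenance 0.3."""
    prevalence = min(rec.user_count / MIN_PREVALENCE, 1.0)
    provenance = 0.3 if rec.vendor in TRUSTED_VENDORS else 0.0
    return min(prevalence * 0.7 + provenance, 1.0)


def classify(rec: FileRecord, blacklist: set, whitelist: set,
             allow_threshold: float = 0.7, block_threshold: float = 0.2) -> str:
    """Blacklist first (known bad), whitelist second (known good), then reputation.

    Files in the long tail (rare, unsigned) fall below block_threshold and are
    blocked; mid-range scores are flagged for review rather than auto-decided."""
    if rec.file_id in blacklist:
        return "block"
    if rec.file_id in whitelist:
        return "allow"
    score = reputation_score(rec)
    if score >= allow_threshold:
        return "allow"
    return "block" if score < block_threshold else "review"


def promote_to_whitelist(records, whitelist: set, min_score: float = 0.95) -> set:
    """Auto-populate the whitelist from the highest-confidence ratings (in place)."""
    promoted = {r.file_id for r in records if reputation_score(r) >= min_score}
    whitelist.update(promoted)
    return promoted


if __name__ == "__main__":
    # Constructed sample data: a popular signed app, a one-off unsigned binary,
    # a niche app from a trusted vendor, and a known-bad file.
    sample = [FileRecord("f-popular", 50_000, "ExampleSoft"),
              FileRecord("f-oneoff", 12, ""),
              FileRecord("f-niche", 3_000, "AcmeTools"),
              FileRecord("f-known-bad", 80_000, "")]
    bl, wl = {"f-known-bad"}, set()
    for r in sample:
        print(r.file_id, round(reputation_score(r), 3), classify(r, bl, wl))
    print("promoted:", promote_to_whitelist(sample, wl))
```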
With complementary blacklisting, whitelisting and reputation-based technologies safeguarding both enterprise and consumer endpoints, businesses and homes have a more formidable, long-term solution to the malware epidemic. Perhaps the greatest benefit of a hybrid approach is that it would finally return the burden of antivirus protection from the shoulders of weary customers back to security vendors.
Carey Nachenberg is a Symantec Fellow in the Security Technology and Response Group at Symantec Corporation.