
Antivirus makers struggling to do their job at detecting viruses, looking for new approaches

If there is one thing the current antivirus industry is not good at, it is its primary function: stopping viruses.

While global businesses and consumers have made the industry a multi-billion dollar market, the antivirus software on offer today rarely lives up to its expected role as a virus filter. Experts say that antivirus software currently stands a very small chance of detecting and blocking newly created computer viruses, because virus makers are always ahead of the curve. This trend is prompting new start-ups and some established companies to get creative in the new reality of our digital world.

Matthew D. Howard, a venture capitalist at Norwest Venture Partners, said: “The bad guys are always trying to be a step ahead. And it doesn’t take a lot to be a step ahead.”

In the early days of personal computing, viruses were produced by people who wanted to do digital mischief. During the mid-2000s, however, criminals realized that malicious software could be used for financial gain instead, prompting a new wave of millions of viruses of all types.

Back in 2000, there were fewer than a million strains of malware, created by unsophisticated amateurs. Ten years later, the figure had grown to more than 49 million virus types, according to the German research firm AV-Test.

The arrival of millions of new viruses also fuelled the growth of the antivirus industry, though experts say the industry is playing catch-up. Most of the time, the damage has already been done before the antivirus industry can come up with an effective counter. It is not uncommon for the bad guys to have harvested a company’s trade secrets, rifled through a database, or taken hold of consumers’ bank account details before any antivirus product can do anything.

The results of a new study by the research company Imperva, based in Redwood City, California, together with students from the Technion-Israel Institute of Technology, bear this out. A team led by Amichai Shulman, the firm’s chief technology officer, gathered 82 recent computer viruses and tested them against 40 antivirus products, including those from Symantec, Microsoft, Kaspersky Lab, and McAfee. The team found that the initial detection rate of these products was less than 5 percent.

It normally takes antivirus products about a month on average to update their virus dictionaries to detect a new virus. The study also found that the products with the best detection rates, Emsisoft and Avast, are free, though users can buy the full products for additional features. Despite the $7.4 billion spent on the antivirus industry last year, the study shows that the current batch of popular antivirus products is doing poorly at its main job.

“Existing methodologies we’ve been protecting ourselves with have lost their efficacy,” said Ted Schlein, a security-focused investment partner at Kleiner Perkins Caufield & Byers. “This study is just another indicator of that. But the whole concept of detecting what is bad is a broken concept.”

The design of existing antivirus software, which is inherently reactive, is part of the problem. Antivirus makers need to capture and analyze a new virus to identify its “signature” before they can come up with an effective way to deal with it.

This process can take anywhere from a few hours to several years. In May 2012, Kaspersky Lab captured Flame, a highly sophisticated virus believed to have been stealing data from computers for about five years.

Mikko H. Hypponen, chief researcher at F-Secure, wrote in an essay that Flame was “a spectacular failure” for the industry.

“We really should have been able to do better. But we didn’t. We were out of our league in our own game.”

Industry leaders like McAfee and Symantec, both of which flourished on antivirus products, now acknowledge the limitations of those products and are looking for new approaches. Neither company’s website uses the word “antivirus” any more, and Symantec has started rebranding its popular antivirus products under names like Norton Internet Security and Symantec Endpoint Protection.

Imperva, the main sponsor of the antivirus study, has a new set of products that approach security from a different perspective. Rather than simply blocking previously detected “signatures”, as conventional antivirus programs and firewalls do, Imperva’s products monitor access to servers, files, and databases for suspicious activity.

While an antivirus-free environment remains a distant prospect for companies, many financiers and investors predict that the old antivirus tools will not be around for much longer.

Phil Hochmuth, a security analyst at the research company International Data Corporation, said that digital attackers have evolved and that conventional virus detection methods are no longer effective.

More and more investors are starting to fund a new group of start-ups that aim to render traditional virus detection obsolete. The current thinking is that blocking everything that is bad is not enough and is no longer possible. Security companies of the future should build software that can spot unusual behavior and clean up machines once damage has been done.

Some of the top start-ups recognized today include FireEye, Seculert, Bromium, Bit9, Mandiant, and CrowdStrike.

Bit9 has received financing from investors like Kleiner Perkins and Sequoia Capital. Bit9 uses whitelisting, a method of minimizing malware infection by allowing only traffic that the system knows is safe.

McAfee bought Solidcore, another whitelisting firm, in 2009. Symantec products currently run Insight technology, similar software that does not allow unknown files to run on a system.

David G. DeWalt, the former CEO of McAfee, which was acquired by Intel in 2010, now runs FireEye, a start-up whose system compartmentalizes company applications in virtual containers and scans them for suspicious activity to determine which applications should be allowed to run. FireEye has received more than $35 million in financing from In-Q-Tel, Norwest, and Sequoia Capital.

An Israeli start-up called Seculert takes a different approach to the problem. It tries to identify the source of threats, the command-and-control centers of malware, so that it can provide an early warning system for businesses and governments.

If security companies do eventually make the desktop world safer, attackers will most likely have already moved on to smartphones.

In October 2012, the FBI said that a number of malicious apps had compromised Android devices. In July last year, Kaspersky Lab identified the first malicious app in Apple’s App Store. The US Department of Defense is calling for a more comprehensive effort from universities and companies to find ways to protect mobile devices from viruses. Symantec, McAfee, and other security firms are already working on the challenge, while Lookout, another start-up, which offers products that scan apps for viruses and malware, has received major funding valued at about $1 billion.

source: nytimes