Let the script kiddies play in the sandbox

Ever heard of sandboxing? It's a technology that safeguards your PC from viruses by running them in a protected environment, so they can't harm your data. One company is using this idea for more than just Windows.
Written by Robert Vamosi, Contributor
COMMENTARY--The idea of simulating a computer within a computer is not new. An early operating system called VM/CMS created virtual machines on big mainframes, so individual desktop users could have their own files and storage--the appearance of their own machines. Also, Java applets run inside their own Java Virtual Machines on our desktops. Now a handful of security companies, including Norman ASA, have revitalized this idea to help stop computer viruses and other malicious code.

Current antivirus technology is based on pattern matching. When you receive malicious code, the virus-scanner engine in your antivirus software compares the code with the half-million virus patterns stored in its database. If there's a match, the code is stopped and you are informed that such-and-such virus is present. If there's no match, the code is left to run. That's why it's important to keep your antivirus signature files current. Still, given the lag time in developing new signature files, you may be exposed to harmful code for up to six hours.

NOW A TECHNOLOGY called sandboxing, which is modeled on the computer-within-a-computer concept, is also being used to fight viruses. It allows you to run malicious code in a protected environment on your computer, so the code can't harm your data. Sandboxing can protect your system against unknown threats because it operates within a few simple rules. You could, for example, define your system registry as being off-limits to changes.

However, a sandbox's simplicity is also its Achilles heel. "The problem with sandbox technology is its false positives," said Hank Dugan, president and CEO of Norman Data Defense Systems, a division of Norman ASA. An example of a false positive is when a company sends out a new version of a program that, when installed, needs to delete the old version and make changes to the system registry. Sandbox technology could stop a legitimate program like this one from making changes on your system, as well as stopping harmful programs such as viruses.

What Norman has done is a little different from traditional sandbox technology. Instead of simulating only a Windows environment like other sandboxes, Norman created its own simulated operating system capable of emulating any operating system, including DOS, OS/2, and Windows. It will also be available soon for Linux and other platforms.

THE ADVANTAGE OF simulating multiple operating systems is that it allows Norman to catch viruses created for different platforms. Norman technology could, for example, stop Linux viruses on a Windows machine that's not even running Linux. That should reduce the number of potential virus carriers out there in the world. Sounds good, but is there a performance trade-off?

Because of their large databases, pattern-matching antivirus engines are often criticized for hogging too many resources and taking too much time to work. Does sandbox technology have the same drawback? Not really, according to Kurt Navig, manager of the engine team at Norman ASA in Norway. He says Norman's sandbox technology can process "about one second per file, less for clean files," dismissing performance as an issue.

Navig said Norman has sped up its unique virtual environment by freezing an image of its simulated machine. He told me it's like setting Windows to hibernate, so it doesn't have to go through the whole boot process when it's called upon.

So if sandbox technology is so good, then why not run all viruses and malicious code through it? That may not be the best idea. Navig says sandbox technology can't tell you which virus you have, only that you have some possibly malicious code. Pattern matching technology will always tell you what virus you have. "So, for the moment, you need both," he said.
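As an added illustration (not Norman's code, and not part of the original column), here is a small Python model of the two approaches the column contrasts: a signature scanner that names what it matches, and a sandbox policy of a few simple rules (including the registry-off-limits rule) that blocks unknown code but cannot name it, and that also flags the legitimate installer from the false-positive example. All signature names, patterns and action traces are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed signature database: a byte pattern found in the file names the threat.
SIGNATURES: Dict[str, bytes] = {
    "Constructed.Win32.Dropper": rb"DROPPER-MARKER-V1",
    "Constructed.Linux.Worm": rb"WORM-MARKER-ELF",
}

# Sandbox policy: a few simple rules over the actions a sample performs inside the
# simulated machine. Action names are hypothetical labels for this example.
FORBIDDEN_ACTIONS: Dict[str, str] = {
    "registry_write": "modified the system registry",
    "delete_file": "deleted a file outside its own directory",
    "write_autorun": "installed itself to run at startup",
}

@dataclass
class Verdict:
    blocked: bool
    name: Optional[str]               # signature name if known, else None
    reasons: List[str] = field(default_factory=list)  # sandbox rule violations

def signature_scan(content: bytes) -> Optional[str]:
    """Pattern matching: returns the virus name if a known pattern is present."""
    for name, pattern in SIGNATURES.items():
        if re.search(pattern, content):
            return name
    return None

def sandbox_run(actions: List[str]) -> List[str]:
    """Behavioural check: `actions` is the trace of what the sample did in the
    sandbox; every forbidden action is reported as a reason to block it."""
    return [FORBIDDEN_ACTIONS[a] for a in actions if a in FORBIDDEN_ACTIONS]

def scan(content: bytes, actions: List[str]) -> Verdict:
    """Combine both: signatures name known code, the sandbox stops unknown code.
    A legitimate installer that rewrites the registry is blocked too (false positive)."""
    name = signature_scan(content)
    reasons = sandbox_run(actions)
    return Verdict(blocked=name is not None or bool(reasons), name=name, reasons=reasons)

# Constructed samples: a known virus, an unknown one, a legitimate installer, a clean file.
KNOWN = scan(b"...DROPPER-MARKER-V1...", ["read_file", "write_autorun"])
UNKNOWN = scan(b"no database pattern matches this", ["registry_write", "write_autorun"])
INSTALLER = scan(b"legitimate setup program", ["delete_file", "registry_write"])
CLEAN = scan(b"hello world", ["read_file"])
```

`UNKNOWN` is blocked with two reasons but no name, which is exactly the "you need both" point; `INSTALLER` is blocked for the same reasons, which is the false positive Dugan describes.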

In addition, the Norman sandbox currently doesn't support Windows scripting worms or macro viruses.

WHEN USING Norman technology on your desktop computer, you will see only that a virus was stopped. However, administrators monitoring enterprise systems will have access to more detailed information, such as hard data from infection sites, and logs of the malicious code's behavior. And, if you're really motivated, you can run a viral zoo through the sandbox that simulates your own configuration, and observe the behavior of hundreds of known viruses on your system.

That sounds a little like Easel, a new simulation environment available from CERT, the security center at Carnegie-Mellon University. Easel, now in beta release, runs only on the Apple Mac platform, but is designed to allow administrators to simulate their network environments and the damage that worms such as Nimda or Code Red can do.

So when will you and I see sandbox technology on our desktops? There are currently products on the market that use sandboxes to stop malicious code. Finjan and Pelican come to mind. Norman's release of its new virus scanner, however, will be gradual. Desktop customers will have access to the same sandbox technology as enterprise customers, but probably not until this summer.

Fortunately, the transition to the new technology should be transparent for Norman customers--unlike when McAfee updated its virus scanner last year, shutting out thousands of customers who had not yet upgraded.

Should all antivirus products include sandboxing technology? Why or why not? TalkBack to me below.