Change of tactics in war on viruses

Could quarantining emails be a better way of dealing with viruses than the traditional approach used by most antivirus companies?
Written by Tom Espiner, Contributor

With increasingly diversified threats and a splintered antivirus industry, some security providers are arguing that mainstream antivirus companies are simply not nimble enough to cope with new waves of malware. Traditional approaches to providing updates — which require the malicious code to be in the possession of the security companies — are fundamentally flawed, the argument goes.

IronPort, a US purveyor of Web monitoring services, is one of the companies championing a different approach to dealing with viruses, worms and other nasties. The technology that IronPort uses to filter spam and quarantine emails is different from most other vendors — it uses "Web reputation" as a basis for quarantining suspect email traffic.

Bad reputation
Information about where and who the email claims to come from, what it contains, and the reputation of any link in the email, is used as a basis to decide whether the email will be quarantined. The intended recipient of the email can then decide whether to take it out of quarantine.

"At least 95 percent of businesses are using traditional antivirus defences, but businesses are still getting infected at the moment," says Tom Gillis, senior vice-president of IronPort. "We know this because we run traditional antivirus engines on our solutions, and we still have to quarantine the mail [containing malware] that the antivirus software doesn't catch. The technology in antivirus labs is not orientated towards dealing with the first wave of an attack."

IronPort believes antivirus companies fall down because of their "historical" approach to dealing with unseen malware. "All heuristics and signatures are historical," says Matt Peachey, IronPort's director for northern Europe. "Signatures are retrospective, and heuristics look at the profiles of existing viruses. Both are based on historical data."

Too little, too late
Ironport claims that it takes normal antivirus companies between 2 and 64 hours to come up with the signature required to block the virus. "Even if businesses have a traditional solution in place, they are completely exposed for this time," says Ambika Gadre, IronPort's senior director of product management information services. But IronPort claims that companies that use its technology should be protected from get go if they have set up their quarantine parameters properly.

IronPort isn't the only vendor to use reputation-based quarantining, as CheckPoint, Cisco, and TippingPoint, among others, currently sell such systems. The offerings have one thing in common however — they use sender-based reputation technologies that can shut down ports to block virus attacks.

More than signatures
Vendors who continue to use the traditional approach to antivirus software reject some of the claims made by advocates of the reputation-based approach. Raimund Genes, chief technologist of anti-malware for Trend Micro, says that his company's approach to email filtering does not rely on signatures alone.

"This is an interesting argument," says Genes. "This would be true if we just relied on creating signature definitions, but we also have Internet traffic monitoring, and intrusion detection and protection systems. We actually saw and reported an occurrence of Nyxem on 16 January, and developed a signature for it then. IronPort did not report it until 18 January."

Trend admits that if a network worm were to spread in minutes, then IronPort would detect it earlier than traditional vendors, but he doubts whether the company would actually be able to protect businesses earlier.

Similarly, security company Sophos says that its antivirus technology is designed to be used alongside other services. "Our email gateway product does more than just scan for viruses — antivirus is really just one part of our product. We can block any executable file at the email gateway just like IronPort can. It's odd that IronPort have singled us out for this attention, especially as they have just given us the IronPort 2005 Platinum Partner award for being the best antivirus vendor," says Sophos senior technology consultant Graham Cluley.

Trojan attacks
With an increase in targeted Trojan attacks, where criminal gangs tailor emails to try to fool recipients into running certain applications or visiting Web sites hosting malicious code, some antivirus vendors argue that mail monitoring services — like that offered by IronPort — are not much of a defence.

"I predict fewer global attacks, and more targeted attacks that mail monitoring companies will fail to pick up because there will be no peak of mass-mailers to alert...

For more, click here...

...them. Hackers don't want to be seen now," says Trend Micro's Genes.

Trend also argues that monitoring email is no guard against threats brought into the company by teleworkers, and by consultants bringing in infected laptops and USB memory sticks.

In response IronPort claims that its products are designed to work with existing antivirus solutions, rather than being a holistic package. "The way antivirus companies produce signatures complements IronPort. We are the traffic cop that enforces quarantine," says Gillis.

Independent testing
Sophos agrees that IronPort's product complemented theirs, but called into doubt IronPort's motives for calling antivirus vendors' products into doubt. "They would say their solution is better than others, wouldn't they? Don't believe what vendors are saying — let's get independent guys to test their product. Come on, let's face it. It doesn't matter a hill of beans what vendors say, including us," says Cluley.

Analyst house Butler Group claim that a belt-and-braces approach to security makes the most sense; no one technology will provide complete protection. But the organisation's research analyst Alan Rodger admitted that traditional methods of dealing with viruses are limited.

"It's true there are challenges for antivirus vendors. The main challenge is keeping signatures up-to-date," he says. "There is a lag-time [when there is no signature available for new threats]. All protection vendors need to mitigate the threat of lag-time, and customers need to consider that this is a major requirement of security solutions."

The advantage of the approach used by email monitoring companies such as Ironport is the emergence of a new threat and a signature is not applicable, as malware is pre-emptively quarantined, according to Rodger.

Blended is best
"By analysing the characteristics of email, these types of solutions empower themselves," he says. "If you can put something in place that doesn't solely rely on outside input, and allows users to validate emails themselves, this is certainly a valuable layer of a multi-layered approach," Rodger explains.

This multi-layered approach involves buying products that cover all bases. According to Rodger, antivirus solutions can "look at what's out there, and combat other threats. Email protection solutions supply protection for incoming emails, but antivirus combats other threats, for example, those introduced directly to PCs through connected hardware. I would definitely advocate a layered approach, depending on who is accessing the solutions and which solutions that are deployed against a full range of attacks."

Andy Buss, senior analyst for canalys.com agrees that mail monitoring systems can mitigate the effects of infected mail through sender reputation, but that a multi-layered approach is needed.

"It comes down to the complexity of computer clients needs — there is no one size fits all solution," says Buss. "There is a lag time. Antivirus companies do respond with a signature, but until then companies have to rely on heuristics. However, non-signature heuristics can be difficult to use and unreliable. For widespread end-point protection they generally cause more problems than they resolve."

No one-stop-shop
The consensus seems to be that to create the best defence against viruses and other malware, companies will need to develop a blended approach and use a variety of services and techniques. But creating an effective multi-vendor security strategy depends on how well different technologies integrate — something which the security industry must address if it is to serve its customer base properly

"I think this demonstrates the fragmented nature of the antivirus industry. There is no one antivirus and spyware solution. They can be bundled, but they're not integrated. In the future we will get tighter integration, especially with spyware," says Buss.

Editorial standards