A few correspondents, and a reader who posted to this blog two weeks ago, have leapt to the wrong conclusion about the “AVID heroes”, the companies I regularly mention (AppSense, Bit9 and SecureWave) that actually do stop viruses and related malware, as opposed to signature-based AV software, which only stops them sometimes and doesn’t stop zero-day threats. (AVID = Anti Virus Is Dreary)

They assume that the AVID heroes use behavioural techniques to stop malware. They don’t. The behaviour-tracking idea sounds sensible when you first encounter it. You post a software agent somewhere that watches for specific behaviour, such as trying to log the keyboard or trying to access the network or the Internet. Malware behaves like that, so “if it walks like a duck and squawks like a duck, then it’s a duck, so shoot it.”

The problem with this is the ugly duckling that turns out to be a swan. As we all know, swans are protected in the UK: you can’t shoot them, and only the Queen is allowed to eat them. Stuff that looks as though it might be malware can also be important and useful software. The trojan that provides remote control of a PC is not much different from the administrator’s utility that takes remote control of the PC: both hook the keyboard and screen, and both talk to a remote party over the network. How would the agent software know which was which?

So the reality is that behavioural tracking can identify suspects, but it cannot tell you for sure whether that odd little executable, 1mav1rus.exe, is on side or off side. You need to ask someone for an opinion: the user. And that’s fine, except that the user is not necessarily going to know for sure. Indeed, if 1mav1rus.exe renames itself to Word.exe then the user is likely to be fooled, because the file name is all the user ever sees. In order to have the conversation with the user you have to suspend the executable anyway, in case it takes the opportunity to put the PC up for sale on eBay, post embarrassing personal adverts on Craigslist and send the user’s credit card details to Al Qaeda. But actually you cannot do anything at all until 1mav1rus.exe steps out of line, and you will only know that after the event.

If the virus writer wants to be clever then he/she can also have the virus behave in a stealthy way, not directly doing anything suspicious itself but using legitimate executables as surrogates to do what it wants, so that no single process ever trips the rule. If you deploy behavioural tracking the viruses will just get subtler. I’m not saying behavioural tracking is a waste of time. Such monitoring gathers useful information, but it won’t stop all viruses effectively. Close, but no cigar.
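To make the three failure modes above concrete, here is a toy behavioural monitor run over a constructed event stream. This is an added example for this post, not code from AppSense, Bit9, SecureWave or any behavioural AV product; the event format, the process names, the byte strings standing in for executables and the “keylog plus network” rule are all assumptions of the example. It shows that (1) the trojan and the administrator’s remote-control tool produce the same verdict, (2) renaming the trojan to Word.exe changes nothing about its behaviour but defeats anything that keys on the file name, while its content hash is unchanged, and (3) a variant that spawns a legitimate tool to do its networking is never flagged on its own. It goes one step beyond the post by attributing a child process’s actions back to its parent, which is one way the “useful information” such monitoring gathers can be put to work.

```python
import hashlib
from dataclasses import dataclass


# Event shape is an assumption of this example, not any product's telemetry.
@dataclass(frozen=True)
class Event:
    pid: int
    image: str        # file name the process was launched from
    content: bytes    # stand-in for the executable's bytes (constructed)
    action: str       # "keylog", "net_connect" or "spawn"
    target: str = ""  # peer address, or the child pid as a string for "spawn"


DUCK_TEST = {"keylog", "net_connect"}  # walks like a duck, squawks like a duck


def profile(events):
    """Per-process summary: image name, content hash, actions seen, children spawned."""
    procs = {}
    for e in events:
        p = procs.setdefault(e.pid, {
            "image": e.image,
            "sha256": hashlib.sha256(e.content).hexdigest(),
            "actions": set(),
            "children": set(),
        })
        if e.action == "spawn":
            p["children"].add(int(e.target))
        else:
            p["actions"].add(e.action)
    return procs


def behavioural_verdict(proc):
    """Flag a process only once it has itself done both suspicious things."""
    return "suspect" if DUCK_TEST <= proc["actions"] else "clear"


def name_trust_verdict(proc, trusted_names):
    """What the user (or a name-keyed trust list) sees: nothing but the file name."""
    return "trusted" if proc["image"].lower() in trusted_names else "unknown"


def with_surrogates(procs):
    """Fold every descendant's actions into its ancestor, so a process that
    delegates its dirty work to a spawned child is judged on the whole tree."""
    merged = {}
    for pid, p in procs.items():
        acts = set(p["actions"])
        stack = list(p["children"])
        while stack:
            child = stack.pop()
            acts |= procs[child]["actions"]
            stack.extend(procs[child]["children"])
        merged[pid] = {**p, "actions": acts}
    return merged


# Constructed stand-ins for executable contents (hypothetical, not real files).
RAT = b"MZ rat-v1 "
RAT2 = b"MZ rat-v2-stealthy "
ADMIN = b"MZ remote-admin-tool "
CURL = b"MZ curl "

# Constructed event stream covering the three cases from the post.
EVENTS = [
    # pid 1: the trojan, doing the obvious thing
    Event(1, "1mav1rus.exe", RAT, "keylog"),
    Event(1, "1mav1rus.exe", RAT, "net_connect", "198.51.100.7:443"),
    # pid 2: the administrator's remote-control utility, same behaviour, legitimate
    Event(2, "remote_admin.exe", ADMIN, "keylog"),
    Event(2, "remote_admin.exe", ADMIN, "net_connect", "10.0.0.5:3389"),
    # pid 3: the same trojan bytes, renamed to Word.exe
    Event(3, "Word.exe", RAT, "keylog"),
    Event(3, "Word.exe", RAT, "net_connect", "198.51.100.7:443"),
    # pid 4: a stealthy variant that never touches the network itself ...
    Event(4, "1mav1rus.exe", RAT2, "keylog"),
    Event(4, "1mav1rus.exe", RAT2, "spawn", "5"),
    # ... but hands the exfiltration to a legitimate surrogate
    Event(5, "curl.exe", CURL, "net_connect", "198.51.100.7:443"),
]


def run(events=EVENTS, trusted_names=frozenset({"word.exe", "remote_admin.exe"})):
    """Return (profiles, per-process behavioural verdicts, name-based verdicts,
    behavioural verdicts after attributing surrogate activity to the parent)."""
    procs = profile(events)
    naive = {pid: behavioural_verdict(p) for pid, p in procs.items()}
    by_name = {pid: name_trust_verdict(p, trusted_names) for pid, p in procs.items()}
    attributed = {pid: behavioural_verdict(p) for pid, p in with_surrogates(procs).items()}
    return procs, naive, by_name, attributed


if __name__ == "__main__":
    procs, naive, by_name, attributed = run()
    for pid, p in procs.items():
        print(f"pid {pid:<2} {p['image']:<17} behaviour={naive[pid]:<8} "
              f"name={by_name[pid]:<8} with-children={attributed[pid]:<8} "
              f"sha256={p['sha256'][:12]}")
```

Running it, pids 1 and 2 both come out “suspect” from the same rule, which is the swan problem: the rule has no way to prefer one over the other. Pid 3 is also “suspect” by behaviour but “trusted” by name, and its hash is identical to pid 1’s, which is the point that an identity has to come from the file’s contents, not from what it calls itself. Pids 4 and 5 are both “clear” on their own and only become “suspect” once the spawn relationship is followed.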

By the way, the three AVID hero companies (SecureWave, AppSense and Bit9) are about to become four. I cannot name the newcomer because I’m under non-disclosure, but I can say that it is yet another start-up that uses the right approach.

Fact is that the VC community knows that AV software is fatally flawed (a number of VC companies also read this blog) so they are happy to throw real dollars at companies that can actually address the virus problem. Eventually there will be more AVID products than AV products.
