Security software firms have a new weapon in their battle against computer viruses, but it has a significant downside: it could block some legitimate programs as well.
Still, even those whose software has been unjustly accused by the new technology say it could be the industry’s best shot to stem the rising tide of viruses and worms.
In the old days — two years ago — each new computer virus would be analyzed and then blocked by the security software firms, which used a virus "signature" that was the malicious software equivalent of a person’s fingerprint. When the virus tried to gain entry to a protected PC, it was blocked.
But given the surge in malicious computer viruses — new ones now show up by the thousands every hour — creating a signature for each one takes too long. Instead, security software firms have started using a relatively new technique called "heuristics" (in which rules of thumb are used to find answers) that blocks viruses based on suspicious behaviour rather than positive identification.
The trouble with heuristics is that they make mistakes. Early last year, a program from Roseville, Minnesota, software firm Shavlik Technologies, called NetChk Protect, was stopped dead in its tracks by Symantec’s Norton antivirus software. While the Shavlik software wasn’t a virus, the way in which it distributed software patches over corporate networks bore some resemblance to typical virus behaviour. When the Norton software mistakenly blocked it, the result was what technical people call a "false positive." Too many false positives reduce the usefulness of antivirus software, because users and administrators start ignoring the alerts or switching the protection off.
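To make the difference between the two approaches concrete, here is a small added illustration in Python. It is not code from Symantec, Shavlik or the article; the payloads, the behaviour names, the rule weights and the blocking threshold are all constructed for the example. A signature detector recognises a file only if its fingerprint is already in the database, so a repacked copy of a known worm slips past it. A heuristic detector scores what a program does, so the repacked worm is still caught, but a patch-distribution tool that pushes executables to many machines and runs them scores high enough to be blocked too, which is the false positive the article describes.

```python
"""Toy detectors: signature matching versus behaviour heuristics.

Added example, not Symantec or Shavlik code. Payloads, behaviour names,
rule weights and the threshold are constructed for illustration only.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes         # the file as shipped
    behaviours: frozenset  # what it was observed doing (constructed)
    malicious: bool        # ground truth, used only to score the detectors


def fingerprint(content: bytes) -> str:
    """A 'signature' in the simplest sense: a hash of the exact file."""
    return hashlib.sha256(content).hexdigest()


# Constructed known-bad payloads; a real signature database holds
# fingerprints derived from samples that analysts have already examined.
WORM_A = b"worm-a payload (constructed)"
WORM_B = b"worm-b payload (constructed)"
SIGNATURE_DB = {fingerprint(WORM_A), fingerprint(WORM_B)}

# Hypothetical heuristic rules: a behaviour and how suspicious it looks.
HEURISTIC_RULES = {
    "connects_to_many_hosts": 3,
    "writes_executable_to_remote_share": 3,
    "schedules_remote_execution": 2,
    "modifies_autorun_key": 2,
    "disables_security_service": 4,
}
BLOCK_THRESHOLD = 6  # tunable: lower catches more worms and misfires more often


def signature_verdict(sample: Sample) -> str:
    return "blocked" if fingerprint(sample.content) in SIGNATURE_DB else "allowed"


def heuristic_score(sample: Sample) -> int:
    return sum(HEURISTIC_RULES.get(b, 0) for b in sample.behaviours)


def heuristic_verdict(sample: Sample) -> str:
    return "blocked" if heuristic_score(sample) >= BLOCK_THRESHOLD else "allowed"


def error_counts(samples, verdict) -> dict:
    """False positives and false negatives for one detector over a corpus."""
    fp = sum(1 for s in samples if verdict(s) == "blocked" and not s.malicious)
    fn = sum(1 for s in samples if verdict(s) == "allowed" and s.malicious)
    return {"false_positives": fp, "false_negatives": fn}


WORM_BEHAVIOURS = frozenset({
    "connects_to_many_hosts", "writes_executable_to_remote_share",
    "schedules_remote_execution", "modifies_autorun_key",
})

SAMPLES = [
    Sample("known worm A", WORM_A, WORM_BEHAVIOURS, True),
    # Same worm, repacked: one extra byte and the fingerprint no longer matches.
    Sample("repacked worm A", WORM_A + b"\x00", WORM_BEHAVIOURS, True),
    # Patch-distribution tool: copies executables to many machines and runs them.
    Sample("patch distribution tool", b"patch tool (constructed)",
           frozenset({"connects_to_many_hosts", "writes_executable_to_remote_share",
                      "schedules_remote_execution"}), False),
    # Same tool after a code change: patches are staged through an agent that is
    # already installed, so it no longer writes executables to remote shares.
    Sample("patch tool, reworked", b"patch tool v2 (constructed)",
           frozenset({"connects_to_many_hosts", "schedules_remote_execution"}), False),
    Sample("word processor", b"editor (constructed)",
           frozenset({"opens_document"}), False),
]


def run(samples=SAMPLES) -> dict:
    """Verdict of each detector, plus the heuristic score, per sample."""
    return {s.name: {"signature": signature_verdict(s),
                     "heuristic": heuristic_verdict(s),
                     "score": heuristic_score(s)} for s in samples}


if __name__ == "__main__":
    for name, v in run().items():
        print(f"{name:26s} signature={v['signature']:8s} "
              f"heuristic={v['heuristic']:8s} score={v['score']}")
    print("signature detector:", error_counts(SAMPLES, signature_verdict))
    print("heuristic detector:", error_counts(SAMPLES, heuristic_verdict))
```

Over this constructed corpus the signature detector has no false positives but misses the repacked worm, while the heuristic detector catches both copies of the worm and wrongly blocks the patch tool. The reworked version of the tool, which gives up one of the behaviours the rules weight heavily, falls under the threshold and is allowed: that is the kind of change the article says Shavlik had to make, and it also shows why the threshold and weights are the knobs a vendor turns when it "increases its testing" to trim false positives.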
"Our software mimicked something Symantec was using as an ‘evil behaviour’ trigger," said Eric Schultze, Shavlik’s chief technology officer. "We had to change the way our code worked to make it look less evil."
A recent story in the Washington Post quoted industry experts as saying consumers should be concerned about the new antivirus technique because it might make their PCs less safe than before.
"Many observers say that despite all its new bells and whistles, the antivirus industry as a whole continues to fall behind in identifying the very latest malicious software," the Post reported in mid-March.
California-based Symantec says that’s wrong, and that new antivirus techniques are, if anything, a little too sensitive in detecting what appear to be viruses.
"Is there a slightly higher chance of false positives this way? Maybe," said Ben Greenbaum, a Symantec senior research manager. "But there’s also a much smaller chance a virus will slip by." Symantec has increased its testing of heuristic technology to reduce the number of "false positives," he said.
Questions about the new technology used to detect viruses are surfacing at the same time that Symantec is releasing its semi-annual Internet Security Threat Report. In the report, Symantec said new malicious code threats rose 136 per cent in the last half of 2007, and that it detected nearly half a million new threats in the period. During all of 2007, the number of new malicious software threats — including viruses and other threats such as spyware — rose fivefold from 2006, Symantec said.