Tom's Guide | Tom's Hardware | Tom's Games
I have been programming for over 20 years now and I have an idea about virus protection that I don't believe anyone else has thought of how to do. My problem is that I can't find anywhere that I can learn about the detection of virii. I don't care about writing them (I'm sure that it would help to know, but that is not what I am pursuing), just how to check for and detect them. Any thoughts or directions? Thank you.
John W. Borelli
IT Specialist
OmniIT
borelli35

http://www.securecomputing.com/gate...
Virus detection starts with its 'signature', but as the article on the above site says, it's not good enough due to the time lag between the release of a virus and the time it takes for virus companies to add its 'signature' to their database. That lag time has made anti-virus programs basically worthless in my opinion.

That's like calling the fire department worthless because of time spent traveling to a burning building. Sure, it'll burn longer, but it'd be a hell of a lot worse with no protection at all, ever...

I don't understand your ANALogy. The fire dept. doesn't need updated .dat files to recognize a fire. AV programs need them to recognize a virus.

Ok, to be more specific; it's true that when you make a better lock you make a better thief. This is why heuristics are limited in being effective. My thought is (to steal the fire dept. analogy) the fire dept. doesn't go to put out a fire based on being able to identify the person or reason for the fire starting, but rather based on the fact that there is a fire. This of course would make it too late in the case of virii, but what if we could see the smoke and then respond before the fire? Thoughts? Insights?
John W. Borelli
IT Specialist
OmniIT
borelli35

I don't know why we have to use the fire ANALogy but since we do, then the virus creator is the arsonist and you can't tell he's an arsonist when you look at him. He looks like an everyday person and the virus can look like anything he wants it to look like without any smoke. Using the fire ANALogy, the fire dept usually arrives after the damage is done.
A better ANALogy would be AIDS. After all, we are talking about a virus. A fire is not a virus. AIDS is a bunch of viruses all put together.
The point is ANALogies are worthless.

Ok, then AIDS. Let's say that we watch for the risk factors known to cause the introduction of the virus? I know that virus monitoring does this to some extent but I'm looking at an idea that is a bit more specialized and specific (obviously I don't want to be too specific on an open forum but I hope we can derive the general intent/direction)...
John W. Borelli
IT Specialist
OmniIT
borelli35

First, let's stop capitalizing "anal," since we're not in 3rd grade.
Okay, the fire analogy wasn't that great, fine.
My point was that it's stupid to criticize antivirus solutions just because of the lag time between NEW virii creation and NEW definitions that recognize them. Just because there is a new virus kicking around the net doesn't mean you don't still need protection from all the virii that were created yesterday, the day before, etc.
HIV is the virus, and it's only one virus. But it copies itself so inaccurately that it mutates very rapidly, which is part of what makes it so difficult to treat.
So for the sake of simplicity, let's pretend there is just HIVa (original strain) and HIVb (mutant strain). If people had a cure for HIVa, but then HIVb came along and was immune to the HIVa vaccine, it would be stupid to stop protecting people against HIVa.
There are some scary new viruses out there, many of which antivirus software isn't even aware of yet.
But do you think that means the old viruses are all gone?

Ok fine, I'll stop capitalizing anal but then you can't say virii. The plural is viruses.
Secondly, I do have protection against viruses and it's not an anti-virus program. Lag time doesn't affect my chances of getting a virus and I don't have to wait for anyone to play catch-up.
Why? Because I lock my registry with MJ Registry Watcher. I set it on reject and no viruses can be installed.

Ok, ok... let's not bicker about things like words... arguing about caps and virii vs. viruses (yes, the latter is correct) is just as childish.
Second, the MJ Registry Watcher is much appreciated. Thanks for the link.
Third, this MJRW is more along the lines of what I am making reference to. Instead of looking for the ever-changing and constantly mutating viruses themselves, let's monitor the known behaviours. Locking the registry isn't a bad idea, but maybe it would be less intrusive to just watch for specific types of transactions within the registry... in other words, the behaviours are less numerous to watch for than the ever-growing list of new and/or mutated viruses.... This is just a general concept, but if it became more specialized I would like to experiment with a behaviour definition file rather than a virus definition file... after all, surely potential behaviour would be a smaller list than constantly updating the culprit itself, and behaviours actually lend themselves more seamlessly to more accurate heuristics as well.
John W. Borelli
IT Specialist
OmniIT
borelli35

MJRW does exactly that. It constantly watches for attempted changes in the registry and auto rejects them. The user is notified of the attempt when the icon changes to red in the tray.
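
The "behaviour definition file" idea from the post above, and the MJRW-style watch-and-reject described here, as an added worked example that is not code from either poster or from MJRW. The rules, the registry events and the "trusted directory" policy are all constructed for illustration: each event is a simplified monitor record (process, action, key, value name, new data), and the rules describe transactions a virus typically attempts (autorun persistence, disabling the registry editor, hijacking the .exe file association, installing a service) rather than any particular virus.

```python
"""Behaviour-rule matcher over constructed registry-change events.

Added example: not MJRW's code. Rule set, event records and the
TRUSTED_PREFIXES policy are hypothetical and exist only to show how a
behaviour definition file can catch a never-seen-before binary by *what it
does* instead of *what it looks like*.
"""
import re
from dataclasses import dataclass

# Hive abbreviations as they appear in logs; normalized so one regex fits both spellings.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

def normalize_key(key: str) -> str:
    """Expand the hive prefix and fold case."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).upper()

@dataclass(frozen=True)
class Event:
    process: str        # image path of the process attempting the change
    action: str         # "set", "create" or "delete"
    key: str            # registry key path as logged
    value: str = ""     # value name ("" for the default value / key-level ops)
    data: str = ""      # data being written

@dataclass(frozen=True)
class Rule:
    """One line of a hypothetical behaviour definition file."""
    name: str
    key: str                                   # regex searched in the normalized key
    actions: tuple = ("set", "create", "delete")
    value: str = r".*"                         # regex fully matched against the value name
    data: str = r".*"                          # regex fully matched against the data
    verdict: str = "reject"                    # "reject" or "alert"

    def matches(self, ev: Event) -> bool:
        return (ev.action in self.actions
                and re.search(self.key, normalize_key(ev.key), re.I) is not None
                and re.fullmatch(self.value, ev.value, re.I) is not None
                and re.fullmatch(self.data, ev.data, re.I | re.S) is not None)

RULES = (
    Rule("autorun_persistence",
         r"\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE|SERVICES)?$",
         actions=("set", "create")),
    Rule("disable_admin_tools", r"\\POLICIES\\SYSTEM$", actions=("set",),
         value=r"DISABLE(REGISTRYTOOLS|TASKMGR)", data=r"0*1"),
    Rule("exe_association_hijack",
         r"^HKEY_CLASSES_ROOT\\EXEFILE\\SHELL\\OPEN\\COMMAND$", actions=("set",)),
    Rule("new_service",
         r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\[^\\]+$",
         actions=("create",), verdict="alert"),
)

# Hypothetical policy: binaries living under OS/application directories get a
# notification instead of an automatic reject. A path is spoofable, so a real
# tool would check the image's code signature rather than its location.
TRUSTED_PREFIXES = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\")

def evaluate(ev: Event, rules=RULES):
    """First matching rule wins; returns (verdict, rule_name) or ("allow", None)."""
    for rule in rules:
        if rule.matches(ev):
            verdict = rule.verdict
            if verdict == "reject" and ev.process.upper().startswith(TRUSTED_PREFIXES):
                verdict = "alert"
            return verdict, rule.name
    return "allow", None

SAMPLE_EVENTS = (  # constructed records, not a real monitor log
    Event(r"C:\Windows\explorer.exe", "set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "1"),
    Event(r"C:\Users\jb\AppData\Local\Temp\invoice.exe", "set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
          r"C:\Users\jb\AppData\Local\Temp\invoice.exe"),
    Event(r"C:\Users\jb\Downloads\photo.scr", "set",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
          "DisableRegistryTools", "1"),
    Event(r"C:\Users\jb\Downloads\photo.scr", "set",
          r"HKCR\exefile\shell\open\command", "", r'"C:\Users\jb\Downloads\photo.scr" "%1"'),
    Event(r"C:\Program Files\Mozilla Firefox\setup.exe", "set",
          r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
          "FirefoxUpdater", r"C:\Program Files\Mozilla Firefox\updater.exe"),
    Event(r"C:\Windows\System32\services.exe", "create",
          r"HKLM\SYSTEM\CurrentControlSet\Services\NewSvc"),
)

def process_log(events=SAMPLE_EVENTS):
    """Run every event through the rules; returns [(process, verdict, rule_name), ...]."""
    return [(ev.process, *evaluate(ev)) for ev in events]

if __name__ == "__main__":
    for process, verdict, rule in process_log():
        print(f"{verdict:6} {rule or '-':24} {process}")
```

Note that `invoice.exe` and `photo.scr` are caught without any signature for them: the rule fires on the Run-key write and the Policies\System change, which is exactly the point of a behaviour list being shorter and more stable than a virus list. The cost is visible in the `setup.exe` line: a legitimate installer adding an updater to Run trips the same rule, which is why the example downgrades it to an alert rather than rejecting, and why any such tool ends up either prompting the user a lot or maintaining an allowlist.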

Exactly... now I want to do this same thing with memory, HDD access, removable hardware, DMA requests, etc., ad nauseam. But to test this approach I need to be able to identify viruses randomly/blindly so that I can monitor certain causes and effects that would help me fine-tune my code... sort of a control group experiment, if you will. Thank you again for your input, as it is greatly appreciated.
John W. Borelli
IT Specialist
OmniIT
borelli35

If I had a way to identify viruses "randomly and blindly" as you said, I could retire. Looking for ADS (Alternate Data Streams) might help, but that's not 100% foolproof either. CrucialADS was one such program.

ThreatFire is another heuristic-based protection software that looks for behavior instead of definitions. Kaspersky has some kind of proactive defense, which appears to be similar as well, and prompts for permission whenever there's a requested change to the registry. I think this is kind of what Vista was going for too, when it asks you to confirm your action two or three times.
Since security is most effective in layers, one might suggest a combination of signature-based and heuristic-based protection, but I don't know how well they play together (I know 2 AV programs can't really coexist on the same machine).
Of course, all this software can slow your machine, and the constant requests for permission get old real fast. But there will always be that inverse relationship between usability and security.
