
Signature-Based Versus Heuristic-Based Anti-malware

Demand for more proactive virus-detection technologies has grown because Web-based threats have escaped traditional, signature-based virus protection. These escapes happen primarily because the viruses are "unknown" or because enterprises have failed to update their signature files.

Unlike traditional viruses, which rely on the user to spread the infected files, these new, "blended" threats are automated. Compromised computers in homes and businesses continuously scan the Internet and local networks for other vulnerable computers to infect, so the threats spread without user interaction. Malware spreads so quickly today because it can often sneak past traditional antivirus software and entrench itself in desktop and server systems before antivirus vendors can post an appropriate signature.

Since blended threats are designed to get past point-solution security systems, proactive, behavior-based analysis employing heuristics is increasingly a vital need in a layered security architecture.

Web sites likewise rely on various embedded programs, such as Java applets and ActiveX controls, to create their unique look and feel. These programs can run automatically when the user views the site, which allows a virus to be embedded in a Web page and to infect anyone viewing that page. Many companies block Java from coming through their firewalls, but, unfortunately, this move can also block important and legitimate business-related applets.

Real-time behavior analysis using advanced heuristics identifies and analyzes downloaded code as it enters the network. All characteristics of the code are examined for security violations on the fly. Any code that violates the corporate security policies is logged and blocked at the gateway, while end users are notified with an on-screen alert. Examples of security policy violations include attempts to delete files, open network connections, and alter registry settings.

Real-time behavior analysis enables companies to allow trusted Web applications or services into the corporate network and to scan all other Web content for malicious behavior. This approach permits trusted content to flow freely into the network, while all other "unknown" content is checked before it can proceed.
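
The contrast described above, as an added example that is not part of the original page or any vendor's product code: a signature lookup misses a one-byte variant of a known sample, while a behavior policy built from the violations the page lists still blocks and logs it. The sample bytes, the action names, the origin host names and the idea that an action trace is already available from some analysis step are all assumptions made for illustration.

```python
import hashlib

# Constructed signature database: SHA-256 digests of known-bad samples.
KNOWN_SAMPLE = b"constructed-known-bad-applet"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Behaviours the page names as security policy violations.
POLICY_VIOLATIONS = {"delete_file", "open_network_connection", "alter_registry"}

# Hypothetical allowlist of trusted origins (assumption, not from the page).
TRUSTED_ORIGINS = {"apps.intranet.example"}


def signature_verdict(payload):
    """Signature-based check: exact match against known-bad digests."""
    digest = hashlib.sha256(payload).hexdigest()
    return "block" if digest in SIGNATURES else "allow"


def behavior_verdict(origin, observed_actions):
    """Heuristic check: compare observed actions against the policy."""
    if origin in TRUSTED_ORIGINS:
        return "allow", []  # trusted content flows freely
    violations = sorted(set(observed_actions) & POLICY_VIOLATIONS)
    return ("block" if violations else "allow"), violations


def gateway_decision(origin, payload, observed_actions, log):
    """Layered decision: signatures first, then behaviour; log every block."""
    if signature_verdict(payload) == "block":
        log.append((origin, "signature", ["known-bad digest"]))
        return "block"
    verdict, violations = behavior_verdict(origin, observed_actions)
    if verdict == "block":
        log.append((origin, "behavior", violations))
    return verdict


if __name__ == "__main__":
    log = []
    # Constructed "unknown" variant: one byte differs, so no signature matches.
    variant = KNOWN_SAMPLE + b"!"
    trace = ["read_file", "alter_registry", "open_network_connection"]
    print(signature_verdict(variant))
    print(gateway_decision("cdn.unknown.example", variant, trace, log))
    print(log)
```
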
