The end of antivirus definition updates?

Well, frankly, there has been talk of the end of definition based antivirus scanning for years. You see the achilles heel of any AV scanner is that it has to have signatures of what known viruses look like, so there will always be a reflex window, where there’s a new unknown virus that people are getting infected with before there’s a reaction from the antivirus vendors. The supposed cure for this dillema was hueristic scanning which was supposed to detect things that “looked” like they might be viruses. A noble goal, but along the path it’s proven innefective mostly, either too aggressive and tagging EVERYTHING as potentially viral, or really unnoticable.

There is, however an article at looking at the recent worm bout and noting that several vendors detected exploit attempts without an update. 2 were able to detect 6 out of 6 different attacks without a signature update. They do note that one of these also generates a large number of false positives.

I don’t know if heuristics? (hueristics?) are the answer, they need to keep imroving though because false positives are what prompt people to disable the heuristic scanning. Further, maybe this needs to be a different class of software that analyzes 1)who is running this process, 2) is it automated or running from a user currently logged in 3) if it’s not run by a current user, why is it running? is it something that should run unattended? … maybe this is something that happens at a lower level (the kernel?)

Anyway, we’ll see if this is the end of definition updates (I’m not holding my breath though.)

   Send article as PDF   

Similar Posts