This past weekend, Slashdot posted a story entitled Why Popular Anti-Virus Apps ‘Don’t Work’. It references two articles containing discussions of the same.

Malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release.

Well, duh! I had a computer science professor that would give us an F if he could get our programs to crash. He always sat down and tried the same few things to start with—wrong parameters, corrupt input data, etc. If you didn’t test for these before you turned it in, you got the grade you deserved. If you wanted a virus to propagate, wouldn’t you test that it wasn’t detected by the popular AV (anti-virus) software first?

Anyway, in order for AV software to not slow your machine down to an unusable state, they rely on checking for “signatures” of the virus—typically expected chunks of code within an executable (either the code itself, a CRC checksum or hash of the same). Other methods exist, such as heuristic analysis and running everything in a sandbox, but they typically slow down the client too much.

Are signatures still really the best way to prevent the spread of computer viruses? What will the next generation of viruses and AV software hold?

This entry was posted on Wednesday, July 26th, 2006 at 2:20 pm by Peter Hesse and is filed under software. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.