October 23, 2009 • Vol.31 Issue 26
Page(s) 24 in print issue

Beating The Malware Odds
Knowing How Anti-Malware Products Work Is Half The Battle

Key Points

• Traditional antivirus products scan files and compare them to characteristics of known malware (found in signature entries on product malware databases).

• Many people do not realize that most spam arrives via botnet-controlled computers.

• The primary purpose of malware is theft, be it of money or information that can lead to financial gain.

When virus and spam activity causes enterprise productivity to go down, data center and IT managers are the first to hear about it. Half the battle is trying to get rid of these pesky problems, and the other half is knowing about the tools that thwart them. Here is a look at the way antivirus and antispam tools operate so you can do a better job of keeping your enterprise up and running.

Antivirus

This year, 99% of antivirus programs are essentially signature scanners, according to Roger Thompson, chief research officer at AVG Technologies (www.avg.com). This means that they are good at detecting known viruses and malicious code, or malcode, but are not able to detect new malcode until new signatures are added. “Unfortunately, the bad guys know this, so they simply generate large amounts of malcode every day to hide the ones that they really want to release,” Thompson says.

According to Thompson, a good antivirus solution includes a dedicated Web scanner, a behavior layer, and a main scanning engine that is aimed at the malcode that is out in the wild. “More than ever, the best way to do security is to adopt a layered approach,” he says.

Peter Beardmore, senior product marketing manager at Kaspersky Lab (www.kaspersky.com), says antivirus is typically thought of as endpoint protection. But Beardmore explains that over the past decade, endpoint protection requirements have evolved beyond traditional antivirus. “Most packages also include personal firewalls, heuristics, some form of application control, antispam, etc.,” he says. “And in the enterprise, the products are typically bundled with centralized management.” He says antivirus protection is also typically found on gateway products, email servers, and application servers.

Traditional antivirus products essentially scan files, either on a disk or coming in through a network connection, and compare them to characteristics of known malware (found in signature entries on product malware databases). Beardmore says these signatures are updated through the Internet by vendors on a regular basis for all customers with valid licenses. He says the method and context of comparison varies from vendor to vendor and has certainly evolved with time. When a match is found, the malware is blocked, quarantined, or removed.

Email antivirus tools also scan incoming emails for computer viruses, worms, Trojan horses, and other unwanted software before they reach a user’s mailbox, thus blocking such malicious content from entering the network. Nicholas Sciberras, product manager at GFI Software (www.gfi.com), says email antivirus tools make use of traditional virus-scanning techniques to detect malware. “At the same time, email antivirus software utilizes other methods to detect such emails, such as detecting email exploits that might be used by malware,” he notes. “Email antivirus tools also scan outbound emails for malware which might dishonor the organization.”

Angelos Kottas, product marketing manager at Symantec (www.symantec.com), says antivirus on a mail server searches for and removes malware by scanning mail and attachments as they move through the server. “Before mail is delivered to the end user, the antivirus product examines it against a database of known threats,” Kottas says. “Advanced antivirus products also use heuristics and other day-zero techniques to identify and remove unknown threats.”

Antispam

Kottas says there are two primary approaches to blocking spam. “The first and more traditional approach is to scan the content of emails to look for specific content or patterns that are associated with spam messages,” he says. “This can include analysis of embedded URLs, use of key words and images, and other forms of content analysis.”

The second approach adds a level of reputation analysis at the time of connection. Kottas says this method of spam fighting looks at the source of the email (the sender IP) and determines if that source is known to be a spam sender. “More adaptive approaches can also monitor the history of a sender’s email flow over time and start throttling back connections when the percentage of emails that are spam starts to increase,” he says.

Messaging protection software detects not only spam itself but also spam botnets operating inside the network, according to David Perry, global director of education at Trend Micro (www.trendmicro.com). Perry says many people do not realize that almost all spam arrives via stolen botnet computers. “The modern data center cannot spare the bandwidth nor their own ethical considerations to random spam vendors,” he says. “No large computer installation of any kind can hope to operate well without managed anti-malware protection and protection at the messaging server.”

Kaspersky found that spam amounted to 85.5% of all email traffic over the first half of 2009. Beardmore says in layman’s terms, that’s a lot of email, network traffic, and disk space. He says that by blocking spam and malware at the point of entry (gateways and data center servers), enterprises can reduce the overall load on their systems while simultaneously reducing risk.

Thompson says antispam tools work by a combination of blacklisting known spammers and using Bayesian filters to try to determine that a given message is spam as opposed to regular email.
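The three mechanisms the article describes, blacklisting known spam sources at connection time, Bayesian content scoring, and throttling a sender whose spam share rises over time, combined in one small mail-filtering pipeline. This is an added illustration, not code from any of the vendors quoted; the DNSBL zone, the listed address (192.0.2.3, from the documentation range), the training messages and the thresholds are all constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed stand-in for a DNS blacklist: a DNSBL is queried by reversing the
# sender's octets under the list's zone; any answer means "listed". Placeholders only.
DNSBL_ZONE = "dnsbl.example"
LISTED = {"3.2.0.192." + DNSBL_ZONE}   # 192.0.2.3 is "listed" (constructed)
TOKEN = re.compile(r"[a-z0-9]+")

def dnsbl_name(ip, zone=DNSBL_ZONE):
    return ".".join(reversed(ip.split("."))) + "." + zone

class BayesFilter:
    # Naive Bayes over the set of words in each message, with add-one smoothing.
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
    def train(self, label, text):
        self.docs[label] += 1
        self.words[label].update(set(TOKEN.findall(text.lower())))
    def spam_probability(self, text):
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        logp = {}
        for label in ("spam", "ham"):
            total = sum(self.words[label].values()) + vocab
            lp = math.log(self.docs[label] / sum(self.docs.values()))
            for tok in set(TOKEN.findall(text.lower())):
                lp += math.log((self.words[label][tok] + 1) / total)
            logp[label] = lp
        return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))  # log-odds -> P(spam)

class SenderReputation:
    # Spam share per sender IP; throttle once it climbs past a limit.
    def __init__(self, limit=0.5, min_seen=4):
        self.seen = defaultdict(lambda: [0, 0])  # ip -> [spam, total]
        self.limit, self.min_seen = limit, min_seen
    def record(self, ip, is_spam):
        self.seen[ip][0] += int(is_spam)
        self.seen[ip][1] += 1
    def should_throttle(self, ip):
        spam, total = self.seen[ip]
        return total >= self.min_seen and spam / total > self.limit

def handle(ip, text, filt, rep, threshold=0.9):
    if dnsbl_name(ip) in LISTED:
        return "reject"       # known spam source: refuse at connection time
    if rep.should_throttle(ip):
        return "throttle"     # this sender's spam share has been climbing
    is_spam = filt.spam_probability(text) >= threshold
    rep.record(ip, is_spam)   # feed the verdict back into the sender's history
    return "spam" if is_spam else "ham"
```

Connection-time checks run before any content is read, which is where the bandwidth and disk savings the article mentions come from.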

Sciberras says that when malware manages to enter the network, it will quickly propagate to infect other systems within the same network. “Because of this,” he says, “one would want to deploy antispam and email antivirus software at the perimeter of the network, scanning all the emails before they enter the network [and] thus avoiding wastage of resources from spam and stopping all malware before it reaches your systems.”

by Chris A. MacKinnon



Antivirus tools: These tools scan files for computer viruses, worms, Trojan horses, and other unwanted software. Email antivirus tools block this malware from reaching users’ mailboxes, thus blocking such malicious content from entering your network.

Antispam: Antispam tools make use of various technologies to identify spam emails and block such emails before reaching the users’ mailboxes. Technologies used to identify spam emails include IP reputation and DNS-based blacklists.

Phishing: Phishing emails, which are considered a mix between spam and malware, imitate emails from well-known institutions in order to fraudulently gain personal information such as passwords or credit card details.





Copyright © by Sandhills Publishing Company 2010. All rights reserved.