Defence in depth is crucial in the intensifying battle against malware. While Internet-level virus scanning gives a far higher detection rate, an organisation still needs desktop scanners to protect mobile computers and removable media, and to check encrypted files.
Technology's latest antivirus weapon, Internet-level scanning, intercepts viruses before they reach the perimeter.
The older desktop defences offer advantages too. Because a desktop file system is relatively stable, an infection can be detected simply because files have changed, and more detailed analysis can then be concentrated on the recently changed files.
Moreover, the desktop is the only place where encrypted malware can be detected, though encrypted traffic was only about 0.005 per cent of all e-mails in 2002. The most likely danger is an encrypted e-mail with a document containing a new macro-virus.
Although Internet-level scanning delivers multiple benefits, most service companies fail to take full advantage, offering only desktop, server or gateway antivirus products.
The desktop market is sensitive to scan times — a product that is 10 per cent slower will lose business. But at the Internet level, 1/10-second or even 10-second delays are insignificant, allowing the use of more heuristics.
Much statistical analysis — which is not viable on the desktop — can be done on files, including opcode frequency analysis, code analysis, junk code analysis, checksum analysis, cryptographic analysis and entropy analysis. Although some desktop products use these techniques, available time issues prevent thorough analysis.
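Entropy analysis, one of the statistical checks listed above, as an added illustration that is not the author's or MessageLabs' code: a Shannon-entropy profile over fixed-size windows flags files whose bytes are close to uniformly distributed, which is what encrypted or packed content looks like. The sample inputs are constructed, and the window size and thresholds are illustrative assumptions rather than anything from the article.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512) -> list[float]:
    """Entropy of each consecutive window; the last window may be shorter."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def flag_high_entropy(data: bytes, window: int = 512,
                      threshold: float = 6.5, min_fraction: float = 0.5) -> dict:
    """Report how much of the file sits above the entropy threshold.

    Thresholds are assumptions for this example: ordinary documents and
    uncompressed code sit well below 6.5 bits/byte, random-looking data above.
    Scanning every window of every file is the kind of per-file cost the
    article says is affordable at the Internet level but not on a desktop.
    """
    profile = entropy_profile(data, window)
    high = sum(1 for e in profile if e >= threshold)
    fraction = high / len(profile) if profile else 0.0
    return {
        "overall_entropy": shannon_entropy(data),
        "windows": len(profile),
        "high_windows": high,
        "fraction_high": fraction,
        "suspicious": fraction >= min_fraction,
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for encrypted content (a SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a plain-text document and an "encrypted" blob.
PLAIN_DOC = b"Quarterly sales report: revenue grew in all regions. " * 40
ENCRYPTED_BLOB = pseudo_random_bytes(2048)
```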
Traditional antivirus vendors are sensitive to the size of the signature or pattern file required for an antivirus product. At 1MB-plus, users who roll out to hundreds of desktops start complaining. Yet with around 50,000 known viruses, this represents only 20 bytes per virus.
At the Internet level there is far less space pressure: even a heuristic knowledge base, the equivalent of a pattern file, of say 2.5GB can be used without impacting speed. The knowledge base can be as large as required without slowing the flow, and this extra data allows far more in-depth checking.
Nick Hawkins is general manager Asia Pacific, MessageLabs