HP Claims Virus Throttler Snuffs Out Worms

Hewlett-Packard (NYSE: HPQ) has worked out the bugs in software it says will slow down the spread of worms and viruses within servers.

Virus Throttler -- which HP had said it was shelving back in August because it was having trouble integrating it with Microsoft (Nasdaq: MSFT) Windows server software -- is now back, HP CTO Tony Redman said Tuesday at the company's Software Universe in Madrid. HP said it solved the problem by creating access through a network driver.

Ready for ProLiant

The software will be available beginning in early 2005 on ProLiant servers running Windows 2000 and 2003 and for HP ProCurve network switching devices. HP is conducting Windows compatibility testing on the product.

Redmond said HP is working on a version of the software for PCs, but would not say when it might be released. He was even vaguer on the potential for a Linux version, saying only that HP is working on it, but that the multiple releases of Linux make it difficult.

The company has also tested it on 50 of its own servers, which it intentionally infected with viruses to monitor the throttler technology's capabilities. Redmond said the software worked without interfering with the servers' normal performance.

Analyst Doubts

Although the idea is a good one, SecurityCurve analyst Ed Moyle said, he's unconvinced it will work.

"I suspect that the implementation might fall short of the ideal in determining threats ahead of time. Specifically, without analyzing the malware and producing a signature for it, I think HP might find it difficult to determine which machines are infected and which aren't," Moyle told TechNewsWorld.

"Almost everyone will agree with the statement that reducing the infection rate for infected machines while maintaining network throughput for non-infected machines would be a boon to our industry. However, I don't think this is by any means a 'malware panacea,'" he said.

Detects Malicious Behavior

The software, developed at HP Labs in Bristol, England, works by detecting intrusions through behavioral patterns. Viruses will attempt to rapidly make the same connection over and over again, for instance. Once this type of activity is recognized, Virus Throttler slowly clamps down on the activity. Systems administrators will be alerted so they can decide what other steps are necessary to eliminate the infection.

But just as the industry works on new ways to hamper malware, malware writers are working to get around the barriers.

"I think that it is likely that malware authors will come up with ways to try to get around this technology. For example, there are a number of papers in the hacker community discussing how to circumvent IDS (Intrusion Detection) technology -- it's only a matter of time before someone will discover, test, and publish methods to circumvent this. If, for example, HP uses 'number of connections per second' to attempt to classify something as malware/non-malware, malware authors could re-tool their software to slow down the connection rate," Moyle said.