New Software Vaccinates Against ‘Zero Day’ Virus Attacks

When was the last time you updated your anti-virus software?

Even if you update your AV software frequently, there’s still a gap between the time a virus is released into the wild on “day zero” and when virus fighters can update their programs to squash the malware.

To truly secure a network, what’s needed is a way for AV software to wipe out that gap. A company in Lindon, Utah, believes it has found a way to do just that.

Isolation Chamber

Avinti has released a product called iSolation Server that quarantines e-mail messages containing suspicious code and runs that code in a virtual isolation chamber to determine if it will behave maliciously.

The most common way to fight viruses is by identifying their “signature,” a chunk of code that allows AV software to eye a culprit and kill it. But to identify a signature, a virus must be known. And in the time it takes for a virus to become known, its signature to be identified and an AV software update to be issued, the malware can wreak havoc.

According to Avinti CEO Terry Dickson, it can take an AV vendor four to six hours to respond to a virus outbreak. “In the Internet economy, the virus can be around the world and doing its damage in a minute,” he told TechNewsWorld.

“It does things that the conventional signature-based anti-virus products don’t purport to do, that’s to trap things that haven’t been seen before,” John R. Muir, managing partner at Trusted Strategies, an IT security research and analysis firm in San Ramon, California, said of iSolation Server.

Trapping Unknown Viruses

He explained that Avinti has found a way to take things that are unknown, put them through a series of filters, and if they look fishy, put them in an isolation chamber. There the software can exercise them and see if they exhibit viral behavior. If they do, it can delete them. If they don’t, the software can move them forward.

“We’re never smart enough to figure out all the things that hackers and other perpetrators can do, so the real test is to see what would happen in a real machine,” he told TechNewsWorld.

“[Avinti] seems to have a unique solution to a growing problem,” he added.

David Cassee, IT director for InteliTarget, a sales and marketing firm with about 50 employees in Herndon, Virginia, and a beta tester of the software, also praised it.

“We’ve been really happy with it,” he told TechNewsWorld. “It’s incredibly low maintenance.”

“It caught a number of viruses right away without the delay that we would typically see with a service where you’re waiting for virus definitions to be updated,” he said.

“We haven’t seen any false positives,” he added. “It’s been a great tool.”

Although the Avinti solution may appear relatively simple on its face, it hasn’t been until recently that the technologies have lined up to make the package a reality, according to CEO Dickson.

Some Underwhelmed

“There’s been a convergence of high-performance processors, commercial-grade off-the-shelf virtual machines and some behavioral-based technologies that we’ve engineered around the two of those to make this truly unique and available at this point in time,” he said. “As early as a year, year and a half ago, the availability of all three of those things wasn’t possible.”

Others, however, found the technology underwhelming. “Aside from the fact that this is running on a PC, there’s nothing too earth-shattering here,” observed Bill Franklin, president of the 0Spam Network Corporation, an AV software company in Coral Gables, Florida.

“Folks like us and MXLogic have been offering real ‘day zero’ or ‘hour zero’ coverage for months — and just not on a PC,” he told TechNewsWorld.

He maintained that since iSolation Server avoids interpreting text and HTML, it’ll be vulnerable to “remote attachments” — links within messages that steer a recipient to a site where an exploit is downloaded to their computer. He added that currently his firm is researching some new truly nasty permutating trojan code that probably wouldn’t do well with this type of system. That code can create several hundred thousand or millions of variants in a single mega-attack.
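The two stages described earlier (filter the unknown, then judge it by observed behaviour) together with the "remote attachment" gap raised above, as an added example that is not Avinti's or 0Spam's code. The message, the attachment-type list, the behaviour names and their weights are all constructed assumptions; the isolation chamber itself is not implemented, so the verdict function takes a behaviour trace such a chamber would log.

```python
"""Mail-gateway triage modelled on the article: a filter stage that picks
out fishy attachments (and notes body links, which attachment sandboxing
alone never executes), and a verdict stage over observed behaviour."""
import email
import re
from email import policy

# Constructed sample message: one executable attachment plus a body link.
RAW_MESSAGE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached, or fetch it from http://example.invalid/get
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

SUSPICIOUS_EXT = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm"}  # assumed list
URL_RE = re.compile(r"https?://\S+")

def filter_stage(raw):
    """Return (attachments worth detonating, links the chamber would not follow)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    suspects, links = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(e) for e in SUSPICIOUS_EXT):
            suspects.append((name, part.get_payload(decode=True)))
        elif part.get_content_type() == "text/plain":
            links += URL_RE.findall(part.get_content())
    return suspects, links

# Behaviours an isolation chamber might record; names and weights are assumptions.
BEHAVIOUR_WEIGHTS = {
    "write_autorun": 3, "modify_other_exe": 3, "mass_smtp_connect": 3,
    "spawn_shell": 2, "read_address_book": 2, "write_temp_file": 0,
}

def verdict(trace, threshold=3):
    """'delete' once the weighted behaviour score reaches the threshold, else 'forward'."""
    score = sum(BEHAVIOUR_WEIGHTS.get(ev, 1) for ev in trace)  # unknown events count 1
    return ("delete" if score >= threshold else "forward", score)
```

Links returned by the filter stage are the case Franklin describes: nothing is detonated, so they need a separate check (URL reputation or fetching the target in the chamber) rather than being forwarded as clean.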

Horsemen Versus Tanks

“Our latest AV code is running on very powerful cluster nodes, and it takes a lot of ‘umph’ to determine intent when the code can take several million distinct execution paths,” he revealed. “A PC just doesn’t have the CPU bandwidth to develop an accurate characterization of a mass virus attack on a company of any size whatsoever.”

“In short,” he continued, “with the coming threats we’ll see before the end of the year, the architecture mentioned will just croak — just like traditional AV software. It’s the equivalent of tanks against horse mounted cavalry.”

More by John P. Mello Jr.