Anti-Virus Firms Scrambling to Keep Up
For its part, Sunbelt Software, a security software company based in Clearwater, Fla., recently added more than 50 new servers to its malware analysis center to lighten the load of a lab already straining under the daily deluge of new virus samples.
"We've had to bring in a great deal more hardware and come up with tons of different new detection methods just to deal with the incoming malware load in the past year," Sunbelt President Alex Eckelberry said.
Much of that automation involves creating more generic signatures capable of detecting a broader range of malicious files. That approach relies less on recognizing any telltale code fragment than on identifying a suspicious type of behavior or an overall resemblance to a well-known family of malicious software.
This labor- and time-saving method has its shortcomings, however. For one thing, employing more generic detection methods can lead to a greater number of false alarms, wherein innocent files are mistaken for viruses. These kinds of errors can be extremely disruptive for customers, and they've become more common as anti-virus makers have increased their reliance on generic detection methods, said Andreas Marx, managing director for AV Test.
Marx said that while all anti-virus companies maintain comprehensive lists of known "good" files with which to test their daily anti-virus updates and avoid false alarms, many times those tests are never conducted.
"It looks like more and more that for time reasons these scans are not even performed, but the update is released 'as is,' putting the users at a high risk to destroy their running, non-infected systems," Marx said.
A handful of these so-called false positives have had a fairly broad impact on customers. In December, Russian anti-virus maker Kaspersky erroneously flagged Windows Explorer -- the visual interface for Windows itself -- as a Trojan horse program. Earlier in the year, a faulty update to certain versions of Symantec's Norton Antivirus program detected two essential Windows components as malicious, crippling millions of Windows PCs.
Headache for Consumers
Malicious software is becoming harder to remove because more virus writers are including components that bury the malicious files deeper within the operating system. For many users, some of today's most tenacious intruders cannot easily be removed without re-installing the operating system. Re-installing isn't such a huge hassle for businesses, which tend to keep user-generated data files in separate storage from the underlying operating system. Indeed, for some businesses, a virus infection is grounds to rebuild the infected machine with a known safe copy of Windows and any other needed applications.
But home users often will try almost anything before re-installing Windows, mainly because they typically do not have those same data and system backup plans in place, said Don Jackson, a senior security researcher for Atlanta-based SecureWorks.
"Comprehensive remediation of infections is badly hurt by generic detection, and unfortunately a lot of today's infections are extremely difficult for the average user to remove completely," Jackson said. "You can see the evidence of that by the number of people desperately posting to various security self-help sites."
An increasing reliance on generic detection also has made it more difficult for consumers to find instructions online for removing an infection that can't be completely eradicated by anti-virus software. Instead of pinpointing a malicious intruder with a specific filename (e.g. "MyTob Worm.AB"), generic signatures often will assign plain vanilla names to malware files, such as "Generic Trojan Dropper," or "Backdoor.generic." Such vague names entered into a search engine produce so many results that people with machines victimized by such malware often are at a loss as to how to proceed, said David Harley, an anti-virus consultant and administrator of the Anti-Virus Information Exchange Network (AVIEN), a group made up of corporate IT security administrators who share trends and data on the latest malware threats.
"What happens now is some stuff can be removed generically, and that does happen, but a lot of the time [the victim's anti-virus product] says I think you have a problem here, but I'm afraid you're going to have to sort it out yourself," Harley said. "That puts the user who just wants this stuff off his machine in a terribly awkward position."
Experts say PC users shouldn't depend on anti-virus software to save them from risky online behaviors, such as clicking on Web links included in unsolicited e-mail and instant messages. Rather, they say, anti-virus should be part of a layered security approach that includes using a firewall to keep out unwanted Internet traffic and applying software updates for both Microsoft Windows and third-party software -- particularly popular programs used to display documents or play audio and video files.
"The problem is that we have this ongoing, unrealistic expectation that somehow we are going to detect 100 percent of the malware out there, when in fact what we have today is slightly less detection than we did, say, in the mid-1990s, when we were actually catching 70 to 80 percent of the new threats," said AVIEN's Harley.
For security researchers on the bleeding edge of defending information networks, even those less-than-stellar numbers may seem a bit inflated. Jerry Dixon, director of analysis for Team Cymru, a security research firm in Burr Ridge, Ill., said his team recently submitted more than 1,000 samples of brand new malware for scanning by 32 different commercial anti-virus products from around the globe. The result: Only 37 percent of the programs were detected as malicious by any of the products.
"The real challenge here is for people to get it through their heads that anti-virus is not a panacea, and that it's always going to fall short of identifying threats in real-time," said Trend's Perry. "The challenge for us as an industry is to try to change that perception, while at the same time integrating new threat mitigation features into our products."