Handbook of Local Area Networks, 1998 Edition:LAN Security
Click Here!
Search the site:
ITLibrary
ITKnowledge
EXPERT SEARCH
Programming Languages
Databases
Security
Web Services
Network Services
Middleware
Components
Operating Systems
User Interfaces
Groupware & Collaboration
Content Management
Productivity Applications
Hardware
Fun & Games
EarthWeb sites
Crossnodes
Datamation
Developer.com
DICE
EarthWeb.com
EarthWeb Direct
ERP Hub
Gamelan
GoCertify.com
HTMLGoodies
Intranet Journal
IT Knowledge
IT Library
JavaGoodies
JARS
JavaScripts.com
open source IT
RoadCoders
Y2K Info
Previous
Table of Contents
Next
Drawbacks of Signature Scanning
Despite the existence of sophisticated antivirus tools, many organizations rely almost entirely on signature scanning to detect viruses. In light of the virus boom, signature scanning alone is a mediocre defense, at best. Some of the drawbacks of this commonly-used approach are described in the following sections.
Passivity
The most profound flaw in relying on signature scanners is that they are reactive, or passive. The goal of scanning is to detect a virus that has already infected a file or a boot sector. The ideal method is to prevent viruses from infecting the system at all, not merely to be informed of the problem after the fact.
Incomplete Checking
A polymorphic virus, which produces varied but fully operational copies of itself, can deceive signature scanners by altering or encrypting its signature. Signature scanners have attempted to address this by including several signatures for a given virus, one for each possible encryption method or iteration of the signature. As polymorphic viruses become increasingly sophisticated, the brute force method of including more signatures in the scanner will not be able to keep up with all the possible variants of all the polymorphic viruses. Many polymorphs already evade detection by interspersing noise instructions or by interchanging mutually independent instructions within the code to continually modify the signature. A simple signature-based scanner cannot reliably identify this type of code.
Failure to Scan for Newer Viruses
Scan strings can only be extracted and cataloged if the antivirus vendor has a sample of the virus. In the recent past, it took the most common viruses six months to three years to become prevalent, giving vendors enough time to send out regular updates of known viruses and head them off. The exponential growth in viruses has increased the likelihood of a new virus reaching the LAN or PC before the update from the antivirus company does. Besides creating a chance of missing an unknown virus, signature-based scanners require constant updating. If the signature scanner is not centrally administrated, it slows productivity and drains resources because of the management tasks needed to install each successive enterprisewide update.
Insufficient Scanning Frequency
In theory, a virus infecting a system at 8:59 a.m. could be caught one minute later if the network is routinely scanned at 9:00 a.m. However, the opposite scenario is just as likely. A network may be scanned at 9:00 am and become infected at 9:05 am. If the virus is a fast infector such as Dark Avenger or Frodo, once it is in memory it can infect not only executed programs, but even those that are merely opened. Such a virus has almost 24 hours of free time to wreak havoc in the network. Even worse, because many signature scanners open files in order to scan them, the very act of using the scanner can allow the virus to infect all programs at once.
Slow Scanning
Any scanner takes a finite amount of time to scan a machine for viruses — perhaps five minutes or more. If the 70 million US employees who use PCs spend five minutes a day scanning, and earn $15 an hour, the annual cost of scanning (260 days a year) is more than $22 billion. The costs of scanning exceed the purchase price of antivirus software after just a few weeks of scanning. More sophisticated tools can cut this time drastically by scanning checksums instead of the entire contents of every file. The more viruses a scanner must search for, the more places within a file it must search, and the more files it must search across, the slower the search must be. Because strings must be stored in memory, and memory is limited, there will soon be two-pass products that load one set of strings, scan, then load a second set and scan. Although computers are faster now, hard drives are also getting larger.
Dependence on User Compliance
Traditional scanners do not work unless employees remember to use them. Some users are inclined to value their own productivity and convenience more than their employer’s security concerns, and thus are not motivated to consistently scan. Even diligent users tend to get lax if scanning every day for a month produces no alarms.
Previous
Table of Contents
Next
Use of this site is subject certain Terms & Conditions.
Copyright (c) 1996-1999 EarthWeb, Inc.. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.
Please read our privacy policy for details.
Wyszukiwarka
Podobne podstrony:
mbdch20 76720030817180248id!767763 766Boeing 767 200 300ER 400ER Operating Manualmbdch20 766763 766767 768756 767 (2)766 769więcej podobnych podstron