Someday, behavior analysis might replace signature comparison in AV solutions. But I don't think so. Like all security controls, these two approaches to detecting malware are layered defenses, supporting each other, identifying threats the other misses.
Not every break-through security product is a good idea, an effective solution for protecting devices from the effects of malware attacks. This seems to be the case with a new product called NovaShield AntiMalware 2.0.
Earlier this year, NovaShield, Inc. announced that it had received a $500,000 grant from the U.S. National Science Foundation (NSF) to enable completion and introduction of a new behavior-based anti-malware product (RedOrbit, 3 March 2008). Detecting malware based on behavior instead of the traditional signature comparison approach is touted as being a better defense against zero-day attacks. Attacks that occur before AV vendors can update customer signature files. I agree with this view, but I’ve yet to see a product that effectively defense using behavior heuristics alone, without support from signature reviews. NovaShield AntiMalware 2.0, released this week and priced at $19.95, seems to reinforce this point.
Neil J. Rubenking posted the results of his NovaShield test at pcmag.com. He gave it a rating of “Poor,” with the following bottom line comments:
NovaShield AntiMalware aims to block malware by detecting malicious behaviors. In testing it was a near-total flop, though it detected several valid utilities as "high risk" threats. And it rendered two test systems unusable. There's no reason to buy this when you can get ThreatFire free.
The only positive Rubenking had to say was it installed quickly.
NovaShield isn’t the only AV vendor trying to get to market with a behavior analysis engine. As mentioned in the PC Magazine review, ThreatFire is a free behavior detection product, but the company positions its product as a supplement to signature-based solutions. Not a replacement. Figure 1 depicts alleged detection improvements when using ThreatFire with popular AV products.
Figure 1: Increased Protection when Using ThreatFire
All the main AV vendors (e.g. McAfee, Trend, and Symantec) have integrated some level of behavior analysis into their malware defense products. However, none are making claims that behavior heuristics alone provide sufficient protection.
Someday, behavior analysis might replace signature comparison in AV solutions. But I don’t think so. Like all security controls, these two approaches to detecting malware are layered defenses, supporting each other, identifying threats the other misses. Whether located on desktops or in intrusion defense appliances, only a combination of the two provides sufficient protection to networks and end-user devices.