Since the early days of the PC, it has been standard advice to new users that one should install and keep up-to-date an anti-virus program on the computer – especially if it is a Windows PC. The anti-virus software works by scanning files (for example, when they are opened, executed, or saved) and looking for clues that indicate potentially malicious software (often called malware). The most common technique for doing this uses a database of malware signatures provided by the vendor; these are small patterns that appear in the executable code or other parts of the malware. In one way, this is a good approach: it gives a clear result, and false positives are relatively rare. On the other hand, it has the obvious disadvantage that it cannot possibly detect malware that the anti-virus vendor has never seen before. As the use of anti-virus programs in general, and signature-based detection in particular, spread, an “arms race” was started between the vendors of anti-virus software and the creators of malware.
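To make the signature-matching mechanism described above concrete, here is a small scanner written as an added example for this page (it is my own illustration, not code from the original post or from any anti-virus vendor). The signature names, the hex patterns, and the sample byte strings are all constructed for the example; the "??" single-byte wildcard mirrors a convention that many real signature formats use, but the database here is hypothetical.

```python
"""Minimal signature-based scanner, constructed to illustrate how
pattern signatures detect known samples and miss changed ones."""
from typing import Dict, List, Optional, Tuple

# A signature is a list of byte values; None stands for the "??"
# single-byte wildcard found in many real signature formats.
Signature = List[Optional[int]]


def parse_signature(hex_pattern: str) -> Signature:
    """Turn a text pattern such as '4D 5A ?? 00' into [0x4D, 0x5A, None, 0x00]."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


# Constructed signature database (hypothetical names and patterns, not real
# vendor signatures). The first one allows two arbitrary bytes in the middle.
SIGNATURES: Dict[str, Signature] = {
    "Example.Trojan.A": parse_signature("4D 5A 90 00 ?? ?? 45 56 49 4C"),  # MZ..??..EVIL
    "Example.Worm.B": parse_signature("57 4F 52 4D 2D 76 31"),             # "WORM-v1"
}


def matches_at(data: bytes, pos: int, pattern: Signature) -> bool:
    """True if `pattern` matches `data` starting at offset `pos`."""
    if pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def scan(data: bytes, signatures: Dict[str, Signature] = SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature found in `data`.

    Each signature is reported at most once, at its first occurrence.
    """
    hits: List[Tuple[str, int]] = []
    for name, pattern in signatures.items():
        for pos in range(len(data) - len(pattern) + 1):
            if matches_at(data, pos, pattern):
                hits.append((name, pos))
                break
    return hits


# Constructed sample "files" (not real malware): an MZ header followed by a
# marker the signature expects, a second sample carrying the worm marker, and
# a variant of the first sample in which a single byte of the marker differs.
KNOWN_TROJAN = b"MZ\x90\x00\x03\x00EVIL" + b"\x00" * 16
KNOWN_WORM = b"\x00" * 8 + b"WORM-v1" + b"\x90" * 8
UNSEEN_VARIANT = b"MZ\x90\x00\x03\x00EVI1" + b"\x00" * 16


if __name__ == "__main__":
    for label, sample in (("known trojan", KNOWN_TROJAN),
                          ("known worm", KNOWN_WORM),
                          ("one-byte variant", UNSEEN_VARIANT)):
        print(f"{label:18s} -> {scan(sample) or 'no signature match'}")
```

The wildcard bytes let one signature cover samples that differ only in those positions, but the third sample shows the limitation the post goes on to discuss: a change to any byte the signature pins down is enough for the scan to return nothing, and the sample stays undetected until a vendor has seen it and shipped a new pattern.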
The “Unsafe Bits” blog at Technology Review has a report, based on work done by Panda Security, a Spanish anti-virus vendor, that shows one reason why the good guys seem to be losing. Malware writers have for some time been using tactics to mask or vary the appearance of their code, so that it will be less likely to match an anti-malware signature. The task of keeping track of these changes is getting harder; for one thing, there are more of them:
On Wednesday, the company [Panda] announced that the quantity of malicious software seen by its customers has skyrocketed recently, with the firm now processing some 37,000 samples per day. In 2008, Panda saw 22,000 new samples every day, on average.
And the malware creators are getting better at changing their products more rapidly. (Even if a particular virus writer doesn’t know how to do this very well, he can obtain a toolkit to help him on the Internet.)
Panda documented the churn by noting that 52 percent of samples are only seen in a single 24-hour period. Another 19 percent do not last more than two days. Within three days, 80 percent of all malware disappears from the Internet.
Given this rate of change, even the daily updates that anti-virus vendors have been using for some time are probably not enough. Of course, most vendors now use various detection heuristics in addition to signature matching, but these have their own problems.
I still recommend that Windows users obtain a decent anti-virus program and keep it up to date. But having an effective firewall, in hardware or software, keeping up to date with software security patches, and avoiding software known to be particularly prone to malware attacks (such as Internet Explorer version 6) are probably more important.