Anti-virus software is dead? Resolving malware requires breaking old ideas

Author: Serdar yegulphosphatase

In the past few years, our computers have suffered unprecedented attacks, and malicious software has become increasingly intelligent and powerful. We can't help thinking, in the future Internet world, is anti-virus software still not part of the puzzle?

Security never exists in the PC World

For a long time in the past, the security issues we mentioned today did not exist in the PC world. The emergence of anti-virus software is not to help early operating systems and software against any attacks, but more to solve users' own mistakes. They work independently and seldom connect to the network. At that time, few malware, such as the Morris worm in November 1988, were able to pose serious threats.

However, with the prevalence of network connections and downloads, malware has become popular. At this time, the anti-virus program evolved into a universal system protective cover, monitoring and guarding all activities from the network to the disk.

The problem is that these anti-virus solutions are terrible for system resource consumption. A pc may become safer, but people cannot bear it running at half the speed. What's worse is the false sense of security created by these programs. People often become vigilant after daily updates and are attacked accordingly.

Permission restriction is finally available

A major change in the protection mechanism is the addition of user permissions. By default, a program cannot change any system configuration at will. To modify system settings, you must have administrator permissions.
Linux, OS X, and NT versions of Windows (NT, 2000, XP, and above) have set this permission restriction. However, this permission function still does not work well until recently: for example, most users log on as administrators in Windows, because it is too troublesome if not. There are too many Windows applications that can change everything when writing them until Vista and User Account Control appear: windows programmers have now developed the habit of running without the root permission. [Bkjia.com Editor's note: Windows 7 has also made great progress in this regard. For details, see "five things you should know about Windows 7 Security "]

Malware killer: zero-day attack

If the operating system is in a completely bug-free environment, limiting user permissions may be a relatively safe method. Unfortunately, the bug does not exist, which provides malware makers with the opportunity to explore new vulnerabilities that have not been patched, such as the notorious "zero-day attack ". The recently discovered OS X Kernel defect also emphasizes this point: Someone can bypass the permission mechanism through this vulnerability to directly write data to the kernel space.

In addition to zero-day attacks, the problem is that the end user still has many vulnerabilities that have not been patched for a long time and may eventually open the door to the bad guys. As BKJIA has previously introduced, Qualys, a network security enterprise, has found that patch patching generally takes 30 days. The irony is that the software that has not been patched for the longest time is the most widely used: Microsoft Office, Windows Server 2003, Sun Java, and Adobe Acrobat.

Is the whitelist valid?

A relatively new method in system security is the whitelist, that is, pre-defined directories of programs allowed to run. The whitelist can severely treat any running program, which enables it to defend against malicious software such as keylogger in local defense. However, the bkjia.com Security Channel has reported that the whitelist may affect the anti-virus software market.

The hard problem in the whitelist is that you need to create and maintain the list, which is the same as that in the blacklist. On the other hand, the whitelist is usually much smaller than the blacklist, which is easier to maintain and effective directly. For example, in Windows, you can set a whitelist based on file paths.

Another approach is to maintain a whitelist by a third party, such as using a pre-created whitelist from Kaspersky Lab to load and run only those "good" software. Local users can also add common applications that they need.

What is the value of retrospective protection?

If the anti-virus concept needs to be extended to include general "System Protection", it should now include how to recover from a disaster or how to accommodate a disaster.

Disaster Tolerance can be implemented using a "sandbox" approach, allowing any downloaded or installed software to run in a virtual space and analyze its behavior. Sandbox operations have helped improve security. In the long run, it is better to develop into a mature platform instead of being an additional application.

Disaster recovery assumes that an error may occur, but can be easily recovered. The full-system images of Vista and Windows 7 or OS X can provide great assistance, and can be more effective with the sandbox technology.

The best long-term solution for malware needs to be completed based on the platform. Although the complexity of the current software makes it impossible to build a unified security platform, such a platform cannot be perfect, but it can achieve higher security through continuous strict internal and external improvements. The most useful temporary solution will still come from a third party, but the old concept that needs to be changed is "scanning all actions", which brings more trouble while solving the problem.

Anti-virus software may not die, but may change its shape to adapt to the requirements of the times. It will develop into a complementary solution for mainstream computing and continue to help us prevent various threats.