Handbook of Local Area Networks, 1998 Edition: LAN Security

Drawbacks of Signature Scanning

Despite the existence of sophisticated antivirus tools, many organizations rely almost entirely on signature scanning to detect viruses. In light of the virus boom, signature scanning alone is a mediocre defense, at best. Some of the drawbacks of this commonly used approach are described in the following sections.

Passivity

The most profound flaw in relying on signature scanners is that they are reactive, or passive. The goal of scanning is to detect a virus that has already infected a file or a boot sector. The ideal method is to prevent viruses from infecting the system at all, not merely to be informed of the problem after the fact.

Incomplete Checking

A polymorphic virus, which produces varied but fully operational copies of itself, can deceive signature scanners by altering or encrypting its signature. Signature scanners have attempted to address this by including several signatures for a given virus, one for each possible encryption method or iteration of the signature. As polymorphic viruses become increasingly sophisticated, the brute-force method of including more signatures in the scanner will not be able to keep up with all the possible variants of all the polymorphic viruses.

Many polymorphs already evade detection by interspersing noise instructions or by interchanging mutually independent instructions within the code to continually modify the signature. A simple signature-based scanner cannot reliably identify this type of code.

Failure to Scan for Newer Viruses

Scan strings can only be extracted and cataloged if the antivirus vendor has a sample of the virus. In the recent past, it took the most common viruses six months to three years to become prevalent, giving vendors enough time to send out regular updates of known viruses and head them off. The exponential growth in viruses has increased the likelihood of a new virus reaching the LAN or PC before the update from the antivirus company does.

Besides creating a chance of missing an unknown virus, signature-based scanners require constant updating. If the signature scanner is not centrally administered, it slows productivity and drains resources because of the management tasks needed to install each successive enterprisewide update.

Insufficient Scanning Frequency

In theory, a virus infecting a system at 8:59 a.m. could be caught one minute later if the network is routinely scanned at 9:00 a.m. However, the opposite scenario is just as likely. A network may be scanned at 9:00 a.m. and become infected at 9:05 a.m. If the virus is a fast infector such as Dark Avenger or Frodo, once it is in memory it can infect not only executed programs, but even those that are merely opened. Such a virus has almost 24 hours of free time to wreak havoc in the network. Even worse, because many signature scanners open files in order to scan them, the very act of using the scanner can allow the virus to infect all programs at once.

Slow Scanning

Any scanner takes a finite amount of time to scan a machine for viruses — perhaps five minutes or more. If the 70 million US employees who use PCs spend five minutes a day scanning, and earn $15 an hour, the annual cost of scanning (260 days a year) is more than $22 billion. The costs of scanning exceed the purchase price of antivirus software after just a few weeks of scanning. More sophisticated tools can cut this time drastically by scanning checksums instead of the entire contents of every file.

The more viruses a scanner must search for, the more places within a file it must search, and the more files it must search across, the slower the search must be. Because strings must be stored in memory, and memory is limited, there will soon be two-pass products that load one set of strings, scan, then load a second set and scan. Although computers are faster now, hard drives are also getting larger.

Dependence on User Compliance

Traditional scanners do not work unless employees remember to use them. Some users are inclined to value their own productivity and convenience more than their employer's security concerns, and thus are not motivated to consistently scan. Even diligent users tend to get lax if scanning every day for a month produces no alarms.
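As an added example (not from the Handbook), the following Python contrasts the two approaches the text discusses: a scan-string check, which finds a copy that carries the string verbatim but misses a copy with noise bytes interleaved, and a checksum baseline, which flags both because it compares each file against a known-clean hash rather than looking for a pattern. The signature, file names and file contents are all constructed for the illustration.

```python
import hashlib
from typing import Dict, List

# Constructed "scan string" for a hypothetical virus; not a real signature.
SIGNATURES: Dict[str, bytes] = {
    "TOY.Demo.A": b"\xde\xad\xbe\xef\xca\xfe",
}

# Constructed sample files; the bytes stand in for on-disk executables.
CLEAN_FILES: Dict[str, bytes] = {
    "EDIT.EXE": b"MZ" + bytes(range(32)),
    "CALC.EXE": b"MZ" + bytes(range(32, 64)),
}

# The same files after a constructed "infection": one copy carries the scan
# string verbatim, the other carries it with a noise byte (0x90) between each
# original byte, the kind of variation the text describes for polymorphs.
INFECTED_FILES: Dict[str, bytes] = {
    "EDIT.EXE": CLEAN_FILES["EDIT.EXE"] + SIGNATURES["TOY.Demo.A"],
    "CALC.EXE": CLEAN_FILES["CALC.EXE"]
    + b"\xde\x90\xad\x90\xbe\x90\xef\x90\xca\x90\xfe",
}


def signature_scan(data: bytes) -> List[str]:
    """Reactive check: names of known scan strings found in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 per file while the system is known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Names of files that changed, appeared or vanished relative to the baseline."""
    current = build_baseline(files)
    return sorted(
        name for name in set(current) | set(baseline)
        if current.get(name) != baseline.get(name)
    )


def compare_approaches() -> Dict[str, List[str]]:
    """Run both checks over the infected set; the baseline comes from the clean set."""
    baseline = build_baseline(CLEAN_FILES)
    by_signature = [n for n, d in INFECTED_FILES.items() if signature_scan(d)]
    by_integrity = integrity_check(INFECTED_FILES, baseline)
    return {"signature": by_signature, "integrity": by_integrity}


if __name__ == "__main__":
    print(compare_approaches())
```

The integrity check depends on the baseline having been taken on a clean system, and it also reports legitimate updates, so flagged files still need to be examined rather than treated as confirmed infections.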