Antivirus software is a required component for safe computing. Security experts warn that an unprotected computer straight out of the box and connected to the Internet will catch multiple virus infections in its first 20 minutes online.
Antivirus software programs, however, are only reliable if they are regularly updated with the latest detection signatures. Even up-to-date antivirus protection doesn’t guarantee infection-free computing: a signature-based scanner cannot recognize a virus until a signature for it exists, and in that window new virus code can infect thousands of computers connected to the Internet. Roughly eight hours can pass between the moment antivirus researchers discover a new virus in the wild, write a remedy and distribute the cure to subscribers in a signature update.
To the Rescue
Two companies have been working together to shut that window. After nine months of in-house and beta testing, global information technology services company EDS and the Internet security firm IronPort Systems released a jointly created Virus Outbreak Filters system this week.
Virus Outbreak Filters provide an early-warning system for virus protection. They are meant to slow virus proliferation and so avert the lost time and high cost of recovering from virus attacks on corporate networks. Officials at both companies say their antivirus innovation will affect the general population.
IronPort already works with large ISPs such as AOL, Sprint, Verizon, Bell Canada and RoadRunner. While not available to individual consumers, the filters applied at the ISP and corporate levels will go a long way to curtailing the spread of viruses, company officials told TechNewsWorld.
VOF Unmasked
The VOF process is similar in concept to methods employed to build spam filters, said Ambika Gadre, director of product marketing for information services for IronPort Systems.
IronPort has built massive e-mail traffic databases for its customers that allow the company to track the global volume of e-mail being delivered through different ISPs. The tracked attributes include message content, blacklists and whitelists, open-relay lists and the geographic location of senders.
“In-house statisticians monitor the tracking results,” Gadre said. “They find that anomalies are excellent predictors of virus baseline activity just as they are in spotting spam. Virus Outbreak Filters are just like that. But they are based on other parameters as well. We also look at mail from new senders and zipped files.”
Early VOF results are encouraging. Recently, EDS got a lead time of four hours and 48 minutes on the latest outbreak of the Bagle worm (Bagle.AI): the filter quarantined more than 34,000 suspect e-mails after detecting a suspicious pattern hours before any antivirus vendor released an updated signature.
Ninety-seven percent of all virus-infested e-mail that tried to hit EDS’s 10,000-user customer network was quarantined. This saved hours of downtime for the company. Moreover, no legitimate e-mail was lost to the quarantine.
VOF procedures produced even better results with a more recent MyDoom variant, MyDoom.O, on which EDS achieved a nine-hour lead time.
Screening Process
Gadre said most antivirus interception is based on signature recognition of known viruses. This is the main cause of the six- to eight-hour gap: a signature can only be written after a sample of the new virus has been captured and analyzed.
“The nature of virus attacks has changed,” Gadre told TechNewsWorld. “Now 90 percent of new virus code is spread through attached files in e-mail. Now it takes only minutes to spread viruses worldwide.”
Part of the screening process involves reputation filters based on the legitimacy of the sender. IronPort is a partner in the Sender ID initiative to block spam.
“The use of reputation filters has been very successful for us. It handles 75 percent of bad e-mail,” Gadre said.
The VOF process relies on a dynamic quarantine to complete the filtering task. Messages that show the characteristics of outbreak e-mail are held in quarantine for up to 48 hours. Once updated signatures are available and a rescan finds a message free of malicious code, it is released for delivery.
“We quarantine questionable items,” Gadre said. “We don’t delete them. We hold them in quarantine until new virus signatures are available.”
Benefits and Advantages
The VOF process combines the slower but definitive verdicts of signature-based virus detection with the fast response of filtering suspicious e-mail. Filtering takes place on mail-filtering devices at the customer’s location, and those devices communicate with IronPort’s off-site servers.
Mail is not rerouted; it is quarantined locally. Customers configure the threat level at which mail is held, on a scale from zero to five, as appropriate to their corporate policies.
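The anomaly tracking, the 48-hour quarantine and the customer-set threat threshold described above can be sketched in one small simulation. The following is an added example written for this page, not IronPort or EDS code: the scoring rules, the 0..5 threat scale mapping, the threshold, the hourly-baseline statistics and the sample traffic are all assumptions constructed for illustration, and attachment file names stand in for the hashes a real signature scan would match on.

```python
"""Toy virus outbreak filter in the spirit of the article's description.

Added example, not IronPort or EDS code. The scoring rules, thresholds,
attribute names and the sample traffic are all assumptions made for
illustration; attachment file names stand in for the hashes a real
signature scan would use.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Optional

# Attachment types treated as likely outbreak carriers (assumption; the
# article mentions only "zipped files" and e-mail attachments in general).
RISKY_EXT = {"zip", "exe", "scr", "pif"}


@dataclass
class Message:
    msg_id: str
    sender: str
    received: datetime
    attachment: Optional[str]   # attachment file name, or None
    sender_seen_before: bool    # result of a sender-history lookup


def extension(name: Optional[str]) -> str:
    return name.rsplit(".", 1)[-1].lower() if name and "." in name else ""


@dataclass
class OutbreakFilter:
    # Constructed hourly counts of risky attachments in normal traffic; the
    # anomaly score compares the current hour against this baseline.
    baseline_risky_per_hour: list
    quarantine_threshold: int = 3          # customer-set, on the 0..5 scale
    max_hold: timedelta = timedelta(hours=48)
    hourly_risky: dict = field(default_factory=dict)   # hour -> count so far
    quarantine: dict = field(default_factory=dict)     # msg_id -> Message

    def _zscore(self, count: int) -> float:
        sd = pstdev(self.baseline_risky_per_hour) or 1.0
        return (count - mean(self.baseline_risky_per_hour)) / sd

    def threat_level(self, msg: Message) -> int:
        """0..5 from attachment type, sender novelty and hourly volume anomaly."""
        level = 0
        if extension(msg.attachment) in RISKY_EXT:
            level += 2
            hour = msg.received.replace(minute=0, second=0, microsecond=0)
            self.hourly_risky[hour] = self.hourly_risky.get(hour, 0) + 1
            z = self._zscore(self.hourly_risky[hour])
            level += 2 if z > 4 else 1 if z > 2 else 0
        if not msg.sender_seen_before:
            level += 1
        return min(level, 5)

    def handle(self, msg: Message):
        """Return (level, action); action is 'deliver' or 'quarantine'."""
        level = self.threat_level(msg)
        if level >= self.quarantine_threshold:
            self.quarantine[msg.msg_id] = msg     # held locally, not rerouted
            return level, "quarantine"
        return level, "deliver"

    def apply_signature_update(self, known_bad: set) -> dict:
        """Rescan held mail once signatures arrive: matches are dropped,
        everything else is released for delivery."""
        verdicts = {}
        for msg_id, msg in list(self.quarantine.items()):
            verdicts[msg_id] = "dropped" if msg.attachment in known_bad else "released"
            del self.quarantine[msg_id]
        return verdicts

    def expire(self, now: datetime) -> list:
        """Release mail held past max_hold with no verdict (assumed fail-open
        behaviour at the 48-hour mark; the article does not say)."""
        due = [i for i, m in self.quarantine.items() if now - m.received > self.max_hold]
        for i in due:
            del self.quarantine[i]
        return due


def run_demo() -> dict:
    """Constructed outbreak: a burst of zip attachments from new senders."""
    t0 = datetime(2004, 8, 20, 9, 0)
    f = OutbreakFilter(baseline_risky_per_hour=[3, 4, 2, 5, 3, 4])
    msgs = [Message("m0", "alice@partner.example", t0, None, True),
            Message("m1", "bob@partner.example", t0 + timedelta(minutes=1), "q3.zip", True)]
    for i in range(10):   # ten zips from never-seen senders within minutes
        name = "report.zip" if i == 4 else "photos.zip"
        msgs.append(Message(f"n{i}", f"user{i}@unknown{i}.example",
                            t0 + timedelta(minutes=2 + i), name, False))
    levels, actions = {}, {}
    for m in msgs:
        levels[m.msg_id], actions[m.msg_id] = f.handle(m)
    held = sorted(f.quarantine)
    verdicts = f.apply_signature_update({"photos.zip"})   # signature arrives later

    g = OutbreakFilter(baseline_risky_per_hour=[3, 4, 2, 5, 3, 4])
    g.handle(Message("late", "x@unknown.example", t0, "a.zip", False))
    return {"levels": levels, "actions": actions, "held": held, "verdicts": verdicts,
            "expired_early": g.expire(t0 + timedelta(hours=47)),
            "expired_late": g.expire(t0 + timedelta(hours=49))}


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is the one the article makes: the first zipped message from a known sender is delivered, the same attachment from an unknown sender is held, and as the hourly count climbs past the baseline the threat level rises to five, all before any signature exists. When the signature update arrives, the rescan drops the nine matching messages and releases the one unrelated zip that was held alongside them. The fail-open release at 48 hours is a design choice a deployment would have to make explicitly.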
Gadre said protection is available around the clock and no large IT staff is required for maintenance. The technology can provide significant savings, as Gadre said it can cost companies from US$200 to $500 per desktop computer to clean out each virus infection, not including lost productivity.
IronPort provides security services to six of the biggest Internet Service Providers. VOF is available indirectly to their individual customers and directly to enterprise and small businesses.
Novel Idea
Richard C. Parvin, a senior engineer at EDS, devised the VOF concept after the massive Blaster worm attack of August 2003 and the MyDoom outbreak last January gave him enough raw material to view the problem from a new perspective.
“I just ordered a shields-up command,” the capability leader for Internet access engineering said, referring to his decision to make an emergency halt to the delivery of all corporate mail at the company. He said that approach was very clumsy because it stopped good and bad mail alike. He decided to use EDS’s existing spam mail database to spot questionable characteristics in the quarantined mail.
“The problem with leveraging the spam network already there was what to do with it,” he said. “For the first time I had some tools to work with. We stopped all mail until I figured it out.”
Parvin knew that in order to realize his goal of saving customers from viruses, he needed to shorten the time it took to spot a problem and shut down mail delivery. “I got it down to 15 minutes,” he said.
Parvin then worked through EDS with IronPort to perfect the VOF process. In theory, industry desktops won’t be vulnerable to viruses with the new filtering process, according to Parvin. The system improves upon both the virus signature and heuristics methods of spotting malicious code.