Malware Scanner Definitions, Signatures

[Soda_Popinsky]

With the introduction of bogus malware scanners like StopSign (http://www.eacceleration.com/) and pretty much anything advertised in a pop-up, I feel like its time for a change in the way Anti-Malware is handled. I have a few questions and would like to see some opinions.

AV's are great and all but I think that they are losing the fight, and I don't believe that the responsibilities are distributed efficiently among malware vendors. Just today, I ran updated scans with multiple scanners, (everything through the malware checklist I wrote) on an office box, and the malware practically won. I had to do all sorts of manual removals of virii & adware with HJT and other hacks, and I spent the most amount of time I have ever spent on a machine like this. Funny thing was, xp was fully updated.

So I've been thinking, it seems like every malware vendor has a scanner, and definitions. Norton sells the AV scanner, and they sell a subscription to download signatures. But with new bogus scanners becoming available, and even COMMERCIALS for them (stopsign), the average consumer will soon be screwed over. I think the future of desktop Anti-Malware will need to be open source. So far all I have seen is ClamAV, which I like, but it doesn't seem very quick, or up to date from my minimal use. So here are my ideas for a better AV solution.

1. I think that splitting up the responsibilities into 2 groups would be more powerful. The scanner end would be developed by the open source community, and the definitions developed by the current vendors (or community). The definitions should be designed by a standard, so a single scanner can use multiple vender definitions. This way, Norton, McAfee and other AV companies still make money off their subscriptions, provide better definitions because they no longer need to develop the scanning engine, and can still compete with each other to provide stronger, quicker definitions at a faster rate. Definitions created by open source groups will be possible, because a standard design exists for them, and homemade definitions will be possible as well. The scanner's integrity will be the same as any open source project.

2. A centralized location to submit malware, possibly goverment operated, that vendors and open source developers can have access to, to create definitions. When an alpha definition is made, the malware is locked up.

Obviously, huge roadblocks exist in this design. The "standard" definition will be near impossible to create, because of polymorphism. It would take global vendor support to pull off, and would probably only happen if they can all agree on a standard design for definitions and scanners. And a standard for heuristics is obviously tough too, because heuristics suck as it is anyway. Only time can tell, I guess.

Thoughts or comments?

[SDK]

You won't make multiple company work together. That a dream that would happen.

For myself, I think the key reside in the merge of Anti-Virus and Anti-Spyware into one powerful tool. Spy-ware and malware need to be thread like Virus!

[Soda_Popinsky]

merge of Anti-Virus and Anti-Spyware into one powerful tool

Thats sort of the point. A scanning engine that can load multiple definition files for whatever the definitions are for.

You won't make multiple company work together.

Obviously I'm not convincing anyone to change, but I think that consumer demand will eventually break the anti-malware buisness into 2 independent markets, the scanning engine, and the signatures.

[RejectKnowledge]

I tend to agree with what Soda is saying. I'm sure all of us, at one point or the other, have thought that our anti-virus should be able to pick up spyware, and malware too (the idea sure corssed my mind). True they are two different things, but just think about it. To the common end user, it's just an annoyance. They don't understand replicating virus, or tracking cookie. They understand "PC slowing down" "PC not booting" or "IE going haywire OMFG!1!!1!".

Having the scanners developed by the open source community will bring it with the many myriad benefits of having open source software (and a drawback or two as well, I'm sure). The race for having updated definitions will then be an interesting ones. The winner would be the user community because we've got big AV companies scrambling to give us updated, effective definitions.

Yes, but again the problem of syncornization exists. It'll be interesting to see what ideas we can come up with. So guys, pour in some suggestions?

Cheers.

[Und3ertak3r]

Very Idealistic.. bit like a recent post on Virus Free Internet.. BUT.. It could work..

1/ Forget the Big Av's .. they want max return on dollar.. and the virus engine is their baby, as are their def codes.
2/ Put this idea to the Open Source comunity..a quick search of Souceforge probably will show a number of projects..
3/ get behind the projects you find and promote or help with code (beta test or submitt code)

consumer demand will eventually break the anti-malware buisness

then the solution is to work on the consumer.. a lot of people still think that you need an IBM PC to have the most compatable PC.. and that Norton is ithe only Anti Virus that works.. (Oh the same ones who think Windows is good and Microsft is bad.. except microsoft Office..or is that.. I don't want windows but I do want microsoft .. I give up.. too many id10t's this week)

Cheers

[SDK]

The general population is scared to death about virus! Making AV software pick up malware would wake-up a lot of peoples!

[Soda_Popinsky]

1/ Forget the Big Av's .. they want max return on dollar.. and the virus engine is their baby, as are their def codes.

Here's the catch though...
An open source definition standard will launch countless new AV groups that release definitions. Think about it, the subscription buisness would be a very, very easy buisness to get into, because no scanner needs to be developed, and the work is already outlined. If there is a demand, then the bigger AV companies would offer that signature in time, because it would profit them. AV subscription costs would sink to nothing, and there will be many different cost efficient options. Norton will cost a lot, and some other budget AV will come around with their definitions.

But the signatures have to be standardized. Thats the hardest part of all, if near impossible.

[Irongeek]

It's a great idea Soda, but I doubt you could ever get the big AV vendors to buy into it until a large percentage of users already used the open standard. It will be great for the users, but I'm not sure how the big vendors will make a profit from it (so there would be no reason for them to support it). It would pretty much be up to the Open Source community to make the Scanner and the Defs.

[Soda_Popinsky]

Norton would be selling their name, and they are already established as having a solid R&D department. Selling subscriptions is what they do already, it's how they make money off of AV! Another plus would be specialized signatures- A guy like merjin can add his CWS sigs to the scanner. The more I think about it, the more I think it will eventually happen. All someone has to do is make the scanner, and outline an agreeable definition standard. Then open source groups would get involved first, and the big guns would split their definitions up for their scanner and the open source one for profit.

I received this pm from a member about sigs:

Good anti-spy programs will use a variety of methods for detection including registry scanning, md5 signatures, digital fingerprints, filesize, CLSID, windows titles and other traces that spyware leaves on your machine.

If you ask me, static detection technniques would be simple to standardize.
Also, check out the pdf I attached. From looking at the detection techniques, I think that may not be rocket science to standardize, even with limited heuristics.