
Frequent updates for always-on protection

Aug 23, 2010

As you know, most antivirus programs use several methods to detect, prevent and remove computer viruses, worms, Trojan horses, adware, spyware, rootkits and other forms of malware. The two most commonly used methods are heuristic-based detection and signature-based detection.

Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses.

Because new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.

Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.

Heuristic-based detection
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.

For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct members, Trojan.Vundo and Trojan.Vundo.B.

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. Padded code is used to confuse the scanner so it can't recognize the threat.
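To make the two points above concrete (an exact signature fails as soon as the sample is padded or encrypts itself, while a generic signature with wildcards still catches padded family members), here is an added example that is not from the original post or from any vendor's engine. It builds constructed "family members" from an invented byte stub, writes a generic signature in a simplified wildcard notation modelled on ClamAV-style hex signatures (`??` for one arbitrary byte, `{n-m}` for n to m arbitrary bytes), and scans each variant with both the exact and the generic signature. The stub bytes, the signature, and the XOR "encryption" standing in for a polymorphic variant are all assumptions of the example.

```python
import re
from typing import Optional

# Constructed family stub shared by every member (invented bytes, not a real sample):
# members differ only in the padding the author inserts between head and tail.
FAMILY_STUB_HEAD = b"\x55\x8b\xec\x83\xec\x20"
FAMILY_STUB_TAIL = b"\xe8\x00\x00\x00\x00\x5b"


def make_variant(padding: bytes, key: Optional[int] = None) -> bytes:
    """Build a constructed family member: head + padding + tail.

    If `key` is given, the whole body is XOR-encoded, which stands in for a
    polymorphic variant that encrypts itself so the plain bytes never appear
    on disk (the decryptor stub itself is omitted; it is not needed to show
    why a plain-byte signature stops matching)."""
    body = FAMILY_STUB_HEAD + padding + FAMILY_STUB_TAIL
    if key is not None:
        body = bytes(b ^ key for b in body)
    return body


# Exact signature: the unpadded member, byte for byte. Matches exactly one variant.
EXACT_SIGNATURE = FAMILY_STUB_HEAD + FAMILY_STUB_TAIL

# Generic signature: head, then 0-32 arbitrary bytes, then the call opcode with
# any 4-byte displacement, then the pop. The bounded range keeps it from being
# over-broad, which is what limits false positives on unrelated files.
GENERIC_SIGNATURE = "558bec83ec20{0-32}e8????????5b"


def compile_signature(sig: str) -> re.Pattern:
    """Translate the wildcard hex signature into a compiled bytes regex."""
    parts = []
    i = 0
    while i < len(sig):
        if sig[i] == "?":                      # '??' -> any single byte
            parts.append(b".")
            i += 2
        elif sig[i] == "{":                    # '{n-m}' -> n..m arbitrary bytes
            end = sig.index("}", i)
            lo, hi = sig[i + 1:end].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
            i = end + 1
        else:                                  # two hex digits -> one literal byte
            parts.append(re.escape(bytes.fromhex(sig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


GENERIC_RE = compile_signature(GENERIC_SIGNATURE)


def scan_exact(data: bytes) -> bool:
    return EXACT_SIGNATURE in data


def scan_generic(data: bytes) -> bool:
    return GENERIC_RE.search(data) is not None


def demo() -> dict:
    """Scan constructed samples; returns {name: (exact_hit, generic_hit)}."""
    samples = {
        "original":    make_variant(b""),                 # unpadded member
        "padded":      make_variant(b"\x90" * 12),        # 12 bytes of filler inserted
        "overpadded":  make_variant(b"\x90" * 40),        # more filler than the {0-32} range allows
        "polymorphic": make_variant(b"", key=0x5A),       # self-encrypted member
        "benign":      b"Hello, world. Nothing to see here.",
    }
    return {name: (scan_exact(d), scan_generic(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (exact, generic) in demo().items():
        print(f"{name:12s} exact={exact!s:5s} generic={generic}")
```

The `padded` row is the case the post describes: the exact signature misses it, the wildcard signature still fires. The `overpadded` and `polymorphic` rows show the two limits a researcher has to keep in mind: the wildcard range is a deliberate bound (widen it and the signature becomes more prone to false positives), and no plain-byte signature, generic or not, sees through a variant that encrypts itself, which is why the heuristic methods in the next section exist.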

It should be mentioned that, if the antivirus software employs heuristic detection (of any kind), success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. For example: A false positive is identifying a file as a virus when it is not a virus. If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable.
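The balance the paragraph describes can be measured rather than guessed. The following added example (not from the original post or from any vendor) scores a small constructed corpus of labelled samples with a few invented heuristic rules, one of them a Shannon entropy check that flags packed or encrypted bodies, and then counts false positives and false negatives at every possible alerting threshold. The rule names, their weights, the sample names and the labels are all assumptions made up for the example.

```python
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Packed or encrypted content sits near
    8.0; ordinary code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed heuristic rules and weights (invented for this example).
RULES = {
    "writes_own_exe": 4,               # modifies executable files on disk
    "writable_executable_section": 3,  # has a section that is both writable and executable
    "no_version_info": 1,              # ships without a version resource
}
HIGH_ENTROPY_WEIGHT = 2                # added when body entropy exceeds 7.0 bits/byte


def heuristic_score(sample: dict) -> int:
    score = HIGH_ENTROPY_WEIGHT if shannon_entropy(sample["bytes"]) > 7.0 else 0
    return score + sum(RULES[flag] for flag in sample["flags"])


# Constructed bodies: a uniform byte distribution (entropy exactly 8.0) and plain text.
HIGH = bytes(range(256)) * 16
LOW = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." * 100

# Constructed labelled corpus: (name, sample, is_malicious). Benign entries are the
# kind of legitimate software that trips individual rules (installers, JIT runtimes).
CORPUS: List[Tuple[str, dict, bool]] = [
    ("compressed_installer", {"bytes": HIGH, "flags": ["writes_own_exe", "no_version_info"]}, False),
    ("jit_runtime",          {"bytes": LOW,  "flags": ["writable_executable_section"]}, False),
    ("text_editor",          {"bytes": LOW,  "flags": []}, False),
    ("self_updater",         {"bytes": LOW,  "flags": ["writes_own_exe"]}, False),
    ("packed_trojan",        {"bytes": HIGH, "flags": list(RULES)}, True),
    ("dropper",              {"bytes": LOW,  "flags": ["writes_own_exe", "no_version_info"]}, True),
    ("injector",             {"bytes": HIGH, "flags": ["writable_executable_section", "no_version_info"]}, True),
]


def evaluate_threshold(corpus, threshold: int) -> Tuple[int, int]:
    """Return (false_positives, false_negatives) when alerting on score >= threshold."""
    fp = fn = 0
    for _, sample, malicious in corpus:
        flagged = heuristic_score(sample) >= threshold
        if flagged and not malicious:
            fp += 1
        elif malicious and not flagged:
            fn += 1
    return fp, fn


def choose_threshold(corpus, fp_cost: float, fn_cost: float) -> int:
    """Pick the threshold with the lowest weighted cost; ties go to the lowest threshold.
    Raising fp_cost models a product that deletes or quarantines on detection, where a
    false positive on an essential file is the more damaging outcome."""
    max_score = HIGH_ENTROPY_WEIGHT + sum(RULES.values())
    def cost(t: int) -> float:
        fp, fn = evaluate_threshold(corpus, t)
        return fp_cost * fp + fn_cost * fn
    return min(range(0, max_score + 2), key=cost)


if __name__ == "__main__":
    for t in range(0, HIGH_ENTROPY_WEIGHT + sum(RULES.values()) + 2):
        print(f"threshold {t:2d}: (fp, fn) = {evaluate_threshold(CORPUS, t)}")
    print("equal costs            ->", choose_threshold(CORPUS, 1, 1))
    print("false positive 3x cost ->", choose_threshold(CORPUS, 3, 1))
```

With equal costs the corpus settles on threshold 5 (one false positive, the compressed installer, no misses). Weighting a false positive three times as heavily, as you would for a scanner that quarantines automatically, pushes the choice to threshold 8: the installer is left alone, at the price of missing the two weaker malicious samples. That shift is the trade-off the paragraph warns about; the corpus here is tiny, so the numbers illustrate the method rather than any real product's tuning.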

Update frequencies
So, as you have seen, to protect a computer it is important that the antivirus program updates its definitions as often as possible. That's why I decided to compare the update frequencies of the older Symantec Norton Anti-Virus 2008 and Symantec Norton Anti-Virus 2009/2010:

According to the AV-Test company, since 1st January 2010 they have recorded 54493 updates of Symantec Norton Anti-Virus 2009/2010, which is 236 updates per day, 1651 updates per week or 7077 updates per month. On the other hand, since 1st January 2010 AV-Test has recorded 555 updates of Symantec Norton Anti-Virus 2008 (that is 3 updates per day, 17 updates per week or 72 updates per month). Conclusion? Always try to use only the most recent versions of software, and this applies not only to antivirus solutions but also to other programs, if you want to stay secure and protect your privacy.

Also, I compared the Symantec Norton Internet Security 2010 product with five products (Panda Internet Security 2010, Kaspersky Internet Security 2010, F-Secure Internet Security 2010, AVG Internet Security 9.0 and G Data Internet Security 2010/2011) which, according to recent antivirus tests, offer better protection. You can see the comparison results in the chart below:

Following these comparisons and the antivirus test results of AV-Test, I thought that Norton Internet Security is a good security suite for protecting data, provided, of course, that the PC is always connected to the Internet and can regularly download the latest virus definitions.
