Tuesday, December 06, 2005

the 'behaviour monitor' fairytale

y'know, i'm starting to get a little sick and tired of the recent resurgence of
anti-virus software looks for suspicious behaviour so why didn't/couldn't it stop X
and
anti-virus software should look for suspicious behaviour so that it can protect us against Y


it's not a new idea - not by a long shot... it's more than 10 years old and used to be known as behaviour blocking...

way back in the day there were some programs that did this sort of thing (notably thunderbyte anti-virus) but the idea lost favour for some very good reasons...

the first is that if you allow the malware to run (which you need to do in order to take note of its behaviour) then the malware can simply shut down the behaviour monitor and go on about its merry malware way without having to worry about raising any alarms... this wasn't just a theoretical possibility, it happened... then it happened again, and again and again... even today, despite the lack of widespread use of this technique, viruses and worms and trojans and all sorts of other malware are routinely programmed to kill large lists of security-related processes... clearly, once the malware is running on the same cpu as your security software the window of opportunity for that security software to reliably stop the malware is closed...

another very good reason the idea fell out of favour is the false alarm problem... the software would have to decide whether or not to raise an alarm based on the number and severity of suspicious actions a suspect program takes - the lower the threshold is set the more sensitive it is to suspicious actions and the more likely it is to raise an alarm on something that is completely safe - the higher the threshold is set the less sensitive it is to suspicious actions and the more likely it is to let something bad slip through... letting bad things through is bad enough, but raising alarms on safe programs when the user has basically no real way to determine if the behaviour monitor's suspicions are warranted or not wastes the user's time on needless research and recovery - not to mention that most users' first instinct when faced with an alarm from their security software is something closer to panic than to reasoned analysis...
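to make the threshold trade-off concrete, here's a toy scoring monitor (added here as an illustration, not code from any product or from this post) run over a handful of constructed action traces; the action weights and the traces are assumed values for the sake of the example, and the point is that a benign installer and a dropper can earn the same score, so no threshold gives zero false alarms and zero misses at once.

```python
"""toy behaviour-monitor scoring: constructed data, illustration only"""

# per-action suspicion weights (assumed values, not from any real product)
ACTION_WEIGHTS = {
    "write_executable": 3,
    "modify_autorun_key": 3,
    "kill_process": 4,
    "open_network_socket": 1,
    "read_address_book": 2,
    "write_temp_file": 0,
}

# constructed traces: (name, is_malicious, observed actions)
SAMPLES = [
    ("installer",    False, ["write_executable", "modify_autorun_key", "write_temp_file"]),
    ("mail_client",  False, ["read_address_book", "open_network_socket"]),
    ("task_manager", False, ["kill_process"]),
    ("text_editor",  False, ["write_temp_file"]),
    ("worm",         True,  ["read_address_book", "open_network_socket", "write_executable"]),
    ("trojan",       True,  ["kill_process", "modify_autorun_key", "write_executable"]),
    ("dropper",      True,  ["write_executable", "modify_autorun_key"]),
]


def score(actions):
    """sum the weights of the suspicious actions in a trace"""
    return sum(ACTION_WEIGHTS.get(a, 0) for a in actions)


def evaluate(threshold, samples=SAMPLES):
    """return (false_alarms, misses) when alarming on score >= threshold"""
    false_alarms = misses = 0
    for _, malicious, actions in samples:
        flagged = score(actions) >= threshold
        if flagged and not malicious:
            false_alarms += 1
        if malicious and not flagged:
            misses += 1
    return false_alarms, misses


def sweep(thresholds=range(1, 12)):
    """map each candidate threshold to its (false_alarms, misses) pair"""
    return {t: evaluate(t) for t in thresholds}


if __name__ == "__main__":
    for t, (fa, miss) in sweep().items():
        print(f"threshold {t:2d}: false alarms={fa} misses={miss}")
```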

there are still a few products out there that use behaviour monitoring, but in general they're obscure products... the problem of being shut down by malware is mitigated by that obscurity (security by obscurity is no security at all, however) as the malware writers won't think to include those products in the large lists of processes to kill... the problem of false alarms is dealt with by - well, perhaps there's a good reason they remain obscure products (perhaps the problem isn't dealt with all that well at all)...

although behaviour monitoring does have some strength in areas where contemporary scanning technology is weak (new malware), its weaknesses more than cancel out that strength...

(and yes, i'm fully aware that one way to deal with the problem of being shut down by the malware is to run the malware in a virtual environment instead of on the physical machine, but then we're no longer talking about simple behaviour monitoring - that's sandbox technology)
