Monday, February 18, 2008

why proactive anti-malware controls are dumb

no, i'm not trying to insult proponents of proactive techniques... i'm not trying to say that using proactive controls is dumb, but rather that the controls themselves are dumb...

the diametrical relationship between proactive and reactive preventative controls can be considered equivalent to the one between generic and malware-specific (aka known-malware) techniques respectively... to be truly proactive means to be able to do something about or block a piece of malware before anyone knows anything about it - therefore it can't be malware-specific because a malware-specific control can't be built until after knowledge of the malware is acquired...

therefore proactive/generic controls lack the knowledge component that reactive/malware-specific techniques have and so are stupid... by extension, built-in knowledge is a luxury only reactive/malware-specific techniques can have... of course it is entirely possible to have a little bit of both and provide some shades of gray between these black and white polar opposites...

being stupid isn't necessarily a bad thing in a control, mind you... sharks are often referred to as being perfect killing machines but you won't catch anyone accusing them of being unusually intelligent... so using a dumb control can still be smart if the control is effective... in fact, one could even say that using a dumb control effectively requires intelligence because it doesn't come with any of its own...

2 comments:

Luke said...

Actually proactive anti-malware controls can be smart.

As you yourself pointed out in a comment, proactive anti-malware should focus on tracking the context of the behavior exhibited by the application.

That's pretty smart to me, far smarter than known malware scanning.

There are already products like Threatfire and to a lesser extent Mamutu, Primary Response SafeConnect etc. that already do this (or at least claim to)...

kurt wismer said...

while i'll agree that the design of such controls would be pretty smart, the controls themselves would not be...

basically what i'm talking about is having knowledge... truly proactive controls fundamentally cannot have knowledge of threats because they're designed before those threats come into existence... causality keeps proactive controls dumb...

they can still be effective, they can still be sophisticated, but they cannot contain knowledge...