Friday, March 21, 2008

the price of anti-virus

i found an interesting opinion on the pricing of anti-virus products over at the agnitum blog a while ago - basically mikhail penkovsky is saying (among other things) that part of the development cost should have gone away a long time ago... well, i have a different opinion...

i've often said that signature updates tell a known-malware scanner what to look for while engine updates tell a scanner where and how to look...

the need for signature updates is patently obvious - malware authors keep writing more malware so more signatures are required to detect the new malware... you might think that after a while, however, you wouldn't need to update where and how the scanner looks for things, there should only be so many ways and places to hide the malware, right?

wrong - not only are there basically an infinite number of ways for malware to perform all the functions we already know about, as new legitimate software is developed new opportunities for exploitation open up alongside it (e.g. create a new document format that contains macros and watch new macro-based malware get developed)... furthermore, there are a number of things that scanners still don't do well enough and that require more research and development (like seeing through packers and other obfuscation techniques)...
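to make the signature-versus-engine distinction concrete, here is a toy known-malware scanner (an added example for this post, not code from the original or from any real product). the signature list, the "XPK1" xor packer and the "DOC1:" base64 document container are all constructed for the example; they stand in for a real packer and a real macro-bearing document format. the point it shows: once the malware sits inside a container the engine doesn't understand, adding more signatures changes nothing - only teaching the engine where and how to look (a new unpacker) makes the same old signature fire again.

```python
import base64

# constructed signatures: (detection name, byte pattern). these are not real
# malware signatures, just strings that play the role of "what to look for".
SIGNATURES = [
    ("Demo.Dropper", b"DROP-PAYLOAD-v1"),
    ("Demo.Macro", b"AutoOpen:run-shell"),
]


def match_signatures(data, signatures=SIGNATURES):
    """the signature half of the scanner: which known patterns appear in data?"""
    return [name for name, pattern in signatures if pattern in data]


# --- constructed container formats the engine has to learn about ----------
XOR_MAGIC = b"XPK1"   # hypothetical packer: magic, one key byte, xor'd payload
DOC_MAGIC = b"DOC1:"  # hypothetical document format: magic, base64 macro body


def xor_pack(payload, key):
    """pack a payload the way the hypothetical XPK1 packer would."""
    return XOR_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def try_unpack_xor(data):
    """engine knowledge #1: recognise XPK1 and recover the plain payload."""
    if data.startswith(XOR_MAGIC) and len(data) > len(XOR_MAGIC):
        key = data[len(XOR_MAGIC)]
        return bytes(b ^ key for b in data[len(XOR_MAGIC) + 1:])
    return None


def doc_pack(macro_source):
    """build a hypothetical DOC1 document carrying a macro body."""
    return DOC_MAGIC + base64.b64encode(macro_source)


def try_unpack_doc(data):
    """engine knowledge #2: recognise DOC1 and extract the macro body."""
    if data.startswith(DOC_MAGIC):
        try:
            return base64.b64decode(data[len(DOC_MAGIC):], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    return None


# successive "engine updates": each version knows about more places to look.
ENGINE_V1 = ()                                # raw bytes only
ENGINE_V2 = (try_unpack_xor,)                 # learned the XPK1 packer
ENGINE_V3 = (try_unpack_xor, try_unpack_doc)  # learned the DOC1 container too


def scan(data, signatures=SIGNATURES, unpackers=ENGINE_V1, max_depth=4):
    """the engine half of the scanner: scan the raw bytes, then recursively
    unpack every layer the engine knows about and scan what comes out.
    max_depth bounds nested containers so a packer-inside-a-packer chain
    cannot drive the scanner into unbounded work."""
    found = set(match_signatures(data, signatures))
    if max_depth == 0:
        return sorted(found)
    for unpack in unpackers:
        inner = unpack(data)
        if inner is not None:
            found.update(scan(inner, signatures, unpackers, max_depth - 1))
    return sorted(found)


# constructed samples: the same dropper string plain, packed, and a macro
# document that is itself packed (two layers the engine must see through).
SAMPLE_PLAIN = b"some program text DROP-PAYLOAD-v1 more program text"
SAMPLE_PACKED = xor_pack(SAMPLE_PLAIN, 0x5A)
SAMPLE_DOC = doc_pack(b"Sub AutoOpen()\n  AutoOpen:run-shell\nEnd Sub\n")
SAMPLE_DOC_PACKED = xor_pack(SAMPLE_DOC, 0x33)

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("xor-packed", SAMPLE_PACKED),
                          ("doc", SAMPLE_DOC), ("doc in packer", SAMPLE_DOC_PACKED)]:
        for version, engine in [("v1", ENGINE_V1), ("v2", ENGINE_V2), ("v3", ENGINE_V3)]:
            print(f"{label:14s} engine {version}: {scan(sample, unpackers=engine)}")
```

running it shows engine v1 catching only the plain sample, v2 additionally catching the xor-packed one, and only v3 reaching the macro inside the packed document. the signature list never changed between versions; every extra detection came from the engine learning a new place to look, which is exactly the development cost the post argues has not gone away.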

these are just a couple of the reasons why the underlying scanning technology itself is constantly being redeveloped and reworked and why the cost of that development has never gone away...
