Gilles Gravier's rants about things in general... security, open source, privacy, java, music... in particular.
Are we going towards a world where antivirus software will become too slow?
In Symantec's 10th Internet Security Threats Report, it is noted that
in 2006, over 6700 new Windows viruses were identified. The number here
may seem innocent in itself, but think about this... we've had viruses
since I've been hearing of personal computers (there were already
viruses on Commodore Amigas and Apple IIs in the eighties - granted
they didn't propagate by themselves and you had to share them by giving
an infected floppy to a friend). But the progression rate is
accelerating. Every year sees even more new viruses than the previous.
What will the impact of this be on your every day activity if you use
an operating system that is a heavy target for viruses?
In the coming years, your computer will, for every sensitive file
accessed (executables, dynamic libraries, shared object code in
general) need to scan that file for multiple tens of thousands of
different virus signatures. Even with strong optimisation of scanning
code and disk access, this heavy activity won't be without effect on
the reaction time of the computer. Even today, if you want to play it
unsafe for a few minutes and turn off your antivirus, you will
notice your machine is significantly faster in running various
activities.
What can we do about it?
Maybe the first thing to do is, and should be, to consider deploying
operating systems that are not as sensitive to viruses and other
malicious code. Consider operating systems that have proper user
permissions, that don't encourage the actual user to log in as
administrator for day to day activities. Make sure that your operating
system of choice is designed so that user-triggered programs can't
modify system parameters or files. Pick an operating system for which
the only possibility for malicious code to run efficiently is to
exploit an implementation bug, rather than a normally planned feature.
This is sometimes more feasible on the server side than on the desktop
side. But it will already help a lot if your server infrastructure can
perform at full speed while being almost completely insensitive to the
usual malicious code out there.
If you can't change your desktop, then you will be stuck with degraded
performance as antivirus software around the world struggles to scan
for more and more vulnerabilities. You can partially mitigate this by
first protecting your machines from external aggressions (by deploying
host based firewalls), which will limit the number of worm infections,
but will not necessarily protect your machine from infected documents
and client-side attacks. Then you need to educate your users seriously
about the risks of infection of their machine from third party content.
It's mostly a lost battle, as history has shown.
It seems that the price to pay for using insecure platforms will be
not being able to fully use the computing power of our machines, in
addition to the risks of infection by malicious code.
Posted at 11:41AM Sep 27, 2006 by gravax in Security