'Genotyping' Fends off Onslaught of Virus Variants

A new anti-virus technology from Sophos, Inc. is designed to protect users against the flood of malware variants that are attacking networks with sometimes overwhelming speed.
An IT administrator at the Maryland Department of the Environment no longer worries about the alphabet soup of virus families that used to plague his work day. Now he downloads one virus update and feels safe from the onslaught of variants that is likely to follow.

''Keeping up with the updates was a real chore,'' says Henry C. Torrance, the lead computer network specialist at the state agency, which has 1,200 users, eight offices and 30 to 35 servers. ''I'm not worried about 10 patches a day. I'm just looking for one file that covers several different viruses in the same family. It covers the alphabet soup.''

Torrance says the new genotyping technology from Sophos, Inc., an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass., is slashing the time he has to allocate to dealing with virus updates.

Sophos started using this genotyping technology last summer, according to Marc Borbas, product manager for Gateway Solutions at Sophos. And since then, they have been quietly working it into a growing number of virus updates.

The genotype technology, according to Borbas, is designed to identify variants of a particular malware family. For instance, once a genotype update has been issued for Mydoom or Mytob, that one update is aimed at protecting against the army of variants that will follow the original worm or virus.

Borbas explains that genotyping looks for certain genetic characteristics in one family. How does it interact with the operating system? Does it copy itself to a certain folder? Does it open a backdoor? Does it infect other files on your machine? Once these types of characteristics are noted, the technology will look for them in any variants that may follow the original malware, enabling the software to protect against the new worm or virus without a new virus update being sent out.
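The family-level rule Borbas describes is, at bottom, a conjunction of several specific traits rather than a single generic behaviour. The Python below is an added illustration of that idea, not Sophos code and not a description of how its engine actually works; the family name "Worm-X", the drop path, the backdoor port range, the marker string and the four sample records are all constructed for the example. It compares three strategies the article mentions: an exact hash match, a one-trait generic behaviour rule, and a multi-trait family "genotype".

```python
"""Toy family-signature ("genotype") matcher.

Added illustration only; it is not Sophos's engine. The behaviour records
stand in for what a sandbox run plus a static unpacker would report.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Sample:
    """Traits observed for one executable (all values constructed)."""
    name: str
    body: bytes                                       # raw file bytes
    dropped_paths: set = field(default_factory=set)   # where it copies itself
    listen_ports: set = field(default_factory=set)    # ports it listens on
    smtp_engine: bool = False                         # carries its own mailer
    strings: set = field(default_factory=set)         # notable embedded strings

    def sha256(self):
        return hashlib.sha256(self.body).hexdigest()


@dataclass
class Genotype:
    """A family signature: several specific traits that must co-occur.

    Demanding min_matches specific traits, instead of any one generic
    behaviour such as "opens a port", is what keeps false positives down
    while still catching repacked or lightly modified variants.
    """
    family: str
    traits: dict      # trait label -> predicate over a Sample
    min_matches: int  # how many of the traits a sample must exhibit

    def match(self, s):
        hits = [label for label, pred in self.traits.items() if pred(s)]
        return len(hits) >= self.min_matches, hits


# --- constructed samples (fictional; they describe no real malware) -------
ORIGINAL = Sample("worm.a", b"WORM-A payload",
                  dropped_paths={"%SystemRoot%\\wrmsvc.exe"},
                  listen_ports={41001}, smtp_engine=True,
                  strings={"wrmx-sync", "mail.dll"})
# Same family, repacked: new hash, new port, marker string stripped.
VARIANT = Sample("worm.b", b"WORM-B repacked payload",
                 dropped_paths={"%SystemRoot%\\wrmsvc.exe"},
                 listen_ports={41003}, smtp_engine=True,
                 strings={"mail.dll"})
BENIGN_SERVER = Sample("ftpd", b"legitimate ftp daemon",
                       dropped_paths={"%ProgramFiles%\\ftpd\\ftpd.exe"},
                       listen_ports={21})
INSTALLER = Sample("setup", b"legitimate installer",
                   dropped_paths={"%SystemRoot%\\helper.exe"})

KNOWN_HASHES = {ORIGINAL.sha256()}

# Hypothetical family rule; the thresholds and values are invented.
WORM_GENOTYPE = Genotype(
    family="Worm-X",
    traits={
        "copies self under %SystemRoot%":
            lambda s: any(p.startswith("%SystemRoot%") for p in s.dropped_paths),
        "opens backdoor on 41000-41010":
            lambda s: any(41000 <= p <= 41010 for p in s.listen_ports),
        "ships its own SMTP engine":
            lambda s: s.smtp_engine,
        "carries 'wrmx-sync' marker":
            lambda s: "wrmx-sync" in s.strings,
    },
    min_matches=3,
)


def exact_match(s):
    """Strategy 1: straight match. Catches only bytes already in the lab."""
    return s.sha256() in KNOWN_HASHES


def generic_behaviour(s):
    """Strategy 2: one generic behaviour. Flags every listening program."""
    return bool(s.listen_ports)


def genotype_match(s):
    """Strategy 3: family genotype, several specific traits together."""
    return WORM_GENOTYPE.match(s)[0]


def classify_all(samples):
    """Run all three strategies so the trade-offs sit side by side."""
    return {s.name: {"hash": exact_match(s),
                     "generic": generic_behaviour(s),
                     "genotype": genotype_match(s)} for s in samples}


if __name__ == "__main__":
    for name, verdicts in classify_all(
            [ORIGINAL, VARIANT, BENIGN_SERVER, INSTALLER]).items():
        print(f"{name:8} {verdicts}")
```

In the constructed data the hash rule misses the repacked variant, the generic rule flags the legitimate FTP daemon, and the genotype catches both worm samples while clearing both benign programs (the installer hits only one trait). The threshold is the tuning knob: set it too low and the rule degrades toward the generic-behaviour approach with its false positives, set it too high and it degrades toward exact matching.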

''With viruses, it's the variants that are becoming so hard to deal with,'' says Borbas. ''When something new comes out, you have to get it in the lab and find out how to protect against it. That can take anywhere from an hour and a half to a day or two days... What the genotype does is add another layer of protection.''

Borbas acknowledges that other companies have tried and are working on anti-virus software that detects behavior. Some of those have met with dismal results because of a high rate of false positives. He says the Sophos product is different because it looks for very specific traits.

''Mydoom had 50 or 60 variants,'' he says, adding that genotyping detected 77 percent of those variants from the single update. ''That means if you're a corporate security manager sitting there fighting the Mydoom virus, 77 percent of the time you didn't have to do anything. Twenty-five percent of the time you did have to handle an update, but it was a substantial improvement.''

Paul Stamp, an analyst at Forrester Research, an analyst firm based in Cambridge, Mass., says some anti-virus companies have taken the approach where they look for a straight match. Other companies have looked for general behaviors. Few, if any, of those efforts worked.

Sophos' genotyping, however, combines those two methods, and has a more successful model, he says.

''This takes a layer of complexity out of the update process,'' says Stamp, who adds that he hasn't seen this technology elsewhere yet. ''The less frequently you have to do [updates], the less complicated it is.''

Sophos analysts are using genotyping both to protect users against viruses and to help filter out spam, which often reuses similar email headers, key words and phrases, and patterns of HTML tags across a campaign.

Andrew Jaquith, a senior analyst at the Boston-based analyst firm the Yankee Group, says fighting virus writers and spammers today is always a tricky business.

''Everybody is looking for more clever ways to get a leg up on the bad guys,'' he says. ''It's an arms race. This represents an escalation on the defense. So good for them. But then the bad guys will escalate.''

For today, anyway, Torrance says he has less updating to do and his users are happier -- and that's a powerful combination for any IT shop.

''To be honest, I don't even worry about my anti-virus updating system,'' he adds. ''That's how reliable it's been... We actually have end users now who have emailed us back saying, 'Thanks for choosing Sophos.' That's a pretty bizarre testimonial from end users who don't have any say in what product we choose.''
