Zero Hour Anti-Virus Measures Could Mean More False Positives

Zero Hour anti-virus prevention is clearly the hot area of competition among anti-virus vendors these days.  Each vendor is trying to narrow the window between when a virus is first released "into the wild" and when an anti-virus signature is deployed for use in scanning engines.  It’s a significant problem because about 1,000 new viruses are created each month, although many are variants of existing viruses.

Vendors are approaching this problem in several ways, but a common approach is now to isolate programs that look like they could be viruses.  Perhaps they attempt to load themselves into a PC’s startup sequence, or communicate with an external server.

Vendors use automated tools to analyze these files and make determinations based on rulesets that they’ve developed. It’s not practical to manually examine a large number of files unless there is a strong likelihood of a virus.

While these zero hour solutions can be helpful, administrators should be prepared for a higher number of false positive reports than they might otherwise receive from traditional scanning engines.  Because of the imprecise nature of determining whether a given file might be a virus, mistakes will be made. Administrators have to determine how they will handle files that have been singled out by a zero hour solution, and whether the cost of doing so is worth the benefit of increased virus protection.

Thanks to Kevin Haley of Symantec for the idea for this blog item.

One Comment

  1. Posted February 24, 2005 at 9:34 PM | Permalink

    I agree, false positives are the issue when heuristics are involved. I work for a company that has a solution that does a great job addressing the zero hour smtp virus issue. Using virtual machine technology, it lets executables run in a virtual full working client environment and watches its behavior. I can’t think of a better way to see if something is a virus than to execute it, let it run and see what it does. We don’t replace signature av, we enhance them.
    Any thoughts?

Post a comment

You must be logged in to post a comment. To comment, first join our community.