Scanning on the wire
Dr Igor Muttik, McAfee AVERT
Among the side effects of the explosion in both Internet use and connectivity levels
is - unsurprisingly - the proliferation of malicious software in networks. Traditional
workstation-only solutions are acquiring features from the standard network security arsenal
- firewalls, mail scanning, spam filtering, intrusion detection/protection.
At the same time, standard tools and hardware for protecting networks (firewalls,
routers, switches, intrusion-detection and intrusion-protection systems) are having more
and more features bolted onto them in order to better combat malware. Increasing network
loads dictate the hardware approach, but adding anti-malware and anti-spam features requires
flexibility that is generally achievable only in software. A major requirement is an ability
to perform algorithmic and computationally complex analysis - required, for instance, to
detect non-static malware. Detecting such objects (polymorphic worms, for instance) via
software anti-virus scanners is a developed, mature technology but converting this functionality
into network hardware is problematic.
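The following is an added illustration, not code from the paper, of the point above: a fixed byte-pattern match (the kind of operation that maps well onto hardware) sees every polymorphic variant as a different byte stream, whereas an algorithmic scanner can recognise the decoder, undo its transformation and then apply the same signature to the normalised body. The "worm" body, its signature and the decoder-stub layout (a marker byte, a one-byte XOR key, a little-endian length, then the XOR-encoded body) are all constructed for this example and are not a real threat or a real detection.

```python
"""Static pattern matching vs. algorithmic (decoder-aware) scanning.
Added example; the payload, signature and stub format are constructed."""

# Constructed, harmless stand-in for a worm body; the scanner's signature is
# a substring of it.
PAYLOAD = b"WORM-BODY:connect;spread;payload"
SIGNATURE = b"connect;spread"

STUB_MARKER = 0xEB  # constructed marker byte that starts the decoder stub


def make_variant(key: int) -> bytes:
    """Build one polymorphic variant of PAYLOAD.

    Constructed stub layout (made up for this example):
        <STUB_MARKER> <key> <len_lo> <len_hi> <len bytes of body XOR key>
    Every key yields a different byte stream; for any key other than 0 the
    body never appears on the wire in clear.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    body = bytes(b ^ key for b in PAYLOAD)
    return bytes([STUB_MARKER, key]) + len(body).to_bytes(2, "little") + body


def static_scan(data: bytes) -> bool:
    """Hardware-style scan: exact substring search for SIGNATURE only."""
    return SIGNATURE in data


def algorithmic_scan(data: bytes) -> bool:
    """Software-style scan: at each offset, check for the decoder stub,
    emulate its single decoding step and re-apply SIGNATURE to the result.
    Falls back to the plain pattern match so non-encoded bodies still hit."""
    for i in range(len(data) - 3):
        if data[i] != STUB_MARKER:
            continue
        key = data[i + 1]
        n = int.from_bytes(data[i + 2:i + 4], "little")
        chunk = data[i + 4:i + 4 + n]
        if len(chunk) != n:  # truncated on the wire; nothing to decode
            continue
        if SIGNATURE in bytes(b ^ key for b in chunk):
            return True
    return SIGNATURE in data


def compare(keys) -> dict:
    """Run both scanners over one variant per key and count detections."""
    results = {"variants": 0, "static": 0, "algorithmic": 0}
    for key in keys:
        variant = make_variant(key)
        results["variants"] += 1
        results["static"] += int(static_scan(variant))
        results["algorithmic"] += int(algorithmic_scan(variant))
    return results


if __name__ == "__main__":
    # Key 0 is the degenerate, unencoded variant; every other key defeats
    # the static matcher but not the decoder-aware one.
    print(compare(range(256)))
```

The cost difference is the paper's point: the static matcher is a single substring search that a content-addressable memory or a regex engine in an ASIC can do at line rate, while the algorithmic scanner must do per-offset work and a decode pass before it can match, which is why that class of detection tends to stay in software or on a central scanning server.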
We present an analysis of alternative design solutions for network scanning that implement
AV features: pure hardware (quick but inflexible), pure software (slower but thorough),
a combination of both (complex and more expensive, but potentially both quick and flexible),
and a simple hardware device attached to a central server that provides centralized
complex scanning (cheap and flexible, but not easily scalable). Several real-life examples
are used to illustrate.
We also discuss the effect that the discovery of many exploits in common Internet graphics
formats (WMF, PNG, BMP, ANI) has had on the hardware-versus-software question, and analyse the
problems associated with scanning different Internet protocols.