The Illusion Revealed
In this section, we’ll review each type of security solution to see how it protects your computer and where it fails.
Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
The first solution is the traditional, signature-based anti-virus/anti-spyware filter. The program compares files against a regularly updated “blacklist” of bad content. If the file is on the list, the filter will block or remove it based on instructions in the blacklist. Anything not on this list is presumed to be good.
The evolution of the blacklist method
The blacklist approach really became obsolete as soon as people connected to the Internet, allowing malware to cross geographic borders and spread in the blink of an eye.
The anti-virus providers undoubtedly realized quite early that the signature approach would at best be a short-term solution, and would eventually fail to provide reliable frontline protection. To provide protection using this method, the manufacturer first has to have a sample of the malware in hand. Then, it has to generate an update to its signatures that will properly identify and remove the targeted content.
The problem is that the researcher can isolate and view the sample only after the malware has been released, sometimes months or even years previously. Rustock.C, one of the most dangerous Windows-based rootkits found to date, is a good example of this, having been in the wild for over a year before it was discovered, analyzed, and added to detection signatures. ...
Get Beautiful Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.