January 11, 2005

Testing Security Software

By Tim Klemmer

CEO, OnceRed LLC


This is the fourth in a series of articles highlighting reasons why we need a new model for anti-virus and security solutions.


Reason #3: Security Software Testing

Ever ask yourself the following question as you're standing in the aisle at CompUSA or Best Buy: how well will this piece of software work with my other programs? Probably not. There is a high expectation that whatever piece of software you buy will work acceptably on your computer and won't infringe on other programs.


Games, word processors, spreadsheets, and music players are just the types of self-contained software programs that you wouldn't expect any trouble from. And for the most part, you don't experience problems.


Security software, on the other hand, is by its very nature more invasive and more likely to intrude on your way of computing. First and foremost, all good anti-virus software packages install on-access/on-demand scanning. This means that every time you start up a program, every time you access a document or spreadsheet, every time you access a directory in Explorer, the anti-virus program will scan it for viruses. Unfortunately, the consequence of this is that it slows down your computer. Worse still, all vendors set on-access/on-demand scanning as the default when you install the software. They have to.


When you install security software it has to install itself in such a way that it will always have the upper hand when new programs are run on a PC. Why? For the simple reason that you are installing this software to protect you from bad software. Security software tries to analyze anything you do on your computer and decide if it is a good thing or not.


But will the software make good decisions? Will this software cooperate with other programs? Security vendors have spent years perfecting their testing, and testing against enormous suites of commercial software. But they can't test every combination of software, every different version of software (there are still PCs out there running DOS 3.0 programs). They have to concentrate on the mainstream. The problem is they may have no idea that your video card, in combination with those two older games you installed, will wreak havoc with their detection algorithms.


We see this all the time. Users send in emails or write notes in newsgroups complaining that such-and-such a package is preventing them from installing a new game or that such-and-such version is saying that their new game is infected.


Or worse still, things just don't work the same anymore since the software was installed. Downloads become more tedious because instead of just clicking download, users are now forced to answer questions about each download or approve downloads.


So what's the answer? The answer, as we have been touting in this series of articles regarding security software, is to move to a more centralized approach. Instead of installing scanning software on your computer, install behavior-based software on an off-site testing server that receives test requests from the email server. All emails are routed through the testing server.


This can then be expanded to include web traffic that runs on a 10-second delay, much like talk radio. You connect through the internet; all subsequent downloads, ActiveX controls, etc. are routed via a testing server and then either arrive on your PC or are halted and removed, and you receive the appropriate message.


In the time that it takes to receive a file, it can be tested and troublesome software can be detected. This approach works for detecting everything from viruses to worms to spyware. You as a user notice no long waiting, no downtime, no drag, and no incompatibilities.
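The hold-then-deliver pipeline described above, sketched as an added illustration that is not OnceRed's code or product. It assumes a gateway that accepts each transfer, holds it for the 10-second delay, runs an analysis routine, and releases it with a deliver-or-halt verdict; the two static heuristics in `analyze` are hypothetical stand-ins for the behavior-based analysis the article refers to.

```python
"""Illustrative testing-server gateway (added example, not OnceRed's code).
Each transfer is held for HOLD_SECONDS, analyzed, then delivered or halted."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

HOLD_SECONDS = 10.0  # the "talk radio" delay from the article
DOCUMENT_EXTENSIONS = (".doc", ".xls", ".pdf", ".txt", ".jpg")


@dataclass
class Transfer:
    name: str           # file name as presented to the recipient
    data: bytes         # file contents
    received_at: float  # when the gateway accepted the transfer


def analyze(t: Transfer) -> Tuple[str, str]:
    """Return ('deliver' | 'halt', reason). Hypothetical static heuristics
    standing in for a behavior-based analysis step."""
    lower = t.name.lower()
    is_pe = t.data[:2] == b"MZ"  # header of a Windows executable
    if is_pe and lower.endswith(DOCUMENT_EXTENSIONS):
        return "halt", "executable disguised with a document extension"
    parts = lower.rsplit(".", 2)
    if (len(parts) == 3 and parts[2] in ("exe", "scr", "pif")
            and "." + parts[1] in DOCUMENT_EXTENSIONS):
        return "halt", "double extension hides an executable"
    return "deliver", "no findings"


class TestingServer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable clock so the hold can be simulated
        self.pending: List[Transfer] = []

    def submit(self, name: str, data: bytes) -> None:
        """Accept a transfer from the mail server or web proxy and hold it."""
        self.pending.append(Transfer(name, data, self.clock()))

    def process(self) -> Dict[str, Tuple[str, str]]:
        """Release every transfer whose hold has elapsed, with its verdict.
        Transfers still inside the hold window stay queued."""
        now = self.clock()
        released = {}
        still_held = []
        for t in self.pending:
            if now - t.received_at >= HOLD_SECONDS:
                released[t.name] = analyze(t)
            else:
                still_held.append(t)
        self.pending = still_held
        return released
```

The caller delivers entries whose verdict is "deliver" and sends the recipient the reason string for those marked "halt".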



Tim Klemmer

CEO, OnceRed LLC


Tim Klemmer has spent the better part of 12 years designing and perfecting the first patented behavior-based solution to malicious software.