Last updated 2005-03-13: please be patient, I am in the process of rewriting this leading writeup. I promise it will rock your socks off.

That frequently fails due to the polymorphic properties of the viruses and their creators.

There are two types of anti-virus programs available: pattern recognition and heuristic.

Pattern recognition is the most likely to fail, due to the dynamic nature of viruses: a virus can be modified to become a different strain. Pattern-based scanners require frequent updates, but will never protect you from the latest and greatest virus in the wild.

Heuristic-based detection is still in its early stages, because it is so closely tied to artificial intelligence. The current status quo on that topic is most definitely: "C- -- could do better!"

Heuristic anti-virus detection is available right now. Most of it comes with your operating system and your application suite.

We could have stopped melissa before it existed if we had turned on "Enable macro-virus protection" in Microsoft Word 95 (second revision) and later, or installed the scanprot macro for Word 6.0 and later. We could have stopped iloveyou before it existed by blocking e-mail attachments with more than one filename extension. We could have stopped blaster by using hardware firewalls or the firewall built into Windows XP. We could have stopped happy99 by blocking executable attachments in e-mail entirely - something that Microsoft Outlook 98 and 2000 do by default if you installed their updates, and that Outlook 2002 and 2003 do by default right out of the box. Yet these viruses and their variants routinely slip past modern anti-virus software - melissa and iloveyou got to networks running McAfee, Symantec and others, and (supposedly) affected over ten million computers in 2000.[1]
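As an added example (not part of the original writeup), here are the two detection styles side by side in a few lines of Python: an exact-hash signature check next to the two attachment heuristics the paragraph names, a double filename extension and an executable attachment. The hash list, the extension set and the sample attachments are constructed for illustration only.

```python
import hashlib

# Constructed signature list: SHA-256 of one "known bad" attachment body.
# The body is a harmless placeholder, not real malware.
KNOWN_BAD_BODY = b"@echo off\r\ndel /q *.doc\r\n"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_BODY).hexdigest()}

# Extensions treated as executable. This set is an assumption for the
# example; a real mail filter would carry a much longer list.
EXECUTABLE_EXTS = {"exe", "com", "bat", "vbs", "scr", "pif"}


def signature_match(body: bytes) -> bool:
    """Pattern recognition: exact hash match against known samples."""
    return hashlib.sha256(body).hexdigest() in KNOWN_BAD_HASHES


def double_extension(filename: str) -> bool:
    """Heuristic from the writeup: more than one filename extension."""
    parts = filename.lower().split(".")
    return len(parts) > 2 and all(parts[1:])


def executable_attachment(filename: str) -> bool:
    """Heuristic from the writeup: the attachment itself is executable."""
    return filename.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS


def classify(filename: str, body: bytes) -> dict:
    """Run all three checks; a mail gateway would block on any True."""
    return {
        "signature": signature_match(body),
        "double_ext": double_extension(filename),
        "executable": executable_attachment(filename),
    }


if __name__ == "__main__":
    # Constructed attachments: the known sample, a one-byte "new strain",
    # a double-extension file, a benign document and a benign archive.
    samples = [
        ("report.bat", KNOWN_BAD_BODY),
        ("report.bat", KNOWN_BAD_BODY + b" "),
        ("invoice.txt.vbs", b"x"),
        ("quarterly.doc", b"plain text"),
        ("archive.tar.gz", b"\x1f\x8b"),
    ]
    for name, body in samples:
        print(f"{name:18} {classify(name, body)}")
```

The one-byte "new strain" slips straight past the hash signature but is still caught by the executable-attachment rule, while archive.tar.gz shows the kind of false positive the naive double-extension rule produces.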

If airport security worked like anti-virus security, terrorists would rule the skies.[2]

Well, let's see here, Mister Bin Salen Odama...
I noticed a powerful bomb in your briefcase here, and you were spouting some terrible anti-American rhetoric, but your name's not on any of our databases of known terrorists. Have a nice flight.


Beyond using the tools built into the operating system and applications, there are a lot of third-party security products that use profile-based detection. We had CHK4BOMB in the early 1980s, which was a profile-based virus scanner for DOS. We had Flu_Shot by Ross Greenberg. We have had, and still have, Wolfgang Stiller since 1995.[3] "But what about false positives?" Zero-false-positive heuristic checking was available as early as November 2000[4] and it has evolved constantly since then. Yet we still hear the likes of this banter:

Product A detected all viruses by name.
Product B detected all the viruses too, but not by name. Therefore, A is superior.

(OK, that's not entirely fair. John McAfee once told reporters: "...the media consistently misquoted (McAfee) about how widespread Michelangelo was."[5])

Even if "Product B" were widely available, you wouldn't buy it. Symantec, makers of Norton Anti-Virus, admitted this in July 1999: "What we don't want to do is make a lot of noise about shipping a product at a time when the customer is least likely to buy it."[6] In other words, anti-virus firms have better anti-virus technology to sell. And sell it they would, if you would buy it.

You can get heuristic anti-virus protection any time you want. All you have to do is ask your anti-virus vendor for it. And you can use what's built into your operating system and applications.

1. http://www.house.gov/science/morella_051000.htm
2. Attributed to Rob Rosenberger of VMyths, written some time just after the iloveyou virus hysteria.
3. http://www.stiller.com/, specifically, a reference to a 1995 Shareware award.
4. http://vmyths.com/rant.cfm?id=239&page=4 - While the "naive" filter rule had false positives, the commercially available solution compared to it at this URL boasts "almost no" false positives. Do you deal with viruses as you have for the past eighteen years and lose? Or do you sift through a few false positives?
5. http://www.etext.org/Zines/ASCII/40hex/40hex-7.005, specifically, article three: Software Hard Sell.
6. http://zdnet.com.com/2100-11-515220.html, quote attributed to then CEO of Symantec, John Thompson.
