The problem with generic detection

Filed Under: Malware, SophosLabs

Our goal within SophosLabs is to provide the best protection for our customers. Key to this is providing the best proactive detection of both malware and spam. It is much better to have detected and blocked a new piece of malware than to have to react and add detection, publish it and require our customers to deploy the update to millions of desktops.

Sophos Behavioral Genotype technology analyses a file before it executes, identifies behaviour (changing system settings, copying files, opening ports, etc.) that is associated with malware and not with 'good' applications, and blocks the file before it runs.
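To make the idea of pre-execution behavioural 'genes' concrete, here is a toy scorer added to this post. It is not Sophos's Behavioral Genotype code: the gene names, the marker strings (including the placeholder IM markers `im_send_message` and `im_contact_list`), the weights, the threshold and the sample feature sets are all constructed for illustration. The one idea it does carry over is that a single trait is common in good software, so detection is driven by combinations of traits weighed against a threshold.

```python
"""Toy gene-based generic detector (added illustration, not SophosLabs code).

Every gene, weight, threshold and sample below is constructed for this
example; the marker strings stand in for observables (imports, strings,
section properties) that real pre-execution analysis would pull from a
binary.
"""
from dataclasses import dataclass

# gene name -> (set of markers that must ALL be present, weight)
GENES = {
    "run_key_persistence": ({"RegSetValueExA", "CurrentVersion\\Run"}, 3),
    "self_copy_to_system_dir": ({"CopyFileA", "GetSystemDirectoryA",
                                 "GetModuleFileNameA"}, 3),
    "listening_socket": ({"socket", "bind", "listen"}, 2),
    # sends its own executable path to every contact (placeholder IM markers)
    "im_propagation": ({"im_send_message", "im_contact_list",
                        "GetModuleFileNameA"}, 3),
    "image_name_disguise": ({".jpg.exe"}, 2),
    "packed_or_encrypted_code": ({"high_entropy_section"}, 1),
}

# Constructed threshold: chosen so that no single gene is enough on its own.
THRESHOLD = 6


@dataclass(frozen=True)
class Verdict:
    detected: bool
    score: int
    genes: tuple  # names of the genes that fired, sorted


def fired_genes(features):
    """Return the genes whose markers are all present in the sample."""
    return tuple(sorted(name for name, (markers, _w) in GENES.items()
                        if markers <= features))


def classify(features):
    """Score a sample's feature set; detect when the weighted sum crosses
    the threshold. Hash-independent: any file with the same combination of
    traits gets the same verdict."""
    genes = fired_genes(features)
    total = sum(GENES[g][1] for g in genes)
    return Verdict(total >= THRESHOLD, total, genes)


# Constructed feature sets, as if extracted statically from four files.
SAMPLES = {
    "worm_variant_a": {"RegSetValueExA", "CurrentVersion\\Run", "CopyFileA",
                       "GetSystemDirectoryA", "GetModuleFileNameA", "socket",
                       "bind", "listen", "im_send_message", "im_contact_list",
                       ".jpg.exe", "high_entropy_section"},
    # repacked/re-strung variant: different hash, fewer markers, same genes
    "worm_variant_b": {"RegSetValueExA", "CurrentVersion\\Run",
                       "im_send_message", "im_contact_list",
                       "GetModuleFileNameA"},
    "legit_im_client": {"socket", "bind", "listen", "im_send_message",
                        "im_contact_list"},
    "installer": {"CopyFileA", "GetSystemDirectoryA", "RegSetValueExA",
                  "CurrentVersion\\Run"},
}


def report():
    """Classify every constructed sample; returns {name: Verdict}."""
    return {name: classify(feats) for name, feats in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in report().items():
        flag = "GENERIC DETECTION" if v.detected else "clean"
        print(f"{name:16} score={v.score:2} {flag:17} genes={list(v.genes)}")
```

The second worm sample is the point of the exercise: it shares no byte-level signature with the first, yet the same two traits fire and it is blocked with no update shipped. The two benign samples show the cost side of the trade: an installer legitimately copies files and sets a Run key, an IM client legitimately listens on a socket, so the weights and threshold have to be tuned against a large clean corpus, otherwise generic detection turns into false positives.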

Since its introduction last year, Behavioral Genotype has blocked literally thousands of new variants of malware including the latest ecard and Dorf variations and web attacks described elsewhere on this blog.

"So," I hear you ask, "if the technology is so good, what's the problem?"

The problem is that occasionally a 'newsworthy' piece of malware appears. It may not be widespread, or actually pose a very significant threat, but it's 'different' and therefore of interest to customers, journalists and the like.

Today, we got news of a new 'Skype' worm. It spreads via the popular VoIP application's instant messaging system and purports to be a picture.

The story broke yesterday afternoon and this morning we are getting a number of requests about the details. The 'problem' is that we proactively detected it as Mal/Behav-103 so we had already protected our customers. We even allow customers to prevent the use of Skype inside their organization with application control if they wish.

With the thousands of samples we receive every day, you can understand why - if we already detect it - we don't do any further analysis other than to add the characteristics to our database of malware 'genes'. But because this is unusual and newsworthy, we've had to spend some time this morning doing further analysis to provide more information and specific detection.

So although it is a 'problem', it's one that shows we are doing a good job at providing the best proactive detection and one I hope we continue to have. :)
