Your AV *still* sucks and you know it…

I posted an article back in April of ’07 bemoaning the piss-poor performance of current antivirus technology and it looks like the mainstream guys are slowly picking it up as well.

According to this article by PCWorld.com, their tests showed that “the best performer detected only one in four new malware samples.” Catching 25% of new malware is actually a very good percentage given the reactive nature of current AV technology. That might have been great in the ’90s, when the top threat was viruses whose propagation was largely limited to the local host, but viruses are a threat of the past. Worms, trojans and bots are the current soup du jour for the bad guys, and reactive countermeasures are simply inadequate at preventing them. Yes, I said prevent. I want my antivirus software to stop the attack before it becomes an infection. Once it’s an infection, it’s an incident, and I have to spend time and, more importantly, money to fix it, and that’s after I’ve already spent time and money on AV software and its maintenance.

As I’ve said before, AV technology needs to get their peanut butter stuck in IPS technology’s chocolate. AV should be more aware of malicious behavior as well as known malicious content. Most AV software already hooks into the kernel. Why not leverage that low-level awareness more effectively? Snarf those memory calls. Sniff that NIC access. New listener? I think not! Shut that process down and quarantine it.

‘But Michael, that’s the job of your HIPS,’ you say? That’s exactly my point.
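The “new listener” check above is the easiest of those behaviors to put in code. As an added example (not from the original post), this baselines the LISTEN sockets in Linux’s /proc/net/tcp text format and reports any endpoint that appears later; the two snapshots are constructed, and the returned inode is what a host agent would map to a PID via /proc/*/fd before quarantining the process.

```python
"""Baseline-and-diff detector for newly bound listening TCP sockets.

Parses the Linux /proc/net/tcp text format and reports LISTEN sockets
that were absent from an earlier snapshot. The snapshots below are
constructed sample data, not captured from a real host.
"""
import socket
import struct
from typing import Dict, Tuple

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"

# Constructed baseline: MySQL bound to loopback, sshd bound to all interfaces.
BASELINE = HEADER + """
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""

# Constructed later snapshot: same two listeners, one established client
# connection to MySQL (state 01, must be ignored) and a new 0.0.0.0:8080 listener.
CURRENT = BASELINE + """   2: 0100007F:0CEA 0100007F:B2C4 01 00000000:00000000 00:00000000 00000000  1000        0 20001 1 0000000000000000 20 4 30 10 -1
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
"""


def parse_listeners(proc_net_tcp: str) -> Dict[Tuple[str, int], str]:
    """Return {(local_ip, port): socket_inode} for every LISTEN row."""
    listeners: Dict[Tuple[str, int], str] = {}
    for line in proc_net_tcp.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        local, state, inode = fields[1], fields[3], fields[9]
        if state != LISTEN:
            continue  # established/closing sockets are not new attack surface
        hex_ip, hex_port = local.split(":")
        # The kernel prints the IPv4 address as a little-endian 32-bit hex value.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners[(ip, int(hex_port, 16))] = inode
    return listeners


def new_listeners(baseline: str, current: str) -> Dict[Tuple[str, int], str]:
    """Listening endpoints (with inode) present in `current` but not in `baseline`."""
    known = parse_listeners(baseline)
    return {ep: ino for ep, ino in parse_listeners(current).items() if ep not in known}


if __name__ == "__main__":
    for (ip, port), inode in new_listeners(BASELINE, CURRENT).items():
        print(f"new listener {ip}:{port} (socket inode {inode})")
```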

[...] It sounds like it might be gateway-based. I’d prefer it to be closer to the network fabric, possibly based on NetFlow or something similar. But hey, it’s a start, and from the looks of it, AV is indeed getting their peanut butter stuck in IDS’s chocolate. [...]