A senior Microsoft New Zealand executive, Terry Allen, confirmed this month that the company’s antivirus plan includes “behavioural” strategies: monitoring the kinds of actions viruses attempt to perform on a computer system, rather than relying wholly on signatures.
The conventional strategy of regularly updating a database of malware signatures is becoming harder to sustain as the interval between Microsoft’s disclosure of an exploitable bug in its software and the first exploitation of it in the wild grows shorter, says Allen, manager of Microsoft's enterprise sales and partner group. With Nimda, three years ago, the interval was almost a year; for the recent Sasser worm, it was 18 days.
Patches for such holes have to be issued, but attackers naturally reverse engineer the patch to locate the hole and then exploit it on the many end-user systems that are likely still unpatched.
Allen's comments lend weight to earlier informed reports from industry sources that behavioural techniques will feature in Microsoft’s first venture into antivirus products, to reduce reliance on specific signature updates and add a layer of protection that can act against an exploit before a signature for it exists.
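To make the distinction between the two approaches concrete, here is an added example that is not code from the article or from Microsoft. It runs a hash-based signature check and a simple behavioural scorer over a constructed stream of process events; the sample bytes, process IDs, event log, action weights and thresholds are all made up for illustration. The point it shows is the one Allen makes: a recompiled variant slips past the signature database, while its actions (dropping a file into the system directory, adding a Run key, listening on a port, connecting to dozens of hosts on one port) still add up to an alert.

```python
import hashlib
from collections import defaultdict

# --- Signature detection --------------------------------------------------
# Constructed sample bytes standing in for a known worm and a recompiled
# variant of it (both invented for this example).
KNOWN_WORM = b"MZ\x90\x00 worm-payload build=1 propagate via tcp/445"
WORM_VARIANT = b"MZ\x90\x00 worm-payload build=2 propagate via tcp/445"

# A signature database keyed by full-file hash: it matches exact copies only.
SIGNATURES = {hashlib.sha256(KNOWN_WORM).hexdigest(): "Worm.Example.A"}


def signature_scan(data: bytes):
    """Return the malware name if the bytes match a known signature, else None."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


# --- Behavioural detection ------------------------------------------------
# Weights (assumed values) for actions typical of self-propagating malware.
# Each action is counted once per process so a chatty process cannot inflate
# its own score by repeating the same step.
ACTION_WEIGHTS = {
    "write_system_dir": 3,   # drops a file into the system directory
    "set_autorun_key": 4,    # persistence via a registry Run key
    "open_listener": 2,      # listens for inbound connections
    "disable_firewall": 5,   # turns off the host firewall
    "scan_subnet": 4,        # derived below from many distinct connect targets
}
SCAN_HOSTS = 20        # distinct hosts on one port that count as a scan
ALERT_THRESHOLD = 8    # score at which a process is flagged


def behaviour_scan(events):
    """events: iterable of (pid, action, detail) tuples in time order.

    'connect' events carry (host, port) as detail and are aggregated into a
    'scan_subnet' action once a process has touched SCAN_HOSTS distinct hosts
    on the same port. Returns {pid: (score, sorted actions)} for every process
    whose score reaches ALERT_THRESHOLD.
    """
    actions = defaultdict(set)                          # pid -> actions seen
    targets = defaultdict(lambda: defaultdict(set))     # pid -> port -> hosts
    for pid, action, detail in events:
        if action == "connect":
            host, port = detail
            targets[pid][port].add(host)
            if len(targets[pid][port]) >= SCAN_HOSTS:
                actions[pid].add("scan_subnet")
        elif action in ACTION_WEIGHTS:
            actions[pid].add(action)
    flagged = {}
    for pid, acts in actions.items():
        score = sum(ACTION_WEIGHTS[a] for a in acts)
        if score >= ALERT_THRESHOLD:
            flagged[pid] = (score, sorted(acts))
    return flagged


# Constructed event log: pid 100 is an ordinary browser session, pid 200 is
# the worm variant that the signature database does not know about.
EVENTS = [
    (100, "connect", ("203.0.113.10", 80)),
    (100, "connect", ("203.0.113.11", 443)),
    (100, "write_user_dir", "cache/index.dat"),       # not a weighted action
    (200, "write_system_dir", "C:\\WINDOWS\\system32\\dropper.exe"),
    (200, "set_autorun_key",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dropper"),
    (200, "open_listener", 5554),
] + [(200, "connect", (f"192.0.2.{i}", 445)) for i in range(1, 31)]


if __name__ == "__main__":
    print("signature, known sample:", signature_scan(KNOWN_WORM))
    print("signature, new variant: ", signature_scan(WORM_VARIANT))
    print("behaviour, flagged pids:", behaviour_scan(EVENTS))
```

The trade-off a practitioner should keep in mind is that the behavioural scorer has no notion of intent: an installer or a legitimate network scanner also writes to the system directory, sets Run keys and connects to many hosts, so the weights and threshold need tuning against real baseline activity, and the two other planks Allen mentions (the firewall and prompt patching) still have to carry their share.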
Allen, in an interview with Computerworld on Microsoft’s progress in improving security, also emphasises that the focus is on “malware” in general. It is becoming harder to draw a firm line between the traditional “virus” and other forms of attack such as the introduction of trojans, he says. The future virus-checker and the Windows firewall, which Service Pack 2 turns on by default, will work closely in tandem as two of the three key planks of user protection. The third is regular patching through automatic updates.
He cites a recent survey of members of the Northern Employers and Manufacturers Association (in and around Auckland) which found 65% of respondents used no antivirus software.
Service Pack 2 for Windows XP enables XP's firewall and gives it a more “user-friendly” interface, so that any port which is closed by default but genuinely needs to be open can be opened as an explicit exception. Allen acknowledges that the firewall has not been easy for the novice user to find, much less tweak. Many potentially exposed components, such as the IIS web server, will be turned off by default as part of SP2. Too much Windows software, he says, has been “shipped in convenient mode rather than secure mode.”
Allen says he courted the wrath of users recently by telling doubters at one meeting that if they had to shut down the firewall to play a multiplayer game that used unconventional communications techniques, then perhaps they should think twice about playing it at all.
On avoiding exploitable bugs in the first place, Allen suggests Microsoft’s “secure by design” strategies are starting to pay off: in the first year after the release of Windows Server 2003, 13 “critical” or “important” security bulletins were issued, compared with 42 in the first year after the release of Windows 2000 Server.
He acknowledges that Windows XP SP2, a month late for its scheduled “first-half” release date, will be too bulky for many users to download conveniently, especially over a dial-up connection; “there will need to be a CD flood,” he says.
Another addition in SP2 is automatic blocking of pop-ups in the Internet Explorer browser. Allen acknowledges that Microsoft is here catching up with a feature that rival browsers such as the Mozilla-based browsers and Opera have had for some time.