I followed an article today on Warden, the anti-cheat software used by Blizzard Entertainment, Inc., which eventually led me to http://en.wikipedia.org/wiki/Polymorphic_code. The brief synopsis there got me thinking about the way anti-virus software currently works. I’m reasonably convinced that writing monolithic packages to combat swarms of viruses is a misguided idea.
So perhaps what we need is an immune system composed of anti-viruses: programs that would wage war against viruses, but in a manner that avoids the pitfalls of virus propagation (primarily DDoS outbreaks). They would actively seek out insecure systems, infect them with the cure, and then altruistically deactivate themselves.
I’m certainly not the first person to suggest this (and I’m reasonably certain that all attempts at such a solution have failed thus far). But I am convinced that fighting viruses with anti-viruses is the best long-term strategy. Currently we have software packages that build huge blacklists of known-bad programs to guard against infections. There are three problems with this approach: 1) it isn’t scalable, 2) the scanners themselves are targetable, and 3) it only allows the cure to be applied after the fact.
As the number of viruses in the wild continues to grow, so will the detection database. Eventually there will be so many threats to check for that scanning your system for an infection will take days (even with improvements in system performance). The best way to combat this trend is to develop general-purpose anti-viruses that morph and adapt to combat new threats. The key here is that you’d be running smart agents that could achieve much greater efficiency than a scan-and-ban solution can.
More recent virus scanners do implement ‘heuristic’ scanning modes, but they are still susceptible to the concerns I’ve listed above. To wreak havoc on your system, a virus writer needs only to disable Symantec or McAfee, and then he or she has free rein over your bits. By distributing the cure across multiple anti-viruses we could make it harder for virus writers to create countermeasures, because they’d be subject to the same constraints that anti-virus companies face now, namely that they’d have to build a database of anti-viruses to deactivate.
The biggest hurdle for anti-viruses is deploying the cure in an ethical, rationed manner (so the anti-virus doesn’t end up causing just as much harm as the virus it is neutralizing). I’ll have to think about that. It doesn’t matter what your intent is if the outcome is the same.