WServerNews (formerly W2Knews)
Vol. 12, #2 - Jan 15, 2007 - Issue #608
Evolving Antimalware Technology

  1. Editor's Corner
    • Evolving Antimalware Technology
    • Double-Take Announces Recovery Option
    • Quote Of The Week
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Tech Briefing
    • Evolving Antimalware Technology / 2007 Roadmap
    • So here is the 2007 Roadmap:
  4. WServerNews 'FAVE' Links
    • This Week's Links We Like. Tips, Hints And Fun Stuff.
Messaging Ninja: HALF The Admin Time

A recent independent (Osterman) survey shows that Ninja Takes HALF
the time to administer, and has significantly lower cost per user.
Combined with extremely high spam filter rates, and more than 5,000
business installations of Messaging Ninja in less than 9 months,
Ninja is the system admin's favorite for antispam and antivirus.

You can get a 50% discount when you upgrade to Ninja from your existing
antispam or antivirus app on Exchange, making Ninja super attractive.

Editor's Corner

Evolving Antimalware Technology

The bulk of this issue will consist of an article written by our Pres Alex Eckelberry. The traditional antispyware model has been fundamentally broken. He explains the entire why and how of CounterSpy V2, including why it has taken so long to develop. CounterSpy V2 is not your daddy's antimalware. It heralds the beginning of a completely new approach to the malware problem. We have only slightly changed the introduction to fit WSN. For this issue I am omitting most of our normal sections in order to accommodate Alex's words. I think you will want to read all of it. Make sure you check out the 2007 road map at the end!

Double-Take Announces Recovery Option

The Double-Take Server Recovery Option in combination with Double-Take continuous data replication directly addresses dead servers by providing customers the ability to restore entire servers, including the operating system (OS), applications and data - even to servers with different hardware configurations. This product combines continuous data replication with continuous system state protection and allows recovery from either the real-time image of the system or a snapshot image of the system from a previous point-in-time. This additional flexibility makes the solution ideal for recovering from unwanted changes such as viruses, corruption and accidental deletions.

Quote Of The Week

"Facts are stubborn things, but statistics are more pliable". -- Mark Twain

Hope you enjoy this issue of WServerNews! Warm regards, Stu Sjouwerman  |   Email me: [email protected]

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

The CounterSpy V2 Beta 5 was released, with support for Vista 32

The Number One 'High-Availability-And-Disaster-Recovery' tool in-one. Double-Take sold more licenses than all other HA/DR products combined:

Must Have FREEWARE Custom Web-Based Employee Directory. Download Now!

Tech Briefing

Evolving Antimalware Technology / 2007 Roadmap

I want to talk to you a bit about the future of our technology. A lot of this is skinny that so far has been part of a skunk works project here. Those that are technically inclined and curious about current thinking in malware fighting, however, may find this subject of some interest.

It all started over a good dinner.

On a chilly and blustery evening last January, Joe Wells, Eric Sites (our VP of R&D) and I sat outside overlooking the water at the Island Way Grill, a favorite local hangout. We were trying to recruit Joe from his position as Chief Scientist at Fortinet and the subject was along the lines of a re-invention of the anti-malware model.

In antivirus circles, Joe is a well known figure. The founder of the Wildlist, he's spent his life writing antivirus engines, getting antivirus patents and working for Symantec, IBM Thomas Watson Labs and Trend (and in his spare time, doing a complete translation of the Bible into the Sahidic dialect of the Coptic language as well as writing science fiction).

The antispyware model: Broken

We have felt for some time that the traditional antispyware model has been fundamentally broken. Antispyware programs had started out originally as niche products, marketed by the likes of mavericks such as Patrick Kolla (SpyBot), Nicolas Stark (LavaSoft) and Bob Bales and Roger Thompson (PestPatrol), and they all relied upon a brute force method of removal.

This method revolved around analyzing the files, registry keys, processes and the like associated with a malware program and putting these values into a database along with a boatload of MD5 hashes (unique signatures generated for files). Then, this database was bolted on to a system scanner. Basically, your classic antispyware product was a giant database attached to a scanning engine.

In other words, antispyware products are basically big fat databases attached to big fat system cleaners. Why did WebRoot and PC Tools do so well with their tools? Both came out of the system cleaning tools business (respectively, Window Washer and Registry Mechanic). These types of tools pound through a system, looking for file names, directories, registry keys and processes. WebRoot's SpySweeper, based on the same Delphi code that was used in the company's Window Washer, excelled at this brute force method of cleaning.
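The "database bolted on to a scanner" model described above, as an added sketch that is not any vendor's code: the threat name, file names and sample bytes are constructed for illustration, and registry and process checks are left out. It shows both what the model catches and where it stops, since a copy that differs by one byte and carries a new name matches nothing in the database.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for an adware binary; not real malware.
CONSTRUCTED_SAMPLE = b"constructed stand-in for an adware binary"

# Constructed signature database: threat name -> known file names and MD5 hashes.
SIGNATURE_DB = {
    "ExampleAdware": {
        "file_names": {"exampletoolbar.dll"},
        "md5": {hashlib.md5(CONSTRUCTED_SAMPLE).hexdigest()},
    }
}


def md5_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, db=SIGNATURE_DB):
    """Walk root and return sorted (relative path, threat, matched-on) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            file_hash = md5_of(path)
            for threat, sig in db.items():
                if file_hash in sig["md5"]:
                    findings.append((os.path.relpath(path, root), threat, "md5"))
                elif name.lower() in sig["file_names"]:
                    findings.append((os.path.relpath(path, root), threat, "file name"))
    return sorted(findings)


def demo():
    """Build a constructed directory and scan it with the signature database."""
    samples = {
        "exampletoolbar.dll": CONSTRUCTED_SAMPLE,     # known name and known hash
        "renamed.dll": CONSTRUCTED_SAMPLE,            # renamed, hash still matches
        "variant.dll": CONSTRUCTED_SAMPLE + b"\x00",  # one extra byte: no match at all
        "notes.txt": b"benign file",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```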

This model worked fine in the early days, and you could typically handle some pretty bad stuff with even SpyBot or Adaware. However, things got rough for the simple reason that spyware authors got really smart because the economics were so strong. The spyware programs got increasingly difficult to remove, such as the practice of using "resuscitators" - programs that would notice when you killed a file, and then recreate it (classic Direct Revenue tactic).

It got so bad that Merijn Bellekom, who had created CWShredder to kill CoolWebSearch, simply threw up his hands in frustration. As he said, "I simply do not have the tools to remove the latest variants, they are too aggressive or complicated to allow automated removal by CWShredder."

We had the typical example of a user trying to remove threats, and needing to use multiple antispyware programs, run in safe mode, beat on the machine, cry, pray, ask for help on forums, run HijackThis a few hundred times, and then maybe get the use of the PC back. Even Steve Ballmer, CEO of Microsoft, went through this hell. And I certainly did on several occasions as I helped others with their destroyed systems.

The model was (and is) flawed. While the major antispyware products have improved dramatically, they simply cannot deal effectively with all the different kinds of today's threats. You have the problem of depth (how much work is required to remove an infestation) and breadth (the sheer number of infestations that may be found in the wild).

The antivirus model: A surgeon's touch

Now, while spyware was evolving, antivirus vendors were playing catchup. Antivirus engines had been dealing with nasty stuff for years, and were quite capable of removing all kinds of evil malware like worms and trojans. However, antivirus engines are designed primarily for deftly removing a piece of a file from a file or removing a few files. Consider the Melissa virus, one of history's most infamous nasties - it was a Visual Basic macro virus. Removal required removing one registry key and removing some VB code from Word's default "Normal.dat" file.

A surgical approach, compared to antispyware's demolition-team type of approach.

Contrast this surgical touch with one adware infestation that Ben Edelman documented a while back: 730 registry keys, 1,194 registry values, 461 files, and 43 file folders in one infestation! It was simply an epic amount of crap dumped on a machine. You didn't need a surgeon. You needed a demolition team! And the fact is that most of the AV companies simply took a long time to catch up. Why antivirus companies were so late in the game is a matter of speculation, but I believe it came down to the following reasons:
  1. A bewildering new type of malware that required system cleaning tools as opposed to surgical strikes. AV engines are designed for file-infecting viruses or removals of a few files - not the hundreds of thousands of unique threat types you find in spyware installations.
  2. Burdened by their own past experience. The AV guys tended to look at threats or targets through their past experience - in other words, they were looking for threats that looked like those they had encountered before. And, by and large, the newer commercial threats - especially adware - did not look like the threats the AV guys were used to dealing with. As a result, some may have been naive about installation practices (especially run-of-the-mill deception and social engineering, as opposed to the classic viruses), and thus weren't as aggressive in targeting adware programs. They were (and often still are) much too forgiving of unsavory business practices. Finally, they tended to target files and processes, not the complete suite of items (including registry keys) that needed to be removed.
  3. Worries about legal problems: Antivirus companies were faced with an even more bewildering problem: They were under the threat of legal attack from listing adware and spyware, something they had never really dealt with before.
The legal problem is interesting when you add in the geographical dynamics of the business. Now, this is all my speculation, but the major antivirus companies are in the US (McAfee and Symantec, and arguably Trend). They may be used to the US legal system (meaning, you can be sued for forgetting to supply toilet paper in the bathroom), but they are large companies, so are always nervous about legal problems.

The rest of the antivirus business is largely in Europe, and these companies are simply shocked by the US legal system. So you had an interesting intersection: Large companies not wanting to get sued, the smaller companies with a strong consumer voice being European and simply not interested in getting tied down with US legal issues (even some antispyware companies may have fallen for this legal fear - PC Tools delisted a number of threats like Hotbar and based on legal threats it received).

And the real problem with AV products: Bloat

It's a known problem that many antivirus products have become bloated and inefficient. The reason has a lot to do with the fact that the major antivirus companies need to support a broad range of viruses that may not even run on today's platforms, because of useless certifications, support for older platforms, etc. But it's part of why your AV product may take such a big hit on your system resources.

And with a user base that's leveling off (even declining for some), the game now is recurring revenue. It's all about subscriptions: Get the user in and get them on a subscription plan, even if it means billing on a "negative option". Why invest in a market which isn't growing in huge leaps and bounds, when you can milk the subscription revenue? It's a cruel statement, but there's enough truth in it by simple observation. Now Microsoft has raised concerns in enough AV companies to get them moving, but a lot of what we see is the same-old, same-old. More memory-hogging suites and more bloat. It's a broken model, because no one ever decided to really fix it.

(By the way, I'm not maligning a whole industry here. There are a number of truly standout firms in the AV world that are doing a really good job. My comments are more related to the "usual suspects".)

Today's user has a problem: Security has become a menace to performance. It's also gotten more confusing, blinding users with a blizzard of scary popups (although great improvements, as in Symantec's handling of incoming threats, have been made in this area).

What we've been working on

So what's our answer to all of this? Wipe the slate clean. Rethink the ideas behind desktop security. Create a new method that's more efficient and more powerful.

A number of parts have had to come into play to make this happen. I had to hire Joe Wells and a number of other rocket scientists and invest a significant amount of the company's financial and human resources. I also acquired technology, such as the Kerio firewall, which brought with it a number of innovative technologies such as Host Intrusion Prevention System (HIPS) and a Snort-based Intrusion Detection System (IDS). I'm also in the process of making an investment in some bleeding-edge rootkit technology. Meanwhile, I've had to just be patient and let the team do their work, something not easy for me.

CounterSpy V2

CounterSpy V2 (currently in Beta 5) is our answer to the problems of dealing with tough blended threats, and incorporates a number of new technologies, such as VIPRE and our FirstScan technology, to deal with the really tough threats. The premise behind CounterSpy V2 is:
  1. So-called "real-time" antispyware protection is not effective. If it's not working at the kernel level, it's not worth the time of day.
  2. Today's antispyware technology must work at or below where the malware is executing.
  3. Equally important are detection, removal and the database definitions.
We believe this new product is a big evolution in antispyware detection and remediation. There are a number of new features in CounterSpy from the previous version, such as the fact that it runs as a service, has a small CPU and memory footprint, has a new scanning engine, and uses incremental database updates. But I'm sure our marketing people will do a much better job of pulling all of those new features together when we officially launch the product (which will be at the RSA conference in early February).


One of the things we had to do was develop an entire antivirus technology from scratch, and we call it VIPRE. We don't believe that going out and bolting on an antivirus engine is a good idea from a performance standpoint. The result of piling engine upon engine is ultimately crap, and users see right through it. VIPRE is a completely new antivirus technology, which incorporates all the classical antivirus techniques (such as removing file-infecting viruses) as well as a number of new techniques. VIPRE is especially powerful in its heuristics capability, something you may have seen if you submit malware samples to VirusTotal. VIPRE is still not done and yet it's catching an enormous amount of viruses based on its heuristics alone.

(A few notes about VIPRE for the technically-inclined: Since 99% of all malware is compressed (packed), you need to uncompress it in order to find the original entry point (that place where the malware executes) to analyze it. However, there are a large number of different compression methods and variations used. Many antivirus companies create a static unpacker for each different piece of malware, which means they have to hand-roll an unpacking algorithm for each different piece of malware - a time-consuming process. So one of the things we did with VIPRE was develop a "generic unpacker" to dynamically unpack any piece of malware.

But what happens when you actually unpack the malware? You have to analyze it in real-time, so we then had to build an extremely fast emulator which unpacks the malware, executes a few bytes, compares it to a signature and flags it if it's malware. And while we were at it, we built a full debugging environment for our engineers to run malware in a secure environment and rapidly create new signatures. Furthermore, while much of the AV world may still be using regex expressions in their signatures, we've created a new model which improves considerably on the current state-of-the-art.)

VIPRE is also platform-agnostic, able to support Linux, Mac OS, Windows, and any other platform we decide on.

This was a lot of work.

But now VIPRE is basically done. What needs to happen is to get certified by the major certification bodies and to continue adding more viruses in order to roll it up into a full antivirus product. However, a major part of the VIPRE technology is actually shipping in CounterSpy V2, solely for the purpose of making CounterSpy V2 a more powerful antispyware product. We've taken the VIPRE "juice" and put it into CounterSpy, and I think you'll really notice the difference when you're dealing with spyware.

VIPRE is a brand new antivirus engine and incorporates the latest thinking in antimalware research. It's burning-hot fast and extremely efficient.

Kernel-level active protection

Another key thing we had to do was develop a set of kernel-level drivers, designed to run from the start on 32 bit and 64 bit systems. This Active Protection sits at the kernel and sees all, stopping the bad stuff before it has a chance to execute on your system.

Our Active Protection is part of CounterSpy V2 but will, of course, be used for our antivirus product in the future.


One nifty feature of CounterSpy V2 is its FirstScan technology, which scans certain locations of the drive and removes malware prior to Windows launching. This is done directly to the drive, bypassing Windows APIs, right about the time that chkdsk would run. The purpose is simple: To get the spyware before it has a chance to execute.

The end goal

In the end, you have an anti-malware model that is a hybrid technology, melding the "system cleaning" properties of an antispyware product, along with the efficiency of a powerful antivirus engine. This will first manifest itself in CounterSpy V2, which will have major parts of our VIPRE technology in it. Then a full antivirus and antispyware product will follow a few months later. And ultimately, this will all be integrated with a firewall, IDS, HIPS, and all the rest to make a very powerful, yet efficient anti-malware system. -- Alex Eckelberry. To play with Beta 5 that has all the above:

So here is the 2007 Roadmap:

March 2006: CounterSpy Enterprise 2.0 -- This is a big upgrade which has as the primary ingredient a major upgrade to the agent. The agent will be our new CounterSpy 2.0 desktop technology, which includes parts of our VIPRE antivirus engine to improve spyware detection and remediation. This new agent provides dramatic improvements in performance and memory usage, as it is a largely re-written version of the current agent. If you want an idea as to what agent will be like (sans the pretty UI), you can download the CounterSpy 2.0 beta. Other features include Vista support (32 bit only for now), incremental updates, a new deployment server, a UI for the agent itself, and new reports. (I think you'll really like the new deployment server btw.) As always, Customers on a standard maintenance plan will be able to upgrade to this new version at no cost. Note that this is not an antivirus product, but it does include a lot of our new antivirus technology. The AV technology is only in there to improve our ability to kill malware.

Q2, 2006: Sunbelt VIPRE Antivirus Enterprise (working name) -- This is basically CounterSpy Enterprise 2.0 with the addition of our full desktop antivirus product (VIPRE). The AV technology is integrated right into the product, so that performance is not significantly impacted. If you read the blog post above, you'll get a feeling as to what VIPRE is. Since this is new product, customers on a standard maintenance plan will be offered the ability to upgrade to this new version for a nominal cost. We're going to make the migration cost very reasonable, as we'd really like as many people as possible to migrate to this new product. However, we will continue to market and support CounterSpy Enterprise, so those preferring to stay the course will be fully supported, with a continuing product plan of upgrades and updates.

End Of Year 2007/ Early 08: Sunbelt VIPRE Endpoint Security (working name) -- This is a full endpoint security solution, which includes HIPS, desktop IDS, two-way firewall (all coming out of our Kerio technology), our AV and antispyware. It's fully integrated -- not the usual "10 pounds of software in a 5 pound bag". It's designed to replace all of your endpoint security needs, especially for those companies required by regulatory or other mandates to have HIPS integrated on the desktop.

WServerNews 'FAVE' Links

This Week's Links We Like. Tips, Hints And Fun Stuff.