Thursday, April 16, 2009

It's about Time! (Threatfire)

There's a new tool in the antivirus toolbox that looks very promising.  Threatfire works alongside other antivirus software to detect viruses and spyware in a different way:  it detects malware behavior, not specific malware infections.

This is big.  For many years, I've been making the point about antivirus software:  it's flawed because it depends on virus definitions -- an identifying code specific to a particular virus -- for detection.  This means you need to constantly update.  And now, with the constant mutations of Antivirus XP and its clones, the updates are always way behind the virus makers.

Threatfire doesn't need updated definitions.  Bad behavior is bad behavior no matter what the software.  If something is causing popups, it will find the process and fix it, even if it never saw that particular code before.

You would think this could have been done before now.  It actually has been tried, but the nature of computer journalism gave people the impression that the virus definition model was superior.  Years ago, computer magazines would test both behavior-based and definition-based antivirus.  Both would be equally good at detecting viruses and protecting the computer.  But the definition-based antivirus would say "You were infected by the Stoned virus" while the behavior-based one would say "You were infected with a virus."  Because definition-based antivirus could name the actual virus, it got higher ratings even though it was no better at protection than the other.

Threatfire is not a replacement for your antivirus, but rather a supplement to it.  It will protect against the malware your McAfee or Avast or AVG or Symantec doesn't know about.

I have only been able to give it a limited test; it seems to work quietly in the background and I haven't had any viruses to test it with.  But assuming it works even close to as advertised, it's a solution that's a decade or more overdue.