On Monday, antimalware developer McAfee released details on its new cloud-based defensive system, codenamed Artemis. As we've noted several times in the past, antimalware companies don't have an easy job, and the sheer number of virus variants that now spawn from even a single base infection threatens to overwhelm any company's ability to keep up. According to McAfee, the number of attacks observed so far in 2008 (with 3.5 months still to go) already exceeds the total for 2006 and 2007 combined. Given the financial incentives and the corporate business model that have become prevalent in the malware industry, this number isn't likely to start heading downwards, either.
One of the security industry's greatest weaknesses is that it is inherently reactive, and while this won't change anytime soon, McAfee believes Artemis will drastically reduce the current time-to-patch cycle, as illustrated in the diagram below:
McAfee states that problems are typically solved and patched 24-72 hours after the malware is initially spotted, and while that figure seems a bit optimistic, we'll go with it, given that the company says that even 24 hours is too long. When a major worm like Storm hits, the steps on this diagram actually go into a loop, as each new variant arrives, is tagged, and then blocked. Each time the loop occurs, there's a fresh window of opportunity/profit, which only encourages malware authors to crank out variants as quickly as possible.
The Artemis system theoretically accelerates the time-to-patch cycle by communicating directly with McAfee's online service whenever it encounters a suspicious file. The file is then checked against the entire McAfee Avert Labs database for any similarities to preexisting behaviors or file signatures. If Avert Labs detects any sort of malware, the user then receives instructions on how to block or quarantine the file, just seconds after having received it. The on-site database (i.e., the program installed on the user's computer) is also updated to detect this malware variant if it shows up again. Presumably, the system has some way of recognizing when dozens of computers all start requesting data on the same suspicious bit of malware, and would trip some sort of built-in alarm to notify McAfee that a concerted attack was underway from a previously unknown source.
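To make the flow described above concrete, here is an added, constructed model of a cloud-lookup scanner; it is not McAfee's code or protocol. It assumes SHA-256 file hashes as the lookup key, a threshold of three distinct clients before the "many machines asking about the same unknown file" alarm fires, and constructed sample bytes standing in for real files.

```python
import hashlib
from collections import defaultdict

class CloudReputationService:
    # Stand-in for the central lookup service: answers hash queries, and raises an
    # alarm when several distinct clients ask about a file it has never seen.
    def __init__(self, alarm_threshold=3):
        self.verdicts = {}                       # digest -> "malware" | "clean"
        self.unknown_seen_by = defaultdict(set)  # digest -> client ids that asked
        self.alarm_threshold = alarm_threshold
        self.alarms = []                         # digests flagged for analyst review

    def query(self, client_id, digest):
        verdict = self.verdicts.get(digest)
        if verdict is not None:
            return verdict
        askers = self.unknown_seen_by[digest]
        askers.add(client_id)
        if len(askers) >= self.alarm_threshold and digest not in self.alarms:
            self.alarms.append(digest)
        return "unknown"

class Endpoint:
    # Installed scanner: checks its on-site database first, asks the cloud only
    # for files it has not seen, and caches definitive verdicts locally.
    def __init__(self, client_id, service):
        self.client_id, self.service = client_id, service
        self.local_db, self.cloud_lookups = {}, 0

    def scan(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.local_db:
            return self.local_db[digest]
        self.cloud_lookups += 1
        verdict = self.service.query(self.client_id, digest)
        if verdict != "unknown":
            self.local_db[digest] = verdict
        return verdict

def run_scenario():
    # Constructed scenario: one catalogued sample, one never-seen sample on three hosts.
    svc = CloudReputationService(alarm_threshold=3)
    known = b"constructed bytes standing in for a catalogued malware sample"
    novel = b"constructed bytes standing in for a brand-new variant"
    svc.verdicts[hashlib.sha256(known).hexdigest()] = "malware"
    hosts = [Endpoint(f"host-{i}", svc) for i in range(3)]
    first, second = hosts[0].scan(known), hosts[0].scan(known)  # second hit is local
    novel_results = [h.scan(novel) for h in hosts]
    return {"first": first, "second": second, "host0_lookups": hosts[0].cloud_lookups,
            "novel": novel_results, "alarms": svc.alarms}
```

The second scan of the known sample never leaves the machine, while the novel sample stays "unknown" on every host but lands on the service's alarm list once three of them have asked about it.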
If it works as advertised, Artemis has the potential to substantially reduce the gap between the time malware is detected and the time a system is patched. Patching systems this quickly would all but close the profit window (defined here as the time any system spends under botnet control) and, if (really) widely deployed, might even negatively impact malware writers' profit margins. Such projections, however, assume that Artemis can deliver what it promises, and that is, by no means, guaranteed.
In order to prove itself, Artemis needs to demonstrate that it can reliably distinguish suspicious files from benign ones, retrieve the necessary (and correct) information from the Avert Labs database, and return solutions that actually fix the problem in question (or appropriately prevent the problem from occurring). This is a tall order, given that AV programs still return false positives during any number of installation routines or other OS functions.
On the other hand, an antimalware product need not be perfect in order to be useful; if Artemis is right just half the time, just half the McAfee customers that would have been infected otherwise actually "catch" the bug in question for a meaningful amount of time. It's also hard to turn down free, and Artemis, branded "Active Protection" in consumer products, will be free in all versions of McAfee software. The service has already been incorporated into McAfee's Total Protection Service for small and medium businesses, and will be available later in the month for both McAfee VirusScan Enterprise and McAfee consumer products.
I'm not 100 percent sold on the program, and won't be until I see evidence that it's genuinely effective at stopping infections. I definitely applaud McAfee for developing a new approach to virus scanning and identification behind the "check local database" model and then making the results of that effort available to all current customers. Hopefully, the end result will be a noticeable drop in infections among McAfee customers, which would then spur the development of similar approaches across the antimalware industry.