SoBig opens a new can of worms

The flurry of worms, Trojans and other malware is forcing corporates to rethink their security systems, boosting interest in alternatives to traditional antivirus software.

With security spending expected to rise, IT directors are now seriously considering running combination services, which use a mixture of heuristic and more traditional virus identification files, to block fast-spreading viruses.

Heuristic scanning systems, which do not identify specific malware but block emails based on their behaviour, performed well at identifying and stopping SoBig infections.

It was stopped because its transmission system mimicked spam distribution software, which was picked up by heuristic scanning.

Neil Hammerton, managing director at EMF Systems, which offers both antivirus and heuristic scanning, said conventional software has to find a virus and build an identity file before it can be banned.

"Modern viruses are so fast that you need to be able to react fast. Heuristic scanning can pick up on malware very quickly; none of our customers got hit by the virus."

Heuristic scanning looks at the capabilities and activities of files within a PC or by scanning email servers.

If an application contains code likely to be found in malware the code is isolated until it can be examined. The downside, though, is that heuristic scanning has a reputation of producing a lot of false positives.

Traditional antivirus software has relied on finding a virus in the wild, engineering an identification file and encouraging users to download the latest update or send it off to users' machines automatically.

The disadvantage is they are unable to stop new viruses before they become established in the wild.

"Vendors are going to have to change from the traditional virus identification model," said Mark Fisher, technical manager at Trend Micro.

"We mix our traditional antivirus identification service with content scanning and filtering to boost effectiveness."