Virus Scanners - Prevention or Detection?

Published on Thursday 1st November, 2007 (AEST)

Of the three classes of security mechanisms, prevention, detection, and reaction, virus scanners are generally designed, developed, and deployed as tools of prevention. In many environments they are the only defence against viruses, worms, and other malicious programs; software that has passed a virus scanner is naively considered safe, so few other preventative measures may be in place. This is a black-list approach to security: any software may run unless it is recognised as a known baddie, and a scanner can only recognise what its signatures already describe.

Contrast this with the white-list approach, in which only a limited number of trusted applications are allowed to run. The default rule is to deny the execution of any program unless it is explicitly permitted. This has traditionally been challenging to implement for a number of reasons, but as technologies such as Software Restriction Policies (SRPs) mature, it is becoming easier and more widespread.

In such environments, however, virus scanners are still commonplace. This may be to provide protection where certain file types aren't governed by SRPs (scripts and macro-bearing documents are the usual gaps, and DLLs unless DLL checking is switched on), to provide a defence against other types of threats, or simply to play it safe.
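As an added illustration of the default-deny white-list from the two paragraphs above (this is example code written for this page, not something from the original post), here is how the SRP settings that Group Policy writes can be set directly from PowerShell. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and the allowed paths and extra script extensions are illustrative choices, not settings the post prescribes. The last part also shows the file-type gap mentioned above: SRP only governs the extensions listed in ExecutableTypes, so script types missing from that list run unchecked until they are added.

```powershell
# Added example, not from the original post: configure Software Restriction
# Policies as a default-deny white-list via the registry values Group Policy
# itself writes. Assumes the standard SRP key layout; run as Administrator.
# Allowed paths and extra extensions below are illustrative choices.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them (the level number is also the subkey name).
$Disallowed   = 0
$Unrestricted = 0x40000

# Create the policy key if needed and make "Disallowed" the default rule.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name 'DefaultLevel' -Value $Disallowed -Type DWord

# Enforcement: 1 = executables only, 2 = executables and DLLs (stricter, more breakage).
Set-ItemProperty -Path $Safer -Name 'TransparentEnabled' -Value 1 -Type DWord

# Scope: 0 = all users including administrators, 1 = everyone except local admins.
Set-ItemProperty -Path $Safer -Name 'PolicyScope' -Value 0 -Type DWord

# A path rule is a GUID-named subkey under <level>\Paths with the path in
# ItemData (REG_EXPAND_SZ) and SaferFlags set to 0.
function Add-SaferPathRule {
    param([string]$Path, [int]$Level)
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'   -Value $Path -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags' -Value 0     -Type DWord
}

# Re-allow the locations trusted software is installed to (illustrative choice).
Add-SaferPathRule -Path '%SystemRoot%'   -Level $Unrestricted
Add-SaferPathRule -Path '%ProgramFiles%' -Level $Unrestricted

# A more specific rule wins, so a user-writable directory inside an allowed tree
# can be closed again explicitly.
Add-SaferPathRule -Path '%SystemRoot%\Temp' -Level $Disallowed

# ExecutableTypes decides which extensions SRP treats as programs at all.
# Script types absent from it are exactly the "file types not governed by SRPs";
# the list of additions here is an assumption, tune it to the environment.
$extra   = 'VBS','VBE','JS','JSE','WSF','WSH','PS1'
$current = (Get-ItemProperty -Path $Safer -Name 'ExecutableTypes' -ErrorAction SilentlyContinue).ExecutableTypes
$merged  = @(($current + $extra) | Where-Object { $_ } | Sort-Object -Unique)
Set-ItemProperty -Path $Safer -Name 'ExecutableTypes' -Value $merged -Type MultiString

# Show the resulting default level and governed extensions for review.
Get-ItemProperty -Path $Safer | Select-Object DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes
```

The rules apply to processes started after the policy is read, so a fresh logon (or gpupdate when the same values come from Group Policy) may be needed before testing. Even with the extended extension list, content that is executed by an already-allowed interpreter (a macro inside a document opened by an allowed Office binary, for instance) is still outside what SRP sees, which is the gap the paragraph above is pointing at.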

Where a white-list is in force, I tend to regard virus scanners as more of a detection mechanism than a prevention mechanism. If a virus is detected on a workstation, this indicates there may be a problem with the Software Restriction Policies configuration, firewall rules, and so on: something that should have been stopped earlier was not. It signifies that action may need to be taken to tighten or refine the security policies of the system or network.

Of course, this reasoning does not extend to every situation. For instance, gateway virus scanners (on a proxy server, mail server, etc.) have a place and purpose even if malicious software that makes it to a user's desktop would otherwise be prevented from running locally. In such cases, virus scanners are certainly preventative in nature, even if only by stopping nuisance emails from reaching the user.

Have something to add? Simply send me an email. Comments deemed relevant and helpful to other readers will be added to this page.

© 2008 Andy Dowling. XHTML & CSS. Hosted by (mt) Media Temple.