Tom,
My methodology/process catches a lot more than just Conficker
. It catches the viruses that hide themselves in System Restore space, and the ones that hide themselves using the Windows API and even File Streams. I've found many viruses this way. I just used Conficker as an example.
Unfortunately, you can't have a good process to "stop" a virus when the system itself is heavily flawed and allows compromise the way Windows does. The benchmarks I posted earlier were for known viruses. That just turns your AV program into a glorified pattern recognizer. That is irrelevant when many of the new viruses know how to subtly change themselves to avoid detection and you have to use behavior-based techniques to get at the viruses.
I don't see this situation changing any time soon. There's no good way to look at a live system considering how complex Windows is, and how it presents hundreds of hiding spots for any piece of malware. You have to find where they load from, not where they live afterwards.
The solution is to re-architect Windows, and that has only just started with Vista and Windows 7. The solution is not the multi-billion dollar malware defense industry. While it keeps many very smart people employed, it's all for naught if the underlying system has the issues Windows does.
Take a look at Green Hills Integrity, Kadak AMX, QNX, or even OpenBSD to see how an OS can be resistant to such attacks.
02-02-2009, 05:17 AM
Threaded Mode