<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Internet security tips and advice &#187; internet security expert</title>
	<atom:link href="http://www.securityteacher.com/tag/internet-security-expert/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityteacher.com</link>
	<description>Internet Security Tips and Advice</description>
	<lastBuildDate>Sun, 22 Nov 2009 00:43:05 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Alexey Belkin (Agnitum) speaks about the future of the security industry</title>
		<link>http://www.securityteacher.com/2008/05/27/alexey-belkin-agnitum-speaks-about-the-future-of-the-security-industry/</link>
		<comments>http://www.securityteacher.com/2008/05/27/alexey-belkin-agnitum-speaks-about-the-future-of-the-security-industry/#comments</comments>
		<pubDate>Tue, 27 May 2008 14:54:43 +0000</pubDate>
		<dc:creator>Pavel Goryakin</dc:creator>
				<category><![CDATA[Security Experts]]></category>
		<category><![CDATA[internet security expert]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/05/27/alexey-belkin-agnitum-speaks-about-the-future-of-the-security-industry/</guid>
		<description><![CDATA[This month Alexey Belkin, Chief Software Architect for Agnitum, shares his brief view of Internet security and Windows Vista security-wise. Follow the interview to glean Alexey’s personal thoughts and predictions.
Q.: Alexey, the first question is: What type of malware or web-borne threats is the most dangerous, from your point of view? Our readers are curious [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.agnitum.com/images/belkin_map.jpg" style="padding-right: 20px; padding-bottom: 15px" align="left" border="0" width="250" />This month Alexey Belkin, Chief Software Architect for Agnitum, shares his brief view of Internet security and Windows Vista security-wise. Follow the interview to glean Alexey’s personal thoughts and predictions.</p>
<p><strong>Q.: Alexey, the first question is: What type of malware or web-borne threats is the most dangerous, from your point of view? Our readers are curious as well.</strong></p>
<p>A.: I think it’s ID theft. The most dangerous malware (viruses, spyware, etc.) a user’s PC can be infected with is the one that records users’ keyboard entries, including passwords, credit card numbers and personal messages, tracks the web-sites you visit and is capable of retrieving passwords or any personal data from other programs used for web surfing. Constant and consistently renewed modifications of malicious software, especially those targeting a small number of PCs, pose a serious threat to the traditional signature-based approach and create a risk of personal computers being infested for years!</p>
<p>The problem becomes even more severe as some antivirus vendors do not bother to supplement their bases of malware with the samples their removal methods can’t overcome. Sophisticated malware can be so well integrated within the system that traditional removal methods turn out to be ineffective against it. As you might know, one of the key goals for Agnitum’s products is to ensure malware is blocked at the earliest stage possible (simultaneously with the system boot-up) and also to eradicate malware which has been integrated into the system in the most sneaky ways.</p>
<p>Another alarming fact is the spread of malware which inserts itself into the autorun mechanisms of removable disks (carriers). Such nefarious programs infect memory cards for photo cameras, MP3 players and other portable devices defined by an operating system as a “removable storage device”. The percentage of such virus samples is growing monthly, one of the reasons being the presumed harmlessness of, say, plugging a camera into a PC, as well as the boom in compact data storage devices of all kinds.</p>
<p>As for mail worms, their spread has been greatly diminished as a result of long-lived “beware of mail attachments” security propaganda. Most likely, the removable storage problem will share the same fate. The times of virus-infected floppies have passed and people have got used to the idea that their flash drives are quite safe.</p>
<p><strong>Q.: What do you think about the existing malware tests (such as <a href="http://www.av-test.org/" target="_blank">AV Test</a>, <a href="http://www.virusbtn.com" target="_blank">VirusBulletin</a>, etc.), do they reveal the real picture of products’ quality? Up to what extent can we rely on these researchers?</strong></p>
<p>A.: Such tests as those performed by VirusBulletin are, undoubtedly, of great interest. Even if we leave the VB100 brand behind, analyzing the number of detected malware samples is still a curious thing. For instance, the fact of slightly unequal malware propagation in different regions leads to certain “geographical” peculiarities. Besides, additional materials delivered to antivirus vendors such as comparative performance tests are important for us. It’s not unusual that security manufacturers make good use of this comparative data without loading their own testing resources, creating home-made (often very subjective) techniques or performing full-scale research.</p>
<p><strong>Q.: Alexey, many of our readers ask whether they should use an antivirus or a firewall, or both. If we talk about signature-based and proactive protection approach, what are the advantages and disadvantages of these two?</strong></p>
<p>A.: The reactive approach (antivirus technologies) remains one of the most important means of protection against malware, aiming to identify and remove nefarious programs. The improvement and development of antivirus technologies led to the quest for integrated security. But the need for proactive defense to prevent potential malware activity and <a href="http://www.securityteacher.com/2008/06/12/zero-day-malware/">zero-day threats</a> has been equally or even more important.</p>
<p>With the supplement of proactive protection (which tracks potentially risky software and components interaction as well as suspicious attempts of changing key system settings) any PC becomes better safeguarded against malicious activity and capable of preventing infections at an early stage.</p>
<p>To sum up, proactive defense is a key element in any data protection strategy. By tracking unauthorized behavior, it can reduce a PC’s susceptibility to any threats, regardless of whether an up-to-date signature base exists.</p>
<p><strong>Q.: What role shall personal firewalls play within internet security in the epoch of integrated solutions?</strong></p>
<p>A.: The position of a personal firewall is at the first line of defense within the integrated solution. It seems to be the only option nowadays.</p>
<p><strong>Q.: Do you think separate antivirus and firewall solutions should still be in demand and well maintained, or will security suites force them out of the market completely?</strong></p>
<p>A.: There’s no doubt that security suites will hold the leading position on the market. However, standalone solutions will still be in place, in the same way that you may see plenty of hardware components in retail while out-of-the-box laptops and desktops are abundant.</p>
<p><strong>Q.: I’ve got a question concerning Vista security. This issue had been discussed even before the OS’s release and experts revealed plenty of vulnerabilities that had to be consistently patched. Now Vista has been on the market for more than a year. How would you rate Microsoft’s efforts to increase the system’s security? Does it make sense to deploy Vista without third-party security software running?</strong></p>
<p>A.: When it was first released, Vista contained significantly fewer vulnerabilities than its predecessors. Many security problems can be solved with the aid of UAC (User Account Control), but it looks complicated and few users are ready to work with it. Lots of work has been carried out on the Microsoft side, but Windows is still a system that needs third-party security components.</p>
<p><strong>Q.: There’s an opinion that Vista’s high vulnerability, which at first caused a negative reaction, is a relative measure. As this OS is very popular and has dominant ambitions, it attracts more hackers’ attention, whereas less popular OS’s seem to be more secure because cybercrooks are less interested in them. What do you think about it? What OS is the least vulnerable?</strong></p>
<p>A.: I completely agree with this opinion. The more popular a program is the better target it is for cybercrooks. At the same time “marginal” systems provide less transparency and their vulnerabilities are not so well-known. An exotic OS is always more “secure”. Answering the question “What’s more secure – Vista or XP?” we have to admit: it’s Vista.</p>
<p><strong>Q.: What was the influence of Windows Vista Service Pack 1 launch – on the OS and on overall security?</strong></p>
<p>A.: Service Pack 1 for Vista can really influence Internet security. Not for the reason of its new protection capabilities, but because many users who have anticipated this launch will finally start migrating to Vista. If you take a look at the recent “When are you moving to Vista?” surveys, you’ll realize one of the most popular answers among tech-savvy users has been “After the release of Service Pack 1”. Now that it is finally out, we can expect more and more advanced users to turn to Microsoft’s latest OS. The changes in Vista will prove to be fruitful later, when software developers realize that the privileges their programs used to enjoy can be significantly limited and start to design their software accordingly, and also when users work under restricted accounts more often. Unfortunately, software developers hardly ever consider “The Principle of Least Privilege”, whereas the prevalence of Vista will force them to do so and take privilege issues into account. It’s no secret that working under a restricted account with limited rights helps avoid a good deal of modern Internet threats.</p>
<p><strong>Q.: Thank you, Alexey! Don’t hesitate to let us know when you have new thoughts and observations to share.</strong></p>
<p>A.: Sure, with pleasure!</p>
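<p>Alexey mentions malware that plants itself in the autorun mechanism of removable media. The check below is an added example, not code from Agnitum or from the interview: it parses an <code>autorun.inf</code> taken from a removable drive and flags the directives that Windows AutoRun would use to start a program (<code>open</code>, <code>shellexecute</code> and <code>shell\&lt;verb&gt;\command</code>). A benign photo card normally carries no <code>autorun.inf</code> at all, or only <code>icon</code>/<code>label</code> entries. Both sample files and the <code>RECYCLER\hidden\ise.exe</code> path are constructed for the example.</p>

```python
"""Flag autorun.inf directives that can launch code from removable media.

Added example (not from the interview or from any Agnitum product).
Windows AutoRun reads the [autorun] section; the keys that start a program,
or redirect the user's "Open"/"Explore" action to one, are open, shellexecute
and shell\<verb>\command. Everything else (icon, label, action, UseAutoPlay)
only changes presentation.
"""
import re
from typing import Dict, List, Tuple

# Keys in [autorun] that cause code execution. Windows matches keys
# case-insensitively, so the parser lower-cases them and the regex ignores case.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)

# Constructed sample of an infected card: the dropper sits in a hidden folder and
# both the AutoRun "open" key and the Explorer context-menu verbs point at it.
SAMPLE_INFECTED = """[autorun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\hidden\\ise.exe
shell\\open=&Open
shell\\open\\command=RECYCLER\\hidden\\ise.exe
shell\\explore\\command=RECYCLER\\hidden\\ise.exe
"""

# Constructed sample of a harmless file: only cosmetic entries.
SAMPLE_BENIGN = """[autorun]
icon=camera.ico
label=Holiday photos
"""


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser for autorun.inf.

    Section names and keys are lower-cased; a repeated key is overwritten by the
    later one, which is how Windows resolves duplicates. A UTF-8 BOM, blank lines
    and ;/# comment lines are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text: str) -> List[Tuple[str, str]]:
    """Return (key, target) pairs from [autorun] that would run something."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items() if LAUNCH_KEY.match(k)]


def is_suspicious(text: str) -> bool:
    """True if inserting or opening the drive could start a program."""
    return bool(launch_directives(text))


if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(name, "->", "SUSPICIOUS" if is_suspicious(sample) else "ok",
              launch_directives(sample))
```

<p>On a live system the same function would be fed the contents of <code>X:\autorun.inf</code> for every drive Windows reports as removable; a hit is worth quarantining the file before the volume is opened in Explorer, since the <code>shell\open\command</code> redirection fires on the user’s double-click even when AutoRun itself is disabled.</p>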
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/05/27/alexey-belkin-agnitum-speaks-about-the-future-of-the-security-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Roger Thompson (AVG) answers Agnitum&#8217;s questions</title>
		<link>http://www.securityteacher.com/2008/04/25/roger-thompson-avg-answers-agnitums-questions/</link>
		<comments>http://www.securityteacher.com/2008/04/25/roger-thompson-avg-answers-agnitums-questions/#comments</comments>
		<pubDate>Fri, 25 Apr 2008 08:16:31 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Experts]]></category>
		<category><![CDATA[internet security expert]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/04/25/roger-thompson-avg-answers-agnitums-questions/</guid>
		<description><![CDATA[This time we are happy to interview Roger Thompson, best known as the co-founder of Exploit Prevention Labs and currently Chief Research Officer at AVG Technologies. Roger is a veteran of the security industry with over 20 years of experience and several successful businesses behind him. Now&#8217;s your chance to learn more about his remarkable [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://explabs.blogspot.com/" target="_blank"><img src="http://www.agnitum.com/images/roger-thompson.jpg" style="padding-right: 20px; padding-bottom: 15px" align="left" border="0" height="225" width="160" /></a>This time we are happy to interview Roger Thompson, best known as the co-founder of Exploit Prevention Labs and currently Chief Research Officer at AVG Technologies. Roger is a veteran of the security industry with over 20 years of experience and several successful businesses behind him. Now&#8217;s your chance to learn more about his remarkable personal experiences and smart, humorous approach to security issues. Let’s hand over to Roger Thompson.</p>
<p><strong>Q.: Hello Roger! Thanks for being with us. A traditional question to start with: What is your educational background?</strong></p>
<p>A.: I actually never completed high school. My parents really couldn&#8217;t afford to keep me there, and I was not the greatest student. I was always able to obsess over the things I was interested in, but that rarely coincided with what the teachers wanted me to do. I focused on chess, playing sports and playing music, and in doing so, learned how self-education works. This turns out to be a useful attribute for anyone involved in research.</p>
<p><strong>Q.: How did you get started with your web-based threat research? Could you tell us a few words about your team and its goals?</strong></p>
<p>A.: It turns out that if you&#8217;re good at computers, and you have grown up children, you get to be Tech Support Of Last Resort. If they&#8217;ve got a computer they can&#8217;t fix, they bring it home for dad to fix. A few years ago, one of my kids started bringing home machines with rootkits, and while that was interesting, the really interesting thing was how they got the rootkit. All they were doing was surfing the web, looking for lyrics to songs, and the next thing they knew, they had a whole lot of new software that they couldn&#8217;t remove. I quickly realized that the web was the emerging battleground, and built a team and a product to find and handle web-based threats.</p>
<p><strong>Q.: What made you become a security specialist?</strong></p>
<p>A.: I got started in the anti-virus business way back in 87. I had a team of Oracle contractors that was making good money, but I was always looking for a product that I could build and sell, and when one of my clients thought he had this new thing, a &#8220;Computer Virus&#8221;, I instantly saw the opportunity there.</p>
<p><strong>Q.: What do you think are the most promising security technologies we can expect to see in products in the near future?</strong></p>
<p>A.: All the security software we ever need has now been written. I&#8217;m kidding, I&#8217;m kidding!!!! I like the idea of web security technology for the foreseeable future.</p>
<p><strong>Q.: What kinds of security software do you personally use?</strong></p>
<p>A.: I tend not to use security software, except in test environments, and then I have about one of everything. No one actually needs security software&#8230; you just have to set up your machine properly, and you&#8217;re perfectly safe. The problem is that most people don&#8217;t know how to do that. It&#8217;s a bit like saying it&#8217;s easy to make money on the stock market&#8230; you just buy low, and sell high <img src='http://www.securityteacher.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p><strong>Q.: Do you and your team participate in security groups and online forums? If so, which?</strong></p>
<p>A.: Yes, but mostly on closed email lists with other security pros. I do post to <a href="http://www.wilderssecurity.com/index.php" target="_blank">Wilder&#8217;s forums</a> a fair bit.</p>
<p><strong>Q.: Where would you recommend users to turn on the web for security education and information?</strong></p>
<p>A.: There&#8217;s an abundance of information. <a href="http://www.wilderssecurity.com/index.php" target="_blank">Wilder&#8217;s</a> is pretty good, and we have some nice videos on youtube that are fairly educational. Search for <a href="http://youtube.com/results?search_query=toughonthreats&amp;search_type=" target="_blank">toughonthreats</a> and/or <a href="http://youtube.com/results?search_query=rogertatmindspring&amp;search_type=" target="_blank">rogertatmindspring</a> and you should find them.</p>
<p><strong>Q.: Thank you, Roger! It was a pleasure to talk to you. Best luck in your job!</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/04/25/roger-thompson-avg-answers-agnitums-questions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Paranoid2000: Thoughts on Internet Security</title>
		<link>http://www.securityteacher.com/2008/03/28/paranoid2000-thoughts-on-internet-security/</link>
		<comments>http://www.securityteacher.com/2008/03/28/paranoid2000-thoughts-on-internet-security/#comments</comments>
		<pubDate>Fri, 28 Mar 2008 13:57:07 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Experts]]></category>
		<category><![CDATA[internet security expert]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/03/28/paranoid2000-thoughts-on-internet-security/</guid>
<description><![CDATA[This month a prominent UK network tester and Internet security specialist nicknamed Paranoid2000, an active figure in security-related forums including Outpost Firewall Forum, has kindly agreed to answer our questions. What should you expect in terms of online safety and what should you do to resist existing threats? Please find the revelations of an advanced user [...]]]></description>
			<content:encoded><![CDATA[<p>This month a prominent UK network tester and Internet security specialist nicknamed Paranoid2000, an active figure in security-related forums including <a href="http://www.outpostfirewall.com/forum/">Outpost Firewall Forum</a>, has kindly agreed to answer our questions. What should you expect in terms of online safety and what should you do to resist existing threats? Please find the revelations of an advanced user and computer specialist below.</p>
<p><strong>Q.: Computer security appears to be your big interest, why is it so appealing to you?</strong></p>
<p>A.: For purely selfish reasons &#8211; I want to keep control of my computer! Malware production has changed from being a (somewhat macabre) hobby to a fully fledged industry, and one which shows no respect for individual rights or general well-being.</p>
<p>To take a common case &#8211; consider a spammer or other online fraudster who sends out ten million emails a day for a year. Even if only 10% reach someone who then spends 5 seconds reviewing and deleting them (many will spend more time reporting them, adjusting spam filters or reconfiguring servers), that amounts to nearly 58 years of time taken that could be used for other things.</p>
<p>Now a serial killer who murders 10 people may have denied society 400 years of life (assuming the victims had an average age of 32 and would otherwise have lived till 72). So the consequences of a major career spammer (sending out billions of emails per day over 5 or more years) in terms of time lost could exceed this by a factor of 10 or more. Spamming cannot generally be equated with mass murder, but this sort of calculation should provide an indication of its consequences to online society and the inadequacy of existing deterrents.</p>
<p>And spamming is just one of many online crimes that take advantage of inadequate online security.</p>
<p>Furthermore, there is an increasing trend with commercial software to use measures to track or restrict users (e.g. CD checks, online activation and even rootkits) so it is important to keep an eye on how things develop there. Here users have more power to deal with unacceptable conduct (via product boycott in the worst cases) but appropriate security software is often necessary to detect anything untoward.</p>
<p><strong>Q.: Could you tell us a bit about yourself &#8211; how did you get started in security? Do you have any special skills or experience? What&#8217;s your education in relation to IT?</strong></p>
<p>A.: I&#8217;ve been into computers since my early teens (started with an Apple II &#8211; still have it, still works) and did Computing Science at university, but I picked up the most useful skills while a network tester. This involved using protocol analysers to view network traffic and required in-depth knowledge of network protocols, including the now ubiquitous TCP/IP.</p>
<p><strong>Q.: Don&#8217;t you think that tweaking protection to the maximum creates an equally unusable environment where you have to answer a barrage of security dialog windows, making your work less productive and all these distractions intruding upon your everyday experience? How do you feel about this situation?</strong></p>
<p>A.: There are several aspects to achieving &#8220;maximum protection&#8221;, each with different overheads.</p>
<p>The first is disabling any unnecessary features which could be abused &#8211; for example in Windows, services like Universal Plug and Play or Windows Messenger. This is a one-off adjustment which should involve no further prompts.</p>
<p>The second is blacklisting/whitelisting, checking programs against known lists (antivirus scanners come in here). Prompts here should be minimal (in most cases, only when a problem is identified) but constant scanning can affect system performance.</p>
<p>The third (which is where firewalls like Outpost come in) is behaviour tracking, alerting on specific actions (e.g. network access, registry modification, driver installation). Here certainly there can be problems with the quantity and quality of prompts &#8211; most security utilities only provide very low-level information which does little to inform the expert (let alone the novice) as to what to allow or deny.</p>
<p>To take an example with Outpost Firewall 2008, whenever I switch on (or off) the wireless interface on the notebook I run it on, OPF 2008 prompts me that Svchost is trying to modify Explorer. There&#8217;s no indication of what or why this is happening (I would *guess* that Svchost is prompting explorer to refresh its display to add or remove network drives) and Svchost itself is too easily hijacked to say &#8220;Allow&#8221; all the time. Here there is a need to provide more information about what is happening, either by looking at the circumstances triggering the event (a hardware addition/removal in this case) or by looking more closely at the interaction (identifying the hook used, API routine called, etc.) and then providing a readable explanation of what is happening.</p>
<p>Whitelisting could reduce some prompts, but would not help here due to the wide range of actions performed by Svchost and the possibility of malware causing them. Some examples already use Svchost to access the Background Intelligent Transfer service (normally used by Windows Update) to avoid being blocked by firewalls.</p>
<p>A large number of prompts will be a problem, but this is solvable by making it easy to create rules (either temporary or permanent) covering a wider range of behaviour. For example, program installers typically create and modify many registry keys &#8211; System Safety Monitor (a &#8220;process firewall&#8221;) provides an Install Mode option that allows most subsequent registry changes, only alerting on critical ones like driver installation.</p>
<p>ZoneAlarm Pro provides a very simplified &#8220;trust&#8221; system where applications can be assigned one of four trust levels, but this is taken too far in my view since it does not separate network access from process or registry modification. However this could be taken as a starting point for an &#8220;application profile&#8221; system (as offered by Tiny Firewall) which would allow users to set appropriate permissions with, at most, 2 or 3 dialogs.</p>
<p><strong>Q.: From the nature of your work, you deal with day-to-day PC gripes of your fellow forum members and other regular users. What are the common problems and how do you help resolve them?</strong></p>
<p>A.: I&#8217;ve not been doing as much troubleshooting recently &#8211; but the biggest challenge is getting the right information to start with, especially with novice users who may not know what is significant (e.g. error messages, system setup). Without this, it is all too easy to draw the wrong conclusions and waste time as a result.</p>
<p><strong>Q.: How would you rate the overall level of security knowledge and awareness of regular PC users, what do you think they need in that regard?</strong></p>
<p>A.: For most people, security knowledge is sadly close to zero &#8211; often just a simple awareness that it is needed. Here computer vendors could do far more by including a copy of instructions like <a href="http://www.cert.org/tech_tips/before_you_plug_in.html" target="_blank">http://www.cert.org/tech_tips/before_you_plug_in.html</a> or something similar.</p>
<p>Currently all that most offer are trial versions of AV software that they receive commissions for, which can often cause further problems.</p>
<p><strong>Q.: What Microsoft OS do you use? What, in your opinion, Vista lacks security-wise and what are its security benefits?</strong></p>
<p>A.: I&#8217;m using Windows 2000 on my main system, having boycotted XP due to its online activation requirement. I do now have a system with an activation-free XP (via a BIOS lock &#8211; I spent over a week trying to install Win2K on it initially) but I have now become very cautious with Microsoft products. All too often the pain (online activation, limited compatibility, planned obsolescence, software dependencies) outweighs the gain on their recent offerings.</p>
<p>As for Vista, the increased level of Digital Rights Management (DRM) rules it out completely for me. Even without that, it offers almost nothing over a Win2K/XP system with an appropriate choice of third party software (firewall, media player, disk backup, etc.) while seeming to have a disproportionate cost in memory, CPU utilisation and money.</p>
<p>The most successful Windows versions were those that fixed clear problems &#8211; Windows &#8216;95 fixed hardware setup with Plug and Play, &#8216;98 fixed cluster issues on large hard disks with FAT32, Win2K largely solved program stability and resource (user/GDI/stack) limits. That leaves security and system maintenance (notably &#8220;digital bitrot&#8221; where the remnants of uninstalled applications cause slower systems). Vista if anything complicates such maintenance due to features like file/registry redirection and while UAC may have security merits, it seems to cause enough frustration to remove any benefit for most. On the other hand, Microsoft&#8217;s kernel lockdown has hampered security software providers, resulting in less choice for Vista users wanting to secure their system further.</p>
<p><strong>Q.: To conclude, what advice would you like to share with our readers to keep their computers in a healthy, security-sound state?</strong></p>
<p>A.: There are many ways to proceed so take the time to read and experiment to find what&#8217;s best for you! There are many vendors offering a different approach and visiting security forums like <a href="http://www.castlecops.com/" target="_blank">Castlecops</a> or <a href="http://www.wilderssecurity.com/" target="_blank">Wilders Security</a> can provide a great deal of help and information. The basics (firewall and anti-virus) should be set up as quickly as possible but with these in place, you have time to consider what, if any, further measures are appropriate (consider the worst case &#8211; how much could you lose if your online accounts were hijacked?).</p>
<p>It is however better to have 3-4 security programs that you know well and have set up properly than 8 or more poorly configured and possibly conflicting with each other.</p>
<p><strong>Q.: Thank you for your answers! And best luck in the world of security!</strong></p>
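<p>Paranoid2000 describes behaviour tracking as the noisy layer of protection and sketches two ways to tame it: an install mode that waives routine registry prompts for an installer while still alerting on critical changes such as driver installation, and a refusal to grant blanket rules to easily hijacked processes like Svchost. The policy engine below is an added example written to illustrate that reasoning; it is not code from Outpost, System Safety Monitor or any product named in the interview. The event model, the list of critical registry paths and the sample installer events are assumptions made for the example.</p>

```python
"""A behaviour-tracking prompt policy with an "install mode".

Added example, not part of the interview or of any product mentioned in it.
Models the trade-off discussed above: every tracked action prompts unless a
rule covers it; install mode allows an installer's routine registry writes;
actions that buy persistence or kernel access (service/driver registration,
autostart keys, driver installs) still prompt; hijack-prone system processes
never get a remembered "Allow" for modifying other processes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Registry paths whose modification is always critical, install mode or not
# (assumed list for the example: services/drivers and the classic Run key).
CRITICAL_REGISTRY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
    r"|^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    re.IGNORECASE,
)

# System hosts that malware routinely borrows (e.g. for BITS downloads); a
# permanent rule for them would also cover whatever hijacks them.
HIJACK_PRONE = {"svchost.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    action: str    # registry_write | driver_install | network_connect | process_modify
    target: str    # registry key, driver path, remote address or victim process


@dataclass
class Policy:
    install_mode_for: str = ""                            # image trusted as installer, or ""
    rules: Set[Tuple[str, str]] = field(default_factory=set)  # (process, action) allowed permanently

    def decide(self, ev: Event) -> str:
        """Return 'allow' or 'prompt' for one tracked event."""
        if ev.action == "driver_install":
            return "prompt"                               # kernel code: always ask
        if ev.action == "registry_write" and CRITICAL_REGISTRY.search(ev.target):
            return "prompt"                               # persistence: always ask
        if ev.action == "process_modify" and ev.process.lower() in HIJACK_PRONE:
            return "prompt"                               # never remember Allow for these
        if ev.action == "registry_write" and ev.process == self.install_mode_for:
            return "allow"                                # install mode: routine writes
        if (ev.process, ev.action) in self.rules:
            return "allow"
        return "prompt"


def prompt_count(events: List[Event], policy: Policy) -> int:
    """How many of the events would interrupt the user under this policy."""
    return sum(policy.decide(e) == "prompt" for e in events)


# Constructed sample: an installer writing its own keys, then registering an
# autostart entry and a service, followed by the Svchost/Explorer case above.
SAMPLE_EVENTS = [
    Event("setup.exe", "registry_write", r"HKLM\Software\ExampleVendor\ExampleApp\InstallDir"),
    Event("setup.exe", "registry_write", r"HKLM\Software\ExampleVendor\ExampleApp\Version"),
    Event("setup.exe", "registry_write", r"HKCU\Software\ExampleVendor\ExampleApp\Prefs"),
    Event("setup.exe", "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp"),
    Event("setup.exe", "registry_write", r"HKLM\SYSTEM\CurrentControlSet\Services\exampledrv"),
    Event("svchost.exe", "process_modify", "explorer.exe"),
]

if __name__ == "__main__":
    print("default policy prompts:", prompt_count(SAMPLE_EVENTS, Policy()))
    print("install mode prompts:  ", prompt_count(SAMPLE_EVENTS, Policy(install_mode_for="setup.exe")))
```

<p>With no rules every event prompts; switching install mode on for <code>setup.exe</code> removes the three routine prompts but keeps the Run key, the service registration and the Svchost case, which is the balance the answer above argues for. A real product would also need the richer context Paranoid2000 asks for (which hook, which API) to make those remaining prompts answerable.</p>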
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/03/28/paranoid2000-thoughts-on-internet-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>David Matoušek (Matousec Transparent Security) shares his views of Internet security</title>
		<link>http://www.securityteacher.com/2008/02/26/david-matousek-matousec-transparent-security-shares-his-views-of-internet-security/</link>
		<comments>http://www.securityteacher.com/2008/02/26/david-matousek-matousec-transparent-security-shares-his-views-of-internet-security/#comments</comments>
		<pubDate>Tue, 26 Feb 2008 11:31:24 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Experts]]></category>
		<category><![CDATA[internet security expert]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/02/26/david-matousek-matousec-transparent-security-shares-his-views-of-internet-security/</guid>
		<description><![CDATA[Opening the series of our interviews with security experts, David Matoušek, the founder and head of Matousec Transparent Security lab has agreed to answer our questions. Anyone who has ever compared and assessed personal firewalls and their protection qualities will benefit from reading the reports of this Czech-based team. Security vendors are best acquainted with [...]]]></description>
			<content:encoded><![CDATA[<p>Opening the series of our interviews with security experts, David Matoušek, the founder and head of <a href="http://www.matousec.com/">Matousec Transparent Security</a> lab has agreed to answer our questions. Anyone who has ever compared and assessed personal firewalls and their protection qualities will benefit from reading the reports of this Czech-based team. Security vendors are best acquainted with Matousec leaktests, however, the team is involved in a number of different projects. Now let’s give the stage to David Matoušek himself…</p>
<p><strong>Q.: <em>Hi David, the first question is: How did you get started? Could you tell us a few words about your team and its goals?</em></strong></p>
<p><img src="http://www.agnitum.com/images/list/david_matousec.jpg" style="padding: 0px 15px 10px 0px" align="left" border="0" />A.: Since high school, I have tried many times to establish or join a serious team for various projects. These attempts always failed. At college, I met more skilled people and decided to try to establish a team once more, this time with strict internal rules. It has been working better than before, but there have still been quite a lot of problems with people who overestimate their spare time or enthusiasm.</p>
<p>From the beginning, we have focused on security on the Internet, especially on the related software for the Windows NT platform. We found out that none of the top desktop security products really achieved what its vendor promised. There were always easy methods to bypass some of its important functionality. And this was true not only for personal firewall products, which we chose to focus on a bit more. We have decided to try to change this situation. So, our main goal has been to help to create solid security products. Another goal is to reveal which vendors really care about their customers and which care about profit only. We would also like to help end-users to choose the best products for them.</p>
<p><strong>Q.: <em>What made you become a security researcher; how did you arrive at the idea of setting up a website that would measure up-to-date security programs&#8217; performance and maintain current scores of their robustness? Was that a pioneering project?</em></strong></p>
<p>A.: In the computer world, there are countless extremely interesting topics. Security and the Internet, however, are also very current topics that have a real impact on many people today. Almost every computer owner deals with these topics. This is why one may become a security researcher.</p>
<p>Our website has been set up for various reasons. There are many factors connected to each other. We wanted not only to deal with vendors but also to offer something interesting to end-users. When you have something for end-users, you get the attention that is needed if you want to deal with the vendors. It is also an instrument you can use to push on vendors in case they ignore you, because they may ignore you, but they can hardly ignore their customers who are interested in the software they use, support or pay for. All these things are connected and work well together.</p>
<p>A good and extensible scoring system is what makes it manageable to compare as many products as we want to. I have to admit that we did not come up with such a system at first. We found a good way to deeply examine personal firewalls and related software, but the main problem is that it is extremely time-consuming to test a single product with it.</p>
<p>We fully recognized this when we started with leak-testing, which produces reasonable results much faster. Our original methods are good for extensive software testing, and we still use them for commercial testing, where they help us find many security holes in every tested product. But these methods are not suitable for comparing tens of products. This is why we are working on a new testing system now, which should be ready in a few weeks.</p>
<p>The idea of analyzing and comparing security solutions was not new when we started, but our approach was. Most of the comparisons available even today are ad-like reviews by people who do not deeply understand the software they are testing.</p>
<p>We go to the lowest level and that is what makes our research unique.</p>
<p><strong>Q.: <em>You conduct extensive research of firewalls&#8217; functionality. Can you name the five top features that should be present in every firewall of choice?</em></strong></p>
<p>A.: It should be noted that the products we mostly focus on are not common firewalls. We work with products that implement process-based security, we call them personal firewalls.</p>
<p>There are many software firewalls that do not do that and just filter packets. These firewalls are not worse than personal firewalls; they are just a different kind of software &#8211; for a different kind of user. We require personal firewalls to include host protection features too.</p>
<p>Now, if it is clear what kind of products we are talking about, we can discuss what we expect from them.</p>
<p>In our opinion, personal firewalls should prevent spying and data and identity theft.</p>
<p>Naming the top five features, personal firewalls should implement packet filter functionality to prevent direct online attacks &#8211; i.e. not to let malware get in. Personal firewalls should control software installed on the computer to prevent malware from integrating into the operating system.</p>
<p>Then the malware should not be able to get the user&#8217;s private data; thus anti-sniffing, anti-keylogging and personal data protection features should be implemented too. And even if the malware succeeded in collecting the information, it should not be allowed to send it outside the protected system, and this means implementing outbound network traffic control.</p>
<p>To achieve all this is a much harder task than it seems. The protection system also has to prevent attacks on trusted processes and other components in the system. Otherwise, the malware would be able to use trusted parts of the system to integrate into the operating system, to collect or steal sensitive data and/or to send the data outside the system without being noticed. So the next feature required here is control of untrusted processes&#8217; activities, and that is the hardest task for personal firewalls. It also includes the implementation of self-protection mechanisms, because the malware should not be able to terminate the protection, which implies some other features to be implemented, and so on. It is very difficult to design and implement a solution that really works.</p>
<p><strong>Q.: <em>Do you have any other plans besides assessing security programs for their protection, maybe an operating system analysis roundup from the security perspective?</em></strong></p>
<p>A.: Security software testing might be the most visible activity of our group, but in the background there are many other activities. We work closely with several software vendors, for which we do security research related to the software they develop; we also help to design security software, we provide consulting and we also do our own research, including vulnerability discovery.</p>
<p><strong>Q.: <em>You say throughout your pages that you&#8217;re preparing a new slate of tests for the future, one of the most demanding and hard to pass. In this context, two questions:</em></strong></p>
<p><em><strong>a) What&#8217;s the main goal of this change? Would you like to make the new ones more strenuous?<br />
b) What kind of tests are they going to be, what kind of protection are they going to analyze?</strong></em></p>
<p>A.: I have already mentioned that our original system was too heavy for testing tens of products. On the other hand, there is the leak-testing approach, which is very easy and fast.</p>
<p>We are going to combine these two strategies into a solid testing system. We will base the system on small testing programs, very similar to leak-tests, but we will also cover many parts of what our original system examined. We believe that this approach will allow us to test as many products as with leak-testing and cover many more features than leak-testing does.</p>
<p>Another thing is that the current leak-testing is no longer manageable. Many of the leak-tests no longer work without proper hacking. For example, some of them rely on Internet servers that do not exist anymore. Then transparency is another reason for new tests. Many current tests are available in binary form only, and one can only guess what they really do. We want to recode all techniques from scratch and provide the source code for free. We will also try to unify the usage of the testing programs as much as possible. Recoding the tests also has another positive impact. Once we know how each test really works, we can remove duplicates and possibly improve the techniques of the tests.</p>
<p>This all should result in much easier, faster, more efficient and more transparent testing.</p>
<p>In the long term, we would like to cover as many features of personal firewalls as possible. Our new system should be flexible enough to allow adding new tests later. We will start with a set of leak-tests, probably supported with some self-protection tests. We would like to have stability tests, later also performance tests, sniffing, spying and keylogger protection tests etc.</p>
<p>We will also be open to ideas from other security researchers. If someone comes up with a new idea for tests, we will be happy to implement it and include it in our system. In fact, we have already received a few new ideas.</p>
<p>It should be noted, however, that such generalized tests will never be able to examine all aspects of the tested products. So even if we try to cover as many features as possible, the vendors should always find testers who examine their solution more deeply and thus reveal details that can never be found using the generalized tests that we will use for our public testing.</p>
<p><strong>Q.: <em>What in your opinion are the most promising security technologies of the nearest future, how do you think the security industry should evolve to address the threats that are obviously getting out of hand?</em></strong></p>
<p>A.: As for desktop security products, we are involved in several projects, but I cannot give you the names. Among these, there are a few brand-new ideas that might work very well against today&#8217;s malware. And this is also a good way to go in the security industry in general &#8211; to implement and use new ideas and to get rid of old insecure technologies. We should not be afraid of big steps that may hurt at first but in the long term may lead to excellent results. Take IPv6 (Internet Protocol version 6) as an example of this.</p>
<p>On the other hand, there are many rooted technologies that are insecure by design and should not be used at all. Again, these are used because people are afraid of big steps. Examples of such technologies are today&#8217;s credit cards and today&#8217;s email service. The biggest security problems exist just because of the use of old rooted technologies that we are scared to replace.</p>
<p><strong>Q.: <em>In your regular activity, do you personally use security software and what types of it?</em></strong></p>
<p>A.: Personally, I base my PC security on encryption, virtualization and the use of alternative software products. There are many high-quality and often free products that can be used for this purpose. I also use various utilities for system monitoring, including custom-made tools, and, finally, I use a packet-filtering firewall. However, I would not recommend this configuration to anyone who is not familiar with the system internals.</p>
<p><strong>Q.: <em>Do you frequent other Internet security sites and forums? How much collaboration does your team have with other prominent security groups?</em></strong></p>
<p>A.: Unfortunately, there is no time left for this. Naturally, we are interested in the results of other security-related sites, including underground e-zines, and if relevant content is published, we eagerly study it. But no regular contribution to other sites or forums is possible because of the lack of time.</p>
<p><strong>Q.: <em>Our site is for regular Internet users who want to know more about Internet security. What is your advice to them, and where do you think they should look to attain a better, more sound security stance?</em></strong></p>
<p>A.: To understand Internet security topics it is crucial to understand how each part of the Internet works. Such knowledge should start with understanding the operating system.</p>
<p>This would help common users use their computers more safely and would also help to mitigate many of the false beliefs about system security. Another important thing is to understand how the Internet as a network works, especially the Internet protocols.</p>
<p>A lot of good information is available freely on Wikipedia, which is also great for its objectivity and understandability. Usually, <a href="http://en.wikipedia.org/" target="_blank">Wikipedia</a> articles also link other information sources on the selected topic, so it is definitely a good site to start with.</p>
<p>I would also like common users not to be afraid to push on the vendors of software they use, especially in case of commercial software.</p>
<p><strong>Q.: <em>Thank you for your answers, David! And best luck with your security projects!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/02/26/david-matousek-matousec-transparent-security-shares-his-views-of-internet-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Profile of a Malware Analyst</title>
		<link>http://www.securityteacher.com/2007/10/03/profile-of-a-malware-analyst/</link>
		<comments>http://www.securityteacher.com/2007/10/03/profile-of-a-malware-analyst/#comments</comments>
		<pubDate>Wed, 03 Oct 2007 12:10:31 +0000</pubDate>
		<dc:creator>Igor Pankov</dc:creator>
				<category><![CDATA[Security Experts]]></category>
		<category><![CDATA[internet security expert]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2007/10/03/profile-of-a-malware-analyst/</guid>
		<description><![CDATA[Preface
Vlad Borisenko, Malware Analyst at Agnitum, shares with us the ins and outs of his profession.
Tell us a bit about yourself, your education, what you do when you’re not working, etc.
Well, I think I’m a pretty ordinary guy, except that I happen to know something about computers and the threats that complicate our digital lives.
I [...]]]></description>
			<content:encoded><![CDATA[<h3>Preface</h3>
<p>Vlad Borisenko, Malware Analyst at Agnitum, shares with us the ins and outs of his profession.</p>
<p><strong>Tell us a bit about yourself, your education, what you do when you’re not working, etc.</strong><br />
Well, I think I’m a pretty ordinary guy, except that I happen to know something about computers and the threats that complicate our digital lives.</p>
<p>I graduated from St. Petersburg Polytechnic University with a degree in mathematics and have been involved with computer security ever since. I’ve been working at Agnitum for three years, initially supervising the expansion of the signature database for the Tauscan anti-Trojan software. Then, when we moved into spyware detection, I became a senior malware analyst. Now, it’s my responsibility to ensure that our customers get the latest malware definitions as quickly as possible. I also work on the ImproveNet initiative that helps users get newly-tested automated firewall rulesets.</p>
<p>When I’m not working, I’m a bit of a gadget-freak (no surprise there). I’m also a big fan of motor sports and reading. I like to travel when I can escape from the malware threats for a while, which has led to a strong interest in environmental issues. I don’t understand how a few people can own private jets while millions in Africa suffer from hunger and disease – maybe in the future I’ll participate in one of the UN’s programs to help people in need. But whether malware will be defeated in time for me to do this is still a big question.</p>
<p><strong>How do you find time for all this, when you’re working night and day dissecting malware?</strong><br />
Everyone needs some balance in their lives. In this business, you need to be constantly on guard and active in order to stay ahead of the bad guys. Even though our team is on duty 24/7, I do try to dedicate my spare time to my personal interests and family. It’s always a challenge, because threats do tend to propagate on weekends when users’ vigilance is low, but knowing that we are helping to keep users safe online is the main thing that keeps me going.</p>
<p><strong>There is an interesting TV program called “How It’s Made” that describes how products evolve from an idea to a finished product. Can you give us a “How It’s Made” overview of the anti-malware business?</strong><br />
Well, I could write pages about this subject, as you can imagine. But for simplicity’s sake, I’ll try to give a snapshot of the process without getting into too much technical detail (and without revealing Agnitum’s trade secrets, of course!).</p>
<p>The first step is the collection of samples &#8211; suspected malicious code for analysis and possible inclusion in our signature databases. We get samples from a variety of sources: user submissions through our website, partners, as well as other anti-malware vendors &#8211; whenever there’s an outbreak, everyone works together to make sure users can get detections as quickly as possible. We also use a system of automated web crawler tools that comb the web looking for traces of malicious code and embedded exploits and provide any such findings to our lab engineers for a more rigorous in-house evaluation. And if that weren’t enough, we also check our mail servers for incoming threats contained in spam. Every element of suspect code undergoes automated scanning and assessment procedures to enable us to verify unknown threats as early as possible in this complex process of threat analysis.</p>
<p>After this first stage is completed, the suspect code is checked for harmful activity and malicious behavior using virtual machines. These are copies of normal Windows installations placed on standalone test machines running special software that allows changes made since the execution of the code to be instantly rolled back. The researcher then tracks the changes made to a system, and if malicious impact is found, the sample is immediately flagged as malware. More sophisticated malware authors have mastered the technique of “sensing” a virtualized environment and reacting to it by suppressing their malicious intent so they can’t be immediately detected. In these instances, we in turn apply our own more sophisticated tools.</p>
<p>The researcher needs to take a look at the original “plain view” code that constitutes the payload of the malware. To do this, the file is converted to a form suitable for human analysis using one of the following methods:</p>
<ul>
<li><strong>Unpacking.</strong> The code may arrive in a packed (archived) form that necessitates the use of specialized “unpacker” utilities to reveal its contents.</li>
<li><strong>Decrypting.</strong> If the file is encrypted, the corresponding decryption key needs to be recovered and applied to decrypt the file and render it accessible to the researcher.</li>
<li><strong>Decompiling/disassembling.</strong> Decompiling means getting down to the source code of an executable file &#8211; this may be in any of the high-level programming languages, such as Delphi, C or C++. Disassembling means translating an executable file to a lower-level assembly language. This process enables the researcher to take a look at the “raw” code and manually analyze it.</li>
</ul>
<p>Once malware has been definitively identified, the signature database must be updated. We use a proprietary editor to manage threat signatures and in some cases prepare a dedicated heuristics analysis module that detects threats by behavior rather than code.</p>
<p>After the definitions are compiled, they are tested with the help of machines running different versions of Windows, different builds of Outpost and a broad range of third-party applications to ensure users won’t experience any problems when they install the updated definitions. The new definitions are then placed on our servers ready to distribute fresh signature updates to our users.</p>
<p><strong>Fascinating, what tools do you use to do all this?</strong><br />
Aside from the virtual machine applications, most of our tools were developed in-house by the research team and engineers.</p>
<p><strong>How do you think the computer security industry will evolve?</strong><br />
We’re seeing an increasing volume of blended threats – for example, Trojans and keyloggers hidden by very powerful rootkit functionality that enables them to stay hidden on a system. We’re also seeing malware targeting specific software products, particularly security software, to disable the software and give themselves a clear passage onto the user’s machine. All of this is a constant challenge, both from a research perspective and from a customer care perspective. The only way that we can be more efficient is to do more to prevent malware from getting onto users’ computers in the first place, so we, along with the Agnitum engineering team, are focusing heavily on developing techniques to monitor and block suspicious application behavior.</p>
<p><strong>You’re referring to some form of Host Intrusion Prevention System (HIPS)?</strong><br />
Yes, the type of protection that monitors program behavior and makes sure applications don’t behave badly on a system. Users will see more emphasis on this type of protection in future versions of Outpost software.</p>
<p><strong>That’s a great note to end on &#8211; any final words of advice for our readers?</strong><br />
Thanks for giving me the opportunity to talk directly to our users. I wish them safe travels on the Internet, remembering always that a combination of knowledge, safe surfing practices, and robust security is the best defense.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2007/10/03/profile-of-a-malware-analyst/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
