How Anti-Virus Vendors Could Improve Detection

As argued in Fellow Malware Travelers, someone who reacts to malware detected in a web browser cache by inspecting the related files in that cache can frequently find malware that the scanner missed. When malware is detected, investigate the other files that arrived from the same location or at around the same time.

This is a tedious but rewarding activity when done manually, and manual inspection has two further problems. Often the machine is not available for inspection, and often too much time has elapsed between the alert and the inspection, by which point the cache may have been cleared or its entries evicted. In short, manual inspection is tedious and delayed, which makes it a good candidate for automation.

I am reminded of the HoneyMonkey project. Like a million monkeys typing for a million years, a laboratory of sandboxed machines emulated user web browsing, crawling the Internet in an attempt to find malware that was previously undetected. I would expect actual users to be a more fruitful resource. They are crawling the web already; take advantage of their experiences to collect the malware that is passing undetected.

Allow the user to opt in to the malware discovery process. Suppose real-time virus detection encounters a malicious file in the browser cache. It is not difficult to determine mechanically, from the cache's index, which other files arrived from the same location or at around the same time. Preserve copies of those files in quarantine. When informing the user of the detected malware, ask whether they would like to submit the quarantined files for inspection. Because the files that travelled with the malware may include pages and images the user was viewing, the prompt should list what is about to be submitted.
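The selection and quarantine steps above, as an added example that is not part of the original post and not any vendor's code. It works on constructed cache metadata (path, source URL, fetch time) rather than parsing a real browser's cache index, treats "same location" as "same host", and uses a five-minute window for "around the same time"; all three are assumptions, and the sample cache contents are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CacheEntry:
    """One cached object: where its body lives on disk, what URL it came from, when."""
    path: str
    url: str
    fetched_at: datetime


def same_location(a: CacheEntry, b: CacheEntry) -> bool:
    # Assumption: "same location" means the same host; scheme and path are ignored.
    return urlsplit(a.url).netloc.lower() == urlsplit(b.url).netloc.lower()


def fellow_travelers(entries: List[CacheEntry], detected: CacheEntry,
                     window: timedelta = timedelta(minutes=5)) -> List[CacheEntry]:
    """Cached objects that came from the detected object's host, or arrived within
    `window` of it on either side. The detected object itself is excluded."""
    found = []
    for e in entries:
        if e.path == detected.path:
            continue
        near_in_time = abs(e.fetched_at - detected.fetched_at) <= window
        if same_location(e, detected) or near_in_time:
            found.append(e)
    return sorted(found, key=lambda e: e.fetched_at)


def quarantine(entries: List[CacheEntry], quarantine_dir: str) -> List[Dict[str, str]]:
    """Copy each entry into quarantine_dir under its SHA-256 (read-only, so nothing
    in quarantine is accidentally run) and write a manifest of what was taken."""
    os.makedirs(quarantine_dir, exist_ok=True)
    manifest = []
    for e in entries:
        with open(e.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        dest = os.path.join(quarantine_dir, digest)
        if not os.path.exists(dest):
            shutil.copyfile(e.path, dest)
            os.chmod(dest, 0o400)
        manifest.append({"sha256": digest, "url": e.url,
                         "fetched_at": e.fetched_at.isoformat(),
                         "original_path": e.path})
    with open(os.path.join(quarantine_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def demo() -> List[Dict[str, str]]:
    """Constructed cache (not a real browser's): a detected loader script plus three
    other objects. Returns the quarantine manifest for the loader's fellow travelers."""
    t0 = datetime(2009, 3, 1, 12, 0, tzinfo=timezone.utc)
    cache = tempfile.mkdtemp(prefix="cache-")
    objects = [
        # name, hypothetical URL, fetch time, constructed body
        ("loader.js",   "http://evil.example/js/loader.js",    t0,                            b"eval(unescape('%75%73'))"),
        ("payload.bin", "http://evil.example/dl/payload.bin",  t0 + timedelta(seconds=40),    b"MZ\x90\x00"),   # same host
        ("track.gif",   "http://ads.example/track.gif",        t0 + timedelta(seconds=70),    b"GIF89a"),       # other host, same minute
        ("index.html",  "https://news.example/",               t0 - timedelta(hours=2),       b"<html>hi</html>"),  # unrelated
    ]
    entries = []
    for name, url, ts, body in objects:
        p = os.path.join(cache, name)
        with open(p, "wb") as fh:
            fh.write(body)
        entries.append(CacheEntry(p, url, ts))
    detected = entries[0]  # the object the scanner flagged
    suspects = fellow_travelers(entries, detected)
    return quarantine(suspects, os.path.join(cache, "quarantine"))


if __name__ == "__main__":
    for item in demo():
        print(item["sha256"][:12], item["url"], item["fetched_at"])
```

In the constructed cache, payload.bin is taken because it shares the detected file's host and track.gif because it arrived seventy seconds later; the news page from two hours earlier is left alone. The manifest is what a real product would show in the opt-in prompt and ship with the submission.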

If even a small percentage of users opt in, a large share of previously undetected malware should be found earlier than it is today.

Finding malware early cuts into the financial return on malware development. This approach, combined with criminal and civil prosecution, should discourage the growth of malware.
