Sunbelt pioneers new anti-virus technology
Software debuts nifty virtualisation trick.
By John E Dunn | Techworld | Published: 16:11, 04 February 2009
US company Sunbelt Software is set to become one of the first anti-virus vendors to embrace a promising but as yet little-used new technique for malware detection known as ‘file emulation'.
Released this week to UK users after a US launch some time ago, the company's Vipre Enterprise anti-malware client is on the face of it just another program jostling for attention with the admin-friendly claim that it can protect PCs from malware without slaughtering performance.
The company also makes play of the fact that it has written the anti-malware engine at the heart of Vipre from scratch, rather than buying it in from one of the larger AV vendors, as do many of Sunbelt's independent security rivals.
Now company CEO Alex Eckelberry has revealed in his blog that Vipre will from mid-February be automatically upgraded to use the a new heuristic technique for spotting malware by running suspect programs in a virtual machine on the host PC itself.
Known in company jargon as ‘MX-Virtualization' (MX-V), Vipre effectively creates an emulated Windows PC in a sandbagged area of memory, mimicking API functions such as the Windows registry, file system, and communications interfaces to see what a file is trying to do. This contrasts with the various conventional pattern-based techniques, which try to identify malware using unique signatures.
Although this technology is not new, few have managed to get it to work without hitting performance - running virtual machines and emulating Windows itself has been seen as a recipe for a sluggish PC. Sunbelt, however, reckons it has upped the bit-churning possible with emulation by many times over what was previously possible, making it a practical possibility for the first time.
"Dynamic Translation [used by Vipre] is a technology which recompiles, on-the-fly, large parts of a program in order to boost performance up to 400 MIPS. It is the use of Dynamic Translation that makes Vipre's built-in emulation, and the MX-V layer that is an adjunct to it, capable of rapidly analyzing systems for the presence of malware," says Eckelberry in his most recent blog.
"The rapidly evolving sophistication of malware makes classic detection methods increasingly obsolete, as new strains of malware use highly complex obfuscation techniques designed to hide from even the most sophisticated analysis systems."
In a separate interview with Techworld, Eckelberry said that as far as he was aware the only other anti-malware products to have tried file emulation in anger were Microsoft and BitDefender.
Vipre Enterprise also boasts of its anti-rootkit protection - the program runs a special module called ‘firstscan in advance of Windows loading - and advanced kernel monitoring.
The company is planning further ‘suite' enhancements to Vipre for later this year, including endpoint protection, an integrated firewall, and intrusion protection, most of which are designed to appeal to enterprise users.