Zero day virus
From Wikipedia, the free encyclopedia
 |
This article or section is in need of attention from an expert on the subject. WikiProject Malware may be able to help recruit one. |
A Zero day virus is a previously-unknown computer virus or other malware for which specific antivirus software signatures are not yet available.[1]
Traditionally, antivirus software relies upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures generated. Because of this, signature-based approaches are not effective against zero-day viruses.
Most modern antivirus software still use signatures, but also carries out other types of analysis.[2]
Contents |
[edit] Code analysis
In code analysis, the machine code of the file is analysed to see if there is anything that looks suspicious. Typically, malware has characteristic behavior and code analysis attempts to detect if this is present in the code.
Although useful, code analysis has significant limitations. It is not always easy to determine what a section of code is intended to do; particularly if it is very complex and has been deliberately written with the intention of defeating analysis. Another limitation of code analysis is the time and resources available. In the competitive world of antivirus software, there is always a balance between the effectiveness of analysis and the time delay involved.
[edit] Emulation
One approach to overcome the limitations of code analysis is for the antivirus software to run suspect sections of code in a safe "memory box" and observe the behavior. This can be orders of magnitude faster than analysing the same code.
[edit] Generic signatures
Generic signatures are signatures that are specific to a certain behaviour rather than a specific item of malware. Most new malware is not totally unique, but is a variation on earlier malware, or contains code from one or more earlier examples of malware. Thus the results of previous analysis can be used against new malware.
[edit] Competitiveness in the Antivirus Software Industry
It is generally accepted in the antivirus industry that the signature-based protection of most vendors is identically effective. If a signature is available for an item of malware, then every product (unless dysfunctional) should detect it.
However there is a wide range of effectiveness in terms of zero day virus protection. The German computer magazine c't found that detection rate for zero day viruses varied from 20% to 68%.[3] It is primarily in the area of zero day virus performance that manufacturers now compete.
