Thursday, March 31, 2005

scanner decrepitude

a question that just keeps coming back is whether or not it's ok to use an old scanner if you apply the latest signature updates to it... this seems especially popular for NAV, and especially for NAV2002 (symantec take note, you were obviously doing something really well that year, maybe you should go back to that)...

the answer, of course, is no, it's not ok... older scanning engines can't make proper, effective use of newer signatures, so if you try this you won't be getting the full benefit you could be getting from an anti-virus product...

let's examine why... as new viruses are written, new techniques to confound anti-virus products are employed and so the anti-virus scanning engines need to be updated... it's not enough to just create new signatures; signatures only tell the scanner what to look for, not how to look for it...

some people think this is fiction, but some people also believe the earth is flat... it's a demonstrable fact that over time older scanning technologies become obsolete and need to be replaced - the scanning engines in use before polymorphic viruses hit the scene were completely incapable of dealing with polymorphics, and the same was true of macro viruses... those are the extreme examples; there are less critical circumstances where modifying the scanning technology is simply the better option, where the existing technology could have done at least part of the job but to get optimal detection performance a change in the engine is needed...

of course vendors keep the engine backwards compatible so that it can use all (or at least most) of the old signatures, but there's no such thing as forwards compatibility - older scanning engines can't make proper use of new signatures written to take advantage of the capabilities of newer engines...
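a toy model of that one-way compatibility, added here as an illustration (it is not code from this post or from any anti-virus product)... the record types, marker bytes and engine tables are all constructed for the example, with single-byte xor standing in for whatever decoding step a newer engine might add:

```python
"""toy model: one signature database, two engine generations (constructed example)."""

# each record: (name, record type, pattern). the record types are hypothetical;
# real products use their own formats.
SIGNATURES = [
    ("old.static", "literal", b"MARKER-ALPHA"),
    ("new.encoded", "xor_body", b"MARKER-BRAVO"),  # needs an engine that can decode
]

def match_literal(data, pattern):
    """plain substring search: all an early engine knows how to do."""
    return pattern in data

def match_xor_body(data, pattern):
    """try every single-byte xor key, then search the decoded bytes."""
    return any(pattern in bytes(b ^ key for b in data) for key in range(256))

# an engine is the set of record types it knows how to evaluate
ENGINE_OLD = {"literal": match_literal}
ENGINE_NEW = {"literal": match_literal, "xor_body": match_xor_body}

def scan(engine, data, signatures=SIGNATURES):
    """return (detections, names of records the engine could not use)."""
    hits, skipped = [], []
    for name, kind, pattern in signatures:
        matcher = engine.get(kind)
        if matcher is None:
            skipped.append(name)   # the signature is installed, but goes unused
        elif matcher(data, pattern):
            hits.append(name)
    return hits, skipped

def make_sample(body, key):
    """constructed sample: harmless marker bytes xor-encoded with `key`."""
    return b"HDR" + bytes(b ^ key for b in body)

if __name__ == "__main__":
    sample = make_sample(b"MARKER-BRAVO", 0x5A)
    print("old engine, latest signatures:", scan(ENGINE_OLD, sample))
    print("new engine, latest signatures:", scan(ENGINE_NEW, sample))
```

both engines load the same database, but the old one reports nothing for the encoded sample and silently skips the record it has no way to evaluate...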

as such, you have to keep your scanner engines up to date as well as the signature databases in order to get the full protection the product is supposed to be capable of...
