Generic Signatures and the Need for Zero-Hour Anti-Virus Protection
Back in May, I posted a note about a widespread spam campaign spoofing Western Union that included a malicious attachment that was harboring the Zbot Trojan - malware that tries to steal online banking information (see: High Volumes of Western Union Transfer Spam with Trojan Attachments).
Our anti-virus partner, F-Secure, was on the leading edge of detecting that blended threat (spam carrying a malicious attachment) and tipped us off to it. Now our zero-hour anti-virus partner, Commtouch, has an interesting report out about this general class of threats, in which Trojans are widely spammed with "aggressive" new variants.
See this Proofpoint/Commtouch Malware Outbreak Report for more detail, but the main theme of the report is that over May and June there was a sharp rise in the number of new viruses being distributed via email that were not caught in a timely fashion by many of the major signature-based anti-virus engines. (The illustration in this blog post shows a qualitative view of this trend.)
As we've seen in the past, messages like the Western Union spam that I noted are sent with many different Trojan variants -- an attempt by the malware distributors to bypass anti-virus engines. It takes time for anti-virus signatures to be updated to accurately detect each new variant and, during that time, email recipients are open to attack. One technique that signature-based anti-virus vendors have been using to counter this problem is the so-called "generic" signature: rather than matching each file's exact hash, it matches code or strings that all variants of a family share, so a re-packed or re-padded variant is still caught. That only works as long as the shared portion stays intact; a variant that alters it slips past the generic signature as well. The Commtouch report suggests that this isn't always effective.
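To make the gap concrete, here is an added toy illustration (my own example, not code from Proofpoint, Commtouch or F-Secure, and not based on the real Zbot samples) of how a spam run of re-packed variants defeats per-sample hash signatures, how a generic signature covers those variants, and how a variant that also changes the shared core evades both. The "Trojan" family, its stub bytes, its marker string and the scanner are all constructed for this example.

```python
"""Toy signature scanner: exact-hash signatures vs. a generic signature.

Added example; all samples are constructed byte strings, not real malware.
"""
import hashlib
import re
from typing import List, Tuple

# --- Constructed sample family --------------------------------------------
# The part of the family a generic signature would key on: a short code
# stub followed by a string every variant carries. Both are made up here.
FAMILY_STUB = b"\x55\x8b\xec\x83\xec\x40"      # push ebp; mov ebp,esp; sub esp,0x40
FAMILY_STRING = b"bank-login-grabber"


def make_variant(wave: int, tweak_core: bool = False) -> bytes:
    """Build the variant spammed in one wave of the campaign.

    Each wave re-pads the same core with different bytes, so every file
    hash is new. With tweak_core=True the attacker also rewrites the part
    the generic signature relies on (here, by breaking up the string).
    """
    pad = bytes(((wave * 131) + i * 7) % 256 for i in range(24))
    marker = FAMILY_STRING
    if tweak_core:
        marker = b"bank" + b"\x00" + b"-login-" + b"\x00" + b"grabber"
    body = FAMILY_STUB + bytes(16) + marker + b"\x5d\xc3"   # pop ebp; ret
    return pad + body + pad[::-1]


class Scanner:
    """Two signature layers: exact hashes of seen samples, then a generic
    pattern with a wildcard gap between the stub and the marker string."""

    def __init__(self) -> None:
        self.exact = set()   # sha256 hex digests of samples a signature exists for
        self.generic = [
            re.compile(rb"\x55\x8b\xec\x83\xec\x40.{0,64}?bank-login-grabber", re.DOTALL),
        ]

    def learn(self, sample: bytes) -> None:
        """Simulate a signature update that covers this exact sample."""
        self.exact.add(hashlib.sha256(sample).hexdigest())

    def scan(self, sample: bytes) -> str:
        """Return which layer caught the sample: 'exact', 'generic' or 'miss'."""
        if hashlib.sha256(sample).hexdigest() in self.exact:
            return "exact"
        for sig in self.generic:
            if sig.search(sample):
                return "generic"
        return "miss"


def simulate_campaign() -> List[Tuple[int, str]]:
    """Run a five-wave campaign against a scanner that only has a hash
    signature for wave 0 plus the generic signature for the family."""
    scanner = Scanner()
    first = make_variant(0)
    scanner.learn(first)                      # vendor shipped a signature for wave 0
    results = [(0, scanner.scan(first))]
    for wave in (1, 2, 3):                    # re-packed, shared core intact
        results.append((wave, scanner.scan(make_variant(wave))))
    results.append((4, scanner.scan(make_variant(4, tweak_core=True))))
    return results


if __name__ == "__main__":
    for wave, verdict in simulate_campaign():
        print(f"wave {wave}: {verdict}")
```

Waves 1 to 3 are missed by the exact-hash layer and only caught by the generic signature; wave 4 is missed by both until a vendor analyses it and ships an update, which is the exposure window the post is about.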
I'm not going to argue the merits of signature-based A/V engines versus behavior- or pattern-based systems as both have their place in protecting enterprises from today's rapidly-changing malware threats. Proofpoint makes both types of protection available to customers. For signature-based anti-virus, the Proofpoint Virus Protection module can be deployed with a choice of two different A/V engines. For protection against emerging viruses (before signature updates are available), we offer the Proofpoint Zero-Hour Anti-Virus module, which is powered by Commtouch's Recurrent Pattern Detection technology.
Proofpoint's own recommendation as a best practice for malware defense is to have both signature and zero-hour virus protection in place at the email gateway. In fact, in our SaaS email security solution, Proofpoint ENTERPRISE and Proofpoint PROTECT, customers get both types of protection and we encourage our appliance customers to do the same.
As a reminder, our next live webinar (coming up Wednesday, July 15th at 2:00 p.m. ET / 11:00 a.m. PT) will cover some of the latest spam and malware distribution techniques. Please join us if you're interested in these topics! Register for "No Summer Vacation from Spam" here.