Antivirus Apps Add New Tools

Global Hauri now fights spam, Norman tackles emerging threats.

Sean Captain, PCWorld.com

Two new programs are expanding the usual role of antivirus software, adding features that tackle spam and spyware, as well as ways to detect brand-new viruses. The new programs have been announced by Global Hauri and Norman Data Defense Systems.

Hauri's ViRobot Expert 4.5 adds a spam filter and a beefed-up spyware scanner. Norman Virus Control 5.6 promises the ability to identify new viruses, even before signatures are issued, by running the code in a virtual computer environment and observing its actions.

One-Stop Security

While PC users have been aware of viruses and worms for several years, many are just now learning about spyware. Spyware is defined as files or applications that allow companies to track a user's surfing habits in order to deliver targeted advertising or collect marketing data.

Hauri is adding spyware detection and antispam functions to ViRobot Expert 4.5, scheduled for release by the end of June. It will sell for $50 as a boxed desktop product and for $40 as a download from Global Hauri. The prices are the same as those for earlier versions of the software. The antispyware and antispam engines will be available as free updates to current licensed ViRobot customers.

"The current antivirus industry is out-of-date," because most antivirus products do not detect spyware along with the more traditional threats, such as viruses, worms, and Trojan horses, says Eric Kwon, president and chief executive officer of Global Hauri. Hauri was one of the first antivirus companies to add spyware to its signature database of threats, Kwon says.

"We treated spyware like a virus two years ago," he says.

In Version 4.5, ViRobot Expert expands that capability. The update moves spyware scanning into a separate software engine, speeding its performance and addressing particular aspects of spyware, such as its tendency to make more registry and.ini file changes than typical viruses and worms do.

The updated ViRobot also includes a spam-blocking engine. This was a natural addition, Kwon says, since spam-fighting relies on many of the same mechanisms used to detect and block viruses. He says that the combination is an advantage for users, who can purchase, install, and update a single product. Integrating these functions also avoids conflicts among separate applications competing for system resources, he adds.

Catch Viruses at Play

Norman Virus Control 5.6 addresses another shortcoming of antivirus software: the challenge of blocking a brand-new virus that isn't yet analyzed and described in a "virus signature" by antivirus experts.

Norman's solution is to run any suspect file in a simulated or virtual computer that emulates the system environment without letting the file affect the actual operating system, applications, or data. Files that take malicious actions in this environment are flagged as dangerous and handled as if they were confirmed viruses.

This feature builds on a technology called "sandboxing," in which a program observes a file as it "plays" in a quarantined environment, according to Carrie Collins, a Norman representative. However, Norman Virus Control 5.6 goes a step further, Collins says. A traditional sandbox only roughly approximates the real PC and doesn't let the suspect file execute fully.

"Norman's new technology completely emulates the environment that a potential virus was written for," Collins says. "This virtual, simulated computer is complete with BIOS; file shares and other network connections; pretend files; e-mail. The virus is given every reason to think this environment is real--but it is completely simulated."

Collins says Norman has been gradually introducing this feature in its antivirus product over the past year. Version 5.6 represents the first full implementation, and the first time the feature has been visible to users.

The program is aimed primarily at businesses. A two-year license for small businesses with five workstations costs $28 per seat. A one-year single-user license costs $60. Licenses are also available for corporate networks.

Suited for Servers

Norman's program may be most appropriate for implementation at the server level, because it imposes a load on systems, notes Andreas Marx, a manager at the independent antivirus testing organization AV-Test.org. The organization has evaluated Norman's simulated computer, which Marx calls "really great" from a technology standpoint.

"It's too slow for desktop systems," Marx says, adding, "It's really interesting for e-mail scanning [on mail servers] because it can stop new threats really fast, and the delay for [e-mail messages] is still acceptable."

Norman representatives haven't provided details on the software's resource consumption.

"Certainly, using the simulated computer will draw more overhead than to operate the product without it," says Norman's Collins. "Unfortunately, we don't have numbers. Overhead changes will vary depending on the environment [Norman Virus Control] is serving."