Please help me understand some things about viruses and spyware



JulianL
05-02-2007, 11:06 AM
There are a couple of things that have puzzled me for a long time about the spyware/virus world so I've finally got round to asking my (probably stupid) questions.

1) The anti-virus and anti-spyware market has a lot of players and many appear to be quite small companies but they still create well-performing products. It seems to me that it must be a major undertaking to constantly track the latest viruses and spyware on a daily basis and work out defenses, removal procedures, etc. Is some of this work done outside the companies, i.e. are there publicly accessible central databases (government or industry funded?) who accept reports of new threats and publish updated signature and other databases that the individual AV/ASW (anti-virus/anti-spyware) vendors then "feed off"? I just find it hard to imagine that, when a virus emerges, then 15 different AV vendors all need to independently get a sample of it and work out a detection procedure, how to safely remove it, etc. Just how much of this is centralised and how much is done in-house by each AV/ASW vendor?

2) What is the real technical difference between a virus and spyware? Why are these programs always marketed so separately (i.e. an "anti-Virus" program, or an "anti-Spyware program" or even "anti-Spyware with anti-virus addon")? It seems to me that both a virus and spyware need a broadly similar delivery mechanism (the missile) in that they need to get code executed on the target system without the user knowing and presumably any security vulnerability that one can use then the other can use (buffer overruns, embedded objects or whatever) and the first action of that initial code executed might be to create a persistent installation of something on the infected system. Similarly a scheduled scan is just looking for the same type of rogue persistently installed code but just the action the code takes (the payload of the missile) is different, i.e. a virus probably tries to damage the system and spyware spies. I'm just struggling to understand in technical terms why there seems to be this distinct division between anti-spyware and anti-virus offerings when to me they seem to be identical in that they're just different payloads carried by the same set of missiles.


- Julian
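
The point in question 2 above, that a scheduled scan looks for the same kind of persistently installed code whatever its payload, can be illustrated with a small signature scanner. This is an added example, not code from the original poster or from any AV vendor: one scanning engine walks a set of files and matches every signature in one pass, and "virus" versus "spyware" is only a label carried on the signature, not a separate engine. The signatures, file names and file contents are all constructed for the example; none are real malware patterns.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Signature:
    """One entry in a (constructed) signature database.

    category is a classification label only ("virus" or "spyware");
    the scanner applies every signature the same way regardless of it.
    A signature matches on a byte pattern, a full-file SHA-256, or both.
    """
    name: str
    category: str
    pattern: Optional[bytes] = None
    sha256: Optional[str] = None

    def matches(self, contents: bytes) -> bool:
        if self.pattern is not None and self.pattern in contents:
            return True
        if self.sha256 is not None and hashlib.sha256(contents).hexdigest() == self.sha256:
            return True
        return False

# Constructed "known bad" file used for a hash-based signature (not real malware).
KNOWN_BAD = b"MZ\x00constructed-known-bad-sample\x00"

# Hypothetical signature database; names and markers are made up for this example.
SIGNATURES: List[Signature] = [
    Signature("Example.Worm.A", "virus", pattern=b"EXAMPLE-WORM-MARKER"),
    Signature("Example.Keylogger.B", "spyware", pattern=b"EXAMPLE-KEYLOG-MARKER"),
    Signature("Example.Dropper.C", "spyware", sha256=hashlib.sha256(KNOWN_BAD).hexdigest()),
]

def scan_file(contents: bytes, signatures: List[Signature] = SIGNATURES) -> List[Tuple[str, str]]:
    """Return (signature name, category) for every signature that matches.

    One pass over one signature list: the engine does not know or care
    whether a given signature was written by a "virus" or "spyware" analyst.
    """
    return [(sig.name, sig.category) for sig in signatures if sig.matches(contents)]

def scan_files(files: Dict[str, bytes], signatures: List[Signature] = SIGNATURES) -> Dict[str, list]:
    """Scan a mapping of path -> contents and group hits by category label."""
    report: Dict[str, list] = {"virus": [], "spyware": [], "clean": []}
    for path, data in files.items():
        hits = scan_file(data, signatures)
        if not hits:
            report["clean"].append(path)
        for name, category in hits:
            report[category].append((path, name))
    return report

# Constructed sample files standing in for a scheduled scan of a disk.
SAMPLE_FILES: Dict[str, bytes] = {
    "autorun.exe": b"MZ\x00...EXAMPLE-WORM-MARKER...",
    "helper.dll": b"MZ\x00...EXAMPLE-KEYLOG-MARKER...",
    "notes.txt": b"nothing suspicious here",
    "combo.exe": b"MZ EXAMPLE-WORM-MARKER EXAMPLE-KEYLOG-MARKER",
    "updater.exe": KNOWN_BAD,
}

if __name__ == "__main__":
    for category, entries in scan_files(SAMPLE_FILES).items():
        print(category, entries)
```

Running it reports `autorun.exe` and `combo.exe` under "virus", `helper.dll`, `combo.exe` and `updater.exe` under "spyware", and `notes.txt` as clean; `combo.exe` appears under both labels because the same engine matched two signatures in one pass, which is the point of the question.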

skylive
05-02-2007, 01:13 PM
This website (http://www.networkliquidators.com/article-virus-or-spyware-whats-the-difference.asp) answers your second question.

As to your first question, I'm not too sure, but I think the companies do the tracking themselves. Take Symantec in comparison with some other AV. Symantec has one of the most extensive virus and spyware databases, while others detect the virus but do not have the database behind it (Antivir for example). Antivir has most of the time shown me a 'no information found' when it detects a virus, and I try to look it up. If the virus is a big time one, like MyDoom, there might be a publicly accessible central database to help companies along.