Design Article
C++ is Super Glue for anti-malware apps
Benny Czarny
8/19/2008 12:00 PM EDT
In its 2006 survey of 616 U.S. IT security professionals, the Computer Security Institute found that 65 percent of companies represented had experienced a virus attack. In response to the consistently rising number of recorded viruses and malicious threats, many vendors have stepped into the security space, offering antivirus, anti-phishing, anti-spyware, personal firewall and other security technologies aiming to protect against these threats. Security solutions and applications number in the thousands; every year vendors release additional solutions designed to provide faster, better protection against evolving threats, increase product usability and support more platforms.
This market influx brings new challenges to vendors and system integrators tasked with classifying, identifying, managing and checking the currency of anti-malware applications, whether the task is part of an integration project for a specific customer or of building a new security solution that must interoperate with one (or many) anti-malware applications.
The classification challenge includes determining the exact features of the anti-malware application: Is it an antivirus, anti-spyware, anti-spam or anti-phishing solution? Is it a combination of some (or all) of these? Does the anti-malware software have built-in features such as real-time protection? Discovering all this is far from simple; it requires thorough testing and reading of technical documentation, as well as referring to certification programs such as ICSA Labs, OESISOK, Virus Bulletin, West Coast Labs and other organizations that target different aspects of application quality and classification.
The identity challenge is verifying the anti-malware application's binaries, since the application could be impersonated or compromised by malicious code. Malware achieves this by creating binaries and executables with identical names, by adding similar registry keys or by reporting itself to the operating system as an anti-malware application.
The challenge intensifies with the existence of rogue applications marketed as anti-malware applications. Such programs report to operating systems as anti-malware applications but do not provide proven anti-malware protection. Their vendors may leverage unfair, deceptive and high-pressure sales tactics to induce confused users to purchase.
The manageability challenge is finding a programmatic way to control the common features of anti-malware applications. Although each vendor may offer similar functionality, such as scan or update, controlling that functionality programmatically varies from one solution to another: different anti-malware applications have different interfaces. Some expose an API and others a well-documented CLI, but interfaces are still not consistent across vendors. One vendor, for example, might expose definition-update functionality; another might not. Integration interfaces also vary in quality from vendor to vendor.
And then there is the currency-checking challenge. Many anti-malware applications are signature-based, which means that to remain effective the application must be current, i.e. supplied with the latest definition update. Many vendors provide an update mechanism for their engines, but these mechanisms follow different update schedules, ranging from hourly and daily to weekly or even monthly. This complicates currency checking, since every vendor's update schedule must be discovered and compared against the signature files on the local machines.
Using OOP
Object-oriented programming (OOP) is a great way to solve the anti-malware integration challenge. OOP is more than just a programming concept. It is a different way of thinking about applications: not as procedures, but as objects. Objects do things (via methods), have attributes (properties), and are therefore grouped logically by how they appear and behave.
If object-oriented analysis and design is applied to an antivirus application, the application itself becomes the object. Its methods could include scanning files, scanning memory, triggering an update and so on; its properties could include its name, version, language and type.
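Sketched in C++ below is an added example (not code from the article) of this object model: an abstract AntiMalwareApp base class carrying the properties and methods named above, a constructed StubScanner adapter standing in for a vendor's API or CLI, and an integrator loop that applies the currency check from earlier in the article across products with different update intervals. All class, function and product names are assumptions.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>
// Classification as bit flags: one product may be several of these at once.
enum ProductType : unsigned { Antivirus = 1, AntiSpyware = 2, AntiSpam = 4, AntiPhishing = 8 };
// The "anti-malware application" object: its properties and the common methods every
// vendor adapter must expose, whatever that vendor's native API or CLI looks like.
class AntiMalwareApp {
public:
    virtual ~AntiMalwareApp() = default;
    virtual std::string name() const = 0;
    virtual unsigned type() const = 0;                   // ProductType flags
    virtual bool scanFile(const std::string& path) = 0;  // true = no threat found
    virtual bool triggerUpdate() = 0;
    virtual int signatureAgeHours() const = 0;           // age of local definitions
    virtual int vendorUpdateIntervalHours() const = 0;   // vendor's publishing cadence
    // Currency check: definitions are current if no older than one vendor update interval.
    bool isCurrent() const { return signatureAgeHours() <= vendorUpdateIntervalHours(); }
};
// Constructed stand-in for a vendor adapter; a real one would wrap that vendor's API or CLI.
class StubScanner : public AntiMalwareApp {
public:
    StubScanner(std::string n, unsigned t, int ageHours, int intervalHours)
        : n_(std::move(n)), t_(t), age_(ageHours), interval_(intervalHours) {}
    std::string name() const override { return n_; }
    unsigned type() const override { return t_; }
    bool scanFile(const std::string&) override { return true; }
    bool triggerUpdate() override { age_ = 0; return true; }  // definitions now fresh
    int signatureAgeHours() const override { return age_; }
    int vendorUpdateIntervalHours() const override { return interval_; }
private:
    std::string n_; unsigned t_; int age_, interval_;
};
bool hasFeature(const AntiMalwareApp& a, ProductType t) { return (a.type() & t) != 0; }
// Integrator-side loop: one routine drives every product through the common interface.
std::vector<std::string> staleProducts(const std::vector<std::unique_ptr<AntiMalwareApp>>& apps) {
    std::vector<std::string> stale;
    for (const auto& a : apps) if (!a->isCurrent()) stale.push_back(a->name());
    return stale;
}
// Constructed inventory: an hourly-updating product 3 hours behind, a daily one 2 hours old.
std::vector<std::string> demoStale() {
    std::vector<std::unique_ptr<AntiMalwareApp>> apps;
    apps.push_back(std::make_unique<StubScanner>("HourlyAV", Antivirus | AntiSpyware, 3, 1));
    apps.push_back(std::make_unique<StubScanner>("DailyAS", AntiSpam, 2, 24));
    return staleProducts(apps);
}
```

Each real vendor gets its own subclass wrapping that vendor's API or CLI, so the integrator's scan, update and currency-check code never changes when a product is added.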