‘Padded Cell’ Anti-Virus Concept

by Glenn Turner BSc
9th June 2003

Abstract:

The concept is to release a potential virus into a 'Padded Cell' where the potential virus is allowed to infect. The 'Padded Cell' is a virtual machine for the potential virus to 'play' with. Once the virus has been released into the padded cell the new anti-virus software can watch the potential virus 'in action' while safely outside the padded cell. The symptoms are looked at rather than the virus itself.

Introduction

There is one major problem with anti-virus software: it needs updating. Users cannot be relied upon to even have anti-virus software in the first place, let alone be able or willing to pay for the updates. As every new breed of virus is conceived, created and released into the wild, another small change is made to the anti-virus software to combat the new threat. This works well for the anti-virus companies because it enables them to resell updates to consumers indefinitely. Meanwhile, consumers still have to be vigilant and put up with the ever-increasing demands of the anti-virus software in terms of cost, time spent updating and installing, Internet bandwidth for virus updates, along with many other niggles.

Solutions have been proposed in the past, such as heuristics, which in basic terms guess whether something is a virus through complex analysis and comparison against known viruses. This type of artificial intelligence can and does have good results, sometimes even finding and stopping new, unknown viruses. But it is not perfect and still has an unacceptable failure rate. After all, just one virus on a computer is one too many. Even more likely, ‘good’ virus-free programs and data can be wrongly flagged as viruses, costing time and money getting them ‘past’ the anti-virus software.

I’ve come up with what I believe is a new concept to stop viruses like nothing before. The idea is so unbelievably simple and straightforward that I can’t see any reason why it would not work, and it requires no virus updates whatsoever. If you had asked me a few months back, I would have told you this was impossible. I’ve focused the idea on e-mail viruses for the time being, simply because that’s the most common way viruses spread today. However, the idea could be expanded to other areas, even beyond virus checking.

The Concept

The idea is a relatively simple piece of software that creates a ‘Padded Cell’ into which the potential virus is ‘released’. This safe area is very much like how VMware™ or VirtualPC™ creates a virtual machine on an existing machine. Nothing in the safe area is directly connected to the machine it is running on; it’s just a copy for the potential virus to ‘play’ with, like a spare machine to try it out on. This padded cell has a virtual drive, virtual files and a virtual operating system just like a normal machine. You can do anything on this virtual machine, even format the hard drive, without affecting the ‘real’ machine it’s running on in any way. If you have never heard of the notion of a virtual machine it may be worth reading up on it.

Once the virus has been released into the padded cell the new anti-virus software can watch the potential virus ‘in action’ while safely outside the padded cell. If anything happens out of the norm, such as deleting, changing or adding to the files on disk (the virtual disk) or in memory, then it’s flagged as a virus and quarantined. A normal e-mail would not change, delete or add files, so it’s allowed through. After each virus detection the padded cell is totally deleted and a new one is created for the next possible virus. It’s that simple. Yes, this sort of detection would be more processor intensive than any other type of anti-virus detection, but with a few technological ace cards like caching it could end up being a better anti-virus product than is currently on the market.
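The detection loop just described, written out as an added example that is not part of the original paper and not code from VMware or VirtualPC. A temporary directory stands in for the virtual disk, the ‘potential virus’ is a plain Python callable acting on that directory (so nothing untrusted is ever executed), a before/after snapshot of file hashes yields the symptoms, the cell is destroyed after every check, and a verdict cache keyed by the sample’s own content hash shows the caching ‘ace card’ (and why a byte-different copy misses it). All names (PaddedCell, check_sample, BASELINE_FILES, the sample behaviours) are assumptions made for the example.

```python
# Added example, not from the original paper: a minimal 'padded cell'
# detector.  A temporary directory stands in for the virtual disk and the
# sample's actions are a plain Python callable, so nothing untrusted is
# executed.  All names here (PaddedCell, check_sample, ...) are assumptions.
import hashlib
import os
import shutil
import tempfile

# Constructed files the fresh cell is seeded with (a stand-in for the OS).
BASELINE_FILES = {
    "system/kernel.bin": b"constructed kernel image",
    "system/hosts": b"127.0.0.1 localhost\n",
    "docs/letter.txt": b"a harmless document\n",
}
CELLS_BUILT = 0        # how many cells have been created (shows the cache working)
VERDICT_CACHE = {}     # sample content hash -> 'allow' | 'quarantine'


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def cells_built():
    return CELLS_BUILT


def snapshot(root):
    """Map every file under root (relative path) to its content hash."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = sha256(fh.read())
    return state


def diff(before, after):
    """The symptoms: files added, changed or deleted while the sample ran."""
    return {
        "added": set(after) - set(before),
        "deleted": set(before) - set(after),
        "modified": {p for p in before if p in after and before[p] != after[p]},
    }


def classify(symptoms):
    """Symptom rule from the text: a normal e-mail does not add, change or
    delete files, so any change at all means quarantine."""
    return "quarantine" if any(symptoms.values()) else "allow"


class PaddedCell:
    """Throw-away directory built fresh for one sample and then destroyed."""

    def __init__(self):
        global CELLS_BUILT
        CELLS_BUILT += 1
        self.root = tempfile.mkdtemp(prefix="padded-cell-")
        for rel, content in BASELINE_FILES.items():
            path = os.path.join(self.root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)

    def run(self, behaviour):
        before = snapshot(self.root)
        behaviour(self.root)       # the potential virus acts on the virtual disk
        return diff(before, snapshot(self.root))

    def destroy(self):
        shutil.rmtree(self.root, ignore_errors=True)


def check_sample(sample_bytes, behaviour):
    """Verdict for one attachment.  Identical bytes reuse the cached verdict;
    a byte-different (e.g. polymorphic) copy misses the cache and is re-run
    in a brand-new cell, which is what makes the cache useless against it."""
    key = sha256(sample_bytes)
    if key in VERDICT_CACHE:
        return VERDICT_CACHE[key]
    cell = PaddedCell()
    try:
        verdict = classify(cell.run(behaviour))
    finally:
        cell.destroy()             # the cell is thrown away whatever happened
    VERDICT_CACHE[key] = verdict
    return verdict


# Constructed behaviours standing in for what an attachment does when opened.
def benign_reader(root):
    with open(os.path.join(root, "docs/letter.txt"), "rb") as fh:
        fh.read()                  # reads only: no symptoms


def file_infector(root):
    with open(os.path.join(root, "system/hosts"), "ab") as fh:
        fh.write(b"0.0.0.0 constructed.example\n")   # changes an OS file
    with open(os.path.join(root, "docs/dropped.bin"), "wb") as fh:
        fh.write(b"constructed payload")             # drops a new file
```

Calling `check_sample(b"letter.eml", benign_reader)` returns `"allow"` and `check_sample(b"worm.eml", file_infector)` returns `"quarantine"`; a second call with the same bytes is answered from the cache without building a cell, while any change to the bytes forces a fresh run. The rule in `classify` is deliberately the paper’s blunt one (any file change at all), which is exactly where the ‘good symptom rules’ problem noted later comes in: a real system would need to distinguish, say, a mail client writing its own cache files from an attachment rewriting system files.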

"This new technique looks at the symptoms
rather than the virus itself."


The Problems

This concept is not perfect and does have a few potential problems associated with it. Firstly, the most complex part of the new anti-virus system is the padded cell itself. The software to create the virtual machine could be created from scratch; however, it would probably be more cost effective to agree licenses to use VMware™ or VirtualPC™. This alone may put it out of reach of the desktop market. There is also the cost of the operating system license for each padded cell. Microsoft and most other software makers regard virtual machines as separate machines in their own right, and hence require another software license for each padded cell. Each operating system has its own flaws and weaknesses that viruses exploit. To cover every possible attack from a virus, the potential virus will need to be tested on different operating systems (in different padded cells). This unfortunately incurs extra license fees for each operating system tested on.

This new type of detection would also be more processor and memory intensive than current anti-virus solutions, but with a few technological ace cards like caching this probably won’t be a major issue. However, we must not forget the virus writer. The fact that the method has an Achilles heel could be used to the virus writer’s advantage, creating viruses that slow the system down. Polymorphic viruses, with their ability to ‘change’, are likely to be a big headache in this sense because caching will become useless.

"The fact that the method has an Achilles heel
could be used to the virus writer’s advantage"


Conclusion

It does not appear that the concept is suited to the desktop market because of the high initial costs, but lower running costs and the potential to find viruses before the traditional virus updates are available make it appealing. It has other potential problems associated with it that may have solutions. The only real way to find out whether this concept will work is to get a prototype working and test out the theory. Only then will the full potential become clear.


Good Points

  • No Anti-Virus updates
  • Possible improvements in accuracy
  • Lower per user costs
  • Handles currently unknown flaws in OS
  • Will find viruses before anti-virus companies have been alerted

Bad Points

  • May need an OS license for every ‘padded cell’, hence may be priced out of the desktop market
  • Each virus check is processor and memory intensive
  • May require more than one ‘padded cell’ for each check
  • Each time an OS is released the ‘padded cell’ may need updating
  • Requires good ‘symptom’ rules
  • Virus writers may exploit its processor-intensive weakness by producing polymorphic viruses



Bibliography

Connectix Corporation (nd) Connectix Products: Virtual PC for Windows [Online] [Cited 9/6/2003] Available from URL: http://www.connectix.com/products/vpc5w.html

VMware Inc (nd) VMware: Enterprise-Class Virtualization Software [Online] [Cited 9/6/2003] Available from URL: http://www.vmware.com/