||This article needs attention from an expert in Malware. (November 2008)|
A Zero-day virus (also known as zero-day malware or next-generation malware) is a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available.
Traditionally, antivirus software relies upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained, signatures generated and updates distributed to users. Because of this, signature-based approaches are not effective against zero-day viruses.
Most modern antivirus software still use signatures, but also carry out other types of analysis.
In code analysis, the machine code of the file is analysed to see if there is anything that looks suspicious. Typically, malware has characteristic behaviour and code analysis attempts to detect if this is present in the code.
Although useful, code analysis has significant limitations. It is not always easy to determine what a section of code is intended to do; particularly if it is very complex and has been deliberately written with the intention of defeating analysis. Another limitation of code analysis is the time and resources available. In the competitive world of antivirus software, there is always a balance between the effectiveness of analysis and the time delay involved.
One approach to overcome the limitations of code analysis is for the antivirus software to run suspect sections of code in a safe sandbox and observe the behaviour. This can be orders of magnitude faster than analysing the same code.
Generic signatures are signatures that are specific to certain behaviour rather than a specific item of malware. Most new malware is not totally novel, but is a variation on earlier malware, or contains code from one or more earlier examples of malware. Thus the results of previous analysis can be used against new malware.
Competitiveness in the antivirus software industry
It is generally accepted in the antivirus industry that the signature-based protection of most vendors is identically effective. If a signature is available for an item of malware, then every product (unless dysfunctional) should detect it. However, some vendors are significantly faster than others at becoming aware of new viruses and/or updating their customers signature databases to detect them.
There is a wide range of effectiveness in terms of zero-day virus protection. The German computer magazine c't found that detection rates for zero-day viruses varied from 20% to 68%. It is primarily in the area of zero-day virus performance that manufacturers now compete.