Anti-spyware, anti-virus on collision course?

A software vendor’s new technique for snuffing out spyware is raising questions over whether products such as it could crash computers by clashing with anti-virus tools that have used such methods for a decade.

Aluria announced it has added what it calls Active Defense Shield to its software to intercept files and detect and eradicate spyware before it resides on a machine.

Also: Anti-virus, anti-spyware vendors differ on sharing specimens

This type of anti-malware technique is known as kernel-driver or on-access scanning. Many anti-virus vendors have embraced the method because it opens a file to wipe out malware before it lands.

But the drawback is that if two or more vendors’ products try to scan at once, the machine can crash.

As the new guys on the block, anti-spyware vendors have held back from using this scanning technique in order not to be accused of interfering with anti-virus scans. But with anti-virus vendors now pursuing the fast-growing anti-spyware market as well, pressure is on anti-spyware specialists to improve their products whatever way they can.

Aluria, which IDC says owns 7.5% of the approximately $97 million anti-spyware market, has tested its software on computers running anti-spyware and claims its scanning technique will not interfere with others’.

But participants in the $3 billion anti-virus market are not so confident.

Joseph Telafici, director of operations at McAfee’s Avert Labs research arm, says on-access scanning is part of virtually all anti-virus products today and helps explain why corporations do not try to run more than one anti-virus product on the desktop at the same time. “It’s not pretty,” he says. “It’ll lock up the system and crash it.”

McAfee will use on-access scanning, Telafici notes. McAfee also sells anti-spyware software as an add-on to its anti-virus software.

Vincent Weafer, senior director of Symantec security response, says it is quite likely a customer would experience compatibility issues, whether the scanner is for anti-virus or anti-spyware.

“We wouldn’t recommend running two on-access scanners,” he says.

Symantecs’s anti-spyware and anti-virus products use the same kernel-level drivers. “They’re one set of scanners and one set of agents,” Weafer says.

Anti-spyware vendor Webroot doesn’t use kernel-driver scanning to intercept files but plans to add that to its anti-spyware products in the first half of next year. Webroot’s technique scans files as they are loaded into memory so that spyware is prevented from running, says Mike Greene, director of product management. “We have the foundation to move into kernel-level detection,” he adds.

Greene says collisions between scanning software can present a problem, which could be solved if the industry came up with a technique to recognize a secure handoff to a second scan.

If collisions between anti-spyware and anti-virus products become a noticeable problem, the result might be to push buyers toward a single vendor for both.

Some anti-virus vendors girding for the anti-spyware battle acknowledge that possibility as a potential endgame.

“There’s no co-existence problem using our products,” McAfee’s Telafici notes.

Sam Curry, vice president of product management for eTrust Solutions at Computer Associates, says the company’s anti-spyware software does not yet use on-access scanning, though the anti-spyware SDK it licenses to developers does, and it has been tested to coexist with many anti-virus products.