Kaspersky Lab has announced they have received a U.S. patent for a hardware-based antivirus solution. The announcement emphasizes that the hardware operates below the level of rootkits and therefore can't be bypassed by them.
The patent, #7,657,941, is entitled "Hardware-based anti-virus system," is awarded to inventor Oleg V. Zaitsev (Technology Expert at Kaspersky Lab) and assigned to Kaspersky. The abstract reads:
An anti-virus (AV) system based on a hardware-implemented AV module for curing infected computer systems and a method for updating AV databases for effective curing of the computer system. The hardware-based AV system is located between a PC and a disk device. The hardware-based AV system can be implemented as a separate device or it can be integrated into a disk controller. An update method of the AV databases uses a two-phase approach. First, the updates are transferred to from a trusted utility to an update sector of the AV system. Then, the updates are verified within the AV system and the AV databases are updated. The AV system has its own CPU and memory and can be used in combination with AV application.
So it seems this device is an actual separate computer running an embedded AV application. While the press release and abstract emphasize that the AV functionality doesn't strictly need a software counterpart running in the host system, it does need host software in order to update itself, because the AV hardware won't have network access. This update application will need to be trusted and hardened against attack.
The difficulty of detecting rootkits once they have installed does call for unconventional measures. Whether a hardware approach is truly more effective remains to be seen. If the device is just an AV system running below the level of the rootkit then the improvement will be small, as it will still only operate as well as the signature process allows. If the fact that the device is running below rootkits allows it to run heuristic tests which are better capable of detecting rootkit behavior then the difference could be substantial.
There is another advantage to hardware-based AV: Because the device has its own CPU and memory and minimal software running on the host PC, the performance impact on the PC will be lessened. But in fact, this device can not be a complete security solution, since it can only monitor disk operations. Modern security suites also monitor network connections, for example.