We are told, in order to survive on the Internet, our computers need protection afforded by antivirus applications. If that's true:
Pondering those questions, I realized I may not have all the facts. So I began researching antivirus methodology. Here's what I found out.
Take note, the bad guys are motivated. Leveraging malware-infected computers to make money is easier and safer than any other illegal endeavor. That said, I'd like to think we (victims) are motivated as well, especially since it's our money they're after. So why do cybercriminals have the upper hand? For starters, they benefit from:
Example
I couldn't ask for a better example than what recently happened to Google. Attackers leveraged previously unknown (zero-day) vulnerabilities in Internet Explorer to gain a foothold in Google's supposedly secure network. Notice how closely the attack follows the three steps I outlined above:
Still not understanding why antivirus applications are failing to protect our computers, I pursued the matter with an experienced software engineer. He pointed out that it's hard to remove something you can't find. Talk about an understatement. I get it, though; detecting malware is not as easy as we're led to believe. My next step: find out why.
Malware detection can be divided into two methods: signature-based and behavior-based. An antivirus application may employ one or both, depending on the sophistication of the program. Signature-based malware detection has been around for many years, so let's look at that first.
Signature-based malware detection
Signature-based malware detection depends on pattern recognition. Here's how it works. The AV application scans the file in question, comparing specific byte sequences against the signatures in its malware database. If the scanned file contains a pattern matching one in the database, the file is considered malware, and the antivirus application either quarantines or deletes it, depending on how the program is configured. Note what this implies: a signature can only be written from a sample that has already been captured and analyzed, so this method recognizes only malware that is already known.
Shortcomings
Presently, signature-based malware detection is included in almost every antivirus program. That said, AV companies are trying to move away from relying on it, due to the following:
These are valid concerns, and they are why AV companies are investing a great deal of time and effort in transitioning to behavior-based malware detection.
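To make the mechanism, and its limits, concrete, here is a toy signature scanner. This is an added example, not code from the article or from any AV vendor: the "malware" sample, the signature names and the hex patterns are all constructed for illustration and describe no real malware. It shows the two common signature styles (an exact file hash and a byte pattern with wildcards), then scans three files: the original sample, a copy with one byte of padding appended, and a copy run through a stand-in for a packer (a simple XOR). The padded copy defeats the hash signature but not the byte pattern; the packed copy defeats both, which is exactly the weakness the shortcomings above describe.

```python
"""Toy signature-based scanner, written as an added example for this article.

Two kinds of signatures are shown: an exact-hash signature and a byte-pattern
signature with wildcards (the style YARA-like engines use). The "malware"
sample, the signature names and the hex patterns are all constructed here;
none of them describe real malware or real AV signatures.
"""
import hashlib
import re

# Constructed sample: a fake executable header followed by a distinctive payload.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"cmd.exe /c del *.* & echo pwned"

# Hash signature: matches only this exact file content.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE).hexdigest(): "Trojan.Constructed.A"}

# Byte-pattern signature: hex bytes, "??" = any single byte. This one matches
# "cmd.exe /c " followed by any 8 bytes followed by "& echo".
PATTERN_SIGNATURES = {
    "Trojan.Constructed.A":
        "63 6d 64 2e 65 78 65 20 2f 63 20 ?? ?? ?? ?? ?? ?? ?? ?? 26 20 65 63 68 6f",
}


def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex-with-wildcards pattern into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_pattern(p) for name, p in PATTERN_SIGNATURES.items()}


def scan(data: bytes) -> dict:
    """Return which signature type (if any) matched the file content."""
    result = {
        "hash": HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest()),
        "pattern": None,
    }
    for name, regex in COMPILED.items():
        if regex.search(data):
            result["pattern"] = name
            break
    return result


def verdict(data: bytes) -> str:
    """What the AV would do: quarantine on any match, otherwise pass the file."""
    hits = scan(data)
    return "quarantine" if hits["hash"] or hits["pattern"] else "clean"


def xor_encode(data: bytes, key: int) -> bytes:
    """Stand-in for a packer/crypter: hides the payload bytes until run time."""
    return bytes(b ^ key for b in data)


# Three files to scan: the original, a one-byte variant, and a "packed" copy.
ORIGINAL = SAMPLE
VARIANT = SAMPLE + b"\x00"          # appended padding changes the hash only
PACKED = xor_encode(SAMPLE, 0x5A)   # every byte changed; no plaintext pattern left

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT), ("packed", PACKED)):
        print(f"{label:9s} {scan(blob)} -> {verdict(blob)}")
```

The byte-pattern signature is more robust than the hash because the wildcards tolerate small changes, but it still only matches bytes the analyst has already seen in plaintext. Anything that changes those bytes before they reach the disk (packing, encryption, recompilation) produces a file the database has never seen, and the scanner passes it as clean.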
Behavior-based malware detection
Behavior-based malware detection makes sense because it monitors how programs act, not how they are built. If abnormal behavior is detected, the program is flagged, regardless of whether its code looks legitimate. Behavior-based malware detection is broken up into two types: anomaly-based and specification-based.
Anomaly-based malware detection
The key ingredient in anomaly-based malware detection is determining what counts as normal behavior; any deviation from that normal profile is considered suspicious (anomalous). For example, suppose a program normally creates no files when executed. Then, all of a sudden, it drops a file into one of the operating system's folders. That action would immediately be flagged by this type of antivirus software.
Anomaly-based malware detection can be further divided into:
As good as this sounds, anomaly-based malware detection has shortcomings. First, false positives are more common with this type of detection, simply because of the complexity of modern-day programs: legitimate software does new things after every update, and each new thing looks like a deviation from the profile. Second, if an attacker makes sure his malcode behaves like a good program, it will not be detected. Threatfire Zero-Day Malware Protection is an example of anomaly-based malware detection software.
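The following toy detector shows the profile-then-deviate idea from the two paragraphs above, including both shortcomings. It is an added example, not code from the article or from any product named in it. The "training" log and the "live" events are constructed; the program names, paths and the 203.0.113.7 address are illustrative only. A profile is learned per program as the set of (action, target category) pairs seen during training; a live event outside that set, or from a program with no profile at all, is flagged.

```python
"""Toy anomaly-based detector, written as an added example for this article.

It learns a per-program profile of (action, target category) pairs from a
"training" period and then flags any event outside that profile. The event
log below is constructed; the program and path names are only illustrative.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (program, action, target)

# Constructed training log: what notepad.exe did while the profile was learned.
BASELINE_EVENTS: List[Event] = [
    ("notepad.exe", "file_read",  r"C:\Users\alice\notes.txt"),
    ("notepad.exe", "file_write", r"C:\Users\alice\notes.txt"),
    ("notepad.exe", "reg_read",   r"HKCU\Software\Microsoft\Notepad"),
    ("notepad.exe", "file_read",  r"C:\Users\alice\todo.txt"),
]


def categorize(action: str, target: str) -> str:
    """Collapse a raw target into a coarse category so the profile generalizes."""
    t = target.lower()
    if action.startswith("reg_"):
        return "registry_hkcu" if t.startswith("hkcu") else "registry_other"
    if action == "net_connect":
        return "network"
    if t.startswith("c:\\windows"):
        return "system_dir"
    if t.startswith("c:\\users"):
        return "user_dir"
    return "other"


def build_profile(events: List[Event]) -> Dict[str, Set[Tuple[str, str]]]:
    """Normal behavior per program = the set of (action, category) pairs seen."""
    profile: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for program, action, target in events:
        profile[program.lower()].add((action, categorize(action, target)))
    return profile


def is_anomalous(profile, event: Event) -> Tuple[bool, str]:
    """Flag anything not in the learned profile; unknown programs are flagged too."""
    program, action, target = event
    behavior = (action, categorize(action, target))
    known = profile.get(program.lower())
    if known is None:
        return True, f"no profile for {program}"
    if behavior not in known:
        return True, f"{program}: {action} on {behavior[1]} never seen before"
    return False, "within profile"


def flag_events(profile, events: List[Event]) -> List[str]:
    """Return the reason string for every flagged event in a log."""
    reasons = []
    for ev in events:
        hit, reason = is_anomalous(profile, ev)
        if hit:
            reasons.append(reason)
    return reasons


# Constructed live events, annotated with what the detector does with each.
LIVE_EVENTS: List[Event] = [
    ("notepad.exe", "file_write",  r"C:\Users\alice\new.txt"),           # same category as training: passes
    ("notepad.exe", "file_create", r"C:\Windows\System32\drop.dll"),      # the article's example: flagged
    ("notepad.exe", "net_connect", "203.0.113.7:443"),                    # never seen: flagged
    ("notepad.exe", "file_read",   r"C:\Users\alice\passwords.txt"),      # malicious but "normal-looking": missed
    ("updater.exe", "file_write",  r"C:\Program Files\App\app.exe"),      # legitimate, no profile: false positive
]

if __name__ == "__main__":
    prof = build_profile(BASELINE_EVENTS)
    for reason in flag_events(prof, LIVE_EVENTS):
        print("FLAG:", reason)
```

The last two live events are the shortcomings in miniature. A read of a sensitive file in the user's own folder stays inside the learned profile, so malcode that keeps its behavior within what the program normally does is never flagged. Meanwhile a legitimate updater that simply was not running during training has no profile and is flagged on its first action.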
Specification-based malware detection
Right now, specification-based malware detection (Point IV-B) is our best hope for reducing malware problems. That's because all actions taken by any program (operating system and applications alike) are mediated by a predetermined policy. For example, if so configured, the policy would disallow execution of files downloaded from a Web site specified by the person in charge of the computer.
The advantages of specification-based malware detection are its flexibility and its minimal false positives compared to anomaly-based detection. The flip side is that the protection is only as good as the policy: an action the policy does not address is neither blocked nor flagged. One example of specification-based malware detection is NovaShield AntiMalware.
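Here is the same idea as a toy policy mediator, added as an example and not taken from the article or from NovaShield. Nothing is learned from past behavior; instead every action is checked against an explicit, administrator-written rule list, and the first matching rule decides. The rules, program names, paths and download origins are constructed. The "origin" attribute on an action stands in for a download-source record kept by the browser; that attribute is an assumption of this example, not something the article specifies. The first rule implements the article's own example (deny execution of files downloaded from a named site); the second protects the Windows directory from writes except by one exempt program.

```python
"""Toy specification-based mediator, written as an added example for this article.

Every action a program attempts is checked against an explicit, administrator-
written policy before it is allowed; nothing is learned from past behavior.
The rules, programs, paths and download origins below are constructed. The
"origin" field stands in for a download-source attribute recorded by the
browser (an assumption of this example, not something the article specifies).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Action:
    program: str
    kind: str            # "execute", "file_write", "net_connect", ...
    target: str          # path, registry key or host:port
    origin: str = ""     # URL the target file was downloaded from, if known


def host_of(url: str) -> str:
    """Hostname of a download origin, lower-cased; empty when there is none."""
    return (urlparse(url).hostname or "").lower()


@dataclass(frozen=True)
class Rule:
    name: str
    decision: str                                   # "allow" or "deny"
    kind: Optional[str] = None                      # None = any action kind
    origin_hosts: FrozenSet[str] = frozenset()      # only files downloaded from these hosts
    target_prefix: Optional[str] = None             # only targets under this path
    exempt_programs: FrozenSet[str] = frozenset()   # programs this rule does not apply to

    def matches(self, a: Action) -> bool:
        if self.kind is not None and a.kind != self.kind:
            return False
        if self.origin_hosts and host_of(a.origin) not in self.origin_hosts:
            return False
        if self.target_prefix and not a.target.lower().startswith(self.target_prefix.lower()):
            return False
        if a.program.lower() in self.exempt_programs:
            return False
        return True


# The policy: first matching rule wins; anything unmatched gets the default.
POLICY: List[Rule] = [
    Rule("deny-exec-from-listed-sites", "deny", kind="execute",
         origin_hosts=frozenset({"evil.example"})),
    Rule("protect-system-dir", "deny", kind="file_write",
         target_prefix=r"C:\Windows",
         exempt_programs=frozenset({"trustedinstaller.exe"})),
]
DEFAULT_DECISION = "allow"


def decide(a: Action, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Mediate one action: return (decision, name of the rule that decided it)."""
    for rule in policy:
        if rule.matches(a):
            return rule.decision, rule.name
    return DEFAULT_DECISION, "default"


if __name__ == "__main__":
    for a in [
        Action("explorer.exe", "execute", r"C:\Users\alice\Downloads\setup.exe",
               origin="http://evil.example/setup.exe"),
        Action("explorer.exe", "execute", r"C:\Users\alice\Downloads\setup.exe",
               origin="https://downloads.example.org/setup.exe"),
        Action("notepad.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
        Action("TrustedInstaller.exe", "file_write", r"C:\Windows\System32\new.dll"),
        Action("notepad.exe", "file_write", r"C:\Users\alice\new.txt"),
    ]:
        print(decide(a), a.program, a.kind, a.target)
```

Compare the last action with the anomaly-based approach: a program writing a new file in the user's folder is allowed because no rule forbids it, not because it resembles past behavior, so a changed-but-harmless program produces no false positive. The cost is visible in the same place: an attack that stays outside every rule (for example, executing a file downloaded from a host that is not on the list) gets the default decision, and whoever writes the policy has to anticipate it.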
My findings
I seldom find quarantined malware on computers. I've noticed something else. Most infected computers protected with typical antivirus programs require specialized scanners to remove any offending malware. After writing this article, I know why that is.
Final thoughts
Being one of those “rather be safe than sorry” types, I will continue to suggest using an antivirus program. What I will change is the type of antivirus program I recommend: it will definitely include anomaly-based and specification-based malware detection methods.