INTRODUCTION – ANTIVIRUS SECURITY ANALYSIS
Antivirus vendors are losing ground. Just last year the FBI Assistant Director testified in a committee hearing that every second roughly 18 computers are compromised by botnets and similar malware. Nation states and criminal groups alike are developing new malware to gain a foothold in corporate networks, despite the widespread prevalence of antivirus applications. In this series of articles, we’ll take a security analyst’s look at antivirus and the many problems under the hood.
Malware refers to any piece of software that, when executed, carries out malicious behavior on the system. While the term is sometimes ambiguous, “malicious” behavior is any action taken by the software that the user has not consented to or is unaware of. Often, when malware is first executed, there is no indicator of compromise and the user is unaware of the attack. Antivirus (or AV) is our last line of defense against malware, engaged only when user education, spam and web filters, and similar protections have failed.
Antivirus was developed to combat malware and protect end users from threats – both known and unknown – by preventing malicious code from running on your computer. Antivirus has several ways of achieving this and, when the techniques work in concert with one another, they catch the large majority of malware that exists today.
SIGNATURE BASED DETECTION
Signature-based detection is the traditional – and most common – technique used by all AV vendors to detect malware. When an unknown file enters the system, the AV compares the contents of the file against a database of known malware. If a signature matches, the software performs the necessary actions to clean the infection from your computer.
To demonstrate these signatures, I’ve created two files, test and test2. The “test” file contains the text “Signature 1”, while the “test2” file contains the text “Signature 2”. While the contents are nearly identical, the signature for each is completely different.
However, this technique can only be effective once a sample of the malware has been obtained by the AV vendor, analyzed, and the signature database updated. It falls short against the newest threats that have never been seen in the wild, but it will protect you against simple, garden-variety viruses.
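The test/test2 comparison above, reproduced as an added Python example (this is not code from the article or from any AV product). It builds a tiny "known bad" database containing only the SHA-256 of the first file, then scans both: the one-character difference between "Signature 1" and "Signature 2" changes roughly half the bits of the digest, so the second file is not matched by an exact signature. The family name "Demo.Signature1" and the use of SHA-256 as the signature are assumptions made for the example.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed signature database for the article's demo: the "test" file holds the text
# "Signature 1" and "test2" holds "Signature 2". Only the first is registered as "known bad",
# standing in for a sample the vendor has already obtained and analyzed.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

KNOWN_BAD: Dict[str, str] = {
    sha256_hex(b"Signature 1"): "Demo.Signature1",   # constructed family name
}

def scan_exact(data: bytes) -> Optional[str]:
    """Exact-match signature lookup: returns the family name, or None if the hash is unknown."""
    return KNOWN_BAD.get(sha256_hex(data))

def scan_file(path: str) -> Optional[str]:
    """The same lookup against a file on disk."""
    with open(path, "rb") as fh:
        return scan_exact(fh.read())

def differing_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions at which two inputs differ (a length difference counts too)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def differing_hash_bits(a: bytes, b: bytes) -> int:
    """Number of bits that differ between the SHA-256 digests of two inputs (0..256)."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")

def compare_demo() -> Tuple[int, int, Optional[str], Optional[str]]:
    """Reproduce the test/test2 comparison: input distance, digest distance, and both verdicts."""
    a, b = b"Signature 1", b"Signature 2"
    return differing_bytes(a, b), differing_hash_bits(a, b), scan_exact(a), scan_exact(b)

if __name__ == "__main__":
    in_diff, hash_diff, v1, v2 = compare_demo()
    print(f"inputs differ in {in_diff} byte(s); digests differ in {hash_diff} of 256 bits")
    print(f"test  -> {v1}")    # Demo.Signature1
    print(f"test2 -> {v2}")    # None: the one-character change defeats the exact signature
```

Run it directly to see the two verdicts; `scan_file` performs the same lookup on a real path. The point of `differing_hash_bits` is the caveat in the text: an exact signature is useless against a sample the vendor has never seen, even when that sample differs from a known one by a single byte.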
HEURISTIC BASED DETECTION
With the development of signature-based detection, malware has found ways to evolve and evade these signatures. A virus starts off as a single infection on a machine and, through either self-modifying code or refinements made remotely by the attacker, spawns different versions of itself called variants.
The term “generic detection” refers to matching several different variants using only one virus definition. This method detects a virus family either through a generic signature the vendor has compiled or through an inexact match on the malicious file’s signature. The vendor builds the definition by finding common areas that the viruses in the family share. The resulting signature usually covers non-contiguous code, using wildcards to detect variants even if a variant has been padded with meaningless filler.
For a simple example, suppose your brand of AV runs strings against a file you’ve recently downloaded. When parsing the results, it sees a Windows API call to GetSystemDirectory, a call to RtlMoveMemory with a string of “SOFTWARE\Classes\http\shell\open\…”, and a call to CreateMutexA with a string of “evil”. Under heuristic detection, none of these is bad by itself; however, when all three conditions are met, the AV identifies the program as a member of the “Evil.exe” malware family. With this method of detection, it does not matter if, say, the MD5 hash of this particular program is different; it only matters that the conditions were met to flag it as evil.
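Both ideas from the two paragraphs above, as one added Python example (not the article's code and not any vendor's engine): a heuristic rule that fires only when all of the Evil.exe string indicators co-occur, and a generic wildcard byte signature that matches two constructed "variants" despite different filler and addresses. The hex bytes of the generic signature, the sample files, and the family name are all made up for the example; the registry-path indicator is the prefix from the text, without the elided tail. A plain strings pass sees API names and argument strings as separate items, so the rule checks co-occurrence rather than which string is passed to which API.

```python
import hashlib
import re
from typing import Dict, List

# --- Heuristic rule built from string indicators (the Evil.exe illustration above) ------------
# Each indicator is harmless on its own; the rule fires only when ALL of them co-occur.
HEURISTIC_RULES: Dict[str, List[str]] = {
    "Evil.exe": [
        "GetSystemDirectory",
        "RtlMoveMemory",
        "SOFTWARE\\Classes\\http\\shell\\open",   # prefix of the registry path in the article
        "CreateMutexA",
        "evil",
    ],
}

# --- Generic (wildcard) signature for the same family ------------------------------------------
# Constructed byte pattern: fixed bytes with "??" for the bytes that change between variants
# (addresses, immediates). The hex values are invented for the example, not taken from malware.
GENERIC_SIGNATURES: Dict[str, str] = {
    "Evil.exe": "6A 00 ?? ?? 68 ?? ?? ?? ?? E8",
}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, as the `strings` utility reports them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def heuristic_match(data: bytes) -> List[str]:
    """Families whose indicators all appear somewhere in the file's strings."""
    found = extract_strings(data)
    return [family for family, indicators in HEURISTIC_RULES.items()
            if all(any(ind in s for s in found) for ind in indicators)]

def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn a hex signature with '??' wildcards into a byte regex ('.' under DOTALL = any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def generic_match(data: bytes) -> List[str]:
    """Families whose wildcard signature occurs anywhere in the file."""
    return [family for family, sig in GENERIC_SIGNATURES.items()
            if compile_signature(sig).search(data)]

def scan(data: bytes) -> Dict[str, object]:
    """Hash plus both inexact verdicts, to show the hash changing while the verdicts do not."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "heuristic": heuristic_match(data), "generic": generic_match(data)}

# --- Constructed samples: two variants differing in filler and addresses, plus a benign file ----
def build_variant(filler: bytes, addr: bytes) -> bytes:
    """Same indicator strings and code stub, different filler/addresses (the 'variant' pattern)."""
    code = b"\x6a\x00" + addr[:2] + b"\x68" + addr + b"\xe8"
    strings = b"\x00".join([b"GetSystemDirectory", b"RtlMoveMemory",
                            b"SOFTWARE\\Classes\\http\\shell\\open\\",
                            b"CreateMutexA", b"evil"])
    return filler + code + b"\x00" + strings + b"\x00" + filler

VARIANT_A = build_variant(b"\x90" * 16, b"\x10\x20\x30\x40")
VARIANT_B = build_variant(b"PADDING!" * 4, b"\xaa\xbb\xcc\xdd")
BENIGN = b"MZ\x90\x00GetSystemDirectory\x00hello world\x00"   # one indicator is not enough

if __name__ == "__main__":
    for name, sample in [("variant A", VARIANT_A), ("variant B", VARIANT_B), ("benign", BENIGN)]:
        print(name, scan(sample))
```

The two variants get different MD5 hashes, exactly the situation in which an exact signature fails, yet both the co-occurrence rule and the wildcard signature flag them, while the benign file that happens to reference GetSystemDirectory is left alone. Real engines bind the match to the unpacked image and to control flow rather than to a raw strings dump, which is why the next section matters.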
REALTIME AND BEHAVIORAL PROTECTION
Realtime protection monitors the system for suspicious activity by processes as they load data into memory. Typical suspicious behaviors include unpacking (or decrypting) malicious code before running it, modifying the hosts file (which maps hostnames to IP addresses), installing keystroke loggers, and more.
This method differs from heuristic detection, as heuristics require the file to be unpacked and unobfuscated to be effective. Since packing and compressing code is also used for legitimate purposes, such as reducing the size of software packages, packing alone is usually not flagged in heuristic-based scans.
Some advanced products will execute these suspicious files within a virtualized sandbox to see whether they perform the bad behaviors that a typical piece of malware exhibits. This approach helps AV catch some of the “known unknowns” in malware without compiling any signature at all.
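The behavioral scoring described in this section, as an added Python example (not the article's code and not any product's engine). It consumes a constructed process-activity log in a made-up key=value format and scores each process against the three behaviors named above: unpacking into executable memory, rewriting the hosts file, and installing a keyboard hook. The weights, the threshold, the process names and the log format are all assumptions for the example; the API and constant names are real Windows identifiers used only as event labels. Because scoring runs on what the process does, not on the file's bytes, packing or obfuscation of the file does not hide anything from it.

```python
from typing import Callable, Dict, List, Tuple

# Constructed process-activity events in a made-up "key=value" format (not any product's log).
# pid 4012 unpacks into RWX memory, rewrites the hosts file and installs a low-level keyboard
# hook; pid 3100 only touches the hosts file (an installer might legitimately do that);
# pid 2200 is ordinary user activity.
SAMPLE_EVENTS = """\
pid=4012 proc=updater.exe op=api call=VirtualProtect prot=PAGE_EXECUTE_READWRITE
pid=4012 proc=updater.exe op=file_write path=C:\\Windows\\System32\\drivers\\etc\\hosts
pid=4012 proc=updater.exe op=api call=SetWindowsHookExA arg=WH_KEYBOARD_LL
pid=2200 proc=notepad.exe op=file_write path=C:\\Users\\alice\\notes.txt
pid=3100 proc=setup.exe op=file_write path=C:\\Windows\\System32\\drivers\\etc\\hosts
"""

HOSTS_FILE = "c:\\windows\\system32\\drivers\\etc\\hosts"

Event = Dict[str, str]
# (rule name, weight, predicate). Weights and the alert threshold are chosen for the example.
BEHAVIOR_RULES: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("unpack_to_rwx_memory", 30,
     lambda e: e.get("op") == "api" and e.get("call") == "VirtualProtect"
     and e.get("prot") == "PAGE_EXECUTE_READWRITE"),
    ("hosts_file_modification", 40,
     lambda e: e.get("op") == "file_write" and e.get("path", "").lower() == HOSTS_FILE),
    ("low_level_keyboard_hook", 40,
     lambda e: e.get("op") == "api" and e.get("call") == "SetWindowsHookExA"
     and e.get("arg") == "WH_KEYBOARD_LL"),
]
ALERT_THRESHOLD = 60   # one ambiguous action stays below it; a combination crosses it

def parse_event(line: str) -> Event:
    """Parse one 'k=v k=v ...' line (the constructed format has no spaces inside values)."""
    return dict(tok.split("=", 1) for tok in line.split())

def score_processes(log: str) -> Dict[int, Tuple[int, List[str]]]:
    """Aggregate rule hits per process: pid -> (total score, rules that fired)."""
    totals: Dict[int, Tuple[int, List[str]]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid = int(ev["pid"])
        score, fired = totals.get(pid, (0, []))
        for name, weight, pred in BEHAVIOR_RULES:
            if name not in fired and pred(ev):      # each rule counts once per process
                score += weight
                fired = fired + [name]
        totals[pid] = (score, fired)
    return totals

def flagged_processes(log: str) -> Dict[int, Tuple[int, List[str]]]:
    """Processes whose accumulated behavior score reaches the alert threshold."""
    return {pid: v for pid, v in score_processes(log).items() if v[0] >= ALERT_THRESHOLD}

if __name__ == "__main__":
    for pid, (score, fired) in score_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid}: score={score} rules={fired}")
    print("alert:", sorted(flagged_processes(SAMPLE_EVENTS)))   # [4012]
```

The per-process accumulation is the design point: a single hosts-file write is ambiguous (setup.exe scores 40 and is not flagged), while the same write combined with a keyboard hook and self-unpacking crosses the threshold. A sandbox-based product applies the same kind of rules, but to events it observes while detonating the file in isolation rather than on the user's machine.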
CLOUD-BASED PROTECTION
With advancements in cloud computing, cloud-based protection has become a new alternative to traditional AV approaches. This type of protection offloads the analysis of suspicious files: the agent machine sends details of the file and its execution context to the AV vendor for further analysis. The agent running on the endpoint does very little, while the cloud creates new patterns and aggregates data from all consumers running the software, applying several of the techniques above.
However, this protection suddenly becomes severely limited when no internet connectivity is available. Some will argue that this is an acceptable risk, as most malware is also limited if it cannot reach its command and control (C2) server.
CONCLUSION
While antivirus has come a long way in terms of detection methods and techniques, the very nature of security requires the defense to “always get it right”. Traditional signature detection is falling behind in comparison to real-time analysis techniques. The latest and greatest AV software integrates a “full stack” approach – watching malware in memory, analyzing patterns, and matching behavior to known malignant actions.
In addition, in a large enterprise environment, keeping software up to date on all machines can be a logistical nightmare. This challenge is where cloud-based solutions become more appealing. Instead of rolling out security updates to every machine on your network, cloud-based solutions let you install the application once and remain up to date with the latest advancements in malware detection. They also offload the burden of virtualization or sandboxing, which an appliance might otherwise carry, to cloud infrastructure.
While antivirus is a necessary line of defense, remember that a proper security posture goes far beyond technology and often relies on security policies and user training. Regardless of your AV solution, the best security solution is the one implemented properly – and in coordination with other layers of defense.
In the next post on antivirus and security, we’ll look at the limitations of various antivirus applications, how attackers create malware, and evading basic antivirus installations with custom scripts.