HOW TO DETECT MALWARE?
Antivirus is the tool that we constantly mention in our articles and security notices, and whose functionality is essential to preserve the integrity of information and of the systems that manage it. We all have an idea of how it works and how it protects us. In this article we will show you some details and characteristics of this basic cybersecurity tool.
What Does An Antivirus Do?
An antivirus is a type of software whose main objective is to detect and block malicious actions on the computer, generated by any type of malware, and, in the event of an infection, to eliminate it. Currently, this type of software is part of what are known as security suites, which incorporate other functionalities: password managers, Wi-Fi network analyzers, or blockers of malicious websites such as those used in phishing campaigns.
Malware Detection
Antiviruses incorporate a large number of functions. Today we are going to focus on how malicious code is detected. To do this, they mainly rely on two types of protection:
a) Reactive, signature-based;
b) Proactive, or heuristic.
Signature database
The method traditionally used by up-to-date antivirus products to detect malware is based on signature databases (patterns that identify known malware), generated by the manufacturer and also known as vaccines. The possibly malicious file is checked against the database and, if there is a match, it is malware.
Signature-based detection issues
The main problem with this type of analysis is that it will only detect those malware samples that have already been identified and for which a signature has been generated and stored in the database. If the sample does not exist in the database that the user's antivirus has, the user is exposed to the threat.
Another drawback is the delay between the identification of the malware, the generation of the signature and the updating of the database; this window of time leaves the user defenseless against the threat.
Finally, a large number of malicious files are created on a daily basis, rendering detection based exclusively on signatures obsolete.
Heuristics or Proactive
As a complementary method to signature-based detection, and to address its deficiencies, proactive detection based on heuristics was designed. This malware detection method covers many situations that signature-based detection does not reach, such as:
- The malware still does not have a signature;
- The malware has been discovered, but the manufacturer's signature has still not reached the user.
Heuristics is considered a branch of artificial intelligence, designed around rules obtained from experience and a machine learning system that make this method better and more accurate over time.
Heuristic algorithms base their decision on different criteria that determine whether a file is malicious, such as, for example, whether the registry is modified or a remote connection is established with another device. Each of these criteria is assigned a score. If the total exceeds a certain threshold, the file is considered a threat.
Types of heuristic algorithms
This type of proactive analysis can be carried out in different ways, although the three most common are:
- Generic: This analysis compares the behavior of a given file with that of another already identified as malicious. If the analyzed file exceeds the similarity threshold, it is considered a malicious variant of the first one;
- Passive: It analyzes the file individually, without comparing it with another identified as malware, and tries to find out what it does, for example opening a port or connecting to an IP address. If the actions are considered dangerous, it marks the sample as malicious;
- Active: This runs the sample in a safe environment, or sandbox, to observe its behavior and identify whether or not it is malware.
Heuristic-Based Detection Problems
The main problem with this type of detection is false positives, that is, an application without any malicious purpose being identified as malware. Heuristic algorithms tend to have different levels of stringency: the more rigorous the analysis, the more likely a false positive is to occur, and vice versa.
Another drawback of this analysis is that the workload on the computer increases compared to signature-based analysis, and the performance of other tools may be affected.
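As an added illustration, not taken from the original article, here is a toy classifier that combines the two approaches described above: an exact hash lookup in a constructed signature database, followed by a weighted heuristic score compared against a threshold. The sample contents, weights and thresholds are constructed assumptions; the last case shows how a stricter threshold turns a benign-looking updater into a false positive.

```python
import hashlib

# Constructed signature database: SHA-256 hashes of known-bad file contents.
# The contents are toy byte strings, not real malware samples.
KNOWN_BAD_CONTENT = [b"constructed-sample-A", b"constructed-sample-B"]
SIGNATURE_DB = {hashlib.sha256(c).hexdigest() for c in KNOWN_BAD_CONTENT}

# Heuristic criteria with constructed weights. Each observed behaviour adds
# its score; the sum is compared with a threshold (assumed values).
CRITERIA = {
    "modifies_run_key": 40,     # persistence via a registry autorun key
    "remote_connection": 30,    # connects to another device
    "opens_listening_port": 25,
    "writes_to_system_dir": 20,
    "reads_user_documents": 10,
}


def signature_match(content: bytes) -> bool:
    """Reactive check: exact match of the file hash against the database."""
    return hashlib.sha256(content).hexdigest() in SIGNATURE_DB


def heuristic_score(behaviours) -> int:
    """Proactive check: sum the weights of the behaviours observed."""
    return sum(CRITERIA.get(b, 0) for b in behaviours)


def classify(content: bytes, behaviours, threshold: int = 60):
    """Return (verdict, score). Verdict is 'signature', 'heuristic' or 'clean'.

    A signature hit needs no scoring, so its score is None.
    """
    if signature_match(content):
        return "signature", None
    score = heuristic_score(behaviours)
    if score >= threshold:
        return "heuristic", score
    return "clean", score


if __name__ == "__main__":
    # Known sample: caught by signature alone.
    print(classify(b"constructed-sample-A", []))
    # Same sample with one byte changed: signature misses, heuristics catch it.
    print(classify(b"constructed-sample-A!", ["modifies_run_key", "remote_connection"]))
    # Benign updater: clean at the default threshold, flagged at a stricter one.
    print(classify(b"updater", ["remote_connection", "writes_to_system_dir"]))
    print(classify(b"updater", ["remote_connection", "writes_to_system_dir"], threshold=50))
```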
Importance of keeping your antivirus updated
This is a recommendation that we always give, and now you know why.
When an antivirus is up to date, with the signature database and the heuristic algorithms in their latest version, the protection will be the highest possible. An outdated antivirus will not identify as many threats as an updated one, so the risk of infection is higher.