Does Your Antivirus Software Do This?
Antivirus software’s first job is to detect viruses and other types of malware before they do their damage. There are three ways to identify malware, and a number of variations on these basic strategies. Here's a plain-English description of how antivirus software gets the job done...
Three Different Types of Antivirus Software
Have you ever wondered how antivirus software works? In a nutshell, traditional computer security software hooks into your operating system and inspects every file or program before it is allowed to be opened or run. Some anti-malware technology keeps an eye out for unexpected system changes. Others maintain a "whitelist" of known-good programs. A combination of these methods provides the best security. Let's crack open the nut, and look at these techniques in a bit more detail.
The first malware detection method is commonly called “signature-based detection.” Any program contains distinctive sequences of bytes that identify it as surely as passages from a book identify which book you’re holding. The byte patterns that uniquely identify a malware program (or, for exact matching, a cryptographic hash of the whole file) are called its “signature.”
Antivirus vendors compile databases of malware signatures and distribute updates to their users regularly. The antivirus program scans files on a user’s system looking for matches between each file’s contents and the entries in the signature database. Matches are flagged as malware and are quarantined or blocked from opening.
There are a few problems with signature-based malware detection. First, only known malware is included in the signature database. New malware is created all the time, and there is a lag between its first appearance and its inclusion in signature databases, during which it passes every signature scan. Second, malware authors create self-modifying (“polymorphic”) malware that re-encodes itself each time it is copied or run, so every copy has a different signature and a signature written for one copy misses the next. Signature-based detection is a basic but dangerously incomplete form of protection.
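To make the signature idea concrete, here is an added example in Python (my own code, not the article's and not any vendor's engine or database format) of a tiny signature scanner. It keeps two kinds of signature, a whole-file SHA-256 hash and a byte pattern, and the only "malware" it knows is the EICAR test string, the harmless file that every antivirus product is expected to detect. The database layout, the "loose" wildcard pattern and the two evasion variants are assumptions made for illustration; together they show why a hash signature dies on a one-byte edit, why a pattern with a wildcard survives it, and why a self-modifying copy escapes both.

```python
import hashlib
import re

# The one "malware" sample: the EICAR test string, which is harmless by design
# and which every antivirus product is expected to detect.  It is split in two
# here only so this source file is not itself a byte-exact EICAR file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Whole-file hash signatures: exact and cheap, and defeated by any one-byte change.
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (hash)",
}

# Byte-pattern signatures compiled as regexes over raw bytes.  The "loose" one
# wildcards a single byte so it survives a small edit; real engines offer
# richer wildcard syntax for the same reason.  (This layout is an assumption.)
PATTERN_SIGNATURES = {
    "EICAR-Test-File (exact)": re.compile(re.escape(EICAR)),
    "EICAR-Test-File (loose)": re.compile(rb"\$EICAR-STANDARD.ANTIVIRUS-TEST-FILE!\$"),
}


def scan_bytes(data: bytes) -> list:
    """Return the sorted names of every signature that matches data."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan one file on disk, as an on-demand scanner would."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def tweaked_variant(sample: bytes) -> bytes:
    """A one-byte edit of the sample, the cheapest trick an author can pull."""
    return sample.replace(b"STANDARD-ANTIVIRUS", b"STANDARD_ANTIVIRUS")


def encoded_variant(sample: bytes, key: int) -> bytes:
    """Simulate a self-modifying (polymorphic) copy: the body is XOR-encoded
    with a per-copy key behind a small decoder stub, so no two copies share
    a byte pattern with the original.  The stub is just a marker here."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return b"DECODER-STUB:" + bytes([key]) + bytes(b ^ key for b in sample)


if __name__ == "__main__":
    print("original:", scan_bytes(EICAR))
    print("tweaked :", scan_bytes(tweaked_variant(EICAR)))
    print("encoded :", scan_bytes(encoded_variant(EICAR, 0x5A)))
```

Running it shows the original sample hit by all three signatures, the one-byte edit caught only by the loose pattern, and the XOR-encoded copy caught by nothing. A real engine closes that last gap only by unpacking or emulating the decoder stub, which is where behavior-based detection comes in.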
Your Behavior is Unacceptable!
The second malware detection method looks at what a program does rather than what it is. This “behavior-based” method assumes that certain actions indicate harmful intentions. A program that scans your hard drive for other executable files, for instance, is presumed to be looking for files it can infect. All sorts of “suspect behavior” may be deemed reason to flag a program as potential malware: modifying the Windows registry, changing system settings, or setting itself to start automatically at boot, for example. Usually no single action is damning; it is the combination of several, in quick succession, that trips the alarm.
“Heuristic analysis” is the fancy term for rule-based detection of this kind. Heuristic engines may have many complex behavioral rules, and may run a suspect program in a virtual machine or sandbox, simulating what the program would do without allowing it access to the actual resources on your system. Full sandbox emulation consumes a lot of computer resources, so it is typically reserved for user-initiated “on-demand” tests of suspect files rather than applied to every file that is opened.
On the plus side, behavior-based detection can stop even the newest or best-disguised malware, because it never needs to have seen the sample before. On the other hand, it may have a high rate of “false positives,” frequently flagging innocuous programs that behave in suspect ways for legitimate reasons (an installer writing to the registry, or a backup tool reading every file on the disk). The user then has to look at a flagged file and decide whether to mark it “OK” to run or “banned” as malware. These interruptions are inconvenient, and often the user isn’t qualified to make that decision correctly.
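As an added illustration of behavior scoring (my own code, not the article's and not any product's rules), the following Python example applies a handful of weighted rules to a recorded list of actions and returns a verdict. The rule names, weights, threshold and the three event traces are constructed for this example. The file infector is caught, and so is a perfectly legitimate installer, which is exactly the false-positive problem described above.

```python
from collections import Counter

# Each rule: (observed action, weight, plain-English reason).  Names, weights
# and the threshold are assumptions for this example, not any product's rules.
RULES = [
    ("enumerate_executables", 2, "searched the disk for other executable files"),
    ("write_executable", 3, "modified another program's executable file"),
    ("registry_run_key", 3, "added a Windows Run key so it starts at every boot"),
    ("change_system_setting", 2, "changed a system setting"),
    ("disable_security_tool", 4, "tried to switch off security software"),
]
THRESHOLD = 5


def analyze(trace):
    """Score a recorded list of {"action": ..., "target": ...} events.

    Returns (verdict, score, reasons).  Each rule fires at most once no
    matter how often its action appears; a combination rule then adds more,
    because "search for .exe files, then rewrite several of them" is the
    classic file-infector pattern and is far more telling than either
    action on its own."""
    seen = Counter(event["action"] for event in trace)
    score, reasons = 0, []
    for action, weight, why in RULES:
        if seen[action]:
            score += weight
            reasons.append(why)
    if seen["enumerate_executables"] and seen["write_executable"] >= 3:
        score += 5
        reasons.append("rewrote several executables right after searching for them")
    verdict = "suspect" if score >= THRESHOLD else "ok"
    return verdict, score, reasons


# Constructed traces standing in for what a behavior monitor would record.
FILE_INFECTOR = [
    {"action": "enumerate_executables", "target": r"C:\Program Files\*.exe"},
    {"action": "write_executable", "target": r"C:\Program Files\App1\app1.exe"},
    {"action": "write_executable", "target": r"C:\Program Files\App2\app2.exe"},
    {"action": "write_executable", "target": r"C:\Program Files\App3\app3.exe"},
    {"action": "registry_run_key", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
]

# A legitimate installer does several of the same things for honest reasons.
INSTALLER = [
    {"action": "write_executable", "target": r"C:\Program Files\NewApp\newapp.exe"},
    {"action": "registry_run_key", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\newapp-updater"},
    {"action": "change_system_setting", "target": "file association for .newapp"},
]

# An ordinary editor touches only the user's own documents.
TEXT_EDITOR = [
    {"action": "open_file", "target": r"C:\Users\user\notes.txt"},
    {"action": "write_file", "target": r"C:\Users\user\notes.txt"},
]


if __name__ == "__main__":
    for name, trace in [("file infector", FILE_INFECTOR), ("installer", INSTALLER), ("text editor", TEXT_EDITOR)]:
        verdict, score, reasons = analyze(trace)
        print(f"{name:14} {verdict:8} score={score:2}  {'; '.join(reasons)}")
```

The installer scores 8 against a threshold of 5 on nothing more than writing its own executable, registering an updater and changing a file association. Lowering the weights would let it through but would also let a quieter infector through; that trade-off is the reason real products prompt the user, and the reason the prompt is so often answered wrongly.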
Have We Met Before?
A third malware prevention method is the whitelist (or “allowlist”) approach. Because the signature-based and heuristic approaches can both fail to detect new or evolving malware, something else is needed to fill the gap. Whitelisting is the strategy of permitting a finite list of known “good” programs to run and blocking anything that is not on the list; it inverts the usual logic, since an unknown program is treated as untrusted until someone says otherwise. The trick lies in building a reasonable whitelist of allowed programs. All legitimate Windows components would be on that list, as well as hundreds of popular apps that have been vetted as clean. A sound whitelist identifies each program by a cryptographic hash of its contents (or by its publisher’s code-signing certificate) rather than by file name, so a renamed or tampered file does not inherit another program’s approval. That whitelist is dynamically updated over time, and users may add new programs they deem to be safe.
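Here is an added example in Python (my own code, not PC Matic's or any vendor's implementation) of the whitelist decision. The sample programs are constructed byte strings standing in for real executables, and the vendor list, the personal list and the block-or-add flow are assumptions for illustration. It shows why entries are keyed by content hash: a renamed copy of an allowed program is still allowed, a patched copy that keeps the original name is blocked, and an unknown old program is blocked until the user chooses to add it.

```python
import hashlib


def fingerprint(program: bytes) -> str:
    """Identify a program by the SHA-256 of its contents, never by its name."""
    return hashlib.sha256(program).hexdigest()


# Constructed stand-ins for real executables (a real list holds hashes of the
# actual files shipped with Windows and with popular applications).
NOTEPAD = b"MZ\x90\x00 constructed stand-in for notepad.exe"
CALC = b"MZ\x90\x00 constructed stand-in for calc.exe"
OLD_DOS_GAME = b"MZ constructed stand-in for a 1990s DOS program"

# The vendor-maintained list maps content hash -> friendly name.
VENDOR_WHITELIST = {
    fingerprint(NOTEPAD): "notepad.exe",
    fingerprint(CALC): "calc.exe",
}


class Whitelist:
    """Allow only programs whose hash is on the vendor list or the user's own list."""

    def __init__(self, vendor_list):
        self.vendor = dict(vendor_list)
        self.personal = {}

    def update_vendor_list(self, new_entries):
        """Dynamic updates: the vendor pushes hashes of newly vetted programs."""
        self.vendor.update(new_entries)

    def add_personal(self, filename, program):
        """The user chose 'add to my personal whitelist' for this exact file."""
        self.personal[fingerprint(program)] = filename

    def decide(self, filename, program):
        """Return ("allow", reason) or ("block", reason) for a launch request.

        Anything not on a list is blocked; the caller can then prompt the
        user, who may call add_personal() and retry."""
        h = fingerprint(program)
        if h in self.vendor:
            return "allow", f"{filename} matches vendor entry {self.vendor[h]}"
        if h in self.personal:
            return "allow", f"{filename} matches personal entry {self.personal[h]}"
        return "block", f"{filename} is not on any whitelist (hash {h[:12]})"


def launch(wl, filename, program, user_trusts_it=False):
    """Simulate the prompt flow: an unknown program is blocked unless the
    user explicitly adds it, after which the same check is run again."""
    verdict, reason = wl.decide(filename, program)
    if verdict == "block" and user_trusts_it:
        wl.add_personal(filename, program)
        verdict, reason = wl.decide(filename, program)
    return verdict, reason


if __name__ == "__main__":
    wl = Whitelist(VENDOR_WHITELIST)
    print(launch(wl, "notepad.exe", NOTEPAD))              # allow
    print(launch(wl, "totally-not-notepad.exe", NOTEPAD))  # allow: same bytes
    print(launch(wl, "notepad.exe", NOTEPAD + b"\xcc"))    # block: patched copy
    print(launch(wl, "game.exe", OLD_DOS_GAME))            # block: unknown
    print(launch(wl, "game.exe", OLD_DOS_GAME, True))      # allow: user added it
```

Note that the personal entry covers exactly the bytes the user approved: if the old program is later modified, even by a single byte, it is back to being unknown and is blocked again, which is the property that lets this approach stop polymorphic malware without ever having seen it.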
PC Matic is an example of a security tool that uses the whitelist approach, in conjunction with signature scanning and heuristics. PC Matic blocks polymorphic (evolving) threats and also catches emerging threats such as fileless malware and ransomware.
One criticism of the whitelist approach is that it may generate "false positives" when it encounters new software. I've been using PC Matic for over a year, and even though I download and test a lot of programs, I've only seen that happen once, when I tried to run a very old program that I've had since the DOS days. PC Matic flagged it, and gave me the choice to block it, or add it to my personal whitelist. One click and I was over that hurdle.
This article was posted by Bob Rankin on 5 Dec 2019
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Does Your Antivirus Software Do This? (Posted: 5 Dec 2019)