Think of your antivirus protection like a game of cat and mouse. When you invest in it, you’re trying to hunt and kill the bad stuff on your machine.

This methodology has historically worked relatively well, especially back when new viruses only popped up occasionally, so finding and hunting down new malware could feasibly be done on a daily or weekly basis.

But as new threats, or modifications of existing ones, started appearing more quickly and more persistently, antivirus’ ability to hunt down and mitigate new threats has dropped.

With the round-the-clock proliferation of newer and deadlier viruses today, the strategic role of antivirus in your security stack has definitely changed.

Signatures No More

Every virus contains a signature—a footprint of what it does and how it looks. Antivirus tools first scan for any signatures of viruses in their existing database to determine if something is not right. New viruses are often derivatives of older ones, meaning they might share some characteristics of the original virus.

The antivirus’ database typically contains definition files, which rely on continual updates to ensure they are detecting viruses out in the wild.

Viruses have become more slippery to catch. They can attach to legitimate files, email attachments and other downloadable formats. In the event that your antivirus software’s database is not updated with changing signatures, there is a high chance a virus might not be properly detected or classified.

Cross-referencing a database for known malicious software is definitely one way that antivirus software works to defend your machine. But that leaves you with obvious gaps in detection—what about those viruses that haven’t been added to the database?

Antivirus software will also look for anything that remotely resembles a signature it has already discovered. The reason your antivirus might not be triggered by some virus—or even by other pieces of software that could be malicious—is that there is no definition in its database that acts or looks similar to that software.

Because of the reactive nature of antivirus software, hackers successfully evade AV detection by sidestepping already defined malicious signatures.

Hackers try to obfuscate the virus’ signature through encryption to reach a point where your antivirus has trouble even detecting it.

In other instances, hackers will mutate the virus to the point where antivirus software would also have a hard time identifying it (similar to how viruses evade our immune systems).

So why are we still using antivirus software in 2020?

While detection by antivirus software is not perfect, AV software designers have tried to keep up by detecting and predicting the signatures of viruses.

They have developed heuristic detection and analytics to go beyond simply identifying and stopping a single virus. They combine signatures and classify malicious software more broadly by virus family.
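To make the signature discussion concrete, here is a toy scanner added as an illustration (it is not code from this post or from any antivirus product). It checks a sample against three tiers of definitions: an exact file hash, a fixed byte pattern taken from one known sample, and a wildcard pattern that covers the whole family. Running it over a known sample, a copy with one byte changed, and a newer variant shows why a hash-only definition goes stale the moment a virus is modified, while a family-level pattern keeps matching derivatives. Every sample, definition and name below is constructed for the example; nothing here is real malware.

```python
import hashlib
import re

# Constructed definition database with three tiers, from most exact to most general.
# In a real product, the continual definition updates are what refresh these entries.
DEFINITIONS = {
    "hash": {},       # SHA-256 of one specific known sample -> detection name
    "pattern": {},    # fixed byte sequence lifted from that sample -> detection name
    "family": {},     # wildcard pattern shared by every variant -> family name
}

# Constructed samples: a known sample, a copy with one byte changed, a newer
# derivative of the same family, and a clean file. (Harmless strings, not malware.)
SAMPLE_V1 = b"MZ...hello...EXAMPLE-DROPPER-V1...payload"
SAMPLE_V1_TWEAKED = b"MZ...hellp...EXAMPLE-DROPPER-V1...payload"  # one byte differs
SAMPLE_V2 = b"MZ...hello...EXAMPLE-DROPPER-V2...payload"          # derivative variant
CLEAN_FILE = b"MZ...ordinary program, nothing to see..."

DEFINITIONS["hash"][hashlib.sha256(SAMPLE_V1).hexdigest()] = "Demo.Dropper.A"
DEFINITIONS["pattern"]["Demo.Dropper.A"] = b"EXAMPLE-DROPPER-V1"
DEFINITIONS["family"]["Demo.Dropper"] = re.compile(rb"EXAMPLE-DROPPER-V\d")


def scan(data: bytes) -> dict:
    """Check every tier and return the name each tier matched, or None."""
    hits = {"hash": None, "pattern": None, "family": None}
    hits["hash"] = DEFINITIONS["hash"].get(hashlib.sha256(data).hexdigest())
    for name, pattern in DEFINITIONS["pattern"].items():
        if pattern in data:
            hits["pattern"] = name
    for name, regex in DEFINITIONS["family"].items():
        if regex.search(data):
            hits["family"] = name
    return hits


def verdict(data: bytes) -> str:
    """The most specific hit wins; a sample with no hit in any tier is reported clean."""
    hits = scan(data)
    return hits["hash"] or hits["pattern"] or hits["family"] or "clean"


if __name__ == "__main__":
    for label, sample in [("known sample", SAMPLE_V1),
                          ("one byte changed", SAMPLE_V1_TWEAKED),
                          ("new variant", SAMPLE_V2),
                          ("clean file", CLEAN_FILE)]:
        print(f"{label:18} -> {verdict(sample):16} {scan(sample)}")
```

The single changed byte defeats the hash tier but not the byte pattern, and the V2 variant slips past both of the first two tiers and is caught only by the family pattern, which is the trade-off behind classifying by family rather than by individual sample: broader coverage of derivatives at the cost of a less precise name.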

Newer directions for antivirus: behavior-based solutions

Rootkit protection—by checking which actions a specific program is attempting to execute, antivirus software is able to determine whether a program is malicious and how to successfully stop it.

Sandboxing—another prevention technique is sandboxing suspicious programs. This means the antivirus opens a new file or runs a new piece of software and observes what happens and what the program is trying to do—in a safe, isolated environment—before it is allowed to run on your computer or network. Essentially, AV software quarantines new files until they are deemed safe.

Sandboxing and rootkit protection are considered behavior-based detection methods, and today they do much more to defend against malware than signature-based detection alone.

On top of behavior-based detection, most antivirus software also uses machine learning to predict the behaviors most likely to indicate a virus. This lets the software speed up its evaluation of a program and flag suspicious files or programs without having to completely vet the program’s behavior.

Keep in mind that hackers are designing viruses to avoid detection. That means designing them to evade sandboxes.
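The following is an added example of the behavior-based idea from the last few paragraphs; it is not code from this post or from any antivirus product. It takes a sandbox trace, modelled here as a constructed list of (action, target) events, scores it against a handful of rules, and flags the sample when the score crosses a threshold. The last trace illustrates the sandbox-evasion caveat: a sample that probes its environment and then goes quiet leaves no harmful behavior to observe, so the rules treat the probe-then-silence pattern itself as a signal, while an ordinary program that inspects the host and then gets on with its work stays below the threshold. The rule set, point values, threshold, action names and service name are all assumptions made for the example.

```python
# Scoring rules: rule id -> (what it means, points). Constructed for this example;
# real products use far larger rule sets and, as the post notes, ML-trained models.
RULES = {
    "mass_user_file_write": ("rewrites many files under the user profile", 4),
    "autorun_persistence": ("registers itself to start at logon", 3),
    "tamper_security_service": ("stops a security-related service", 4),
    "environment_probe": ("probes for a sandbox or virtual machine", 2),
    "quiet_after_probe": ("does nothing observable after probing", 3),
}
THRESHOLD = 5  # a total at or above this flags the sample


def evaluate(trace):
    """Return (fired_rule_ids, score) for a list of (action, target) events."""
    fired = []
    user_writes = sum(1 for a, t in trace if a == "write_file" and t.startswith("C:\\Users\\"))
    if user_writes >= 20:
        fired.append("mass_user_file_write")
    if any(a == "reg_set" and "\\CurrentVersion\\Run" in t for a, t in trace):
        fired.append("autorun_persistence")
    if any(a == "stop_service" and "security" in t.lower() for a, t in trace):
        fired.append("tamper_security_service")
    probe_positions = [i for i, (a, _) in enumerate(trace) if a == "probe_env"]
    if probe_positions:
        fired.append("environment_probe")
        # Everything after the last probe is only sleeping or exiting (or nothing at all):
        # the sample decided not to show its hand, which is itself worth points.
        after = [a for a, _ in trace[probe_positions[-1] + 1:]]
        if all(a in ("sleep", "exit") for a in after):
            fired.append("quiet_after_probe")
    score = sum(RULES[r][1] for r in fired)
    return fired, score


def classify(trace):
    return "suspicious" if evaluate(trace)[1] >= THRESHOLD else "clean"


# Constructed traces standing in for what a sandbox would record.
TRACE_EDITOR = [
    ("read_file", "C:\\Users\\alice\\notes.txt"),
    ("write_file", "C:\\Users\\alice\\notes.txt"),
    ("read_file", "C:\\Program Files\\Editor\\settings.ini"),
]
TRACE_RANSOM_LIKE = (
    [("read_file", f"C:\\Users\\alice\\Documents\\doc{i}.docx") for i in range(25)]
    + [("write_file", f"C:\\Users\\alice\\Documents\\doc{i}.docx") for i in range(25)]
    + [("reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
       ("stop_service", "ExampleSecurityService")]  # constructed service name
)
TRACE_EVASIVE = [
    ("probe_env", "cpu_count"),
    ("probe_env", "vm_vendor_string"),
    ("sleep", "600s"),
    ("exit", "0"),
]
TRACE_UPDATER = [
    ("probe_env", "os_version"),  # legitimate software inspects the host too
    ("read_file", "C:\\Program Files\\App\\version.txt"),
    ("write_file", "C:\\Program Files\\App\\app.exe"),
]

if __name__ == "__main__":
    for label, trace in [("editor", TRACE_EDITOR), ("ransom-like", TRACE_RANSOM_LIKE),
                         ("evasive", TRACE_EVASIVE), ("updater", TRACE_UPDATER)]:
        fired, score = evaluate(trace)
        print(f"{label:12} {classify(trace):10} score={score:2} rules={fired}")
```

The editor and updater traces stay clean, the ransom-like trace trips three rules, and the evasive trace reaches the threshold on the probe-then-silence pattern alone. The threshold is what keeps this from flagging every program that checks its environment, which is also the trade-off the post raises next: the more monitoring the engine does to catch quiet samples, the more it costs in performance and false alarms.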

Another concern with behavior-based detection methods is that they can severely impact computer performance. Constant scanning and monitoring in the background can slow your computer down and frustrate users. In some instances, we’ve seen users ask technicians to turn off an antivirus’ heuristics to speed things up.

Antivirus is NOT foolproof, and it lets plenty of malicious software enter and operate on machines.

The take home: you might be depending too heavily on your antivirus software to detect threats on your systems.

While it does help react to known threats, it is by no means capable of defending your network from evolving attacks. If you’re not regularly testing it, you’re probably putting too much faith in your AV platform.