

Anti-Virus: What’s the Big Deal?

In the early days of the Internet, viruses and worms ran rampant. If you didn’t have an anti-virus application to protect you, your PC would soon be overrun with all sorts of nasty malware. “But it’s 2018 now, I have Windows Defender/Symantec/McAfee installed, and I can’t remember the last time I had a problem. I’m good to go, right?” Eh, not quite.

All Anti-Virus Protection is the Same, Right?

At a high level, there are two distinct types of anti-virus (or anti-malware) solutions available, and they differ in both detection rates and effectiveness against certain threats. Let’s discuss the anti-virus you’re likely thinking of (“traditional” anti-virus) versus the newer form (“next-gen”), and give you an idea of which you should deploy and when.

What Is Traditional Anti-Virus/Anti-Malware?

Historically, traditional anti-virus products (AVG, Symantec, McAfee, Sophos, and the like) have followed a very simple formula:

  1. Users, researchers, or vendor honeypots report a malicious file in the wild (“BadThing.exe”)
  2. Anti-virus vendors extract a signature for BadThing.exe (a hash of the file, or a distinctive byte pattern taken from its code) and add it to their list of known malware (the signature list)
  3. BadThing.exe starts being detected by anti-virus scans
  4. Bad guys modify BadThing.exe to create BadThing2.exe
  5. A hash signature fails as soon as a single byte of the file changes; a byte-pattern signature survives small edits, but the bad guys only need to alter the bytes it keys on (by repacking, re-obfuscating, or recompiling). Either way, BadThing2.exe won’t be detected until the vendor catches up and adds a new signature to the list
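The five steps above, carried through in code as an added example (this is not code from the original post or from any vendor’s engine). It models the two common forms of signature, an exact file hash and a byte pattern, and shows how a trivially modified “BadThing2.exe” slips past the hash while a re-obfuscated variant slips past both. The sample bytes, the signature names, and the C2 address are all constructed for the example; real engines add fuzzy hashing, emulation, and many more pattern types, but the brittleness shown here is the point the text makes.

```python
import hashlib
import re

# Constructed stand-in for "BadThing.exe". Not real malware; the bytes are
# made up for this example (a fake PE header, a shadow-copy deletion command,
# and a fake C2 marker using a documentation IP range).
BAD_THING = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"cmd.exe /c vssadmin delete shadows /all /quiet"
    + b"\x00" * 8
    + b"C2=http://203.0.113.10/gate.php"
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature list, variant 1: exact file hashes. This is what gets pushed once
# a sample is reported (step 2). Built here from the constructed sample.
HASH_BLOCKLIST = {sha256(BAD_THING)}

# Signature list, variant 2: byte patterns lifted from the sample. A pattern
# survives edits elsewhere in the file, which is why vendors prefer it over a
# bare hash, but it still only matches what has already been seen.
PATTERN_SIGNATURES = {
    "BadThing.shadow_delete": re.compile(rb"vssadmin delete shadows"),
    "BadThing.c2_marker": re.compile(rb"C2=http://203\.0\.113\.10/"),
}


def hash_match(data: bytes) -> bool:
    """Step 3: detected only if the whole-file hash is on the list."""
    return sha256(data) in HASH_BLOCKLIST


def pattern_match(data: bytes) -> list:
    """Return the names of every byte-pattern signature found in the file."""
    return [name for name, rx in PATTERN_SIGNATURES.items() if rx.search(data)]


def scan(data: bytes) -> dict:
    """Combine both signature types the way a simple scanner would."""
    hits = pattern_match(data)
    hashed = hash_match(data)
    return {"hash_hit": hashed, "pattern_hits": hits, "detected": hashed or bool(hits)}


# Steps 4-5: "BadThing2.exe" is BadThing with one byte appended. The hash no
# longer matches, but the byte patterns are untouched.
BAD_THING2 = BAD_THING + b"\x00"

# A variant that also rewrites the exact bytes the pattern signatures key on
# (an extra space in the command, a different C2 host). Neither signature fires.
BAD_THING3 = (
    BAD_THING
    .replace(b"vssadmin delete shadows", b"vssadmin  delete shadows")
    .replace(b"203.0.113.10", b"198.51.100.7")
)

if __name__ == "__main__":
    for label, sample in [("BadThing", BAD_THING), ("BadThing2", BAD_THING2), ("BadThing3", BAD_THING3)]:
        print(label, scan(sample))
```

Running the block prints one verdict per sample: the original is caught by both mechanisms, BadThing2 is caught only by the byte patterns, and BadThing3 is caught by neither until someone writes a new signature for it. That last case is the gap the rest of the post is about.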

This model has an obvious flaw: if malware is frequently changed or modified (as most current malware and ransomware is, often automatically with every build), it will easily bypass signature-based detection. Luckily, all is not lost.

What Does Behavior-Based (Next-Gen) Anti-Malware Mean?

A more recent development in malware prevention and detection is behavior-based (also called heuristic or “next-gen”) detection. Some of the more well-known products in this space include CarbonBlack (formerly Bit9), Cylance, and CrowdStrike. Behavior-based products differ from traditional signature-based products by inspecting the behavior of suspected malware, rather than checking the file signature against a known list of malicious files.

Behavior-based anti-malware looks at what a file or application does rather than at what its bytes are. Some products emulate or statically analyze the code before it runs to determine the object’s intention; others watch the process as it executes and step in when it misbehaves. Either way, if the intended or observed behavior is suspicious, abnormal, or clearly malicious, execution is blocked (or the process is killed) before the file has a chance to do damage. Examples of suspicious behavior include disabling active security controls, installing other files (like rootkits or drivers), self-registering the program to auto-start, or modifying trusted programs.

Additionally, about half of today’s malware attacks (by some estimates) utilize “file-less” malware, meaning no malicious executable is ever written to the victim’s disk for a scanner to hash. Rather, if a user clicks a link in an email and is led to a malicious website, web content (such as Flash or JavaScript) or a macro in an attached document is used to launch trusted Windows tools like PowerShell or Windows Management Instrumentation (WMI). These trusted, already-signed tools can then be used by an attacker to carry out their malicious intentions on your device or network, and a signature for the tool itself would be useless since it is legitimate software.
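To make the two preceding paragraphs concrete, here is an added example (not code from the original post or from any vendor’s product) of the scoring idea behind behavior-based detection: a handful of weighted rules are evaluated over process-creation telemetry, and a process whose combined score crosses a threshold is blocked. The events, the action labels, the rule weights, and the threshold are all constructed for this example and are not a real EDR schema. The first event is the file-less chain described above (an Office document launching hidden, encoded PowerShell that registers itself to auto-start); the second is an ordinary installer, included to show why a single behavior on its own should not trigger a block; the third disables protection and drops a driver.

```python
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """Constructed, simplified telemetry for one process creation."""
    parent: str        # image name of the parent process
    image: str         # image name of the new process
    cmdline: str       # full command line
    # Side effects observed while the process ran. The "kind:verb:target"
    # labels are an invented convention for this example only.
    actions: list = field(default_factory=list)


def _parent_is_office(e):
    return e.parent.lower() in {"winword.exe", "excel.exe", "outlook.exe"}


def _is_script_host(e):
    return e.image.lower() in {"powershell.exe", "wmic.exe", "mshta.exe", "wscript.exe"}


def _hidden_or_encoded_powershell(e):
    flags = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")
    return e.image.lower() == "powershell.exe" and any(f in e.cmdline.lower() for f in flags)


RUN_KEY = "registry:write:hkcu\\software\\microsoft\\windows\\currentversion\\run"

# (rule name, weight, predicate). Weights are illustrative; a real product
# tunes them against large benign and malicious corpora.
RULES = [
    ("office_spawns_script_host", 40, lambda e: _parent_is_office(e) and _is_script_host(e)),
    ("powershell_encoded_or_hidden", 25, _hidden_or_encoded_powershell),
    ("disables_security_control", 40, lambda e: "tamper:disable_realtime_protection" in e.actions),
    ("registers_autostart", 30, lambda e: RUN_KEY in e.actions),
    ("modifies_trusted_program", 30,
     lambda e: any(a.startswith("file:write:c:\\windows\\system32\\") for a in e.actions)),
    ("drops_driver", 35,
     lambda e: any(a.startswith("file:write:") and a.endswith(".sys") for a in e.actions)),
]

BLOCK_THRESHOLD = 50  # illustrative


def score(event: ProcessEvent) -> dict:
    """Evaluate every rule and return the total, the rules that fired, and a verdict."""
    hits = [(name, weight) for name, weight, pred in RULES if pred(event)]
    total = sum(weight for _, weight in hits)
    return {
        "score": total,
        "rules": [name for name, _ in hits],
        "verdict": "block" if total >= BLOCK_THRESHOLD else "allow",
    }


# Constructed events. The base64 payload is a made-up placeholder.
FILELESS = ProcessEvent(
    parent="winword.exe", image="powershell.exe",
    cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIABpAGUAeAA=",
    actions=[RUN_KEY],
)
INSTALLER = ProcessEvent(
    parent="explorer.exe", image="setup.exe", cmdline="setup.exe /S",
    actions=["file:write:c:\\program files\\app\\app.exe", RUN_KEY],
)
ROOTKIT = ProcessEvent(
    parent="cmd.exe", image="update.exe", cmdline="update.exe",
    actions=["tamper:disable_realtime_protection",
             "file:write:c:\\windows\\system32\\drivers\\evil.sys"],
)

if __name__ == "__main__":
    for label, ev in [("fileless", FILELESS), ("installer", INSTALLER), ("rootkit", ROOTKIT)]:
        print(label, score(ev))
```

Note that nothing in the block ever hashes a file: the file-less chain is blocked purely on the parent/child relationship, the command-line flags, and the auto-start write, none of which a signature list could express. The installer also registers an auto-start entry, but that alone stays under the threshold, which is the trade-off every behavior-based product has to tune between catching malware and breaking legitimate software.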

Behavior-based anti-malware wins where traditional, signature-based anti-malware cannot: polymorphic, file-less, and never-before-seen threats are far too numerous for a signature list to keep up with. However, traditional anti-malware programs still have a place as part of a layered-security strategy.

Is Traditional Anti-Virus Useless?

As a reminder, threats that exploit zero-day vulnerabilities (unknown vulnerabilities, i.e. vulnerabilities for which there is no patch) and any brand-new malware will not be detected by traditional A/V, because no signature exists for something nobody has seen yet. Behavior-based A/V is one of your few good options for automatically detecting and stopping threats arising from zero-days. Traditional A/V has no chance to catch these types of threats, by definition (no pun intended).

However, just because signature-based detection is flawed doesn’t mean it’s not still critically important to protecting your endpoints (desktops, laptops, servers, mobile devices, etc.). Overall detection rates for signature-only products may be only in the 50-60% range, but they’re still a relatively cost-effective way to catch the high volume of known, commodity threats cheaply and with few false positives. Many experts recommend a hybrid approach, utilizing traditional signature-based anti-virus as the front line of defense, while also implementing a behavior-based system to catch anything that falls through the cracks. In addition, many traditional A/V vendors such as McAfee and Symantec are developing and releasing hybrid “endpoint protection” products that combine signature-based and behavior-based detection, while also including features such as host-based intrusion prevention (HIPS) and data loss prevention.

So How Should I Deploy A/V?

Make sure you have anti-virus/endpoint protection installed on every endpoint device. If you’re running a business or corporate environment, it would be prudent to implement a solution that incorporates both traditional (signature-based) and next-gen (behavior-based) threat detection. You’ll want to make sure it’s centrally managed, so that you can distribute updates, modify configurations, and monitor your entire environment from one place, and so that you can tell when an endpoint has stopped reporting or has had its protection disabled. At the end of the day, there’s no need to throw the baby out with the bathwater. There’s no “one perfect solution” in the real world, so make sure you’re assessing the risks and needs of your organization to make the correct decision.


Written by: Dan Klosterman
Information Security Consultant, SBS CyberSecurity

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, November 14, 2018
Categories: Blog