Yes, it’s true. The once trusted and highly revered anti-malware software that has been protecting businesses since the late 1980’s no longer qualifies as an all-encompassing ‘security solution’, and it probably never has. While many agree it’s a tool with a degree of utility– that’s all it is, a tool. To understand why this is the case, we need to discuss how anti-malware software works and what its limitations are. From there, we’ll be able to assess the security gaps anti-malware software leaves and develop the knowledge required to create a well-rounded security strategy. Let’s dive in.
How does anti-malware software work?
Anti-malware software uses three core detection methods, signature-based detection, heuristic analysis and sandbox environments. Although each method has its limitations, together, this malware hunting trio can be quite effective. We’re going to start where anti-malware software itself began, with signature-based detection. Signature-based detection As an application is made up of ‘bits’ (binary digits), and each application compiles into the same sequence of bits each time it is run, it is possible to record this sequence and enter it into a database - this is known as a ‘signature’ in the virus world. Once a malicious signature has been detected, it can be added to the anti-malware software’s database. If the malicious software tries to run itself, the anti-malware software can detect its unique ‘signature’ and deny it from running.
The issue with this type of detection is that it’s unable to detect new malware, it will only block the set of malicious signatures it is already aware of. Not helpful. Furthermore, signature-based detection can be avoided just by changing the original sequence to something slightly different, making it entirely possible to reuse malicious software with the smallest change. This method alone can only detect well-known, unchanged malware that will be used in the weakest forms of cyber-attacks. You don’t want this to be one of the only solutions protecting your business from the diverse array of modern cyber-threats.
Heuristic analysis Heuristics takes it up a notch and looks to study rules, algorithms and patterns of applications. This allows the anti-malware software to discover new malware entering the market and doesn’t rely solely on an existing database of virus signatures. Well surely this is all your problems solved, you now have an existing database of historical malware and the ability to detect new malware? Unfortunately, that isn’t the case. Not only does heuristic analysis tend to produce a large number of false positives, it can be avoided by attackers. More on that later. Sandbox environments A sandbox, as it is for children, is a safe environment where you’re able to play. Although unlike children, you’re not playing with spades and buckets, you’re playing with malicious software. Sandboxes allow anti-malware software to run the malicious code in a safe environment to see how it reacts within the system. If the malware begins to perform malicious activity, the anti-malware program will block the file, if it doesn’t, it won’t. Simple.
Out of all three detection systems, sandbox environments are the most thorough. However, they’re both performance intensive, time consuming and, you guessed it, it’s possible to evade sandboxes with the right type of malware.
As we’ve already mentioned, it’s possible for attackers to develop malware designed to evade anti-malware systems. This is not only possible, but highly likely. Looking back to ‘signature-based detection’ we learned that virus signatures are stored in a database for the anti-malware program to refer to when deciding whether to run a program or not. Security researchers found that they were able to evade 25% of anti-malware systems tested just by compressing a file. That’s right, make the file smaller and give it a different extension and voila! You’ve just managed to send your malicious software to a bunch of unsuspecting users who thought they were protected. Researchers didn’t stop there though, 25% wasn’t enough. Instead, they packaged their malicious software using a program called ‘Metasploit’ into a file that ended up looking like a notepad executable, namely, ‘notepad.exe’ and through this simple method, they managed to evade 100% of anti-malware systems tested. Yes, it was that easy. Next up is heuristic analysis. Now heuristics detects patterns in applications, so how can this be avoided? It turns out that if you have a trusted ‘digital signature’ at the bottom of your code, a kind of ‘hey, I’m safe to use’ statement that’s provided by third-party businesses, anti-malware software will let the program run, evading heuristics altogether, the process looks like this:
Well thanks heuristics, you were a lot of help… Lastly, we move on to sandboxing environments. Evading an environment that runs your entire application and analyses the entire system effects, all before allowing the program to run should surely be impossible? Not quite. Attackers have developed certain types of malware that is ‘aware’ of its environment. It can detect whether it is within a sandbox or a real machine. If it detects it is within a sandbox, the application won’t run, if it detects its within a machine, it runs. Once the sandbox has seen no malicious activity take place, it will allow the software to run on the real machine and ultimately achieve its goal of infecting the endpoint. Brilliant. We’ve now established that it is entirely possible and highly probable that malware can evade each detection method and infect our machine. Now that’s not to say that anti-malware systems won’t block are large amount of malware, because they will. We just can’t rely on anti-malware alone to defend our endpoints.
What can we do?
Now we know that anti-malware systems alone aren’t enough to protect your business, looking for security systems and processes that will compliment your anti-malware software is the next logical step. Security awareness training There’s no better place to start the security journey than with the users themselves. Empowering users with the knowledge they need to combat attacks such as phishing emails will dramatically decrease the amount of malware downloaded to your endpoints. After all, 91% of all cyber-breaches begin with human-error. Train your staff with automated phishing campaigns designed to test how they react to fake and malicious emails and use security awareness training videos and quizzes to reinforce their learning. Web content filtering Most people are aware the internet is a dangerous place with malicious files lurking around every corner. If you’re able to block malicious websites automatically, you considerably reduce the chance of downloading malicious software. Web content filtering does exactly that. Trusted software lists If your business doesn’t already have one, get one. Knowing what software can be downloaded onto your PC’s is incredibly advantageous. If one of your staff members would like to download a piece of software outside of the list, it will be subject to an approval process, giving you and your IT department the time to check its legitimacy and safety.
If you’re currently in a position where anti-malware software is your only line of defence, don’t panic, at least it’s a start - It’s where you go from here that counts. Anti-malware alone can’t protect you and you will need multiple layers of security to truly defend your business from modern cyber-threats. The solutions we’ve discussed above are only a small fraction of the security measures you will need to stay ahead of cyber-criminals. If you are interested in discussing what else can be done, Total IT Security is just a phone call away.
Maurice Duro - Cyber Security Analyst