When I first got into Cybersecurity there wasn’t much talk about all these complex password requirements and next-generation firewalls. The advice from experts was simple – ensure that you have an up to date anti-virus application and make sure that you patch your computers on a regular basis.
Now the advice is much different and the prevailing thought is that anti-virus is largely ineffective at stopping some of the more advanced threats out there. This means that we as individuals have to be more cautious about what we download and what we install on our computers. So let’s take a little bit to understand how anti-virus works and why it’s sometimes ineffective.
One of the most common ways that anti-virus finds and stops viruses, malware, and ransomware is by using what’s called “signature-based” detection. Signature-based detections is exactly what is sounds like – the anti-virus vendors create signatures for new viruses and the software and then scan your computer for those signatures.
There are two problems with this type of threat detection. The first is that these signatures are usually looking for something very specific in the virus. This could be some code they know will be in the virus or a specific file that is placed on the system when the virus is run. While these signatures can get very complicated, they are also easily broken by many tactics.
So let’s look at what a very simplistic signature would be. Say you have a virus and once it’s installed it runs the following code “printf (“hello world”)”. Now, this is a very simplistic line of code and the likelihood of this being in any virus is low. However, for this demonstration, let’s pretend our virus runs that. The anti-virus application will be looking for that particular piece of code running on your system.
As a malware author, all I have to do is add some random characters into that line of code to tamper the anti-viruses signature. So if I change that line before to “printf (\x90 “hello world”)”, I have effectively defeated the anti-virus signature.
As a seasoned professional in the industry, I will be the first to say it’s not as easy as I just made it out to be. The anti-virus vendors are very good at creating signatures. However, the virus authors have been largely successful at getting past anti-virus applications thus far, so we can’t rely on anti-virus as our only means of protection.
The other pitfall of anti-virus applications is that many of them rely on having seen the virus before. By this, I mean that if the virus that gets installed on your computer is new to the internet, then the likelihood that any anti-virus vendor has a signature for it will be slim to none.
Anti-virus vendors have teams that are dedicated to finding new viruses on the internet. They use a highly-trained team of cyber analysts to scour the deep dark places of the internet where viruses are born, find new viruses, and put in protections against them. They also rely on outside people to submit what they think might be viruses to their team to be analyzed.
The problem with this is that if a new virus is released on the internet, it may take a while before their team finds the virus or someone submits it to them. The time between the virus release and the creation of a signature could be days or even weeks. What this means for you, however, it that your anti-virus software isn’t protecting you against this new virus. If you download and install it before a signature comes out, you could have your data stolen or held for ransom.
All hope is not lost. I don’t want you to think after reading this article that anti-virus is awful and that you should uninstall it. anti-virus is a very important part of your layered security model. You just need to understand what anti-virus is good at defending you against and where it is lacking.
Anti-virus vendors pride themselves on being able to block a lot of what I call the “broad-based” viruses and malware. This means that you are protected from many of the common viruses and malware on the internet today. Nevertheless, you cannot open every file and click on every link sent to you and feel 100% protected by your anti-virus system.
My final advice to you is to make sure your anti-virus tool is set to automatically update and stay vigilant when you open links and documents from people you don’t know. With these tips in mind, you will be more secure than many people out there, and that is our ultimate goal – be harder to hack than the next person.
Kyle Slosek is a security practitioner with 10 years of experience in enterprise Information Technology environments. Through out his career Kyle has performed everything from certification and accreditation to penetration testing and forensics. He holds a Bachelor of Science in Information Technology, a Master of Science in Information Assurance, as well as several industry certifications.
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.