How are antiviruses getting overpowered?

Kenji Gaillac
Jun 18, 2019


Co-authored by: Thibault Allançon, Léane Duchet, Kenji Gaillac, Arielle Lévi

Introduction

This paper will first explore basic defence mechanisms (antivirus, anti-malware, firewall) and explain their differences. Then, several methods for detecting viruses will be considered, along with an overview of their pros and cons. Finally, the question of the effectiveness of antiviruses will be addressed, to better understand the constant battle between viruses and antiviruses.

General information

Antivirus

A virus is a type of malware (among others, like Trojans, spyware, adware, etc.) that is able to replicate itself. Does this mean that antiviruses are underdeveloped anti-malware? In fact, it does not, because antiviruses actually fight multiple kinds of malware and do not specifically target viruses. However, they do not necessarily protect you against all kinds of malware; they often target the classic kinds, such as viruses, worms, Trojans, keyloggers or adware. Antiviruses regularly scan the files on your computer to try to detect common threats and eliminate them. On the other hand, the behaviour of an anti-malware tool is slightly different.

Anti-malware

Anti-malware tools are different in that they scan deeper into your files and search for a wider variety of malware. They try to find any malicious software that antiviruses cannot detect (or struggle to detect). Obviously, they are also supposed to detect the ones antiviruses recognize. Therefore, it is usually recommended to use both an antivirus and an anti-malware tool to protect your computer: the antivirus for everyday use and the anti-malware tool from time to time. In addition to these “local” protection programs, there is an equally important element that helps users protect themselves: the firewall.

Firewall

A firewall is a network security system. Its role is to monitor the Internet traffic of your device or network. Basically, a firewall follows a set of rules you have defined. These rules indicate which packets are allowed to pass and which are to be blocked because they represent a potential threat. Usually, firewalls are used to monitor incoming as well as outgoing packets. When protecting your own system against threats, we are interested in monitoring incoming packets, because the danger comes from the outside world. Nevertheless, monitoring outgoing packets can help protect others on your network or on the Internet, which can help stop the spread of a virus, for example.

Antivirus design

For an antivirus to be as effective as possible, it needs several components. It first needs to be able to protect the various potential entry points of a malware attack. Here are some of them:

  • Processes
    The antivirus should prevent malicious processes from starting. Therefore, whenever a process is created, it should check whether this process will cause harm or not. If it will, the process’s main thread is not started and the process is killed; otherwise, the process starts its execution.
  • Threads
    New threads are quite similar to new processes: they need to be checked to make sure their code will not provoke dangerous behaviour. Similarly to processes, the antivirus will prevent the thread from executing if it is considered harmful.
  • Files
    The antivirus should be able to scan files when the user enters a folder, that is to say, before any of the files are even executed.
  • User protection
    While this is not considered mandatory in all antiviruses, it is useful for keeping the user’s information (such as passwords) private.

A good antivirus also has to protect itself, so that it is not easily defeated by malware. It should protect its installation and its persistence across reboots. To do so, it needs to keep its files, registry keys, processes/threads and memory safe. File and registry protection are ensured by drivers that also protect user processes and registry entries. As the antivirus uses kernel-level threads, these are automatically protected (the system would crash if they were modified).

For a commercial antivirus, the graphical user interface is also important, as it is what most users will be attracted by, since it is what the user interacts with.

Antiviruses have two ways of dealing with an infection by a virus. First, they can simply remove the file containing the virus and roll the computer back to its state before the infection; or they can quarantine the file and let the user decide what should be done with it.

Once the antivirus knows where to search, what to protect and how it should deal with an aggression, it needs a way to detect the viruses, which leads us to the next part: the different detection methods used today by antiviruses.

Detection methods of antiviruses

In this paper, we will look at the signature-based method, the behaviour-based method and heuristic analysis.

Signature-based

The signature-based method works only on known viruses. The principle is simple: each virus has a signature, like a fingerprint, which is unique and can be used to identify this specific virus. This algorithm is used for its simplicity of concept and implementation. In order to spot an already known virus, it is enough to compare it with a list of known signatures; if it is recognized, the program is treated as a virus and deleted from the system.

There exist several ways to implement this algorithm. For example, you can create a blacklist, a file containing many characteristic binary sequences from the code of unwanted viruses, which is flexible but not effective against brand new viruses. Another solution is to create a whitelist, which on the contrary contains the only patterns allowed, which is very strict. When using this method one needs to make sure to find a good signature for every virus, because a signature that is overly generic or, on the contrary, too specific could lead to errors such as false positives or false negatives.

Most antiviruses are not open source, to prevent hackers from rendering them useless. Unfortunately, the signature-based method cannot keep up with the progress made by viruses and other malicious techniques.

Behaviour-based

This type of antivirus, rather than searching for a particular pattern in some binary code, tries to understand the “behaviour” or the “potential behaviour” of a given program (hence its name), and determines from there whether it is likely to be a malicious program or not. From here, one needs to define when a behaviour is considered suspicious and how to determine it. Several ways are possible.

The first anomaly-detection technique works like this: one possesses a model of what normal behaviour is (a base behaviour), and any behaviour too different from it is found to be suspicious. This method is similar to the algorithm used for credit card fraud detection: for example, if a client suddenly uses their credit card heavily in a region of the world where they do not live, it is considered an uncommon and unexpected behaviour, and therefore a suspicious one. Here again lies the problem of false positives and false negatives. For complex programs, one might have to build a very complicated base behaviour. Another problem is that if the reference behaviour happens to be known by the attacker, this antivirus can be bypassed and the virus changed in order to trigger a false negative. This virus will thus never be detected unless the base behaviour is modified.

Second, one can analyse the sequence of commands to be executed, which can reveal system calls or requests that should not be allowed for such a program. For example, observing keystrokes or asking to read or modify specific files containing passwords can be perceived as highly suspicious behaviour. The suspicious code can be run in a sandbox in order to determine whether it should be considered a virus or not.
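As an added illustration (not code from the article), the two behaviour-based checks just described in Python: a baseline model of normal system-call sequences (the "base behaviour") scored by how many call n-grams were never seen in known-good runs, plus a policy check on calls the program should never make. All traces, call names and the threshold are constructed for this example.

```python
"""Toy behaviour-based detector: a baseline model of normal system-call
sequences plus a policy check on calls the program should never make.

Added example; all traces are constructed, not real system-call logs.
"""
from typing import Iterable, List, Set, Tuple

Trace = List[str]          # ordered system-call names from one sandboxed run
Profile = Set[Tuple[str, ...]]

# Constructed baseline: what known-good runs of a simple text editor look like.
NORMAL_TRACES: List[Trace] = [
    ["open", "read", "read", "close", "write", "close"],
    ["open", "read", "close", "open", "write", "close"],
    ["open", "read", "read", "read", "close"],
]

# Calls a text editor has no legitimate reason to make (keystroke capture,
# persistence); seeing one is decisive regardless of the anomaly score.
FORBIDDEN_CALLS = {"set_keyboard_hook", "write_autostart_key"}


def ngrams(trace: Trace, n: int) -> Iterable[Tuple[str, ...]]:
    """Sliding windows of n consecutive calls: the unit of 'base behaviour'."""
    return (tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def build_profile(traces: List[Trace], n: int = 3) -> Profile:
    """Base behaviour = every n-gram ever observed in known-good runs."""
    profile: Profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(trace: Trace, profile: Profile, n: int = 3) -> float:
    """Fraction of the trace's n-grams never seen in the baseline (0.0 = normal)."""
    windows = list(ngrams(trace, n))
    if not windows:
        return 0.0
    return sum(1 for w in windows if w not in profile) / len(windows)


def policy_violations(trace: Trace) -> List[str]:
    return [call for call in trace if call in FORBIDDEN_CALLS]


def classify(trace: Trace, profile: Profile, threshold: float = 0.5) -> str:
    """Policy hit -> malicious; otherwise compare the anomaly score to the
    threshold, which is the false-positive/false-negative trade-off in the text."""
    if policy_violations(trace):
        return "malicious"
    return "suspicious" if anomaly_score(trace, profile) > threshold else "benign"
```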

Heuristic analysis

Heuristic analysis relies on the search for specific keywords that would not be found in a typical application. It is quite similar to signature-based detection, as it uses the program’s code to determine whether or not a suspicious program is indeed a virus. Heuristic analysis was created to compensate for the main limitation of signature-based detection: new viruses cannot be recognized using their signatures.

Heuristic analysis can be implemented in three ways: dynamic scanning, file analysis or genetic signature detection.

Dynamic scanning, also known as file emulation, uses a virtual machine. An antivirus using it will run the suspicious file in a virtual machine to observe its behaviour, for example whether it replicates itself or executes the payload of a Trojan (this is similar to a behaviour-based antivirus).

For static heuristic analysis (or genetic signature detection), the application is first decompiled so that its source code can be examined. That code is then compared to that of known viruses. If the source code of the analysed program is too similar to those viruses, it is considered a potential threat and thus quarantined (or the network administrator is informed).

Lastly, file analysis relies on analysing the purpose of the code. If the purpose is to delete some files, or if its destination is abnormal, it might be considered a virus.

While this method of detection is better than the signature-based one, as it detects patterns in the behaviour rather than the direct signature of the viruses and so can detect more of them, it is still lacking compared to behavioural detection. Heuristic detection might miss a virus whose code pattern is slightly changed compared to known viruses. False positives might also happen, and it usually takes more time for a heuristic antivirus to scan files than for an antivirus using behavioural detection.
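As an added example (not from the article), a toy version of the static "genetic signature" check described above: decompiled code is normalized into token classes and compared with known malicious code by Jaccard similarity of token n-grams, so that renamed identifiers or changed string constants, one of the "slightly changed pattern" cases, still score as similar. The code fragments, the keyword set and the 0.6 threshold are constructed for this example.

```python
"""Toy static heuristic ("genetic signature") check: decompiled code is
normalized into token classes and compared with known malicious code by
Jaccard similarity of token n-grams, so renamed identifiers still match.

Added example; the code fragments are constructed and do nothing harmful.
"""
import re
from typing import List, Set, Tuple

TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|\d+|[A-Za-z_]\w*|[^\s\w]''')
KEYWORDS = {"for", "in", "if", "else", "while", "def", "return", "import", "and", "or", "not"}

# Constructed "known virus" code as a decompiler might recover it, a copy of it
# with renamed identifiers and a changed string, and an unrelated benign script.
KNOWN_SAMPLE = 'for f in listdir(p):\n    if f.endswith(".txt"):\n        handle(f, data)\n'
RENAMED_COPY = 'for x in listdir(d):\n    if x.endswith(".doc"):\n        handle(x, buf)\n'
BENIGN_SCRIPT = "total = 0\nfor n in range(10):\n    total = total + n\nprint(total)\n"


def normalize(source: str) -> List[str]:
    """Keep keywords and punctuation; collapse names, numbers and strings."""
    out = []
    for tok in TOKEN_RE.findall(source):
        if tok in KEYWORDS:
            out.append(tok)
        elif tok[0] in "\"'":
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok[0].isalpha() or tok[0] == "_":
            out.append("ID")
        else:
            out.append(tok)
    return out


def shingles(tokens: List[str], n: int = 3) -> Set[Tuple[str, ...]]:
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def similarity(a: str, b: str, n: int = 3) -> float:
    """Jaccard similarity of token-class n-grams: 1.0 means identical structure."""
    sa, sb = shingles(normalize(a), n), shingles(normalize(b), n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def heuristic_verdict(sample: str, known: List[str], threshold: float = 0.6) -> str:
    """Quarantine when the sample is too close to any known malicious code."""
    best = max((similarity(sample, k) for k in known), default=0.0)
    return "quarantine" if best >= threshold else "allow"
```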

Those three methods can be used alone or together to have a more effective antivirus.

Effectiveness

Research about effectiveness

Overall, antivirus software effectiveness has been decreasing since 2007, for multiple reasons. Virus authors shifted from amateurs and geeks to organized, professional criminal industries. On top of this, new attacks and viruses appeared: zero-day attacks, ransomware, polymorphic code, etc. New viruses could easily be tested against the many antivirus solutions to make sure of a low detection rate. Signature-based detection is now deprecated, considering how fast virus techniques are evolving. Behaviour-based methods are still heavily used but are not as effective against most modern viruses.

In 2014, a senior vice president at Symantec (the company that created McAfee antivirus software) publicly announced that antivirus software was “dead.”

EICAR Antivirus test file

In 2006, the European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) created a file to test the response of antiviruses. The text file is a real DOS program, and prints the message “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!” when run. The goal of this technique is to test the antivirus’s capabilities without having to use actual computer viruses. The antivirus needs to flag the EICAR string as a verified virus, usually using one of the test file’s known hashes.

However, this method has serious limitations, and does not correctly emulate many types of viruses (polymorphic or ransomware). According to malware researchers, adding support for the EICAR test to an antivirus tool’s database takes “time away from malware research, and proves nothing in the long run”.
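As an added example (not code from the article), a toy signature scanner in Python that ties the signature-based section to the EICAR test above: it holds both an exact SHA-256 hash signature and a byte-pattern (blacklist-style) signature, using the public, harmless EICAR test string as its known sample. It shows why a hash signature is "too specific" (a trailing newline defeats it while the byte pattern still matches) and why an over-generic pattern false-positives on benign text; the benign files, the signature names and the `Generic.Test` entry are constructed.

```python
"""Toy signature-based scanner: exact file hashes plus byte-pattern signatures.

Added example. The EICAR string is the public, harmless anti-virus test file;
every other file and the signature names below are constructed for this demo.
"""
import hashlib
from typing import Dict, List, Optional

# The 68-byte EICAR test string (a real, harmless test file, not malware).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hash signatures: SHA-256 of known samples. A vendor database ships these
# precomputed; here the entry is derived from the sample itself.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",
}

# Byte-pattern signatures: a characteristic substring, as in a blacklist file.
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File",
}

# Deliberately over-generic pattern: shows how a poor signature false-positives.
GENERIC_SIGNATURES: Dict[bytes, str] = {b"TEST": "Generic.Test"}


def scan_hash(data: bytes) -> Optional[str]:
    """Exact match on the whole file: any changed byte gives a false negative."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_patterns(data: bytes, signatures: Dict[bytes, str]) -> List[str]:
    """Substring match: survives small edits, but generic patterns over-match."""
    return [name for pattern, name in signatures.items() if pattern in data]


def scan(data: bytes) -> List[str]:
    """Verdicts from both signature types; names are de-duplicated."""
    hits = scan_patterns(data, PATTERN_SIGNATURES)
    hash_hit = scan_hash(data)
    if hash_hit and hash_hit not in hits:
        hits.append(hash_hit)
    return hits


if __name__ == "__main__":
    modified = EICAR + b"\n"                      # trailing newline: hash no longer matches
    benign = b"README: run the unit TEST suite"   # constructed harmless text
    print(scan(EICAR), scan_hash(modified), scan(modified))
    print(scan_patterns(benign, GENERIC_SIGNATURES), scan(benign))
```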

Conclusion

Attackers are becoming stronger and smarter, so much so that antivirus software, which has not evolved much in recent decades, is increasingly overpowered. There are only a few methods to detect malware, and none of them has proven to be perfect. Antivirus software still protects against some malware, and it is important to use one. However, it is important to remember that they are only “better than nothing”; they cannot be the only protection of a system. Users must also be their own protection.
