
Antivirus and Anti-malware: what they are, how they work


Antivirus software is the first line of defense for the corporate perimeter and the endpoints inside it. Understanding how it works also helps you understand its limitations and choose the product that best suits your needs. Here is a reasoned guide.


What are antiviruses?

Viruses appeared almost as soon as computers did, in the first half of the 1980s (it was Fred Cohen who first defined the concept of a "computer virus", in his 1984 essay Computer Viruses – Theory and Experiments).

In most cases they spread on floppy disks, which at the time were the main means of exchanging data. Antivirus software arrived not long after, starting the endless contest between guards (security analysts and researchers) and thieves (criminal hackers) that has characterized computing ever since.

The first such product was marketed by the German company G Data in 1987 and later by John McAfee.

Over the years both viruses and antivirus software have evolved enormously, but it was clear from the start that no antivirus could recognize every possible virus, since new ones were constantly being created and modified.

Today the term antivirus is often replaced by anti-malware, which is essentially a synonym: the term malware ("malicious software") broadly covers any type of malicious program, viruses included.

Antivirus and anti-malware products are software designed to detect and then remove various types of malicious code.

In addition to viruses, malicious software includes a wide variety of malware (spyware, keyloggers, trojans, adware, ransomware, rootkits, worms, and so on). We won't cover them here, focusing instead on the anti-malware software used to counter them.


How antiviruses work

Understanding how antivirus software works also helps in understanding its limitations.

The first antivirus programs performed an essentially "mechanical" check based on virus signatures (hence the name "signature-based"). The "signature" is produced by a hash algorithm: it is a sequence of bits (or a string) that represents the data it is derived from and, being unique to that data, is comparable to a fingerprint that uniquely identifies a file. In fact, it is also referred to as a "fingerprint".

In this way they could detect known viruses, already present in their virus definition database, but they could not intercept new attacks, which had not yet been classified.

Each new virus must first be detected and analyzed to determine its signature, which is then added to the list of known viruses. Database updates are sent to users at a frequency that, depending on the vendor, can be daily or even several times a day.

This detection method inevitably lags behind, because there will always be a window of time (perhaps just one day) during which the antivirus cannot recognize the malware.

The problem is made worse by polymorphism, which attackers use widely: they do not need to build malware from scratch, only to change the signature of existing malware.

Polymorphic malware encrypts itself differently each time, so that its signature changes and it looks different in each attack. In practice, the malware transforms a block of code into another block with the same functionality but a different fingerprint. The first polymorphic viruses appeared in the early 1990s.
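An added example (not from the original article) of the signature lookup just described and of why a polymorphic re-encoding defeats it. The samples and the signature database are constructed byte strings, not real malware, and the XOR re-encoding stands in for the encryption a real polymorphic engine would use.

```python
import hashlib

# Constructed samples standing in for executables (not real malware).
KNOWN_MALWARE = b"MZ demo-sample: open socket; write autorun key; spread copies"
BENIGN_TOOL = b"MZ demo-utility: read config; print report"


def fingerprint(data: bytes) -> str:
    """The 'signature' as the article describes it: a hash of the file content."""
    return hashlib.sha256(data).hexdigest()


# The virus definition database: fingerprints of samples already analysed.
SIGNATURE_DB = {fingerprint(KNOWN_MALWARE)}


def signature_scan(data: bytes, db: set = SIGNATURE_DB) -> bool:
    """Signature-based check: True only if the exact fingerprint is known."""
    return fingerprint(data) in db


def add_signature(db: set, sample: bytes) -> None:
    """The vendor's side of the loop: a new sample is analysed and its
    fingerprint is pushed out in the next definition update."""
    db.add(fingerprint(sample))


def polymorphic_variant(data: bytes, key: int) -> bytes:
    """Stand-in for polymorphism: the same payload re-encoded with a new key.
    A real engine also prepends a decryptor; the point here is only that the
    stored bytes, and hence the fingerprint, change while the payload does not."""
    return bytes(b ^ key for b in data)


def decode_variant(variant: bytes, key: int) -> bytes:
    """Recover the original payload: XOR with the same key is its own inverse."""
    return bytes(b ^ key for b in variant)
```

Every re-keyed copy needs its own definition update before the scan recognizes it, which is the time window the article describes.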

One of the best-known and most damaging examples of polymorphic malware was Emotet, a banking trojan first identified by security researchers in 2014. It is spread mainly through spam emails containing malicious JavaScript files.

Because of polymorphism, the effectiveness of antivirus is significantly reduced: according to a 2017 Malwarebytes study, a traditional antivirus fails to protect the user in almost 40% of malware attacks.

Bottom line: signature-based threat detection is useful but of limited effectiveness. For this reason, modern anti-malware also uses newer methods that analyze malicious behavior, and in this way can detect attacks that are not yet known. This technique is called heuristic analysis.

To compare antivirus with a police investigation: a traditional antivirus recognizes the criminal because it has his fingerprint on file, whereas a heuristic antivirus can tell that he is a criminal – even if it has never seen him before – because it searches him and finds a weapon, or sees him doing something suspicious.


Heuristic analysis to identify viruses

Heuristics is the set of strategies, techniques and inventive procedures for finding an argument, concept or theory suitable for solving a given problem (from the Treccani dictionary).

In the specific case of antivirus, it is a capability used alongside signature-based detection.

Heuristic analysis as used by antivirus products examines an executable file to analyze its structure, behavior and attributes.

The file's code is dissected and examined: if it contains instructions typical of malware, or if a certain percentage of it matches code already identified as malicious, the file is flagged as a possible threat.

In some cases, in more advanced anti-malware, a dynamic heuristic analysis is also performed: the suspicious file is run in a sandbox (an isolated test environment) to determine without risk whether the program is safe. Sandboxing shows how the software behaves and what threats it may carry.

Heuristic analysis can be very effective at identifying new threats, but if it is not properly tuned it can produce false positives, blocking harmless code, or conversely let malicious code through.

This problem is absent (or much less pronounced) in signature-based antivirus, whose behavior is binary, match or no match, and therefore much more automatic.
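An added example, not from the article, of the two static heuristic checks described above: a weighted list of "typical malware instructions" and the percentage of a file's code that overlaps known malicious code, approximated here by shared byte 4-grams. All samples, indicators and thresholds are constructed for illustration; a real engine works on disassembled code rather than text.

```python
from collections import Counter

# Constructed samples (plain text standing in for code; none are real malware).
KNOWN_MALICIOUS = b"open socket; download payload; write autorun key; disable updates; spread"
VARIANT = b"open socket; fetch payload; write autorun key; disable updates; spread copies"
BENIGN_UPDATER = b"open socket; download manifest; verify signature; write log; exit"
KIOSK_SETUP = b"read policy; disable updates; set autorun key for kiosk; log result"

# "Typical malware instructions" with constructed weights.
INDICATORS = {b"autorun": 3, b"disable updates": 3, b"spread": 2, b"payload": 1}


def ngrams(data: bytes, n: int = 4) -> Counter:
    """Multiset of the overlapping n-byte substrings of data."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def similarity(sample: bytes, known: bytes, n: int = 4) -> float:
    """Fraction (0.0 to 1.0) of the sample's n-grams that also occur in the
    known sample: the 'percentage of code matching something already malicious'."""
    gs, gk = ngrams(sample, n), ngrams(known, n)
    shared = sum(min(c, gk[g]) for g, c in gs.items())
    return shared / max(1, sum(gs.values()))


def indicator_score(sample: bytes) -> int:
    """Sum of the weights of the suspicious instructions found in the sample."""
    return sum(w for ind, w in INDICATORS.items() if ind in sample)


def heuristic_verdict(sample: bytes, known: bytes = KNOWN_MALICIOUS,
                      sim_threshold: float = 0.6, score_threshold: int = 5) -> str:
    """Flag the sample if either check crosses its threshold. The thresholds are
    the tuning the article mentions: too low and harmless code is blocked,
    too high and malicious code slips through."""
    if similarity(sample, known) >= sim_threshold:
        return "suspicious"
    if indicator_score(sample) >= score_threshold:
        return "suspicious"
    return "clean"
```

The re-worded variant, which a hash lookup would miss, is caught by the overlap check, while the kiosk-setup script is a false positive: it legitimately disables updates and sets an autorun key, and that alone crosses the indicator threshold.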


The Next Generation of Antivirus

Despite being a step ahead, even heuristic analysis that does not rely on signatures has proven insufficient to curb increasingly advanced cyber threats. Proof of this is the ongoing explosion of ransomware since 2013.

The frequency of ransomware attacks in recent years, with targets hit at every level, and the enormous economic damage caused, for example, by the infamous WannaCry show how difficult ransomware can be to detect.

Very often it is delivered through "dropper" files: small trojans that do not themselves contain the malicious code and are therefore better able to stay "under the radar" of the antivirus.

Typically delivered by a phishing email, once on the target system they are programmed to connect to the attackers' C&C (Command & Control) servers and download the actual malicious code.

To counter these attacks, antivirus has evolved into full "security suites", which can no longer be described simply as antivirus and are more correctly called anti-malware.

The new frontier of cybersecurity is artificial intelligence (AI) and machine learning (ML).

AI is not limited to running a fixed set of checks; instead it analyzes behavior and spots anomalies in order to identify, for example, a ransomware attack.

Machine learning, in turn, recognizes new behaviors and patterns, classifies them and "teaches" them to the defense system, which improves over time.

These technologies represent the future (in fact already the present) and are the ideal solution for cybersecurity, especially since signature-based and other manual methods cannot cope with the number and variety of today's threats.
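An added example, not from the article, of the kind of behavioral rule such systems apply: a process that renames many files to a new extension within a few seconds looks like ransomware encrypting a disk, whatever its signature. The event lines, process names and thresholds are constructed for illustration.

```python
import os
from collections import defaultdict, deque

# Constructed file-system events: "<seconds> <process> <action> <path[->newpath]>".
EVENTS = [
    "0.0 editor.exe write /home/a/report.docx",
    "1.0 photos.exe rename /home/a/img1.jpeg->/home/a/img1.jpg",
    "9.0 photos.exe rename /home/a/img2.jpeg->/home/a/img2.jpg",
    "20.0 sample.exe rename /home/a/report.docx->/home/a/report.docx.locked",
    "20.3 sample.exe rename /home/a/img1.jpg->/home/a/img1.jpg.locked",
    "20.6 sample.exe rename /home/a/img2.jpg->/home/a/img2.jpg.locked",
    "20.9 sample.exe rename /home/a/notes.txt->/home/a/notes.txt.locked",
    "21.2 sample.exe rename /home/a/budget.xlsx->/home/a/budget.xlsx.locked",
    "21.5 sample.exe rename /home/a/thesis.pdf->/home/a/thesis.pdf.locked",
]


def parse_event(line: str) -> tuple:
    """Split one event line into (time, process, action, path)."""
    t, proc, action, path = line.split(maxsplit=3)
    return float(t), proc, action, path


def extension_changed(action: str, path: str) -> bool:
    """True for a rename that gives the file a different extension."""
    if action != "rename" or "->" not in path:
        return False
    src, dst = path.split("->", 1)
    return os.path.splitext(src)[1] != os.path.splitext(dst)[1]


def detect_mass_renames(lines, window: float = 5.0, threshold: int = 5) -> dict:
    """Return {process: time_of_alert} for processes that changed the extension
    of at least `threshold` files within any `window`-second span. Timestamps
    must be non-decreasing, as in a real event stream."""
    recent = defaultdict(deque)   # per-process timestamps of recent renames
    alerts = {}
    for line in lines:
        t, proc, action, path = parse_event(line)
        if not extension_changed(action, path):
            continue
        q = recent[proc]
        q.append(t)
        while q and t - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and proc not in alerts:
            alerts[proc] = t
    return alerts
```

A legitimate bulk-rename utility would trip this rule too, which is why such signals are weighted together with others rather than used on their own.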

In short, these are complex security systems known as IDS (Intrusion Detection Systems).


How to choose antivirus

IDS protection requires significant investment and can only be deployed where there is a client-server architecture.

An antivirus program can generally coexist with an IDS, and in any case it is necessary in a Windows environment when no IDS is present, especially without a client-server architecture (where the antivirus can also be installed server-side). The cost advantage is of course greatest if you choose a free PC antivirus.

The market offering is very wide, with some common features: in almost all cases vendors offer a free basic product with limited functionality and paid packages that can be configured with a choice of more advanced options.

Evaluating and comparing the different offerings can be complicated, so we believe it is useful to rely on an authoritative third party such as Virus Bulletin or AV-Comparatives.

Virus Bulletin does not make antivirus software; it is a security portal with a magazine (the Bulletin, published since 1989) in which leading security researchers publish the latest research on new threats, developments and techniques in the security landscape.

Virus Bulletin is also an independent testing and certification body that, since 1998, has published periodic test reports analyzing enterprise-level anti-malware (in the VB100 section), email security (VBSpam) and web (VBWeb) protection.

Antivirus products that can detect at least 99.5% of the malware samples listed in the "In the Wild" section of the WildList Organization and generate no more than 0.01% false positives earn VB100 certification. Currently, testing is carried out on Windows 10 and Windows 7 systems.


Antivirus for Mac too

Let's start with a fact: Macs are not immune to attacks, even though they are a much less attractive target for malware and viruses.

The reason is the smaller installed base of Apple computers: according to Netmarketshare, Windows in its various versions holds about 87.5% of the world market, macOS 9.7% and Linux 2.2%. It is only natural that attackers aim at the big Windows target.

But the question is: do you need an antivirus on your Mac?

The first and main answer is that "the main antivirus is the user", because although malware for the Mac does exist, its success typically depends on an action by the user: usually downloading software from an unsafe source or from an email attachment, or handing over credentials (username and password). Such careless actions risk defeating any protective measure.

The Mac is a fairly robust system, but no security door is effective if we are the ones who open it to the thief.

