Antivirus Software Overview | Hacking Articles

Antivirus software has evolved significantly in the last 20 years. Early implementations of this software relied on crude and ineffective detection mechanisms, but in order to meet the challenges presented by modern malware, most tools now boast advanced capabilities.
At a basic level, most antivirus software runs on an endpoint machine. Local users can interact with the software to run “on-demand” scans against files on the machine. Additionally, most products offer “real-time scanning”, in which the software monitors file operations and scans a file when it is downloaded or when an attempt is made to execute it. In either case, if a malicious file is detected, it is either deleted or quarantined.

Most detection is signature-based. Antivirus vendors use automated processes and manual reverse-engineering efforts to create these signatures, which are stored in massive databases. While the exact signature algorithms are often closely held secrets, most rely on MD5 or SHA-1 hashes of malicious files or on unique byte sequences discovered in known malicious files. If a scanned file matches a known hash, or contains a malicious byte sequence, it is flagged as malicious. The practical consequence is worth keeping in mind: a hash signature is defeated by changing any single byte of the file, whereas a byte-sequence signature keeps matching until the specific bytes it names are altered.

In addition to signature scanning, some software performs heuristic or behavioral analysis that simulates execution of a scanned file. Most implementations execute the scanned file in a sandboxed environment, attempting to detect known malicious behavior. This approach relies on extremely sophisticated, proprietary code and is significantly more time-consuming and resource-intensive than signature-based detection. Its success rate varies widely from vendor to vendor. A newer heuristic approach leverages cloud computing along with artificial intelligence to improve the speed and accuracy of detection. However, this approach is more costly and is not nearly as widely implemented as signature-based and heuristic-based endpoint solutions. In this module, we’ll primarily target the free-to-use ClamAV and Avira antivirus products.
Although these products do not offer top-tier detection rates, they do employ signature and heuristic detection. We will also use online resources to verify our bypass techniques against other antivirus products. In the following sections, we will demonstrate methods we can use to attempt to bypass signature-based and heuristic-based endpoint solutions.
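To make the two signature types above concrete (and the “Virus Definitions” item further down), here is an added example, not code from the original article or from the ClamAV project, of a minimal scanner that reads signatures in the layout ClamAV uses for its .hdb (MD5:FileSize:MalwareName) and .ndb (MalwareName:TargetType:Offset:HexSignature) databases. The sample “malware” is the EICAR test string; the signature names, the wildcard subset implemented (??, {n-m}, *) and the modified variants are constructed for illustration. Running it shows that appending one byte defeats the hash signature while the byte-sequence signatures still fire, and that only a wildcarded signature survives a change inside the matched bytes.

```python
import hashlib
import re

# Constructed sample: the EICAR test string, which real scanners flag on purpose.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hash database in ClamAV .hdb layout: MD5:FileSize:MalwareName.
# The MD5 is computed here to mimic the vendor extracting it from a captured sample.
HDB = [f"{hashlib.md5(EICAR).hexdigest()}:{len(EICAR)}:Eicar-Test-Signature"]

# Byte-pattern database in ClamAV .ndb layout: MalwareName:TargetType:Offset:HexSignature.
# TargetType 0 = any file type, Offset * = anywhere in the file. Signature names are made up.
# Wildcards handled below: ?? = any one byte, {n-m} = between n and m bytes, * = any run of bytes.
NDB = [
    "Eicar-Plain:0:*:2445494341522d5354414e44415244",      # "$EICAR-STANDARD", exact bytes
    "Eicar-AnyByte:0:*:244549434152??5354414e44415244",    # "$EICAR?STANDARD", one wildcard byte
    "Eicar-Gap:0:*:244549434152{1-3}5354414e44415244",     # "$EICAR" .. 1-3 bytes .. "STANDARD"
]


def hex_sig_to_regex(sig: str) -> re.Pattern:
    """Translate a ClamAV-style hex signature into a compiled bytes regex."""
    parts = []
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            parts.append(b".*")
            i += 1
        elif sig[i] == "{":
            end = sig.index("}", i)
            body = sig[i + 1:end]
            if "-" in body:
                lo, hi = body.split("-", 1)
                parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
            else:
                parts.append(b".{%s}" % body.encode())
            i = end + 1
        elif sig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(sig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_hdb(lines):
    """{md5_hex: (size_or_star, name)}"""
    db = {}
    for line in lines:
        md5, size, name = line.strip().split(":")
        db[md5] = (size, name)
    return db


def parse_ndb(lines):
    """[(name, target_type, offset, compiled_pattern), ...]"""
    sigs = []
    for line in lines:
        name, target, offset, hexsig = line.strip().split(":")
        sigs.append((name, int(target), offset, hex_sig_to_regex(hexsig)))
    return sigs


def scan(data: bytes, hdb, ndb):
    """Return the names of every signature that matches `data`, hash hit first."""
    hits = []
    size, name = hdb.get(hashlib.md5(data).hexdigest(), (None, None))
    if name and (size == "*" or int(size) == len(data)):
        hits.append(name)
    for name, _target, offset, pattern in ndb:
        matched = pattern.search(data) if offset == "*" else pattern.match(data, int(offset))
        if matched:
            hits.append(name)
    return hits


if __name__ == "__main__":
    hdb, ndb = parse_hdb(HDB), parse_ndb(NDB)
    for label, sample in [
        ("original", EICAR),
        ("one byte appended", EICAR + b"\n"),
        ("'-' changed to '_'", EICAR.replace(b"EICAR-", b"EICAR_")),
        ("'-' changed to '__'", EICAR.replace(b"EICAR-", b"EICAR__")),
    ]:
        print(f"{label:22} -> {scan(sample, hdb, ndb)}")
```

The ordering of the results is the point: the hash entry disappears after the smallest possible change, the exact byte pattern survives until its own bytes are touched, and the wildcarded patterns survive longer still. Real engines add many more wildcard forms, offsets relative to PE sections, and logical signatures combining several patterns, but the mechanics are the same.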
How An Antivirus Works
Just as we humans can get infected and fall ill, our computers can also get infected while they are connected to the Internet. Viruses can get into our computer through things we download from the Internet, such as email attachments or files copied from websites. A virus can destroy our data by wiping it out or making it unusable, and it can also hurt the performance of our computer by slowing it down noticeably. A virus can also transmit our confidential data back to someone else, or let someone take control of our computer remotely and use it for their own purposes.
Antivirus is the most essential software to have on a Windows computer to protect it from viruses.
How The Antivirus Detects Virus❓
Signature detection is a method by which the antivirus scans files as they are brought into a system and compares them against patterns known to be malicious.
In essence, antivirus applications ship with a database of already-analyzed viruses and match the code and patterns in files and web pages against the unique bits and patterns that make up the code of a known virus. If they match, the file is quarantined, meaning it is moved to a new, isolated location so that it cannot infect any other files on the system.
Antivirus programs also check for malicious behavior on a system, such as suspicious registry entries or an unknown program being set to execute automatically at system startup, which helps protect the computer against encrypted viruses or viruses that are still unidentified.
Following is a list of the different virus detection methods an antivirus can use to protect our computer.
Different Ways Of Detecting Virus:
💠 Virus Definitions : This is the original method conventional antivirus software uses to identify viruses.
The programs look for signatures to detect known malware. The antivirus company analyzes a captured sample, extracts an exact signature from it (typically a file hash or a distinctive byte sequence) and stores it in a database. Scanned files are compared against that database, and the device is protected only when a file matches a stored signature.
💠 Heuristic-based detection : Rather than looking for an exact hash or byte sequence, heuristic detection applies rules that describe what malicious code tends to look like: generic patterns shared by a malware family, suspicious instruction sequences, or traits such as packing and self-modifying code. An antivirus equipped with this type of detection can therefore catch new variants of known malware that have no signature yet, but it can also generate false positive matches, which means the scanner may report an uninfected file as an infected one.
💠 Behavior-based detection : If a virus passes the above detection methods, the antivirus then observes the behavior of programs running on the computer and triggers a warning if a program begins to perform suspicious actions such as the following:
-Settings of other programs are changed.
-Dozens of files are modified or deleted.
-Remotely connecting to computers.
This is a useful method for finding viruses or any other type of malware that attempt to steal or log information.
💠 Sandbox Detection : With this method the antivirus runs a program in an isolated virtual environment and records the actions it performs in order to decide whether the program is malicious. If the program is found safe, it is then allowed to execute in the real environment.
This technique is rarely used in consumer antivirus solutions as it is both heavy and slow, but antivirus solutions designed for corporate and network use offer it.
💠 Data Mining : Data mining is a recent development in malware detection that security companies now ship with their antivirus products to detect and eliminate malware that has only just been released. First, a set of features is extracted from each file; then data mining and machine learning algorithms use those features to classify the file as malicious or benign.
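As an added example of the behavior-based detection described above (it is not code from the original article or from any antivirus product), the following scores processes on the three behaviours the list names: changing persistence settings, modifying dozens of files, and connecting to remote computers. The event stream, the process names, the thresholds and the weights are all constructed for illustration; a real engine would collect such events from a kernel driver or ETW rather than from a list.

```python
from collections import defaultdict

# Constructed event stream: (process, action, target, timestamp in seconds).
# A benign editor saves one file; a hypothetical "dropper.exe" adds an autorun key,
# rewrites 25 documents in five seconds, then calls out to a non-LAN address.
EVENTS = [
    ("notepad.exe", "file_write", r"C:\Users\bob\notes.txt", 1.0),
    ("dropper.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater", 2.0),
] + [
    ("dropper.exe", "file_write", rf"C:\Users\bob\Documents\report{i}.docx", 3.0 + i * 0.2)
    for i in range(25)
] + [
    ("dropper.exe", "net_connect", "203.0.113.7:4444", 9.0),   # documentation-range address
]

AUTORUN_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
BURST_COUNT, BURST_WINDOW = 20, 10.0   # >= 20 file changes inside any 10-second window
ALERT_THRESHOLD = 5                    # weights and threshold are illustrative


def is_lan_address(host: str) -> bool:
    """Loopback and RFC 1918 ranges; anything else counts as a remote host."""
    if host.startswith(("127.", "10.", "192.168.")):
        return True
    octets = host.split(".")
    return octets[0] == "172" and 16 <= int(octets[1]) <= 31


def has_burst(times, count=BURST_COUNT, window=BURST_WINDOW) -> bool:
    """Sliding window over timestamps: True if `count` events fall within `window` seconds."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        if end - start + 1 >= count:
            return True
    return False


def analyse(events):
    """Score each process on the three behaviours; returns {process: (score, reasons)}."""
    by_proc = defaultdict(list)
    for proc, action, target, ts in events:
        by_proc[proc].append((action, target, ts))

    verdicts = {}
    for proc, evs in by_proc.items():
        score, reasons = 0, []
        # 1. persistence: writing a value under an autorun key
        if any(a == "reg_set" and any(m in t.lower() for m in AUTORUN_MARKERS) for a, t, _ in evs):
            score += 5
            reasons.append("sets an autorun registry value")
        # 2. mass file modification in a short window
        if has_burst([ts for a, _, ts in evs if a in ("file_write", "file_delete")]):
            score += 3
            reasons.append(f"modifies >= {BURST_COUNT} files within {BURST_WINDOW:g}s")
        # 3. outbound connection to something that is not on the local network
        if any(a == "net_connect" and not is_lan_address(t.rsplit(":", 1)[0]) for a, t, _ in evs):
            score += 2
            reasons.append("connects to a remote host")
        verdicts[proc] = (score, reasons)
    return verdicts


def flagged(events, threshold=ALERT_THRESHOLD):
    """Processes whose behaviour score reaches the alert threshold."""
    return sorted(p for p, (score, _) in analyse(events).items() if score >= threshold)


if __name__ == "__main__":
    for proc, (score, reasons) in analyse(EVENTS).items():
        print(f"{proc:12} score={score:2}  {'; '.join(reasons) or 'nothing suspicious'}")
    print("alert:", flagged(EVENTS))
```

The scoring makes the false-positive trade-off discussed later on this page visible: a backup tool also rewrites many files quickly, and an updater also writes a Run key, so any single rule fires on legitimate software. Requiring a combination of behaviours before alerting is what keeps the noise down, at the cost of missing malware that does only one of them.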
Types of Scans:
Apart from the detection methods explained above, the types of scans an antivirus offers are an equally important measure of how effective it is.
💠 On-Demand Scan : As the name suggests, this scan runs when the user chooses to scan the computer, typically on suspecting abnormal behavior, or when the user schedules it to run at a specified time. It searches the contents of disks, directories and files, as well as boot sectors and system components. On-demand scans are used either as a preventive maintenance activity or when a virus is suspected.
💠 Real-Time Protection : Almost all modern antivirus programs offer this type of automatic protection that runs in background thereby increasing chances of catching malware before it does damage. Thus, these types of scans are also known as ‘background guard’. It basically monitors the system for any suspicious activity in real time while data is loaded into the active memory. For example, when a USB drive is inserted or a downloaded file is executed.
💠 Smart Scans : Under a smart scan, an antivirus only scans the selected files that are more likely to be infected. This type of scan lowers the demand on system resources while still protecting against the more common types of viruses, threats and risks.
What Is a False Positive Detection❓
Because of the sheer amount of software in existence, an antivirus program may occasionally say a file is a virus when it is actually a completely safe file. This is known as a “false positive.” Occasionally, antivirus companies even make mistakes such as identifying Windows system files, popular third-party programs, or their own antivirus program files as viruses. These false positives can damage users’ systems, and such mistakes generally end up in the news, as when Microsoft Security Essentials identified Google Chrome as a virus, AVG damaged 64-bit versions of Windows 7, or Sophos identified itself as malware.
Heuristics can also increase the rate of false positives. An antivirus may notice that a program is behaving similarly to a malicious program and erroneously identify it as a virus.
Despite this, false positives are fairly rare in normal use. If your antivirus says a file is malicious, you should generally believe it. If you’re not sure whether a file is actually a virus, you can try uploading it to VirusTotal (which is now owned by Google). VirusTotal scans the file with a variety of different antivirus products and tells you what each one says about it.