Your browser is obsolete!

The page may not load correctly.

The rules of ”basic hygiene”

Правила гигиены

Other issues in this category (61)
  • add to favourites
    Add to Bookmarks

Anti-virus ABCs

Read: 952 Comments: 15 Rating: 42

A truism is a statement that is obviously true and says nothing new or interesting.

It is common knowledge that an anti-virus engine is a component that exposes malware but doesn't catch it (for more information, please refer to the issue titled “An anti-virus is a complex organism”). To detect malicious code, the engine uses the following tools:

  • Virus database entries (signatures);
  • Information about features typical of known malicious programs;
  • Heuristic technologies.

Thus, an anti-virus engine can detect malware that was previously examined by a virus analyst or is similar to previously analysed malicious samples (in which case, it will be detected by the heuristic analyser).

Anti-virus companies have to update their virus databases constantly. Getting samples of new malicious programs from users whose systems have been compromised by unknown malware is one way to expand the Dr.Web virus database. People submit new malware samples to help those whose machines haven't yet been attacked. But here lies one big problem.

Experience shows that most users and system administrators don't know what to do if a virus incident occurs.

And we're not even talking about the established procedure (which often doesn't exist) that administrators are supposed to follow in the event of a virus-related computer incident (VCI).

Encryption ransomware has been ravaging user data for years (find out more in Encrypt everything)! But, even now, the vast majority of system administrators don't have a clue as to what files they need to submit to the anti-virus laboratory so that Doctor Web’s analysts can unscramble their encrypted files. For example, how many encrypted files are required and what requirements must they meet?

Sad but true; many of them submit for analysis screenshots showing ransom demands!

People do things like this because they don't know what to do, and we can hardly blame them, but screenshots won't get definitions added to the virus databases.

Furthermore, attackers try to cover their tracks: they erase log files, and delete malware components they no longer need (e.g., droppers) from infected systems. As a result, often only active malware components get into the anti-virus laboratory rather than those components that facilitated an infection.

Why is that important? Here is an example. An anti-virus for Android doesn't have elevated privileges and can't access system components. To access them, the devices must be rooted (privilege escalation), which is not good from a security point of view (for more information, please refer to the issue A fish rots from the head down, and a smartphone from the root). But those are the rules established by Android’s developers. Criminals are aware of this, so once a device gets infected, the modules that have “done all the dirty work” are removed. If root access is not available in a system, it is only information about these harmful modules that can help an anti-virus prevent infection.

#anti-virus #encryption #encryption_ransomware

Dr.Web recommends

Prepare for malware attacks in advance!

  • Malicious programs are usually successful at causing infections when someone violates basic security rules, e.g., when users or programs have access to files, applications, or system components they don't normally need, or are allowed to launch and install new software (which is a different problem).
  • Store log files in a secure location and make sure they can't be deleted.
  • Pay attention to what software is being installed or removed.
  • To make sure that Doctor Web's virus analysts can assist you in recovering your data, understand what we need in order to analyse your system’s pre-infection state.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments