Anti-virus ABCs
Wednesday, September 21, 2016
A truism is a statement that is obviously true and says nothing new or interesting.
It is common knowledge that an anti-virus engine is the component that detects malware; it does not, by itself, neutralise it (for more information, please refer to the issue titled “An anti-virus is a complex organism”). To detect malicious code, the engine relies on the following:
- Virus database entries (signatures);
- Information about features typical of known malicious programs;
- Heuristic technologies.
Thus, an anti-virus engine can detect malware that has previously been examined by a virus analyst, or malware that resembles previously analysed samples closely enough for the heuristic analyser to flag it. A sample that falls outside both cases goes undetected.
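To make the three layers concrete, here is a toy scanner, added as an example and not Dr.Web's engine or any real product: layer 1 matches an exact database entry (here, the SHA-256 of an analysed sample), layer 2 matches byte patterns typical of a known family, and layer 3 scores heuristic traits against a threshold. The signature database, family patterns, feature weights, threshold and all five "executables" are constructed for illustration; the last sample shows the case the paragraph above warns about, a genuinely new dropper that every layer misses until the laboratory receives it.

```python
"""Toy anti-virus engine showing the three detection layers described above.

Added example: this is not Dr.Web's engine. The signature database, the family
patterns, the heuristic features and all samples are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Layer 1: virus database entries. Here an entry is the SHA-256 of a sample that an
# analyst has already examined; a real database uses richer, position-independent records.
SIGNATURES = {}

# Layer 2: features typical of known families. A sample is attributed to a family only
# if every pattern of that family is present (constructed patterns).
FAMILY_PATTERNS = {
    "Trojan.Encoder.Example": [rb"Your files have been encrypted", rb"\.locked"],
}

# Layer 3: heuristics. Each suspicious trait adds to a score; the verdict fires at the
# threshold. Weights and threshold are assumptions for this toy.
HEURISTIC_FEATURES = {
    rb"vssadmin delete shadows": 3,  # destroys restore points before encrypting
    rb"CryptEncrypt": 2,             # bulk encryption API
    rb"bitcoin": 1,                  # ransom payment hint
    rb"DeleteFile": 1,               # also common in benign installers, hence low weight
}
HEURISTIC_THRESHOLD = 4


@dataclass
class Verdict:
    detected: bool
    layer: str   # "signature", "family-pattern", "heuristic" or "none"
    name: str
    score: int = 0


def add_signature(sample: bytes, name: str) -> str:
    """What happens in the lab: an analysed sample becomes a database entry."""
    digest = hashlib.sha256(sample).hexdigest()
    SIGNATURES[digest] = name
    return digest


def scan(data: bytes) -> Verdict:
    """Apply the layers in order: exact signature, then family patterns, then heuristics."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        return Verdict(True, "signature", SIGNATURES[digest])
    for family, patterns in FAMILY_PATTERNS.items():
        if all(re.search(p, data) for p in patterns):
            return Verdict(True, "family-pattern", family)
    score = sum(w for pat, w in HEURISTIC_FEATURES.items() if re.search(pat, data))
    if score >= HEURISTIC_THRESHOLD:
        return Verdict(True, "heuristic", "Trojan.Encoder.Heur", score)
    return Verdict(False, "none", "", score)


# Constructed samples standing in for executables (fake MZ header plus strings).
KNOWN_SAMPLE = (b"MZ\x90\x00 | Your files have been encrypted! Pay 1 bitcoin. "
                b"Extension: .locked | vssadmin delete shadows /all")
add_signature(KNOWN_SAMPLE, "Trojan.Encoder.Example")   # the analyst has seen this one

# Same family, one byte of ransom text changed: the signature misses, the patterns hit.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"1 bitcoin", b"2 bitcoin")

# Unrelated code with enough ransomware traits to trip the heuristic analyser (score 6).
NOVEL_SAMPLE = b"MZ\x90\x00 | CryptEncrypt | vssadmin delete shadows /all | DeleteFile"

# Ordinary installer: shares two low-weight traits (score 2), stays below the threshold.
BENIGN_SAMPLE = b"MZ\x90\x00 | setup: DeleteFile old version; bundled bitcoin price widget"

# Genuinely new dropper with no analysed relative: every layer misses. This is the
# sample the laboratory needs before the engine can do anything about it.
UNSEEN_SAMPLE = b"MZ\x90\x00 | unpack payload, register service, start, remove self"


if __name__ == "__main__":
    samples = [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("novel", NOVEL_SAMPLE),
               ("benign", BENIGN_SAMPLE), ("unseen", UNSEEN_SAMPLE)]
    for label, sample in samples:
        print(f"{label:8s} -> {scan(sample)}")
    # Once the lab has the dropper, it becomes a database entry and is caught on sight.
    add_signature(UNSEEN_SAMPLE, "Trojan.Dropper.Example")
    print(f"{'unseen':8s} -> {scan(UNSEEN_SAMPLE)}  (after the sample reached the lab)")
```

The order of the layers matters: the cheap exact lookup runs first, family patterns catch the retouched variant that a hash would miss, and the heuristic only fires when enough independent traits pile up, which is why the installer that merely calls DeleteFile stays clean. The unseen dropper is undetected by all three until someone submits it, which is the whole point of the paragraphs that follow.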
Anti-virus companies have to update their virus databases constantly. Getting samples of new malicious programs from users whose systems have been compromised by unknown malware is one way to expand the Dr.Web virus database. People submit new malware samples to help those whose machines haven't yet been attacked. But here lies one big problem.
Experience shows that most users and system administrators don't know what to do if a virus incident occurs.
And we're not even talking about the established procedure (which often doesn't exist) that administrators are supposed to follow in the event of a virus-related computer incident (VCI).
Encryption ransomware has been ravaging user data for years (find out more in Encrypt everything)! But, even now, the vast majority of system administrators don't have a clue as to what files they need to submit to the anti-virus laboratory so that Doctor Web’s analysts can unscramble their encrypted files. For example, how many encrypted files are required and what requirements must they meet?
Sad but true: many of them submit screenshots of the ransom demand for analysis!
People do things like this because they don't know what to do, and we can hardly blame them, but screenshots won't get definitions added to the virus databases.
Furthermore, attackers try to cover their tracks: they erase log files and delete the malware components they no longer need (e.g., droppers) from infected systems. As a result, often only the active payload reaches the anti-virus laboratory, not the components that delivered it.
Why is that important? Here is an example. An anti-virus for Android runs without elevated privileges and cannot access system components. Gaining such access requires rooting the device (privilege escalation), which is bad from a security point of view (for more information, please refer to the issue A fish rots from the head down, and a smartphone from the root). But those are the rules set by Android’s developers. Criminals know this, so once a device is infected, the modules that have “done all the dirty work” are removed. On a system where root access is unavailable, the anti-virus can only block the infection while those modules are still present, and for that it needs information about them: without samples of the droppers and installers, it has nothing to recognise before the damage is done.
The Anti-virus Times recommends
Prepare for malware attacks in advance!
- Malicious programs usually succeed in infecting a system when basic security rules are violated, e.g., when users or programs have access to files, applications or system components they don't normally need, or are allowed to launch and install new software (which is a separate problem).
- Store log files in a secure location and make sure they can't be deleted.
- Pay attention to what software is being installed or removed.
- To make sure that Doctor Web's virus analysts can assist you in recovering your data, understand what we need in order to analyse your system’s pre-infection state.
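The two recommendations about logs (attackers erase log files, so keep copies somewhere they can't be deleted) are easy to state and easy to get wrong in practice. The script below is an added example, not Dr.Web's tooling: it copies the logs to a separate archive directory with a manifest of sizes and hashes, and a verification pass later reports which logs are missing, truncated or rewritten. It does not make logs undeletable by itself; that is the job of the storage (a remote log server, a write-once share, or on Linux an append-only attribute set with chattr +a). Directory names and the log lines are constructed.

```python
"""Tamper-evident copy of log files with a verification pass.

Added example, not Dr.Web code. It does not make logs undeletable by itself: the
preventive control is the storage (a write-once share, a remote log server, or an
append-only attribute on the file); this script is the detective counterpart that
tells you which logs were erased or rewritten. Directory names and log lines are
constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256_prefix(path: Path, length: int) -> str:
    """Hash the first `length` bytes of a file (the part the manifest vouches for)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def snapshot_logs(log_dir, archive_dir) -> dict:
    """Copy every file under log_dir into archive_dir and write a manifest.

    archive_dir is assumed to be out of the attacker's reach; the function copies
    and records, it cannot enforce that.
    """
    log_dir, archive_dir = Path(log_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(log_dir).as_posix()
        dest = archive_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 keeps the timestamps, which analysts want
        size = path.stat().st_size
        manifest[rel] = {"size": size, "sha256": _sha256_prefix(path, size)}
    (archive_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_logs(log_dir, manifest) -> dict:
    """Compare live logs with the manifest.

    Returns {relative path: "ok" | "missing" | "truncated" | "modified"}. Logs grow
    legitimately, so a longer file whose recorded prefix is intact is "ok"; a shorter
    file or a changed prefix is evidence that someone edited history.
    """
    log_dir = Path(log_dir)
    result = {}
    for rel, rec in manifest.items():
        path = log_dir / rel
        if not path.is_file():
            result[rel] = "missing"
        elif path.stat().st_size < rec["size"]:
            result[rel] = "truncated"
        elif _sha256_prefix(path, rec["size"]) != rec["sha256"]:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    return result


def demo() -> dict:
    """Snapshot three constructed logs, then simulate an intruder's clean-up and verify."""
    base = Path(tempfile.mkdtemp())
    logs, archive = base / "var_log", base / "archive"
    logs.mkdir()
    (logs / "auth.log").write_text("Sep 21 10:00:01 host sshd[412]: Accepted password for admin\n")
    (logs / "syslog").write_text("Sep 21 10:00:02 host kernel: boot\n")
    (logs / "app.log").write_text("2016-09-21 10:00:03 app started\n")
    manifest = snapshot_logs(logs, archive)

    (logs / "auth.log").unlink()                                         # login trail erased
    (logs / "syslog").write_text("Sep 21 10:00:02 host kernel: fine\n")  # rewritten, same length
    with (logs / "app.log").open("a") as f:                              # legitimate growth
        f.write("2016-09-21 10:05:00 app request handled\n")
    return verify_logs(logs, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} {status}")
```

Run the snapshot on a schedule from a host the attacker does not control (pulling over SSH or a read-only share), and keep the archive itself write-once; a same-length rewrite is caught because the prefix hash changes even though the size does not, which is exactly the kind of edit a size-only check would miss. On Linux, chattr +a on the live files adds the preventive half: appends still succeed, but deleting or truncating needs CAP_LINUX_IMMUTABLE, which ordinary compromised services do not have.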