Other issues in this category (32)
One step ahead of criminals
Monday, January 16, 2017
Heuristic is a problem-solving approach based on a practical method that can be sufficient to achieve an immediate goal.
An anti-virus heuristic analyser is perceived by many to be a magic bullet. Typically, an explanation as to why anti-viruses fail to detect malware (or more precisely, why they can't detect all of it) is countered with the question: "And what about heuristics?" Let's try to answer it.
In order to detect malware, an anti-virus uses the signatures (also called definitions) in its virus databases. Heuristic technology also uses some of the entries in the databases. However, these entries contain information about entire groups of malicious programs. For example, if malware is generated using a special malware construction kit, all the applications spawned by the kit are likely to be detected with the aid of just one entry.
From this we can draw an important conclusion.
Heuristic technology can't detect malware programs about which it has no information.
This is not some sort of artificial intelligence but rather a sophisticated filtering rule with certain parameters. All the programs that do not match the filtering criteria are allowed to exist and operate in the system.
Is it possible to get around heuristic technology? In theory, this is relatively easy. Create new malware samples and test them on VirusTotal, or purchase and install all the popular anti-viruses and see if they detect the malware. As soon as anti-viruses cease to detect it, the malware can be deployed on target machines.
Is there a way to stay protected? Greed and complexity give advantages to security software.
First, criminals may not understand how certain anti-virus features work. Yes, some of them aren't high profile hackers but just people who want to make easy money. By submitting their malware to VirusTotal, they assume that they are guaranteed to find out whether their new malicious file will be detected. In reality, VirusTotal doesn't use all anti-virus features—there, files are only examined using virus databases. That is, in fact, essentially the way to test heuristic technologies. However, an anti-virus is no longer limited to virus databases and heuristic technologies—it can now scan scripts, make use of behaviour analysis, and much more.
Those who use just an anti-virus do so at their own peril. That’s because products of this kind do not incorporate features that supplement the capabilities of an engine. And if an anti-virus doesn't include a behaviour analysis feature, it won't be able to neutralise unknown threats; its developers are merely taking advantage of the myth that a good anti-virus can detect 100% of malware. Creating malware that will bypass its protection is not difficult at all. Criminals don't even need to buy anything—VirusTotal will suffice.#anti-virus_scan #Dr.Web_technologies
The Anti-virus Times recommends
Crafting malware that won't be detected by any anti-virus is a feasible task. However, anti-viruses that can neutralise malware of this kind (malware that evades heuristic technologies) exist, too.
As a matter of fact, criminals don’t just want to bypass anti-virus protection, they want to do it quickly and get an instant profit. If they realize that crafting malware that won't be detected by a specific anti-virus won't yield much profit, they'd rather try their luck with machines protected by other anti-virus solutions.
Creating malware that will target machines protected with Dr.Web is not a profitable business, and here’s why:
- The FLY-CODE technology facilitates detection of malware that has been disguised with packers that aren't known to Dr.Web. The easiest way to conceal a file is to compress or encrypt it. Virus makers assume that in order to detect such a file, an anti-virus will need a corresponding malware signature. Until it receives the corresponding update, the system will be unprotected and malware will be able to do whatever it wants. But with Dr.Web that's not the case!
- Dr.Web HyperVisor intercepts system calls on the lowest possible system level. An unknown malicious program can't dive deeper than Dr.Web, and, therefore, it will be eliminated as soon as the corresponding update arrives.
- The Dr.Web behaviour analyser controls security from the inside. Using the Dr.Web ShellGuard technology within it, it detects attempts to exploit system processes. If a traditional behaviour analyser springs into action after 5-10 files have already been corrupted, Dr.Web ShellGuard doesn’t give encryption ransomware that chance.
- Dr.Web Anti-spam filters out up to 98% of malicious attachments, and that’s just with the anti-spam technology!
- ScriptHeuristic prevents any malicious browser scripts and PDF documents from being executed, without disabling the features of legitimate scripts.
And, don't forget that when properly configured, Parental/Office Control and the behaviour analyser (including restrictions for processes) can significantly reduce the risk of infection.