Your browser is obsolete!

The page may not load correctly.

Anti-virus fallacies

Антивирусная неправда

Other issues in this category (35)
  • add to favourites
    Add to Bookmarks

Daily operation of a checkpoint

Read: 680 Comments: 6 Rating: 9

Every now and then we hear about malicious programs bypassing anti-virus protection. Indeed, this can happen but not always the same way.

The most common approach is to encrypt an already-known Trojan or another malicious program. The file is encrypted or packed to prevent an anti-virus from extracting the contents and thus recognise the threat. This can be achieved by using packers that create files whose format is alien to anti-viruses.

Fly-Code technology ensures the high-quality scanning of packed executables and virtualised file execution to unpack any (even non-standard) packers; this makes it possible to detect viruses unknown even to Dr.Web anti-virus software, without extracting the archived file(s). This technology also enables Dr.Web to perform its tasks with a smaller virus database.

But one way or another, the Trojan gets analysed. There is no way of getting through a security routine undetected. .

Let's use an example from the real world. Imagine you are a security guard; people walk by your post, and your task is to expose offenders and troublemakers. You do so using formal criteria (the presence of an ID/security pass) or by assessing people's appearance (is the person walking normally or are they crawling on all fours and barely able to speak?). Visual inspection is an interception technique, and only an “invisible man” can enter unnoticed. In real life that’s not possible, which is why all you need is security staff guarding the entrance.

But how can an intruder dodge a security check? Well, they could dig a tunnel or sneak in through an open window.

Is there a way to prevent that? Sure; order a security team with dogs to patrol the premises.

An anti-virus controls applications that are being launched (e.g., the file monitor), which is analogous to what a checkpoint security guard does. Even if an unpatched vulnerability exists in a system, for an exploit file to be launched, the file must be present in the system (this is how WannaCry infected machines). And should the file appear on the disk, a security check will determine whether it matches any existing profiles.

And the anti-rootkit works as a system patrol and examines running processes regularly. It should also be noted that some malicious programs don't exist as files. These are fileless viruses, and malicious code can also be injected into a legitimate process without creating another file on the disk.

So it turns out that one way or another an anti-virus will scan the file and there is no way to bypass the protection. But why are Trojans being launched and the media is still reporting that malware is bypassing detection?

Here we won't discuss incidents occurring when an anti-virus was disabled or wasn’t updated. The problem is that the file monitor and anti-rootkit detect malware using "profiles", i.e., database entries. If no match is found, a program can be allowed to launch. Is this right? Well, imagine police grabbing everyone entering a house (a thief as well as a neighbour who just dropped by to say "hello").

An anti-virus could "shoot" everyone in sight, but it mustn't do that.

Is there another solution? Yes, track everyone who has entered the protected area. So the preventive protection monitors the actions of running programs.

But what about circumvented protection? In most cases, that becomes possible because of the “stingy landlord” guarding the territory. An ordinary anti-virus looks for malware using only signatures in its virus databases. And if no signature is present, it obeys the law and lets the intruder pass. Meanwhile, a comprehensive solution such as Dr.Web Security Space will cut down the intruder as soon as they do something suspicious.

In conclusion. If you read a news post telling you about malware evading detection, most probably incorrect terminology is being used to speak about a file whose signature is not yet present in virus databases. The signature will appear within a maximum of two hours after the first attack has commenced. And if the anti-virus had been configured properly, the incident would never have happened.

#Dr.Web #FLY-CODE #anti-virus #Dr.Web_settings #preventive_protection #Dr.Web_technologies

Dr.Web recommends

On June 15, a Wednesday, Europol reported that six crypter-service customers were arrested in European countries. Code-named Neuland, the operation was ongoing for a year. It started in April 2016 when a 22-year-old German national was arrested by police. The unidentified resident of Koblenz was accused of creating a crypter service and a counter-antivirus testing platform. Europol provided no information regarding the actual site addresses involved.

This is the first large-scale campaign we’ve heard of that targets those enabling malware to circumvent anti-virus defences, rather than those engaged in spreading malware.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.