The Anti-virus Times

Wednesday, January 31, 2018

Every now and then we hear about malicious programs bypassing anti-virus protection. Indeed, this can happen but not always the same way.

The most common approach is to encrypt an already-known Trojan or another malicious program. The file is encrypted or packed to prevent an anti-virus from extracting the contents and thus recognise the threat. This can be achieved by using packers that create files whose format is alien to anti-viruses.

But one way or another, the Trojan gets analysed. There is no way of getting through a security routine undetected. .

Let's use an example from the real world. Imagine you are a security guard; people walk by your post, and your task is to expose offenders and troublemakers. You do so using formal criteria (the presence of an ID/security pass) or by assessing people's appearance (is the person walking normally or are they crawling on all fours and barely able to speak?). Visual inspection is an interception technique, and only an “invisible man” can enter unnoticed. In real life that’s not possible, which is why all you need is security staff guarding the entrance.

But how can an intruder dodge a security check? Well, they could dig a tunnel or sneak in through an open window.

Is there a way to prevent that? Sure; order a security team with dogs to patrol the premises.

An anti-virus controls applications that are being launched (e.g., the file monitor), which is analogous to what a checkpoint security guard does. Even if an unpatched vulnerability exists in a system, for an exploit file to be launched, the file must be present in the system (this is how WannaCry infected machines). And should the file appear on the disk, a security check will determine whether it matches any existing profiles.

And the anti-rootkit works as a system patrol and examines running processes regularly. It should also be noted that some malicious programs don't exist as files. These are fileless viruses, and malicious code can also be injected into a legitimate process without creating another file on the disk.

So it turns out that one way or another an anti-virus will scan the file and there is no way to bypass the protection. But why are Trojans being launched and the media is still reporting that malware is bypassing detection?

Here we won't discuss incidents occurring when an anti-virus was disabled or wasn’t updated. The problem is that the file monitor and anti-rootkit detect malware using "profiles", i.e., database entries. If no match is found, a program can be allowed to launch. Is this right? Well, imagine police grabbing everyone entering a house (a thief as well as a neighbour who just dropped by to say "hello").

An anti-virus could "shoot" everyone in sight, but it mustn't do that.

Is there another solution? Yes, track everyone who has entered the protected area. So the preventive protection monitors the actions of running programs.

But what about circumvented protection? In most cases, that becomes possible because of the “stingy landlord” guarding the territory. An ordinary anti-virus looks for malware using only signatures in its virus databases. And if no signature is present, it obeys the law and lets the intruder pass. Meanwhile, a comprehensive solution such as Dr.Web Security Space will cut down the intruder as soon as they do something suspicious.

In conclusion. If you read a news post telling you about malware evading detection, most probably incorrect terminology is being used to speak about a file whose signature is not yet present in virus databases. The signature will appear within a maximum of two hours after the first attack has commenced. And if the anti-virus had been configured properly, the incident would never have happened.