The border guard stands strong!
Friday, May 15, 2020
Attackers have learnt to bypass conventional security mechanisms. For example, they obfuscate malicious code and sign it with legitimate certificates to evade anti-virus detection.
Because this issue's author has a bit of a perfectionist streak, statements about obfuscated code bypassing anti-viruses particularly irritate him. One comes across this wording or variations of it quite often—and it is totally incorrect.
If an anti-virus fails to detect malware in this situation, two scenarios are possible. The first: the malicious code is hidden in a process that an anti-virus can't access (in “ancient” times, there was a proof-of-concept program that reserved one CPU core for executing nothing but its own code). The second: a known malicious program has been modified so that its signature changes. To accomplish this, attackers can compress it, obfuscate (re-arrange) its code, and so on. It is in such cases that one speaks about malware bypassing anti-viruses.
But, in fact, nothing gets bypassed. The anti-virus sees a program whose signature has been changed, examines it and, finding no match in its databases, does nothing else. You'll probably object: what's the difference? One way or the other, the malware remains undiscovered. But there is a difference, two in fact.
First, failure to detect a new modification of a well-known program can easily be remedied by updating the virus databases—something an anti-virus does routinely without interfering with the user experience. And to equip an anti-virus with a new monitoring and detection routine, one needs to upgrade it to a newer version. And that is something users don't like to do (and do not do).
Second: Code modification can only help circumvent detection routines that use virus databases. But once a program is examined against known signatures, it will remain under the anti-virus's scrutiny. From that moment on its activity will be monitored by behaviour analysis routines (Preventive Protection).
This technology doesn't rely on conventional signature databases, even though it too gets updated, albeit somewhat less often. In its case, what gets updated are the preventive protection and process behaviour analysis routines and the trusted application database.
Preventive Protection watches over certain system areas and running processes and follows what code is being executed, how, and in what sequence: who starts a process, what parent and child processes are associated with the execution of a certain file, who launched the file and from what location, and so on. This is a complex mechanism that takes a comprehensive approach to system security. It prevents malicious code that can't be detected by its signature from being deployed in a system.
I can't go into details because, first of all, we are talking about a trade secret and, second, because the algorithms are so many and diverse that describing each and every one of them briefly is impossible.
Yet, there’s even more.
An anti-virus may take no action when you run a .bat file if you have downloaded it to a location on your computer and then opted to run it as administrator. In this situation, the sequence of actions indicates that an administrator has taken it upon themselves to perform all these actions with the file and supposedly knows about the file's origin and content.
Meanwhile, if the file is downloaded by some process into a temporary folder, the anti-virus may prevent it from running. This situation can be regarded as suspicious behaviour and, depending on the subsequent actions taken, may be flagged as malicious.
Therefore, the way something is being run can be more important than what kind of code is being executed. And it also matters whether the action is being performed by you or by a system routine.
A reply from Doctor Web’s Technical Support Service
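As an added illustration (not code from Doctor Web's product, whose algorithms the text says are a trade secret), the following Python sketch shows the kind of context-based rule described above: the same .bat file is judged differently depending on where it sits, which process wrote it to disk, and whether a logged-on user deliberately ran it as administrator. All process names, paths and thresholds are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class LaunchEvent:
    """One process-start event as a behaviour monitor might see it (constructed)."""
    image: str          # full path of the file being executed
    parent: str         # image name of the parent process
    written_by: str     # process that wrote the file to disk ("" if unknown)
    interactive: bool   # started by the logged-on user from the shell
    elevated: bool      # user explicitly chose "run as administrator"

# Constructed lists for the example; a real product keeps far richer ones.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")
NETWORK_FACING = {"chrome.exe", "msedge.exe", "outlook.exe", "winword.exe"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".ps1")

def assess(ev: LaunchEvent):
    """Return (verdict, reasons); verdict is 'allow', 'suspicious' or 'block'."""
    path = ev.image.lower()
    reasons = []
    if path.endswith(SCRIPT_EXTS) and any(d in path for d in TEMP_DIRS):
        reasons.append("script executed from a temporary folder")
    if ev.written_by.lower() in NETWORK_FACING:
        reasons.append(f"file was written to disk by {ev.written_by}")
    if not ev.interactive:
        reasons.append(f"launched by {ev.parent}, not by the user")
    # The article's first case: the user downloaded the file and chose to run it
    # as administrator, so the chain of actions shows a deliberate decision.
    if ev.interactive and ev.elevated:
        return "allow", ["user ran the file as administrator"] + reasons
    if len(reasons) >= 2:
        return "block", reasons
    return ("suspicious" if reasons else "allow"), reasons

# Constructed sample events mirroring the two situations in the text.
USER_RUN = LaunchEvent(r"C:\Users\alice\Downloads\fix.bat", "explorer.exe",
                       "chrome.exe", interactive=True, elevated=True)
DROPPED = LaunchEvent(r"C:\Users\alice\AppData\Local\Temp\update.bat",
                      "winword.exe", "winword.exe", interactive=False, elevated=False)
SCHEDULED = LaunchEvent(r"C:\Scripts\backup.bat", "svchost.exe", "",
                        interactive=False, elevated=False)

if __name__ == "__main__":
    for ev in (USER_RUN, DROPPED, SCHEDULED):
        verdict, why = assess(ev)
        print(f"{verdict:10} {ev.image}  <- {'; '.join(why)}")
```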
So everything's under control. The border guard stands strong!
The Anti-virus Times recommends
Do not disable Preventive Protection—it is an important line of defence against disguised malicious programs.