On the frontline: Doctor Web’s security researchers at work
Wednesday, March 3, 2021
It’s common knowledge that any anti-virus’s effectiveness is based on its virus databases being kept up to date. The more signatures—digital "fingerprints" of various threats—that are in an anti-virus module's memory, the fewer chances malware has to remain undetected when it tries to access a protected device. For the protection to be reliable, the time between when new threats emerge and their signatures get added to the database must be minimised, so Dr.Web receives updates every hour. Keeping up such a pace requires a great deal of work, especially given the continuous stream of new malicious programs in the digital space. After all, every day the Doctor Web anti-virus laboratory receives nearly a million malicious samples for analysis!
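To make the signature idea concrete, here is a small added example (not Doctor Web's code, and no real malware is involved): a toy signature database that matches files first by exact SHA-256 hash and then by a byte pattern shared across a family. The sample byte strings, threat names and the `SignatureDB` class are constructed for illustration. It shows the gap the article describes: a recompiled variant slips past an exact-hash signature until an analyst adds a family pattern, after which both samples are caught while the clean file still passes.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SignatureDB:
    """Toy signature database: exact file hashes plus byte-pattern 'fingerprints'."""
    hashes: dict = field(default_factory=dict)    # sha256 hex digest -> threat name
    patterns: dict = field(default_factory=dict)  # byte pattern -> threat name

    def add_hash(self, data: bytes, name: str) -> None:
        # Exact-match signature: catches this one sample and nothing else.
        self.hashes[hashlib.sha256(data).hexdigest()] = name

    def add_pattern(self, pattern: bytes, name: str) -> None:
        # Family signature: a byte sequence an analyst found common to all variants.
        self.patterns[pattern] = name

    def scan(self, data: bytes) -> Optional[str]:
        """Return the matching threat name, or None if no signature fires."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:
            return self.hashes[digest]
        for pattern, name in self.patterns.items():
            if pattern in data:
                return name
        return None

# Constructed "files": a fake PE-like header followed by a distinguishing body.
# These are placeholders, not real executables or real malware.
HEADER = b"MZ" + b"\x00" * 62
SAMPLE_V1 = HEADER + b"\xde\xad\xbe\xef payload v1"   # first sample seen by the lab
SAMPLE_V2 = HEADER + b"\xde\xad\xbe\xef payload v2"   # recompiled variant of the same family
CLEAN_FILE = HEADER + b"hello world"

def demo():
    """Scan all three files before and after a family pattern is added."""
    db = SignatureDB()
    db.add_hash(SAMPLE_V1, "Trojan.Example.1")           # hypothetical threat name
    before = (db.scan(SAMPLE_V1), db.scan(SAMPLE_V2), db.scan(CLEAN_FILE))

    # The analyst studies v1 and v2 and extracts the shared byte sequence.
    db.add_pattern(b"\xde\xad\xbe\xef payload", "Trojan.Example")
    after = (db.scan(SAMPLE_V1), db.scan(SAMPLE_V2), db.scan(CLEAN_FILE))
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before family signature:", before)
    print("after family signature: ", after)
```

Real engines use far richer matching (normalised code regions, emulation, heuristics) than a substring search, but the lifecycle is the same: a sample arrives, an analyst or an automated system derives a signature, and until that signature ships the variant is a detection gap. That is why the update cadence in the paragraph above matters.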
In this issue, we will lift the veil of secrecy and tell you about the guards on the frontline—those without whom the work of any anti-virus product is inconceivable: the virus analysts and their laboratories.
But first, some statistics. As noted above, every day our laboratory receives up to one million samples for analysis. "How can they process this amount of data in a single day?", you'll probably ask. It is worth mentioning that not all of the received samples are malicious a priori. However, they are all potentially malicious, so each must be analysed. For example, every day our analysts identify nearly 40,000 new threats for Android.
Of course, automation helps tremendously in this process. Some 93-95% of all samples are processed successfully by a special, in-house virus-flow processing system. The remaining portion is processed manually by analysts, and the same software system assists them greatly in their work.
A virus laboratory is divided into several teams, and each is responsible for specific tasks.
- Internal development and analysis automation.
This group is responsible for the development of the automated analysis infrastructure, "honey pots", and Dr.Web vxCube.
- Flow processing, user requests, and technical support.
This group is responsible for processing the incoming stream of threats that cannot be processed automatically. In addition, this department deals with all customer and technical support requests.
- Research and complex threat analysis.
Here our specialists study complex and unknown threats, botnets, and cyber-attacks. This department is also responsible for decrypting files that have been corrupted by encryption ransomware, and it also investigates various virus-related computer incidents.
- Mobile threat analysis.
Specialists in this department focus on different mobile device threats.
There are two ways to analyse a threat. The first is using a so-called "test sandbox" that is based on Dr.Web vxCube and modified to carry out our tasks. The second method is manual testing using virtual machines and emulators.
How much time does it take to analyse samples manually? It is worth noting that an analyst does not always need to resort to dynamic testing to determine whether a program is dangerous. An experienced analyst needs up to 5 minutes to examine a suspicious file, analyse its code, and determine its status. If the file is malicious, the analyst adds it to the virus database.
However, when our specialists carry out a full investigation of a complex threat and the goal is to understand how it works, analysing a sample can take up to one week, including the time spent writing a "raw" technical description for internal use. How long this takes depends heavily on the amount of code that has to be analysed.
It should be said that all samples are classified using a variety of algorithms. If the laboratory finds previously unknown samples (for example, an entirely new trojan family), the analysts conduct their own research.
Where do virus researchers get all these samples? There are several sources, for example: virus aggregators, "honey pots" and spam traps, our own telemetry system, and, of course, users themselves. We are constantly exchanging virus samples with other anti-virus vendors.
The Anti-virus Times recommends
Thus, behind the scenes of regular virus database updates and an effectively working anti-virus system is a single, well-oiled machine keeping guard over digital security 24/7. Virus makers never rest, so Doctor Web's analysts never cease their watch—this is a technology race that has no end.
We think that it is logical to finish this issue with a simple recommendation: trust Dr.Web! We have first-rate specialists.
Tell us what you think
A feature film popped onto my server, and I could see this feature film was not a feature film, and I could see that I was feeding it to others from my server. The feature film was not an MP4; it was a .exe. Believing nobody could possibly be stupid enough to click on a .exe thinking it was a feature film MP4, I allowed it to linger.
So I waited for Doctor Web to pop up a message, and nothing. So I figured, oh well, Doctor Web is drunk, and I decided to manually delete the file. So I paused it, and Doctor Web popped up telling me it was malware.
Now, was Doctor Web drunk? Or a bit punched around, punch-drunk on that day? Who knows?
The moral of the story is you have to use common sense and not do silly things believing that a virus scanner can do everything for you because you have got to work together.
There is no perfect security, and silly people like me who run a server with an Xfce GUI exist all over the world in their millions.
Now, if my Doctor Web can stay off the alcohol, to allow me to continue for another 5 years or so running my Xfce GUI like an idiot, that would be great. Normally Dr.Web stops them from being uploaded long before they get to me. And this primitive .exe was such an old one.
Let us try to work together.
But this is an awful lot! Is it really so?
It seems that the work of antivirus companies will never decrease. Unless the psychology of virus writers changes...
But there is little hope for that. Business, however, is nothing personal.
P.S. Or maybe they (virus writers) should be choked, drowned, quartered?