On the frontline: Doctor Web’s security researchers at work
Wednesday, March 3, 2021
It’s common knowledge that any anti-virus’s effectiveness is based on its virus databases being kept up to date. The more signatures—digital "fingerprints" of various threats—that are in an anti-virus module's memory, the fewer chances malware has to remain undetected when it tries to access a protected device. For the protection to be reliable, the time between when new threats emerge and their signatures get added to the database must be minimised, so Dr.Web receives updates every hour. Keeping up such a pace requires a great deal of work, especially given the continuous stream of new malicious programs in the digital space. After all, every day the Doctor Web anti-virus laboratory receives nearly a million malicious samples for analysis!
In this issue, we will lift the veil of secrecy and tell you about the guards on the frontline—those without whom the work of any anti-virus product is inconceivable: the virus analysts and their laboratories.
But first, some statistics. As noted above, every day, our laboratory receives up to one million samples for analysis. "How can they process this amount of data in a single day?", you'll probably ask. It is worth mentioning that not all of the received samples are malicious a priori. However, all of them are potentially malicious, so each must be analysed. For example, every day, our analysts identify nearly 40,000 new threats for Android.
Of course, the automated system helps tremendously in this process. Nearly 93%–95% of all samples are successfully processed by a special, unique virus-flow processing system. The remaining portion is processed manually by analysts, and the software system mentioned above greatly assists them in their work.
A virus laboratory is divided into several teams, and each is responsible for specific tasks.
- Internal development and analysis automation.
This group is responsible for the development of the automated analysis infrastructure, "honey pots", and Dr.Web vxCube.
- Flow processing, user requests, and technical support.
This group is responsible for processing the incoming stream of threats that cannot be processed automatically. In addition, this department deals with all customer and technical support requests.
- Research and complex threat analysis.
Here our specialists study complex and unknown threats, botnets, and cyber-attacks. This department is also responsible for decrypting files that have been corrupted by encryption ransomware, and it also investigates various virus-related computer incidents.
- Mobile threat analysis.
Specialists in this department focus on different mobile device threats.
There are two ways to analyse a threat. The first is using a so-called "test sandbox" that is based on Dr.Web vxCube and modified to carry out our tasks. The second method is manual testing using virtual machines and emulators.
How much time does it take to analyse samples manually? It is worth noting that an analyst does not always need to resort to dynamic testing to determine whether a software program is dangerous. An experienced analyst requires up to 5 minutes to examine a suspicious file, analyse its source code, and determine its status. If the file is malicious, the analyst adds it to the virus database.
However, when our specialists carry out a full investigation of complex threats and the goal is to understand how they work, a sample’s analysis can take up to one week, which includes the time spent creating a "raw" technical description for internal use. How long this task takes depends heavily on the amount of code that is to be analysed.
It should be said that all samples are classified using a variety of algorithms. If the laboratory finds previously unknown samples (for example, an entirely new trojan family), the analysts conduct their own research.
Where do virus researchers get all these samples? There are several sources, for example: virus aggregators, "honey pots" and spam traps, our own telemetry system, and, of course, users themselves. We are constantly exchanging virus samples with other anti-virus vendors.
The Anti-virus Times recommends
Thus, behind the scenes of regular virus database updates and an effectively working anti-virus system is a single, well-oiled machine keeping guard over digital security 24/7. Virus makers never rest, so Doctor Web's analysts never cease their watch—this is a technology race that has no end.
We think that it is logical to finish this issue with a simple recommendation: trust Dr.Web! We have first-rate specialists.