About the Dr.Web virus library and the importance of anti-virus updates
Wednesday, December 15, 2021
The Dr.Web virus library is a huge repository of "fingerprints" of various threats. Here, the malicious files sent in by you, our users, as well as those found by virus analysts, are collected. In many ways, it is precisely the virus library that allows Dr.Web products to work the way they do. In today's issue of the Anti-virus Times, we will dispel the myths about the virus library and answer the most popular questions: how the collection is filled, where the threats come from, and why the anti-virus needs to be updated so often.
How the virus library is filled
Every day, the Doctor Web virus laboratory receives over a million potentially malicious samples. A specially designed robot-analyst continuously investigates hundreds of thousands of threats. If a threat turns out to be real, it lands in the virus collection.
An analysis of the technologies used by cybercriminals allows us to draw conclusions about the virus industry’s possible vectors of development and more effectively confront future threats.
Some of the files we receive aren't malicious. In addition, some samples may be sent repeatedly. The automation of the scanning process frees virus analysts up so that they can spend their time examining only complex samples of malicious programs that cannot be processed automatically. This is one more reason why Dr.Web products are distinguished by a very high level of curing quality.
Each new threat is entered into a library that is available for general viewing. There, malware is sorted by the date it was added. Any user can find a threat that interests them in our virus library. They can view more details about a threat by clicking on the "Details" link. Not all threats are described in detail—and, of course, the robot is to blame for that. The fact is that many threats remain outside the view of a “living” specialist since they have simply either already been examined or are of no particular interest.
In turn, the threats that appear in our investigations or news posts are described in as much detail as possible. As an example, let's use the description of BackDoor.PlugX.38, which was carefully compiled by a team of virus analysts. In general, as you can see, the description is quite unified: the date it was added to the virus database, the presence of a packer, the SHA-1 hash and a detailed disassembled principle of operation. Of course, this information is provided mainly for savvy specialists, but a less sophisticated user can find curious facts about already known threats.
Where threats come from
Most threats are sent in by users, but special objects also exist—these are processed by virus analysts. For example, malware was recently discovered on AppGallery. It turned out to be one of the modifications of Android.Cynos.7.origin. The malicious applications collected information about device owners and displayed ads.
It is important to note that when we find something like this, it means that, thanks to us, another criminal scheme for illegal earnings has failed. Criminals deliberately launch and promote malware, knowing in advance that law enforcement officers will take an interest in them. Each country has its own cybercrime laws, but the fact remains—Doctor Web employees recognised how the scheme worked, analysed it and added a corresponding description of the threat to the virus library. After that, the relevant authorities can focus on the cybercriminals' activities. You will only have to update the anti-virus on time manually if you have disabled automatic updates.
Everything we talked about before this pertains to signature anti-viruses. This is a rather outdated detection method based solely on threats contained in the database. We move forward, keeping pace with technologies, so we've designed Dr.Web KATANA—a non-signature anti-virus that even protects systems from zero-day vulnerabilities. KATANA saves systems from those threats that simply have not yet been processed by our virus laboratory. Among them may be encryption ransomware, injectors, blockers, and other representatives of malware.
Why an anti-virus should be updated
We sincerely hope that every reader, by the time they read these lines, has already formed an opinion about the importance of updating an anti-virus. Despite this, we will explain once again why all programs (especially anti-viruses) need to be updated regularly. When installing the classic signature-based Dr.Web anti-virus, the user agrees to install updates automatically, but many users subsequently disable this feature or endlessly click on "update later". Every time you postpone an update, your device stays unprotected.
Imagine such a situation: a brand-new threat appears, it gets to our laboratory less than 24 hours after its appearance, and within a few hours a record about the new threat is added to the virus database. Users who have enabled the automatic update option will be protected as soon as the threat is processed in the virus laboratory. In the opposite case, a device may become infected and then only Dr.Web CureIt! will help.
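The scenario above can be replayed in a few lines. The following is an added illustration, not Dr.Web's code or a model of how its products work internally: a toy signature database that maps SHA-1 fingerprints (the identifier shown in the threat descriptions) to threat names, records when it was last refreshed, and treats a copy older than an assumed 24-hour policy as stale. The sample "files", threat names and the freshness limit are all constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample files (not real malware): their hashes are computed from
# these bytes at runtime, so the example needs no real threat data.
SAMPLE_KNOWN = b"constructed sample: threat already in the database"
SAMPLE_NEW = b"constructed sample: brand-new threat, not yet processed"
SAMPLE_CLEAN = b"constructed sample: harmless document"

MAX_DB_AGE = timedelta(hours=24)  # assumed freshness policy for this example


def sha1_hex(data: bytes) -> str:
    """SHA-1 fingerprint of a file's bytes, as listed in the threat descriptions."""
    return hashlib.sha1(data).hexdigest()


class SignatureDB:
    """Minimal stand-in for a locally installed virus database: hash -> threat name."""

    def __init__(self, entries: dict, updated_at: datetime):
        self.entries = dict(entries)
        self.updated_at = updated_at

    def lookup(self, digest: str):
        return self.entries.get(digest)

    def is_stale(self, now: datetime) -> bool:
        # A database that has not been refreshed within the policy window is stale.
        return now - self.updated_at > MAX_DB_AGE

    def apply_update(self, new_entries: dict, now: datetime) -> int:
        """Merge a published update and stamp the refresh time; returns new record count."""
        before = len(self.entries)
        self.entries.update(new_entries)
        self.updated_at = now
        return len(self.entries) - before


def scan(data: bytes, db: SignatureDB, now: datetime) -> dict:
    """Hash the file, look it up, and report whether the database is overdue for an update."""
    digest = sha1_hex(data)
    threat = db.lookup(digest)
    return {
        "sha1": digest,
        "verdict": "detected" if threat else "not detected",
        "threat": threat,
        "db_stale": db.is_stale(now),
    }


def run_scenario() -> dict:
    """Replay the situation from the text: a user who postponed updates for two days
    meets a threat that the laboratory added to the database only hours ago."""
    now = datetime(2021, 12, 15, 12, 0, tzinfo=timezone.utc)
    # Local database last refreshed two days ago, holding only the older threat.
    db = SignatureDB({sha1_hex(SAMPLE_KNOWN): "Constructed.Threat.1"}, now - timedelta(days=2))
    before = {
        "known": scan(SAMPLE_KNOWN, db, now),
        "new": scan(SAMPLE_NEW, db, now),
        "clean": scan(SAMPLE_CLEAN, db, now),
    }
    # The laboratory's newest record; installing it is what "updating on time" means here.
    added = db.apply_update({sha1_hex(SAMPLE_NEW): "Constructed.Threat.2"}, now)
    after = {
        "new": scan(SAMPLE_NEW, db, now),
        "clean": scan(SAMPLE_CLEAN, db, now),
    }
    return {"before": before, "after": after, "records_added": added}


if __name__ == "__main__":
    result = run_scenario()
    for phase in ("before", "after"):
        for label, r in result[phase].items():
            print(f"{phase:6} {label:5} {r['verdict']:13} db_stale={r['db_stale']}")
```

Before the update the brand-new sample passes as "not detected" even though the laboratory has already processed it; the stale flag is the only hint something is wrong. After the update is applied the same bytes are detected, which is the whole point of not clicking "update later".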
The Anti-virus Times recommends
- Update your Dr.Web regularly.
- Use signature and non-signature anti-viruses to provide maximum protection for your device.
- Remember that if you have any questions, you can always contact Doctor Web's technical support service.
- Your device remains vulnerable to threats for as long as you postpone updates.