Enhance your operating system with Dr.Web KATANA
Monday, May 2, 2022
From the moment they appeared more than 30 years ago, anti-viruses have applied two fundamentally different approaches to detecting threats: signature-based and non-signature-based.
The signature-based method involves identifying certain features of a particular malicious program — signatures — and detecting files or processes that correspond to them on a protected computer. The very first anti-viruses used signature detection to recognise malware. That was quite justified since at the turn of the 1980s and 1990s, relatively few viruses existed, and the operating systems in use were predominantly single-task — they could perform only one task at a time, which made it impossible for anti-viruses to exist in their modern, resident sense. Users had to run a scanner manually each time they wanted to check a computer or a floppy disk. The classic representative of a signature anti-virus of that era is the legendary Aidstest designed by Dmitry Lozinsky.
However, polymorphic viruses appeared in the early 1990s. Such malware modified its code every time it infected a system or was executed, which made detecting it via signature-based methods ineffective or even impossible. In our country, the Dr.Web anti-virus became a pioneer in the use of non-signature methods for detecting malware, using code emulation and heuristic analysis.
Over the next three decades, non-signature methods developed actively, and Dr.Web deservedly took its place among the leaders implementing behavioural analysis of applications and preventive protection of computers against unknown threats.
Today, most anti-virus products use a combination of signature and non-signature methods to detect malware. This makes it possible to achieve a high level of protection, but it is still necessary to understand that no matter how well anti-viruses detect malware, they cannot detect absolutely all malicious programs, especially when it comes to new and unknown threats or situations when an anti-virus is operating in non-standard conditions — for example, when it cannot regularly receive signature database updates because Internet access is unavailable.
The logical solution seems to be to have a plan B… and that is to install one more anti-virus. Anti-virus solutions from different manufacturers use different methods to detect malware and signatures, which means that the chances for success are higher. But our readers probably know that using two anti-viruses in one system is not a good idea.
First, this approach will inevitably cause conflicts between the two anti-virus programs, each of which can classify the actions of the other as malicious activity.
Second, two signature anti-viruses installed in one system will inevitably overload a computer due to the simultaneous access to scanned files and the total consumption of resources.
One day we thought: why not make an anti-virus that will not conflict with other developers’ solutions and will not consume a lot of resources, but, at the same time, will be able to significantly enhance system security by using the most advanced non-signature tools that have been tested in Dr.Web Security Space? This is how Dr.Web KATANA, a lightweight, non-signature anti-virus, designed to be an indispensable assistant of your main defender, was born.
Dr.Web KATANA usage scenarios differ from those for a traditional anti-virus. It won't help scan a flash drive, and it won't pay attention to a file infected by a trojan lying idle in a folder on the desktop. But it does not need to: the aim of "katana" is to detect active threats by analysing all the processes running in a system and discovering anomalies. File scanning is the concern of your main protection tool.
As long as a trojan file is just located in a folder, it is only a potential threat. But if a user decides to launch it, the threat will move to the active category. In this case, Dr.Web KATANA will immediately respond to attempts made by the program to implement one of its malicious scenarios and block their execution. An equally prompt response will be given to other types of incidents, such as network worm intrusions, including those exploiting OS or application software vulnerabilities that are not yet known, as well as deviations in the operation of legitimate processes or their modification. In addition, Dr.Web KATANA protects against the unauthorised modification of information, whether it involves an attempt to encrypt your files or to distort some information in the clipboard or browser window.
Dr.Web KATANA’s operation is fully automated and as invisible as possible. In fact, all the user needs to do is simply install the anti-virus. In the process, it will block all detected threats and notify you about this. At the same time, if necessary, you can fine-tune it based on your own needs.
There is nothing to prevent you from installing Dr.Web KATANA as your only anti-virus, but, in most cases, using it this way is not justified. Effective system protection requires a set of solutions, one of which can be Dr.Web KATANA. You will probably agree that in addition to a katana (sword), a samurai also needs armour.
That is why it is incorrect to compare Dr.Web KATANA with comprehensive anti-virus products. Let's take an example with a trojan on your drive. Let's say the file you run is a Trojan Downloader. This is one of the most common types of trojans. Small in size, it is designed to download, unpack and activate the malicious modules it needs on your computer. If this build of the downloader has already been found by anti-virus company specialists, a traditional anti-virus can detect it by its signature, while "katana" will wait for its further actions.
Let's imagine that the downloader cannot contact its control server and download malicious packages. Do such actions pose a threat? Potentially — yes, in practice — no. It's another matter if the downloader has successfully downloaded the required module and tries to integrate it into the system: unpack it into the system folder, register it to run at startup, execute it, or inject it into a system process. Dr.Web KATANA can easily detect and stop such activity, neutralising the malicious modules and the downloader itself.
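The contrast drawn above (signature matching on a file versus judging a process by what it actually does, with a downloader that never reaches its server counting as a potential rather than an active threat) can be shown in a few dozen lines. The following is an added illustration written for this page, not Dr.Web KATANA's code or its actual rules; the byte pattern, hashes, process events, system paths, registry key and the two-finding threshold are all constructed assumptions.

```python
"""Toy signature-based vs behaviour-based detection (added example, not Dr.Web code).

All samples, hashes, paths and events below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# ---- signature side: match a known file ---------------------------------
# Constructed "known bad" marker and the hash of a constructed sample build.
KNOWN_PATTERNS = [b"DOWNLOAD_AND_RUN\x00"]
SAMPLE_A = b"MZ" + b"\x00" * 16 + b"DOWNLOAD_AND_RUN\x00" + b"payload-url"
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}
# Constructed "polymorphic" build: same job, marker obfuscated with XOR 0x5A,
# so neither the hash nor the byte pattern matches any more.
SAMPLE_B = (b"MZ" + b"\x00" * 16
            + bytes(c ^ 0x5A for c in b"DOWNLOAD_AND_RUN\x00") + b"payload-url")


def signature_match(blob: bytes) -> bool:
    """True if the file hash or a known byte pattern is in the database."""
    if hashlib.sha256(blob).hexdigest() in KNOWN_HASHES:
        return True
    return any(p in blob for p in KNOWN_PATTERNS)


# ---- behaviour side: judge a running process by its actions -------------
@dataclass
class Event:
    pid: int
    action: str      # "net_connect", "file_write", "reg_set", "proc_inject"
    target: str
    ok: bool = True  # whether the action actually succeeded

SYSTEM_DIRS = ("C:\\Windows\\System32\\",)                            # assumed
AUTORUN_KEYS = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",)  # assumed


def behaviour_findings(events: list[Event]) -> dict[int, list[str]]:
    """Per process id, the list of suspicious behaviours that succeeded."""
    findings: dict[int, list[str]] = {}
    for e in events:
        if not e.ok:
            continue  # a failed attempt is only a potential threat
        hit = None
        if e.action == "file_write" and e.target.startswith(SYSTEM_DIRS):
            hit = "drops a file into a system directory"
        elif e.action == "reg_set" and e.target.startswith(AUTORUN_KEYS):
            hit = "registers an autorun entry"
        elif e.action == "proc_inject":
            hit = f"injects into process {e.target}"
        if hit:
            findings.setdefault(e.pid, []).append(hit)
    return findings


def processes_to_block(events: list[Event], threshold: int = 2) -> set[int]:
    """Block a process once it shows at least `threshold` distinct findings.

    The threshold is an assumption of this example; a single autorun entry by
    itself is something many legitimate installers do.
    """
    return {pid for pid, hits in behaviour_findings(events).items()
            if len(hits) >= threshold}


# Constructed event logs for three processes.
IDLE_DOWNLOADER = [   # cannot reach its control server: nothing active happens
    Event(1001, "net_connect", "c2.example.invalid:443", ok=False),
    Event(1001, "net_connect", "c2.example.invalid:443", ok=False),
]
ACTIVE_DOWNLOADER = [  # got its module and tries to integrate it into the system
    Event(1002, "net_connect", "c2.example.invalid:443"),
    Event(1002, "file_write", "C:\\Windows\\System32\\helper_module.dll"),
    Event(1002, "reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper"),
    Event(1002, "proc_inject", "explorer.exe"),
]
LEGIT_INSTALLER = [    # writes to its own folder and adds one autorun entry
    Event(1003, "file_write", "C:\\Program Files\\Tool\\tool.exe"),
    Event(1003, "reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tool"),
]

if __name__ == "__main__":
    print("signature: sample A", signature_match(SAMPLE_A), "| sample B", signature_match(SAMPLE_B))
    for name, log in [("idle downloader", IDLE_DOWNLOADER),
                      ("active downloader", ACTIVE_DOWNLOADER),
                      ("legit installer", LEGIT_INSTALLER)]:
        print(f"{name}: findings={behaviour_findings(log)} block={processes_to_block(log)}")
```

Running it shows the two methods complementing each other in exactly the way the text describes: the known build (sample A) is caught by its signature, the re-encoded build (sample B) slips past the signature check, the downloader that never reaches its server produces no findings at all, the downloader that drops a module, registers it at startup and injects it is blocked regardless of which build it was, and the installer with a single autorun entry stays below the threshold.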
In April 2017, the company MRG Effitas, at the request of a major vendor, conducted a study to determine the effectiveness of anti-viruses. We've already explained many times before why we deliberately do not participate in such tests and do not see the benefit of them, but it is worth taking a closer look at this particular study. The fact is that in its comparative analysis of corporate anti-virus solutions that protect workstations, the organisers included Dr.Web KATANA rather than Dr.Web Enterprise Security Suite, which is the product that belongs to this class.
The testing was carried out by sequentially placing a malicious file on the test machine and launching it in various ways. Despite the fact that Dr.Web KATANA, a lightweight anti-virus, had to compete with multi-purpose anti-virus systems that include many different tools and have up-to-date virus signature databases, it was able to detect and neutralise more than half of the malicious samples. We dare to assume that the remaining portion was not detected only because those test samples were not active: the study contains no data on whether the samples were confirmed to be functional at the time of the test.
And, if Dr.Web KATANA is capable of doing this on its own in non-standard working conditions, imagine what it will do when it teams up with your signature anti-virus!
The Anti-virus Times recommends
Today we recommend to our readers that they choose Dr.Web KATANA as a second layer of security. And here’s why.
- Attackers try to make their malware programs invisible to the anti-viruses of key brands, but in practice, it is impossible to make them invisible to all of them at the same time. Thus, using two anti-virus solutions in a system — your current anti-virus and Dr.Web KATANA — in itself increases the level of security.
- Dr.Web KATANA's operation is as unobtrusive as possible. Unlike traditional anti-virus products, it is practically invisible in terms of system load and resource usage, and it does not require regular virus database updates.
- Its suite of preventive anti-malware technologies has always been Dr.Web’s strong point. Their use in Dr.Web KATANA will be an excellent addition to the technologies used in your standard anti-virus.
- Dr.Web KATANA does not require an Internet connection or virus database updates, which means that you can use it on isolated nodes.
If you have already used Dr.Web KATANA, share your experience in the comments.