Anti-Virus/Anti-Malware Technology
Malware and computer viruses
Malware is program code, either self-contained or inserted into a piece of legitimate software (a.k.a., a "Trojan horse"), that is specifically designed to perform malicious activity as designed by its programmer. This activity could include anything that the logged-in user can do. If the user can delete files, so can the malware. If the user can read sensitive data files, so can the malware. If the user can run software to encrypt the hard drive, so can the malware, making the drive inaccessible. The purpose of this discussion is to familiarize you with the types of malware, how they work and how their threat can be reduced.
A computer virus is a form of malware that was so named because, like its biological counterparts, the malicious code is carried within an otherwise legitimate carrier (i.e., an application program) and has the ability to replicate itself into other programs to which your computer has access. Even though, technically, a computer virus is defined by its ability to replicate, the term “virus” is commonly used to refer to any form of malware. However, there is a form of malware that is very different in its method of delivery that we will discuss separately, i.e., a computer worm.
Computer worms
A computer worm is a program that delivers malicious software to computers on the Internet that have installed software containing a vulnerability that has not been corrected. Unlike a virus, which depends on the user doing something to activate it, a worm depends on the user not doing something, i.e., not applying vendor updates to correct vulnerabilities in their software products.
When a worm is executed by the malicious individual on a computer that he or she controls, the worm probes the Internet looking for computers that have unpatched, vulnerable software installed. The program especially looks for software that by its nature must run with full administrative privileges so that the worm can make modifications to any area of the system. When the worm finds an unpatched software flaw, it injects its malicious code into the system to perform its programmed tasks when it is activated.
Since computer worms use a different delivery method than other malware forms, the way they are addressed is also different. The key to stopping the effects of computer worms is to ensure that you apply vendor software updates to each piece of software on your system as soon as possible after they are released. Information about this topic can be found on the Updating Software in a Timely Manner page.
Some common malware "payloads"
Regardless of how malware is delivered, its purpose is to deliver malicious program code or “payload”. Below is a sampling of these categories:
- Payloads designed to capture data
  - “Key logger” – a payload designed to capture the keystrokes entered into your system via the keyboard, primarily targeting passwords, account numbers, social security numbers and other sensitive personal information.
  - “Spyware” – program code that is designed to capture your behavior patterns as they relate to computer use.
  - “Adware” – a specific form of spyware whose purpose is to track your interests for targeted advertising.
- Payloads designed to destroy data or attack systems
  - “Time bombs” – a payload that remains dormant until a specific date and time.
  - “Logic bombs” – a payload that remains dormant until a specific condition occurs, e.g., the creation of a specific file, the receipt of a specific message from a specific computer.
  - “Botnets” – a type of logic bomb that is designed to have thousands of computers simultaneously launch an attack on a specific computer or set of computers to disrupt an organization's services.
  - “Ransomware” – malicious program code designed to encrypt any computer storage to which you have access and to demand a ransom from the user to obtain the decryption key.
How malware is contracted by your system
For all forms of malware except computer worms, malware is contracted when the user takes a specific action, such as:
- Opening an infected executable program or document that was attached to an e-mail message
- Clicking a link on a web site that downloads a program or document containing malicious program code and executes it
- Clicking on any area of an unsolicited web popup message
- Inserting into his or her computer a DVD, USB device or other storage device that is set up to automatically execute malicious code
- Opening a program or document on a piece of removable media that is infected
Anti-virus/anti-malware detection techniques
Signature matching
Signature matching is basically scanning the code of every program and document on your system to look for snippets of known malware program code, called “signatures”. This technique requires the anti-virus/anti-malware software to maintain a file of thousands of malware signatures. Since new viruses are created every day, the signature file used by the anti-virus/anti-malware software must be updated regularly – in most cases, daily.
The success of this technique is completely dependent upon the accuracy and completeness of the signature file. So, if your anti-virus/anti-malware software is set up to download a new signature file every day at 8:00 a.m., at 8:01 a.m. a new virus may hit the Internet that your software may not recognize. But it is actually even worse than that. Even if your software downloads new anti-virus/anti-malware signatures every hour, the download at 9:00 a.m. probably would not include the signature of the new piece of malware, because it takes time for the vendor to learn about the new virus, to analyze how it works and to create the new signature. In fact, it could take as much as a day or more from the time a piece of malware hits the Internet to the creation and distribution of the new signature. Malware that takes advantage of this signature window of opportunity is called a “day zero attack”.
Heuristics
Heuristics is a technique that involves scanning the code of every program and document looking for sequences of program commands that are commonly used by malware. Because this technology doesn’t require exact signature matches, heuristics can be very helpful in detecting day zero attacks. But heuristic analysis is just as much an art as a science, and is far from perfect.
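As an added illustration (not code from the original page), here is a toy scanner in Python that applies both techniques described above to constructed sample files: the signature pass looks for exact byte patterns from a made-up signature table, while the heuristic pass scores loose, command-like patterns so that a constructed "day zero" sample that is not yet in the signature table is still flagged. All signatures, rules and samples here are constructed for this example and are not real malware signatures.

```python
import re

# Constructed signature "file": name -> exact byte pattern (made-up, not real)
SIGNATURES = {
    "Demo.Keylogger.A": b"\x4b\x4c\x47\x00hookkbd",
    "Demo.Ransom.B": b"ENCRYPT_ALL_DRIVES",
}

# Constructed heuristic rules: loose patterns for behaviour commonly seen in
# malware, each with a weight; a file scoring >= THRESHOLD is flagged.
HEURISTIC_RULES = [
    (re.compile(rb"hook\w*kbd"), 3),             # keyboard hooking
    (re.compile(rb"disable_av|kill_av"), 4),     # tampering with protection
    (re.compile(rb"encrypt\w*drive", re.I), 3),  # bulk encryption of storage
    (re.compile(rb"connect_c2|beacon"), 2),      # calling home
]
THRESHOLD = 5

def signature_scan(data: bytes):
    """Return the name of the first signature found in data, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def heuristic_scan(data: bytes):
    """Return (score, list of matched rule patterns)."""
    score, hits = 0, []
    for rule, weight in HEURISTIC_RULES:
        if rule.search(data):
            score += weight
            hits.append(rule.pattern.decode())
    return score, hits

def scan(data: bytes):
    """Signature match first; fall back to heuristics for unknown code."""
    sig = signature_scan(data)
    if sig:
        return "signature", sig
    score, hits = heuristic_scan(data)
    if score >= THRESHOLD:
        return "heuristic", f"score={score} hits={hits}"
    return "clean", ""

# Constructed sample "files" (not real programs)
SAMPLES = {
    "known.bin": b"MZ...\x4b\x4c\x47\x00hookkbd...",              # in SIGNATURES
    "dayzero.bin": b"MZ... hook_kbd ... kill_av ... beacon ...",  # not yet in SIGNATURES
    "benign.txt": b"quarterly report: nothing unusual here",
}
```

Calling scan() on each entry of SAMPLES shows the difference: the known file is caught by its signature, the day-zero file only by the heuristic score, and the benign file by neither.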
When does anti-virus/anti-malware software screen for malware
Virtually all anti-virus/anti-malware products can screen programs in the following ways:
- Each program and document may be scanned every time it is opened or executed, while it is being loaded into the computer's memory.
- All programs on your hard drive may be scanned in batch mode, either on demand or at a scheduled time.
- All programs on removable media, e.g., DVDs or USB devices, may be scanned when the media is inserted into the computer.
All of the above methods are options and must be activated through the product's configuration settings. Most products turn these methods on by default, but it is important to check the product's configuration settings to ensure they are still active. Some forms of malicious code can turn these options off.
What happens when malware is found?
It depends upon how the anti-virus/anti-malware software is configured. The products typically provide the following options for responding to malware detection:
- Delete the program or document that contains the malware
- Quarantine the program or document that contains the malware
- Attempt to remove the malware from the program or document
- Ignore the malware (definitely not recommended)
In all cases, information about the detected malware is captured to the system log.
Since anti-virus/anti-malware technology is not perfect, what can help reduce the risk?
Even though it is imperfect, anti-virus/anti-malware can be very effective in preventing millions of varieties of malicious software from exposing data, damaging your system or using your system to attack others. Signatures will always be incomplete and heuristics will always be imperfect, but you can help by following the computer security best practices that are described in the Information Security Basics section, especially topics concerning web and e-mail safety and avoiding the use of an administrator level account to perform your day-to-day computer work.
If you use an anti-virus/anti-malware product on your personally-owned computer that you purchased on an annual subscription basis, you must pay the annual subscription fee when due or you will not receive any further signature file updates. If that occurs, your anti-virus/anti-malware software will rapidly become ineffective since it will not be able to detect any of the new viruses and other malware forms that are created daily.