Antivirus is that tool that we constantly mention in our articles and security notices and whose functionality is essential to preserve the integrity of the information and the systems that manage it. However, so far, we haven’t discussed what it does, exactly, to protect our devices. In this article we will show you some details and characteristics of this basic cybersecurity tool.
What Does An Antivirus Do?
An antivirus is a type of software whose main objective is to detect and block malicious actions on the computer, generated by any type of malware and, in the event of an infection, to eliminate it.
Currently, this type of software is part of what are known as suites of security tools that incorporate other functionalities: password managers, Wi-Fi network analyzers or blockers of malicious websites such as those used in phishing campaigns .
Antiviruses incorporate a large number of functions. Today we are going to focus on how malicious code is detected. To do this, they mainly have two types of protection:
- reactive, signature-based;
- proactive or heuristic.
The method, traditionally used by antivirus to detect malware , is based on signature databases (a way to identify malware ), generated by the manufacturer, also known as vaccines. The possible malicious file is checked against the database and if there is a match then it is malware .
Also Read : Everything You Need To Know About f-commerce
Signature-based detection issues
- The main problem with this type of analysis is that it will only detect those malware samples that have already been previously identified and for which a signature has been generated that is in the database. If this does not exist in the database that the user’s antivirus has, the user would be exposed to the threat.
- Another drawback is the delay between the identification, generation of the signature and updating of the database, this window of time leaves the user defenseless against the threat.
- Finally, there are a lot of malicious files that are created on a daily basis, rendering the detection, exclusively based on signatures, obsolete.
As a complementary method to signature-based detection and to solve its deficiencies, proactive detection based on heuristics was designed. This malware detection method responds to many situations where signature-based detection does not arrive, such as:
- The malware still does not have a signature;
- The malware has been discovered but the company still has not reached the user.
Heuristics is considered one of the parts of artificial intelligence, designed under rules obtained from experience and a machine learning system that make this method better and more accurate over time.
The operation of heuristic algorithms bases their behavior on different criteria that will determine if a file is malicious , such as, for example, if the registry is modified or a remote connection is established with another device. Each of these criteria is assigned a score. If it exceeds a certain threshold, it will be considered a threat.
Types of heuristic algorithms
This type of proactive analysis can be carried out in different ways, although the three most common are:
- generic: this analysis compares the behavior of a certain file with respect to another already identified as malicious. If the analyzed file exceeds the similarity threshold, it will be considered a malicious variant of the first one;
- passive: it analyzes the file individually, without making any comparison with another identified as malware , and tries to find out what it is doing, for example opening a port or connecting to an IP address. If the actions are considered dangerous, it will mark the sample as malicious;
- active: this runs the sample in a safe environment or sandbox that will determine its behavior and identify if it is malware or not.
Heuristic-based detection problems
- The main problem with this type of detection is false positives. That is, an application, without any malicious purpose, is identified as malware . Heuristic algorithms usually have different levels of stringency. The more rigorous the analysis, the more likely it is that a false positive will occur and vice versa;
- Another drawback of this analysis is that the workload of the team increases compared to the signature-based analysis, and the performance of other tools may be affected.
Also Read : All You Need To Know About Best Subwoofers