Recently I took my five year old daughter to the doctor for a general wellness check-up and her dreaded kindergarten immunizations. They were the standard immunizations children receive at various points in life. When the nurse was finished, she mentioned that we both needed to get the flu vaccine in a couple of months. I began to think about the flu vaccine. Each fall we hear about it from media, doctors, and pharmacies. The Centers for Disease Control and Prevention website states that the seasonal influenza (flu) vaccine is designed to protect against the three or four influenza viruses research indicates are most likely to spread and cause illness among people during the upcoming flu season. Some years the flu vaccine is very effective since the prediction of flu viruses that would be circulating was right. However, other years the vaccine is not effective at all, resulting in flu outbreaks across the country.
I have had multiple customers ask recently whether antivirus software is necessary. This is a difficult question that must be carefully answered. Antivirus software originated in the late 1980s. Since then, the antivirus industry has exploded in both size and revenue generated. The number of malicious programs detected has also exploded, with many antivirus vendors estimating that over 100 million new malicious programs were discovered in 2016.
How Antivirus Works
Typical antivirus software contains many programs that make up a “suite” of functionality such as host intrusion detection/prevention, web and email filtering, and host-based firewalls. This article focuses on the basic function of antivirus software: analyzing executable files to determine whether they are malicious. There are several ways to determine if an executable file is up to no good. Over the last twenty years the predominant method has been to compare the file to a dictionary of known “definitions” of malicious executables to see if it matches a definition or comes close to one.
Many antivirus definitions, or signatures, rely on a fingerprint of a malicious executable that is compared to the executable being analyzed. Often these fingerprints consist of items like a hash value, compile date and time, file size, strings contained within the file, and what certain pieces of code might be doing within the executable. However, all of these items can be easily manipulated by attackers so that a malicious executable no longer matches the known fingerprint. This is done by changing the code in a minor way, recompiling the executable, and obfuscating it with methods such as encryption or software packing. The result is that a previously known piece of malware can run on a system with up-to-date antivirus software. The reason is that while the code has the same function, it looks completely different.
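To make the fingerprint idea concrete, here is an added toy model (not the author's code or any vendor's engine) of a definition built from the traits listed above: a hash, a file size, and known strings. The "executable" bytes, the signature name, and the strings are constructed for the example; it shows why a hash-only match is brittle, why strings survive a recompile, and why an obfuscated copy matches nothing static.

```python
import hashlib

# Constructed stand-in for a known malicious executable (not a real sample):
# a fake DOS header, repeated code bytes, and two strings an analyst would pick out.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x55\x8b\xec" * 8
    + b"EXAMPLE_MUTEX_0x1234\x00"
    + b"http://c2.example.invalid/\x00"
)
# Constructed "recompiled" variant: one changed code sequence plus a padding byte,
# so both the hash and the size differ while the identifying strings survive.
VARIANT = KNOWN_SAMPLE.replace(b"\x55\x8b\xec", b"\x55\x89\xe5", 1) + b"\x90"
# Constructed "packed" variant: every byte transformed, so the strings are hidden at rest.
PACKED = bytes(b ^ 0x5A for b in VARIANT)

def make_signature(name, sample, strings):
    """Build a definition from the traits the article lists: hash, size, strings."""
    return {
        "name": name,
        "sha256": hashlib.sha256(sample).hexdigest(),
        "size": len(sample),
        "strings": tuple(strings),
    }

def match_traits(sig, data):
    """Check each trait separately so it is visible which ones are brittle."""
    return {
        "hash": hashlib.sha256(data).hexdigest() == sig["sha256"],
        "size": len(data) == sig["size"],
        "strings": all(s in data for s in sig["strings"]),
    }

def verdict(sig, data):
    """Layered decision: exact fingerprint first, then surviving strings."""
    t = match_traits(sig, data)
    if t["hash"]:
        return "known sample"       # exact fingerprint match
    if t["strings"]:
        return "probable variant"   # hash changed but identifying strings remain
    return "no match"               # static traits defeated; needs behavioural analysis

SIG = make_signature("Trojan.Example", KNOWN_SAMPLE,
                     [b"EXAMPLE_MUTEX_0x1234", b"c2.example.invalid"])

if __name__ == "__main__":
    for label, data in [("original", KNOWN_SAMPLE), ("recompiled", VARIANT), ("packed", PACKED)]:
        print(f"{label:10s} {match_traits(SIG, data)} -> {verdict(SIG, data)}")
```

The "packed" case is the one the paragraph describes: the same logic is still there, but nothing in the static definition sees it, which is the gap that behaviour-based analysis is meant to close.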
Luckily, antivirus software is not like the flu shot. We are not limited to getting an antivirus update once a year, and that update covers many more than just three or four malicious executables. Antivirus definitions are often updated many times a day and contain multiple new fingerprints for malicious executables each time. What amazes me most about antivirus software is the global network that works to get new malicious executable samples into the hands of many antivirus companies based all around the world. One example that end users can access is the website VirusTotal (https://www.VirusTotal.com). Files uploaded to VirusTotal are run through over sixty antivirus programs to determine if the file is malicious. If it is flagged as malicious, the user who uploaded the file gets detailed information on what was detected. All files get shared with the antivirus vendors, who then do further analysis to determine whether the uploaded executable is a new variant or a totally new malicious file.
Antivirus software has drawbacks and can be bypassed. However, it is still an essential piece of a defense-in-depth strategy. One program can protect you from millions of pieces of malware and can quickly update to protect against new malware. Antivirus software vendors have also begun to introduce newer functionality that seeks to detect abnormal behavior of executable files. This, coupled with traditional signature- or definition-based analysis, should make you pro-antivirus.