This holiday season, there are bound to be millions of electronic gadgets and gizmos waiting to be unwrapped. If you have a fancy new device or two waiting for you — maybe some smart tech from LG’s new home line or a top-of-the-line laser projector to optimize your home movie theater — you should be careful to keep it protected from the moment it turns on. That means installing and running trustworthy antivirus software.
However, how do you know whether you can trust one antivirus program over another? The answer requires you to pay attention to how the protection works. Here are four virus detection techniques used by the best cybersecurity firms that you should look for in your antivirus software.
Signature-based detection, the most effective and most common way to identify known viruses, searches files for virus signatures. To do its job, a virus must execute a specific set of instructions, and those instructions must always occur in the same order for the virus to complete its task. Each virus has a unique instruction set, and that set is unlikely to appear in legitimate, uninfected programs. The instructions, which show up as strings of bytes, therefore serve as signs of a virus’s presence.
Once researchers recognize and identify a new virus, they usually pull out a signature string. For example, a file containing the Stoned virus will include the string: 0400 B801 020E 07BB 0002 33C9 8BD1 419C. Also called string scanning, signature-based detection requires a catalogue of known virus signatures, which software can use to periodically search your system for malicious code. More efficient and effective antivirus programs have larger catalogues and can complete string scans in shorter periods.
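To make the string-scanning idea concrete, here is an added example (not code from the article or from any antivirus vendor) of a small signature scanner in Python. It uses the Stoned signature quoted above plus a hypothetical second catalogue entry with a wildcard byte, and it handles the detail that naive scanners miss: a signature that straddles two read chunks of a large file.

```python
import io
import re
from typing import BinaryIO, Dict, List, Tuple

# Constructed catalogue. "Stoned" is the signature string quoted in the article;
# "Example.Wildcard" is a hypothetical entry showing how a catalogue can use "??"
# for one byte that varies between samples.
SIGNATURES: Dict[str, str] = {
    "Stoned": "0400 B801 020E 07BB 0002 33C9 8BD1 419C",
    "Example.Wildcard": "DE AD ?? BE EF",
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a spaced hex string (with optional '??' wildcard bytes) into a bytes regex."""
    digits = hex_pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("signature must consist of whole bytes")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    # DOTALL so a wildcard byte also matches a newline byte (0x0A)
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}
MAX_SIG_LEN = max(len(p.replace(" ", "")) // 2 for p in SIGNATURES.values())


def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every catalogue entry found in data."""
    hits = []
    for name, pattern in COMPILED.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> List[Tuple[str, int]]:
    """Scan a file-like object chunk by chunk, carrying MAX_SIG_LEN - 1 bytes of
    overlap so a signature split across two chunks is still found.
    Offsets are absolute positions in the stream."""
    overlap = MAX_SIG_LEN - 1
    hits = set()          # a set, because the overlap can make the same hit appear twice
    carry = b""
    base = 0              # absolute offset of carry[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        for name, off in scan_bytes(window):
            hits.add((name, base + off))
        carry = window[-overlap:] if overlap else b""
        base += len(window) - len(carry)
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_chunked(data: bytes, chunk_size: int) -> List[Tuple[str, int]]:
    """Convenience wrapper: scan an in-memory buffer through scan_stream."""
    return scan_stream(io.BytesIO(data), chunk_size)


def scan_file(path: str) -> List[Tuple[str, int]]:
    with open(path, "rb") as f:
        return scan_stream(f)


# Constructed samples: a clean buffer and one with the Stoned byte string embedded.
STONED_BYTES = bytes.fromhex("0400B801020E07BB000233C98BD1419C")
CLEAN_SAMPLE = b"MZ" + bytes(range(64)) * 4
INFECTED_SAMPLE = b"MZ" + b"\x90" * 50 + STONED_BYTES + b"\x00" * 30

if __name__ == "__main__":
    print(scan_bytes(CLEAN_SAMPLE))          # []
    print(scan_bytes(INFECTED_SAMPLE))       # [('Stoned', 52)]
    # chunk size chosen so the signature straddles a chunk boundary
    print(scan_chunked(INFECTED_SAMPLE, 60))  # [('Stoned', 52)]
```

The overlap is the part worth remembering: a scanner that reads a file in fixed blocks and scans each block on its own will miss any signature that happens to sit across a block boundary, which is exactly the kind of gap a larger catalogue cannot compensate for.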
Unlike the previous method, heuristic analysis tries to detect malware without relying on virus signatures. While the most common viruses can be caught by their signatures, some types encrypt or alter their own code to avoid detection, such as encryptor-decryptor and metamorphic viruses. To protect against this kind of threat, as well as emerging malware, high-quality antivirus software employs heuristics-based techniques, which inspect binary files for suspicious characteristics.
There are two methods for determining whether an unknown file is dangerous. The first, called static analysis, searches the file for junk code or rare instructions. By comparing unusual code against code known to cause harmful effects, programs can identify potentially malicious files. Then the software should attempt the second method, dynamic analysis: in a virtual environment, the antivirus program emulates running the file to learn what effects it would have.
Sometimes, heuristics-based detection flags files that are not malicious. However, without heuristics it is nearly impossible to detect new and unknown viruses, so the occasional need to review and unflag a safe file is a worthwhile trade-off.
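As an added illustration (not code from the article or from any product), this Python sketch scores a file body on the static characteristics just described: entropy of the bytes, junk padding, and a small table of rare instructions. The opcode encodings are real x86 `INT` instructions; which ones to call rare, the weights, and the thresholds are assumptions made for this example. The compressed-archive stand-in shows why a single indicator should not trip the flag on its own, which is the false-positive trade-off mentioned above.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed table of "rare instructions" with weights. CD xx is the real x86
# encoding of INT xx; treating these two as rare, and the weights and thresholds
# below, are choices made for this example.
RARE_INSTRUCTIONS = {
    b"\xcd\x13": ("int 13h (direct BIOS disk access)", 2),
    b"\xcd\x26": ("int 26h (DOS absolute disk write)", 2),
}
ENTROPY_LIMIT = 7.0      # bits per byte; above this the body looks encrypted or packed
JUNK_RUN_LIMIT = 64      # a run of this many identical bytes is treated as junk padding
SUSPICIOUS_SCORE = 3     # one indicator alone is not enough to flag a file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def static_heuristics(data: bytes) -> Dict:
    """Score a file body on suspicious characteristics and return the findings."""
    findings: List[str] = []
    score = 0
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_LIMIT:
        findings.append(f"high entropy {entropy:.2f} bits/byte (encrypted or packed?)")
        score += 2
    run = longest_run(data)
    if run >= JUNK_RUN_LIMIT:
        findings.append(f"junk padding: {run} identical bytes in a row")
        score += 1
    for opcode, (desc, weight) in RARE_INSTRUCTIONS.items():
        count = data.count(opcode)
        if count:
            findings.append(f"rare instruction x{count}: {desc}")
            score += weight
    return {
        "score": score,
        "entropy": round(entropy, 2),
        "findings": findings,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "clean",
    }


# Constructed samples (none is real malware).
CLEAN_TEXT = b"Hello, world. " * 20
# Stand-in for a compressed archive: every byte value equally often, so entropy is 8.0
COMPRESSED_STANDIN = bytes(range(256)) * 16
# Junk padding followed by a couple of raw disk interrupts
SUSPICIOUS_STUB = b"\x90" * 100 + b"\xb8\x01\x02\xcd\x13" + b"\xcd\x26"
# Encryptor-decryptor shape: a tiny decryptor using int 13h, then a high-entropy body
PACKED_SAMPLE = b"\xb8\x01\x02\xcd\x13" + COMPRESSED_STANDIN

if __name__ == "__main__":
    for name, sample in [("clean text", CLEAN_TEXT), ("compressed archive", COMPRESSED_STANDIN),
                         ("suspicious stub", SUSPICIOUS_STUB), ("packed sample", PACKED_SAMPLE)]:
        print(name, static_heuristics(sample))
```

The compressed stand-in scores 2 for its entropy and nothing else, so it stays clean; the packed sample adds a rare instruction to the same high entropy and crosses the line. Weighting several weak signals this way is what keeps heuristic detection from flagging every archive on your disk.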
Due either to the complexity of the malware or the insufficiency of initial investigations, some antivirus programs are unable to flag viruses before they execute. Still, thanks to behavioral detection, antivirus software can observe program execution, identify suspicious behavior, and stop the process before the malware causes damage. Abnormal behavior from a file might include:
- Unpacking malicious code
- Altering host files
- Sending out multiple emails
- Modifying or observing keystrokes
- Generating autorun.inf files on drives or removable media
Typically, malware will perpetrate several of these behaviors, which triggers an antivirus to act. Not all antivirus software includes behavioral techniques, and those that do are relatively advanced. Previously, these methods were only available in separate software, called intrusion prevention systems. Their introduction into widely available antivirus products marks a step up for consumer and business protection suites.
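Here is an added example (not code from the article or from any product) of how a behavioral monitor might match the behaviors listed above against a stream of process events. The event format, process names and paths are made up for the example; `WH_KEYBOARD_LL` is the real Windows identifier for a low-level keyboard hook. The monitor acts only once a process has shown two different behaviors, which is why the mail client that sends several messages is left alone while the process that unpacks code and then drops an autorun.inf is stopped.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Behaviors from the article's list, each paired with a rule over one event.
# The event schema ("type", "path", "hook", "prot", ...) is hypothetical.
BEHAVIOR_RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("unpack_code",
     lambda e: e["type"] == "mem_protect" and e.get("prot") == "rwx"),
    ("alter_host_files",
     lambda e: e["type"] == "file_write"
     and e["path"].lower().startswith(("c:\\windows\\", "c:\\program files\\"))),
    ("keystroke_hook",
     lambda e: e["type"] == "set_windows_hook" and e.get("hook") == "WH_KEYBOARD_LL"),
    ("autorun_drop",
     lambda e: e["type"] == "file_write" and e["path"].lower().endswith("autorun.inf")),
]
EMAIL_BURST = 5   # this many outbound messages from one process counts as "sending out multiple emails"


class BehaviorMonitor:
    """Tracks distinct suspicious behaviors per process and blocks a process once it
    has shown `threshold` different ones, so a single odd action does not trip it."""

    def __init__(self, threshold: int = 2):
        self.threshold = threshold
        self.behaviors: Dict[int, set] = defaultdict(set)
        self.email_count: Dict[int, int] = defaultdict(int)
        self.blocked: set = set()

    def observe(self, event: dict) -> str:
        """Feed one event; return "terminate" if the process should be stopped, else "allow"."""
        pid = event["pid"]
        if pid in self.blocked:
            return "terminate"
        for name, rule in BEHAVIOR_RULES:
            if rule(event):
                self.behaviors[pid].add(name)
        if event["type"] == "smtp_send":           # the stateful rule: count messages per process
            self.email_count[pid] += 1
            if self.email_count[pid] >= EMAIL_BURST:
                self.behaviors[pid].add("mass_email")
        if len(self.behaviors[pid]) >= self.threshold:
            self.blocked.add(pid)
            return "terminate"
        return "allow"


def run_monitor(events: List[dict], threshold: int = 2):
    """Replay a list of events; return the monitor and the (pid, decision) per event."""
    monitor = BehaviorMonitor(threshold)
    return monitor, [(e["pid"], monitor.observe(e)) for e in events]


# Constructed event log; process names, paths and addresses are made up.
EVENTS = [
    {"pid": 100, "proc": "mailer.exe", "type": "smtp_send", "to": "a@example.com"},
    {"pid": 200, "proc": "invoice.scr", "type": "mem_protect", "prot": "rwx"},
    {"pid": 300, "proc": "editor.exe", "type": "file_write", "path": "C:\\Users\\me\\notes.txt"},
    {"pid": 100, "proc": "mailer.exe", "type": "smtp_send", "to": "b@example.com"},
    {"pid": 200, "proc": "invoice.scr", "type": "file_write", "path": "E:\\autorun.inf"},
    {"pid": 200, "proc": "invoice.scr", "type": "set_windows_hook", "hook": "WH_KEYBOARD_LL"},
    {"pid": 100, "proc": "mailer.exe", "type": "smtp_send", "to": "c@example.com"},
    {"pid": 100, "proc": "mailer.exe", "type": "smtp_send", "to": "d@example.com"},
    {"pid": 100, "proc": "mailer.exe", "type": "smtp_send", "to": "e@example.com"},
    {"pid": 100, "proc": "mailer.exe", "type": "smtp_send", "to": "f@example.com"},
]

if __name__ == "__main__":
    monitor, decisions = run_monitor(EVENTS)
    for (pid, decision), event in zip(decisions, EVENTS):
        print(pid, event["proc"], event["type"], "->", decision)
    print("blocked:", monitor.blocked)   # {200}
```

Lowering the threshold to 1 would also kill the mail client on its fifth message, which is the kind of tuning decision that separates a usable behavioral engine from one that users switch off.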
The cloud offers outstanding data collection and processing power, which can be used to help every device user become more secure. Cloud-based detection lets antivirus programs do minimal work on the local device: the agent collects relevant data and sends it to the tool provider’s cloud infrastructure. There, software can process details about flagged files using an abundance of correlating data from many systems. The newest of these antivirus methods, cloud-based detection is in effect the socialization of virus knowledge and protection. A bonus of this technique is that local antivirus agents spend less effort processing files, which means you get faster and higher-quality use of your own devices.
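As an added example (not code from the article or from any vendor), this Python sketch shows the division of labor described above: a local agent hashes a file and sends only a compact report, and a simulated cloud service correlates reports from every host that has seen the same file. The verdict rules, thresholds and sample data are assumptions made for the example.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict

PREVALENCE_BENIGN = 1000      # seen clean on this many hosts -> treat as benign
FLAGGED_HOSTS_MALICIOUS = 2   # local heuristics flagged it independently on this many hosts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CloudReputation:
    """Constructed stand-in for a vendor's cloud back end. It never sees file contents,
    only compact reports, and it correlates them across every host that reported."""

    def __init__(self, known_bad_hashes=()):
        self.known_bad = set(known_bad_hashes)   # hashes tied to a known signature
        self.sightings: Dict[str, Dict[str, dict]] = defaultdict(dict)  # sha256 -> host -> report

    def submit(self, report_json: str) -> str:
        report = json.loads(report_json)
        self.sightings[report["sha256"]][report["host"]] = report
        return json.dumps(self.verdict(report["sha256"]))

    def verdict(self, sha256: str) -> dict:
        hosts = self.sightings.get(sha256, {})
        flagged = sum(1 for r in hosts.values() if r["heuristic_flag"])
        if sha256 in self.known_bad:
            return {"verdict": "malicious", "reason": "known signature"}
        if flagged >= FLAGGED_HOSTS_MALICIOUS:
            return {"verdict": "malicious", "reason": f"heuristics flagged on {flagged} hosts"}
        if len(hosts) >= PREVALENCE_BENIGN and flagged == 0:
            return {"verdict": "benign", "reason": f"clean on {len(hosts)} hosts"}
        return {"verdict": "unknown", "reason": f"{len(hosts)} sightings, {flagged} flagged"}


class LocalAgent:
    """Minimal on-device agent: hashes the file, sends a small report, caches settled verdicts."""

    def __init__(self, host_id: str, cloud: CloudReputation):
        self.host = host_id
        self.cloud = cloud
        self.cache: Dict[str, dict] = {}

    def check(self, data: bytes, heuristic_flag: bool) -> dict:
        digest = sha256_hex(data)
        if digest in self.cache:
            return self.cache[digest]
        report = json.dumps({"host": self.host, "sha256": digest,
                             "size": len(data), "heuristic_flag": heuristic_flag})
        verdict = json.loads(self.cloud.submit(report))
        if verdict["verdict"] != "unknown":      # only cache settled answers
            self.cache[digest] = verdict
        return verdict


# Constructed samples (not real files).
NEW_SAMPLE = b"constructed never-seen-before binary"
POPULAR_TOOL = b"constructed widely installed utility"


def demo():
    cloud = CloudReputation()
    # A new file: one host's heuristic flag alone is not conclusive ...
    first = LocalAgent("host-A", cloud).check(NEW_SAMPLE, heuristic_flag=True)
    # ... a second, independent flag settles it ...
    second = LocalAgent("host-B", cloud).check(NEW_SAMPLE, heuristic_flag=True)
    # ... and a third host whose local heuristics missed it still gets the shared verdict.
    third = LocalAgent("host-C", cloud).check(NEW_SAMPLE, heuristic_flag=False)
    # A widely installed file that nobody's heuristics ever flagged becomes benign by prevalence.
    popular = None
    for i in range(PREVALENCE_BENIGN):
        popular = LocalAgent(f"host-{i}", cloud).check(POPULAR_TOOL, heuristic_flag=False)
    return first["verdict"], second["verdict"], third["verdict"], popular["verdict"]


if __name__ == "__main__":
    print(demo())   # ('unknown', 'malicious', 'malicious', 'benign')
```

The third host is the point of the technique: its own scanner saw nothing wrong, yet it is protected by what two other devices reported minutes earlier, and it paid for that with a hash and a few bytes of metadata rather than a full local analysis.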