What Does the Future Hold for Antivirus Security?

A lot has changed since the first antivirus software emerged in the late 1980s.

In the intervening three decades, threats and methods of transmission have totally changed, as has the pace of consumer tech, the pervasiveness of IT in modern life, and the rise of high-speed internet. And as we’ll explore shortly, the would-be malware “industry” has grown exponentially too.

But what do small businesses need to know about keeping their operations safe from malware – both now and into the future? 

The Current Virus Landscape

Rather than being the realm of stereotypical basement-dwelling hackers, malware production and propagation is now big business – a lucrative industry in its own right.

For an alarmingly small fee, anyone with access to cryptocurrency and the dark web can contract with organisations who will put together and deploy malware on the purchaser’s behalf. Some ransomware providers will even operate call centres for the purchaser so victims can make their ransom payments! Knowledge of brand new, unpatched vulnerabilities in known software can be bought and sold for a pretty penny on the dark web as well. It’s scary stuff.

New, unresolved vulnerabilities are commonly known as “zero-day” threats. New zero-days of all kinds are being set loose every day from a myriad of sources and for a myriad of reasons. It’s a real challenge for anti-malware developers to stay ahead.

The simplest way to detect viruses is called “signature-based” detection, but as we’ll learn, it sometimes leaves a lot to be desired in terms of zero-day threats…

What is Signature-Based Detection?

Signature-based detection works by scanning files and comparing their individual characteristics to a central database of known threats – nowadays, that database is often global, collectively sourced, and cloud-based. Every single file in existence has a “signature”, which is kind of like a unique fingerprint. If a signature of a known malicious file is detected, the antivirus program will alert you that a virus is present.

Your current antivirus program may occasionally let you know that it has updated its virus definitions – this is basically your software getting the latest signature database from the internet. These databases are regularly kept up to date in order to keep users safe.

The Problem with Signature-Based Detection

Don’t get us wrong, signature-based detection is a valuable practice. It forms the backbone of many modern antivirus functions and continues to serve the industry well. But on its own, it’s far from perfect. The reason for this is two-fold.

Firstly, with zero-day viruses popping up all over the place, it can be days – sometimes even weeks – before an exploit is correctly identified as dangerous and added to major antivirus databases. An untold number of devices can become infected during this latency period, with malware simply sailing under the antivirus program’s radar. Those that use a purely signature-based anti-malware system wouldn’t know their device is infected until the virus definition database catches up; and even then, there may be further delay while a fix for the vulnerability is engineered.

Secondly, it’s in any malware creator’s best interest to make their virus evade detection for as long as possible. And unfortunately, purely signature-based systems are easy to fool. Many zero-day threats are simply repackaged into different files with a different “clean” signature, meaning they can stroll on past signature-based defences unflagged until the threat is detected and the global database catches up.

Solely signature-based antivirus tools are still far better than nothing, but you should be aware that they struggle to keep up with the modern, fast-paced digital threat landscape. But all is not lost! The majority of major antivirus packages now also include some kind of heuristic analysis.

What is Heuristic Analysis?

Heuristic analysis refers to a number of smart virus detection practices that are designed to hunt down files that contain malicious or unexpected commands, regardless of whether the file’s signature is classified as a known threat or not.

Heuristic detection techniques include breaking down and analysing a program’s code or using sandboxing to observe how the file behaves in a separate, virtual environment. Dangerous files may try to replicate themselves, overwrite crucial system files, use network resources in an unexpected way, and can be capable of much more. So, if the heuristics engine picks up any malicious behaviour, the file will immediately be classified as unsafe and its characteristics logged for future signature-based reference.

This makes heuristics analysis an invaluable weapon in the fight against zero-day threats.

Some heuristic analysis tools are enhanced with signature-based knowledge. This way, they can try to identify viruses that are practically the same as known threats, but have been altered substantially so as to evade detection.

The Problem with Heuristic Analysis

In our view, heuristic analysis is a much more proactive way of protecting your network when compared to signature-based detection alone. Heuristic analysis looks at a file’s code and behaviour to judge whether it’s dangerous, rather than relying on virus databases that become outdated pretty quickly after release.

However, the main downside of heuristic analysis is that totally benign files and programs can easily be flagged as “false positives”. Additionally, it’s possible that a criminal has done such a good job of disguising a malicious file that it even evades heuristic detection.

Heuristic analysis also needs a lot of processing power, which can make it much slower than the more immediate “true or false” nature of signature-based detection. If a heuristics engine is set to/decides to sandbox a file before a user is allowed to access it, then they will have to wait while it is tested; great for security, not so great if you’re in a hurry!

The Future of Antivirus Protection?

Both signature-based and heuristic detection methods have their benefits, but as we’ve seen here, they’re far from perfect. It’s not always easy to foresee how things are going to pan out in IT, but thankfully anti-malware protection seems to be progressing in a very productive direction.

It’s important for modern, future-focused anti-malware solutions to harness the strengths of signature-based detection and heuristic analysis, but much more is needed to keep up with the fast and chaotic pace of new cyber threats. Antivirus providers are bolstering their solutions with numerous “heuristic-adjacent” tools to keep both known and unknown threats at bay, most notably using behaviour monitoring, cloud-based sandboxing, content filtering and deep-packet inspection.

Let’s investigate these additional four virus-blasting factors:

• Behaviour Monitoring – Builds a complete picture of normal file, process, and network activity for every PC or server (“endpoint”). This way, unusual behaviour and commands can be immediately identified and halted.
• Cloud-Based Sandboxing – Automatically runs suspicious files through an online, virtual sandboxing engine which uses global, up-to-the-minute threat intelligence.
• Content Filtering – Lets you set limits on the external URLs and resources your network can access to pre-emptively disallow known sources of malware. It can also do wonders for productivity!
• Deep-Packet Inspection – Due to the increase of encrypted web traffic, vulnerabilities can sometimes sneak in under cover of SSL encryption. DPI decrypts incoming web data and examines it for malicious code.

What We Recommend: SonicWall Capture Client

SonicWall Capture Client is a versatile and comprehensive anti-malware platform that’s ready to roll with the punches of modern enterprise cyber threats. It provides totally scalable PC and server malware protection which pairs SonicWall’s leading network security expertise with SentinelOne’s singular antivirus technologies.

Capture Client maintains a real-time connection with SonicWall and SentinelOne’s threat intelligence databases in the cloud, so it’s always working from the latest, up-to-the-minute signature and heuristic data, sourced from around the world.

• Each installation of Capture Client continuously monitors endpoint behaviour, creating a full profile of what is “normal” for that device in terms of file, network, access, and application activity.
• Capture Client uses SonicWall’s industry leading Capture ATP cloud sandboxing engines to rigorously test new, unknown files for malicious code.
• There’s no need for pesky periodic updates and scans – Capture Client keeps you safe at all times without hindering productivity.
• Capture Client is easy to manage at scale with SonicWall’s handy cloud-based management and reporting interface, providing complete, simple visibility across all Capture Client-enabled endpoints.
• Capture Client’s functionality seamlessly integrates with SonicWall’s range of next-generation firewalls to provide granular deep-packet inspection and a peerless, joined-up approach to cybersecurity.

This rich feature-set is completed with post-incident roll-back support. So, in the highly unlikely event that something untoward does sneak through, you can effortlessly roll back any Windows PC or server to a previous, safe state.

Want to ramp up your defences against malware and advanced threats? Reach out and claim your free Just Firewalls cyber health check today! You’ll only need very basic knowledge of your network, up to an hour of your time, and an open mind. We’ll never pressure you to buy anything – it’s our goal to keep the UK’s businesses secure in whichever ways best suit them. Get in touch today on 0808 1644414 or book a call back.