Understanding Antivirus – Signatures, Scans, and Schedules

Antivirus, when used properly, can provide great protection for an organization if used effectively.  Although antivirus may appear to be a set-it-and-forget-it software, diligence in managing antivirus can pay off.

Understanding Signatures

As you probably know, antivirus software works off of signatures of known malicious files.  These signatures are distributed periodically to all antivirus clients, usually from a server hosted either by the antivirus software company or on an in-house server.

When signatures are created there is exceptional detail to ensure that the signature doesn’t create false positive detections.  A false positive detection, in the antivirus world, is actually much more damaging than a false negative (missing a malicious file).  False positive detection occurs on occasion and is usually a newsworthy event (such as this instance where McAfee accidentally detected an important system file as being malicious).

Another important concept to understand in the antivirus world is utilitarianism.  An antivirus product is usually judged based on its ability to safely detect and remove the most potential threats to a computer.  Because of this, antivirus vendors commonly focus on writing signatures for the most common and prevalent threats in the world at that moment.

Dodging Antivirus Detection

It is common for an attacker to try to determine what type of antivirus is running on a system shortly after initial infection.  This is done so that all future attacks can be tested against that antivirus product to ensure that their new toolset is not found.

In addition, a targeted attacker is likely to capitalize on the previously mentioned utilitarian view held by antivirus vendors.  By creating a somewhat unique toolset designed specifically for a target, the attacker is able to avoid detection due to lack of prevalence, while enabling them to customize the attack for the target (separate command and control channels, embedded credentials, etc.).  In many cases, code obfuscation utilities (referred to as packers) are used to make disassembly difficult for antivirus software and reverse engineers.

Finally, an attacker can continue to modify their appearance and test the implant against a machine using the same antivirus software used within the target’s enterprise.  The version that doesn’t get detected is likely to be the version sent to the target.

Realtime Protection and Scheduled Scans

A core feature of antivirus software is real time protection.  Realtime protection is designed to prevent malware from infecting a machine by scanning any files that are accessed from or written to disk. Many organizations think that enabling realtime protection on their clients allows them to avert scheduled scans because (in theory) all files which touch the machine will be scanned, therefore preventing malware from ever entering.

Although an effective form of defense from known threats, antivirus software is only able to protect against malware which it has a signature for.  When compounded with the need for tight signatures (to avoid false positive detections) and a constantly changing threat landscape, it is likely that your machine may encounter malware for which there is no signature. In addition, targeted attack tools which are not detected by realtime protection may be detected during a subsequent scheduled scan.

Reviewing the Results

Threats detected both from realtime protection and scheduled scans warrant attention to prevent outbreaks of commodity malware and targeted attacks.  In addition, as I mentioned in a previous post, there are a lot of ways to analyze the results of a detection to determine whether the detection is pure commodity or something you may want to be concerned with.

Leave a Reply