Anatomy of the Traditional Antimalware
In the previous article, we compared the traditional antivirus with modern antimalware technologies. We traced the evolution of these technologies and the need for an organization to have visibility of its endpoints. It is important to understand that in the past ten years attacks have evolved from traditional malware and phishing attacks to advanced persistent threats. The cyber threat landscape keeps expanding, and the average number of cyber-attacks occurring daily has multiplied.
Attackers have therefore devised techniques to infiltrate organizations' networks through their weakest links. Most organizations set up secure working environments but fail at basic cybersecurity awareness and endpoint protection. The traditional antivirus came to bridge this gap and provide visibility and endpoint protection to the organization. This protection spanned all devices, ensuring that mobile devices could be protected both inside and outside the organization.
The traditional antivirus had four important components which enabled the prevention and detection of malware. Signature detection was the main component of the traditional antivirus. The technique identified malware signatures (the digital fingerprint of the malware) and matched them against the malware database. It checked both the strings of known malicious artifacts and the whole file to ascertain that no malicious component was attached to it. The technique was quite effective against malware embedded in applications, MS-Office documents, and PDFs.
Heuristics was another component, one that examined the file's properties: how large the file was, its executable components, and the permissions the file required. The heuristic approach was a rule-based approach which required the antivirus administrator to write and edit rules to ensure that legitimate applications and files were not blocked and deleted. This approach helped organizations restrict users from introducing malicious files through flash disks. The stringent rules enforced ensured all staff complied with the organization's policies and procedures.
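As an added example (not code from the original article or any antivirus product), the following Python sketch shows what a rule-based heuristic check of the kind described above looks like in practice: each rule inspects a static file property (size, executable components, requested permissions, origin on removable media) and contributes a weight, and an administrator-maintained allowlist exempts known-good files so that legitimate software is not blocked. The rule names, weights, threshold and the file records are all constructed assumptions for illustration.

```python
"""Rule-based heuristic file checker (added example, not the article's code).

Each rule inspects a static file property of the kind the article lists
(size, executable components, requested permissions) and contributes a
score; an allowlist lets the administrator exempt known-good files so
legitimate software is not blocked. Weights, threshold and the sample
file records are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FileInfo:
    name: str
    size_bytes: int
    is_executable: bool
    permissions: set = field(default_factory=set)
    from_removable_media: bool = False


# Each rule is (name, predicate, weight). Weights are illustrative assumptions.
RULES = [
    ("tiny_executable", lambda f: f.is_executable and f.size_bytes < 4096, 2),
    ("wants_autorun", lambda f: "autorun" in f.permissions, 3),
    ("wants_admin", lambda f: "admin" in f.permissions, 2),
    ("removable_executable", lambda f: f.is_executable and f.from_removable_media, 3),
]

BLOCK_THRESHOLD = 5  # assumed: a score at or above this is blocked


def evaluate(file: FileInfo, allowlist: frozenset = frozenset()) -> tuple:
    """Return (verdict, score, fired_rule_names) for one file record.

    Allowlisted names short-circuit to 'allow' so that an administrator can
    keep a legitimate tool that happens to trip several rules.
    """
    if file.name in allowlist:
        return ("allow", 0, [])
    fired = [name for name, pred, _ in RULES if pred(file)]
    score = sum(weight for name, _, weight in RULES if name in fired)
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return (verdict, score, fired)


if __name__ == "__main__":
    # Constructed records: a suspicious dropper from a flash disk, a vendor
    # tool that looks similar but is allowlisted, and an ordinary document.
    dropper = FileInfo("setup.exe", 2048, True, {"autorun", "admin"}, True)
    vendor_tool = FileInfo("vendor_tool.exe", 2048, True, {"admin"}, True)
    report = FileInfo("report.docx", 50_000, False)
    for f in (dropper, vendor_tool, report):
        print(f.name, evaluate(f, allowlist=frozenset({"vendor_tool.exe"})))
```

The point of the allowlist is the one the paragraph makes: a purely rule-driven engine blocks whatever matches, so the administrator has to keep tuning rules and exemptions to avoid deleting legitimate files.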
Behavioral analysis was introduced to complement the heuristic approach. It examined how a file behaved with respect to file access, processes, and the network. The approach was used mainly to mitigate spyware, trojans and worms, which covertly embed themselves in legitimate processes, access user data and send it out to command-and-control servers. The last component was hash matching, where a hash is a fixed value computed over a file that serves as its unique identifier. This technique, however, was not robust on its own, because an attacker who changed a single bit in the file would produce a completely different hash.
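The following Python example is added here to illustrate both the signature detection described earlier and the weakness of hash matching noted in this paragraph; it is not code from the original article. It scans a constructed byte string against a constructed byte-pattern signature and against a set of known-bad SHA-256 hashes, then flips one bit to show that the hash match fails while the pattern signature still fires, and flips a bit inside the signature to show the limit of pattern matching as well. The marker string, the sample bytes and the signature name are all made up for the example.

```python
"""Signature scan versus hash match (added example, not from the article).

Shows two checks the article describes: a byte-pattern signature, which
survives small edits elsewhere in the file, and a SHA-256 hash match,
which any single-bit change defeats. The sample bytes, marker string and
signature name are constructed and represent no real malware.
"""
import hashlib

# Constructed signature database: signature name -> byte pattern
SIGNATURES = {"demo-marker": b"DEMO-MARKER-STRING"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "sample": a fake header, padding, the marker, more padding.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"DEMO-MARKER-STRING" + b"\x00" * 8

# Constructed known-bad hash set, seeded from the original sample.
KNOWN_BAD_HASHES = {sha256_hex(ORIGINAL_SAMPLE)}


def signature_scan(data: bytes) -> list:
    """Return the names of every byte-pattern signature found in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def hash_match(data: bytes) -> bool:
    """True when the file's SHA-256 is in the known-bad set."""
    return sha256_hex(data) in KNOWN_BAD_HASHES


def flip_one_bit(data: bytes, offset: int = -1) -> bytes:
    """Return a copy of the data with the lowest bit of one byte flipped."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def compare(data: bytes) -> dict:
    """Run both checks and report their results side by side."""
    return {"hash_match": hash_match(data), "signatures": signature_scan(data)}


if __name__ == "__main__":
    print("original:       ", compare(ORIGINAL_SAMPLE))
    # One bit changed in trailing padding: hash differs, signature still hits.
    print("padding flipped:", compare(flip_one_bit(ORIGINAL_SAMPLE)))
    # One bit changed inside the marker itself: both checks miss.
    print("marker flipped: ", compare(flip_one_bit(ORIGINAL_SAMPLE, 20)))
```

The second case is the one the paragraph warns about: a hash identifies one exact file, so a trivially repacked copy is unknown to it, whereas a pattern signature keeps matching until the pattern itself is altered, which is why signature databases and behavioral analysis were layered on top of hash lists rather than replaced by them.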
The traditional antivirus was not 100% proof against malware attacks, which is why it continued to evolve as the threats evolved. In the recent ransomware attacks we have seen, several techniques have been incorporated into the ransomware components. If these techniques are not addressed, they can bypass current antimalware technologies. In addition, we have also identified fileless attacks, which do not need to be written to disk to execute and are capable of exfiltrating an organization's data remotely.
Exploits nowadays use lateral movement techniques to escalate privileges and move covertly through the network. A proactive approach to the current cyber threats is the best way to go. Organizations should establish a cyber resilience program that provides guidelines for both administrative and technical approaches to securing their environment. As an organization or individual, don't wait to get hit by ransomware before implementing a solution.