Signature-based anti-virus (AV) is dead – and organizations are suffering the consequences.
Traditional antivirus has been known to be ineffective for years. Reliance on malware signatures—something attackers actively change or reinvent to avoid defenses—means traditional AV is essentially useless against new and advanced malware attacks. So why are organizations still using it?
Trust in a well-known AV name, integrations, and cost are some of the reasons many cite when explaining why they haven’t switched to a more effective solution. Business users and IT departments especially place high value on integration with an RMM (remote monitoring and management) tool when backing their decision to continue using a specific AV solution.
But is easy integration really worth the cost of incident recovery, your data, or your business?
Every year, a large majority of the ransomware-specific Incident Response (IR) services Infogressive provides share ONE common factor: traditional AV software, often a well-known brand, failing to catch the malicious files.
So, what can you do to make sure this doesn’t happen to your organization? First, it helps to understand how different types of AV solutions work so you can choose the right security for your needs. To do this, we need to start with malware signatures.
What are malware signatures?
Malware or virus signatures can be most easily understood using the “fingerprint” metaphor: a signature is like the fingerprint of a malicious software or virus, a unique identifier. More specifically, a signature is a unique set of data or hash (a number derived from a string of text) within the software that differentiates it from other software or viruses.
The way malware signatures are identified or calculated involves a numerical value of a unique snippet of code that is unique to the malware or virus, and once calculated, that value is referred to as the “signature” or definition file. As new viruses emerged over the years, some have shared signatures with existing viruses, while others are completely new.
Early on, experts discovered that these unique identifiers could be collected as viruses emerged and then used to detect malware or viruses in a computer system—leading to the inception of the first anti-virus programs in the format most commonly used for decades (and even to this day). This form of anti-virus and virus detection, commonly referred to today as “Traditional” AV, is signature-based malware detection.
How does signature-based protection work?
The majority of AV or malware prevention programs developed since 1987 operate using a growing database of malware signatures as a reference list. These signature-based technologies present in firewalls, email security platforms, and AV programs are best described as protecting against known threats.
When a malicious file attempts to enter a network or is downloaded to an endpoint, a signature-based security solution will check that file’s identifying details against the database of malware signatures looking for a match. If there is a match to an existing threat or family of threats, the file will be blocked, quarantined, or otherwise prevented from executing its malicious actions.
When new malware emerges and is documented by experts, its signature will then be added to malware databases by the organizations or officials who manage them. Then, AV vendors must create, release, and communicate a signature database update out to their users to ensure that the new threat can be detected and blocked. These updates increase the program’s detection capabilities and are released, in some cases, as often as multiple times per day.
What are the drawbacks of signature-based protection?
Now, you may already see where this is heading. With an average of 350,000 new instances of malware registered every day, and around 10 million new malware variants logged each month, that’s a lot of signature database updates to keep up with. While some AV vendors update their programs throughout the day, others release scheduled daily, weekly, or monthly software updates to keep things clean and simple for their users.
But convenience comes at the risk of real-time protection. During the time those AV programs are missing new malware signatures from their database, they are completely unprotected against new or advanced threats. By the end of 2019, 2/3 of malware could evade signature-based AV solutions.
Not to mention, how many users fail to keep their programs secure due to the “hassle” of frequent updates? We’ve all hit the “Remind Me Later” button at least once before on our computers, smartphones, or tablets. It’s easy to see updates as a low-priority inconvenience, and many users don’t realize that pushing off AV updates can be a dangerous game. Not only do signature-based solutions remain ineffective against zero-day threats, they also decrease in efficacy at the hands of user error.
All too often, traditional AV solutions provide a false sense of security to organizations who rely on them.
What is Next-Generation AV?
Enter Next-Gen AV. While signature-based detection has been the default in traditional AV solutions for years, the drawbacks were enough to get people thinking about how to make AV more effective. Today’s next-generation malware prevention solutions use advanced technologies like behavior analysis, Artificial Intelligence (AI), or machine learning to detect threats based on their intention rather than looking for a match to a known signature.
One way to think of this is to compare it to your credit card company and the way they detect fraud. These days, it’s a common experience for a credit card holder to be alerted of fraud before they would have even been aware of it. How are companies catching fraud so quickly? The answer is in behavior analysis. Your purchasing habits are monitored by credit card systems to establish your “profile”—essentially confirming you live/work/use your card in a certain area, for certain types of purchases most often, and so on. When a purchase doesn’t match your “norm”, the system will be on high alert for other behavioral indicators that could mean your card or card number has been stolen. A common fraud indicator that these systems watch for is the presence of a small, unassuming purchase immediately followed by a major purchase. This is a common tactic for criminals holding stolen cards or card numbers: a quick test to ensure the card is active before they use it for something larger.
Behavior analysis in threat prevention is similar, although admittedly more complex. Instead of only cross-checking files with a reference list of signatures, next-gen AV can analyze the actions (or intentions) of malicious files and determine when something is suspicious. This cautious approach proves to be about 99% effective against new and advanced malware threats, compared to signature-based solutions’ average of 60% efficacy.
Source: AV-TEST Institute – an independent provider in anti-virus research that conducts monthly tests to evaluate the effectiveness of leading AV vendor solutions against zero-day malware attacks. This chart shows the results on the Business Windows Client for the month of October, years 2012 through 2019. Complete results and individual vendor scores can be found at: https://www.av-test.org/en/press/test-results/
Protect your organization: Dependable AV and Layered Security.
Make the jump from 60% to 99% today with a more dependable malware prevention solution, backed by expert security analysts. But don’t stop there—while no security solution can ever provide 100% protection against evolving threats, layers of security can be the difference that keeps your organization from becoming compromised.