Why Antivirus Doesn’t Work and What to do About it

In a previous article, I talked about how cyber crime is continuing to get more sophisticated, and how the offenders are getting away with larger amounts.

In this article, we’ll look at AntiVirus software, why it’s not always effective, and what can be done to overcome this ineffectiveness.

Antivirus software is designed to prevent, detect and remove malicious software.

The obvious solution to removing malware and viruses is to have an updated version of AntiVirus to catch and remove them.

AntiVirus works well for existing and known malware and viruses, but it is not so effective against new viruses, also known as “Zero Day” viruses.

Depending on the antivirus product, detection of Zero Day malware can range from 0% to 65% effective. So, even if you have the best antivirus on the market, 35% of the Zero Day malware will go undetected.

To take a random example from this week, we were called to repair a WordPress website that had been hacked.

Here we found most of the files had been altered to have a piece of malware quietly infect computers visiting the site. As shown below, only 8 out of 55 AntiVirus systems recognized this as malware.

The missing offenders included some of the biggest names like Trend Micro and McAfee.

If AntiVirus is ineffective, then what can one do?

Fortunately, there are many tools on the market to combat these kinds of threats.

Unfortunately, they tend to be lesser known and often expensive solutions.

Let’s start with finding malware.

Since most AV systems work by trying to identify bad files or processes, detection needs to be rethought to be effective. One way to do this is to analyze the processes in memory and identify ALL of them, instead of just some.

A process found in memory is actively running and using memory, and therefore presents a danger; an idle file that is not running cannot cause harm.

Secondly, one cannot find a malicious process on its own. Trying to find a malicious process is like trying to find a needle in a haystack without knowing what a needle looks like.

This is why AntiVirus companies have such a hard time catching everything.

Every single process must be identified as:

  • Good (previously seen and known)
  • Bad (previously seen and known to be bad)
  • Unknown (not previously seen and need to be forensically investigated).
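The three-way classification above, as an added example that is not code from the article or from Cyfir: a small Python triage over a snapshot of running processes. It keys the known-good and known-bad sets on the SHA-256 of the executable image rather than on the file name, so a process that borrows a familiar name lands in the "unknown" bucket for investigation instead of being trusted. The process snapshot, the image contents and the resulting hashes are all constructed for the example; on a live host the snapshot would come from the operating system's process list.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RunningProcess:
    """One entry from a snapshot of processes that are actually in memory.

    Only running processes are inventoried: a file sitting idle on disk is
    not part of the snapshot, which is the point made in the article.
    """
    pid: int
    name: str
    path: str
    image: bytes  # contents of the executable backing the process (constructed here)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executable contents. Real reference sets would
# hold hashes of genuine binaries and of confirmed malware samples.
_GOOD_SVCHOST = b"constructed: genuine svchost image"
_GOOD_EXPLORER = b"constructed: genuine explorer image"
_BAD_DROPPER = b"constructed: known dropper image"
_NEW_SAMPLE = b"constructed: never seen before"

# Reference sets keyed by image hash, not by file name: the file name is chosen
# by whoever wrote the program, so it proves nothing.
KNOWN_GOOD = {
    sha256_hex(_GOOD_SVCHOST): "svchost.exe (constructed allowlist entry)",
    sha256_hex(_GOOD_EXPLORER): "explorer.exe (constructed allowlist entry)",
}
KNOWN_BAD = {
    sha256_hex(_BAD_DROPPER): "dropper (constructed blocklist entry)",
}


def classify(proc: RunningProcess) -> str:
    """Return 'good', 'bad' or 'unknown' for one running process.

    The blocklist is consulted first so that a hash present in both sets is
    never silently trusted.
    """
    digest = sha256_hex(proc.image)
    if digest in KNOWN_BAD:
        return "bad"
    if digest in KNOWN_GOOD:
        return "good"
    return "unknown"


def triage(snapshot: list[RunningProcess]) -> dict[str, list[int]]:
    """Bucket every process in the snapshot by verdict, returning PIDs per bucket."""
    buckets: dict[str, list[int]] = {"good": [], "bad": [], "unknown": []}
    for proc in snapshot:
        buckets[classify(proc)].append(proc.pid)
    return buckets


def forensic_queue(snapshot: list[RunningProcess]) -> list[dict[str, str]]:
    """List the 'unknown' processes with the details an analyst needs first."""
    return [
        {"pid": str(p.pid), "name": p.name, "path": p.path, "sha256": sha256_hex(p.image)}
        for p in snapshot
        if classify(p) == "unknown"
    ]


# Constructed snapshot. PID 4421 reuses the name svchost.exe from an unusual
# path with an image nobody has seen before; hash-keyed classification sends it
# to the unknown bucket rather than trusting the name.
SAMPLE_SNAPSHOT = [
    RunningProcess(4, "svchost.exe", r"C:\Windows\System32\svchost.exe", _GOOD_SVCHOST),
    RunningProcess(1200, "explorer.exe", r"C:\Windows\explorer.exe", _GOOD_EXPLORER),
    RunningProcess(3310, "update.exe", r"C:\Users\Public\update.exe", _BAD_DROPPER),
    RunningProcess(4421, "svchost.exe", r"C:\Users\Public\svchost.exe", _NEW_SAMPLE),
]

if __name__ == "__main__":
    for verdict, pids in triage(SAMPLE_SNAPSHOT).items():
        print(f"{verdict:8s} {pids}")
    for entry in forensic_queue(SAMPLE_SNAPSHOT):
        print("investigate:", entry)
```

The design choice worth noting is that "good" is only ever awarded on an exact image hash match; a familiar name, a plausible path, or the absence of a blocklist hit never upgrades a process out of the unknown bucket, which is what keeps the third category honest.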

One such AntiVirus company that takes this approach is Cyfir. Through this approach, they were able to detect a breach at the Office of Personnel Management in the US Government that had previously gone undetected by multi-layered security systems.

With a solution like this in place, you can rest assured systems and data will be much safer.

With that said, not all attacks involve malware. Stay tuned for how to thwart further would-be attackers beyond the traditional firewall systems and password security.

If your systems are protected only by AntiVirus, and you are concerned about unknown processes running, perhaps it’s time to look into the next level, such as JIG’s managed IT services, to secure your most important data systems.