While the media have extensively covered the recent spike in malware, a certain aspect seems to have been downplayed. The truth is, not only have cyber-attacks grown significantly during the pandemic (in March alone, 832 million records were breached through malware), but their complexity has also visibly increased as well.
The fact that business transactions had to be performed online by remote employees created a lot of vulnerabilities that incident response teams could not thoroughly cover. This allowed cyber criminals to grow both more sophisticated and bolder in their approaches.
Clop ransomware can now disable basic system security; Gameover Zeus uses P2P networks to literally broadcast your data, while multiple cyber-criminal groups started writing malware in Golang to avoid conventional detection. And if the spike in global attacks on healthcare systems wasn’t a surprise, the Netwalker ransomware group took an extra step and attacked an entire Austrian city with multiple phishing e-mails.
It is now clear that the age of classic virus infections is long gone, and that conventional detection tools are incapable of tackling advanced malware. So, what can your security team do to make sure no threat escapes them?
Aside from a solid combination of conventional detection, network security and threat intelligence, you must keep an eye out for a few anti-malware capabilities when choosing a provider.
1. Efficient File Parsing and Analysis
Scanning files is a functionality common to all antimalware engines. Even so, not all file scanners are born equal, with dedicated file analysers and parsers clearly differentiating leaders from laggards.
In general, parsing a file means being able to correctly extract the different pieces of data present in the file. In other words, parsing allows the anti-malware engine to scan all of a file’s relevant data (such as the scripts and macros from an MS-Office document or a .pdf file, for example) and deciding whether that data poses a threat.
This improves both detection speed and precision and allows the detection of hidden threats (some .pdf files can have additional files attached or have embedded scripts). A fault-tolerant parsing also allows the antimalware engine to parse and scan damaged or incompletely downloaded files, which a simpler engine would ignore. Even incomplete files sometimes can be opened and infect the user, so this security feature is highly important.
2. Archive Analysis
Archives have been a long-time favorite attack vector for cyber criminals. This is because archived files are extensively used at an enterprise level and can usually avoid e-mail server detection. Furthermore, the term ‘’archive” covers a wide range of formats (pretty much any file that contains other files can be one – such aș emails with attachments, ISO images or software installers) and these formats are not always covered by classical scan engines.
While scanning within archives is not a new feature, scanning through multiple types of archives as well as through damaged ones should be high on your priority list.
3. Unpacker Analysis
Much like archive analysis, unpacker analysis is a ‘’must’’ for any antimalware solution. Unlike archives, unpackers are used to unpack the single executable which has been packed with one or more free or a commercial packer/obfuscator, thus all the binary parameters (code, size, text strings, signatures) are changed.
This makes packed executables a common vehicle for Trojans and backdoor malware. Not only does it reduce the executable size, making it faster to download malware, but it also completely changes the binary. This means any detection that targeted the original binary – including machine learning detection – would not work against the packed content unless it is unpacked.
Since unpackers tend to be more diverse than archives, your provider should offer a way of unpacking them, either by using a relevant unpacker or by executing them in a safe environment and checking their contents, through emulation.
Speaking of emulation, this feature is vital when fighting polymorphic malware, as every single sample of this malware is different from all others. The ability to simulate the execution of the malware is vital when detecting the malware.
Emulation can also be incredibly useful when dealing with files whose binaries have been obfuscated (deliberately made too complex for humans to understand) or simply written in less-common languages (such as the Golang threat mentioned above). With these files, it’s always faster to just execute them in a controlled environment, rather than trying to deobfuscate the code, especially when the scan is time-sensitive.
5. Heuristics-based detection
While detection algorithms and signatures are vital to any successful solution, heuristics-based scanning should also be included. Rather than relying on existing information, heuristics relies on a combination of behavior and pattern analysis, as well as emulation, analyzing any abnormal activity of both known and unknown software.
Efficient heuristics lead to not just the blocking of malicious files, but also to the discovery of uncharted threats.
6. Machine Learning Algorithms
Since the threat landscape changes continuously, detection algorithms are also constantly evolving. Machine learning ensures that your solution has been and is constantly exposed to a wide variety of security-threatening situations, minimizing false positives and improving incident response.
Advanced solutions use wider, network-based machine learning algorithms such as neural and deep learning networks.
7. Cloud-based detection
Local filters are your first line of defense but your provider has to offer access to cloud-based updates and to Threat Intelligence to ensure novelty threats are reported in real-time.
The main advantage of such a system is that it allows the detection of new threats in seconds, without downloading engine updates.
Aside from these features, an efficient malware detection suite should be platform-agnostic and have a small footprint, allowing it to act faster than threats, regardless of the system.
Bitdefender’s award-winning Antimalware Engine offers protection against all commonly encountered malware, from Trojans and worms to ransomware and spyware, as well as against less common enemies such as advanced persistent threats, zero-day threats and many others.
With a 99.9% detection-rate, high speed scanning and quick integration into partner applications and services, our antimalware solution can adapt to any enterprise, SOC or MSSP.
However, you should not take any vendor’s own words for it. Our products have been constantly tested and awarded by independent analysts, to the point where our antimalware engine has won more awards than any other product in AV-Comparatives’ history. In fact, we’ve just won their Product of the Year Award.
If you want to find out more about what our solution can do for your company, read our extensive tech brief: Technologies used in the Antimalware Engine