Since the birth of computers, it has been an accepted risk that devices can fail when executing program code with errors. The scientists, mathematicians, and programmers of that era did not know that one day, code would be intentionally written to create errors. As computers became a part of everyday life, pranksters, criminals, and governments created viruses so they could steal data or simply to cause havoc.
The first computer virus was named “Creeper”. In 1971, it spread across the Internet’s predecessor ARPANET, copying itself from one mainframe to another. Creeper didn’t destroy data or hinder operations; it simply printed the phrase “I’m the creeper: catch me if you can”.
Twelve years after Creeper’s rampage, Dr. Fred Cohen coined the term “computer virus”. Over this period, malware had grown more complex and capable of causing greater damage. Demand grew for tools to identify and prevent infection.
The first antivirus (AV) product was launched in 1987, and AV operates using the same basic techniques to this day. AV software contains a database of ‘signatures’ for viruses. Signatures are generated from basic information about a virus, such as unique lines of code or file names. Engineers at AV firms write “definitions” for new viruses, including multiple signatures. Most AV software is configured to automatically update with the latest definitions.
AV software scans files, checking if they match signatures in the database, and deleting or quarantining those that do. This type of protection is deployed on computers, firewalls, email spam filters, and other gateways. Whilst operating on the same principles, AV software is often differentiated by the quality of the database or by implementing quicker algorithms for scanning. As AV applications are reliant on the database of known malicious signatures, they will only ever act as a reactive tool.
Like any protective measure, threat actors research AV to better circumvent it. Most attacks carried out today use a Frankenstein’s monster of existing viruses or malware. Writing new malware is difficult; it is easier to alter signatures by editing existing malware. Authors can change signatures by “packing” malware, encrypting the instructions and then decrypting them as needed. Code can also be rewritten to get a new signature while still producing the same result. For example, the instruction “divide by 2” is equivalent to “multiply by 3, then divide by 6”; this technique is called polymorphism.
“Packing” and polymorphism can trick AV into thinking it has not seen that file before. While tedious to do manually, these techniques can be automated. A savvy threat actor can send thousands of phishing emails, each with unique (but functionally identical) payloads that evade AV.
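The signature-database model described above, and the reason the text calls it reactive, as an added example in Python that is not part of the original article and is not the code of any real AV product. The definitions, byte patterns and file names are constructed for illustration only.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Definition:
    """One AV 'definition': a named family carrying several signatures."""
    name: str
    byte_signatures: List[bytes]                          # byte sequences lifted from the malware body
    file_names: List[str] = field(default_factory=list)   # file names the family is known to use


# Constructed, hypothetical definitions for illustration; not real AV signatures.
DEFINITIONS = [
    Definition("Creeper-like", [b"I'M THE CREEPER: CATCH ME IF YOU CAN"], ["creeper.com"]),
    Definition("Dropper-sample", [b"\xde\xad\xbe\xef\x00\x01", b"eval(base64_decode("]),
]


def scan_bytes(content: bytes, filename: str = "", definitions=DEFINITIONS) -> List[str]:
    """Return the name of every definition whose signatures match the content or file name."""
    base_name = filename.rsplit("/", 1)[-1].lower()
    hits = []
    for d in definitions:
        if base_name in d.file_names or any(sig in content for sig in d.byte_signatures):
            hits.append(d.name)
    return hits


def verdict(content: bytes, filename: str = "") -> str:
    """Map scan results onto the two actions the article describes: quarantine or allow."""
    return "quarantine" if scan_bytes(content, filename) else "allow"


def scan_file(path: str) -> str:
    """Scan a file on disk with the same definitions."""
    with open(path, "rb") as fh:
        return verdict(fh.read(), path)


if __name__ == "__main__":
    # Constructed sample payloads: the second differs from the first by a single byte.
    original = b"PADDING ... I'M THE CREEPER: CATCH ME IF YOU CAN ... PADDING"
    variant = b"PADDING ... I'M THE CR33PER: CATCH ME IF YOU CAN ... PADDING"
    print(verdict(original, "memo.txt"))    # quarantine
    print(verdict(variant, "memo.txt"))     # allow: no definition covers this variant yet
    print(verdict(variant, "creeper.com"))  # quarantine: the file-name signature still matches
```

The second payload is only caught once an engineer ships a definition for it, which is the reactive gap the article refers to; layering several signature types per definition (bytes and file names here) narrows that gap but does not close it.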