Article

Antivirus or behavioural analysis (reactive vs. proactive)

June 9, 2020 · Authored by Bernard Regan, Dennis Stewart

Since the birth of computers, it has been an accepted risk that devices can fail when executing program code with errors. The scientists, mathematicians, and programmers of that era did not know that one day, code would be intentionally written to create errors. As computers became a part of everyday life, pranksters, criminals, and governments created viruses so they could steal data or simply to cause havoc.

The first computer virus was named, “Creeper”. In 1971, it spread across the Internet’s predecessor ARPANET, copying itself from one mainframe to another. Creeper didn’t destroy data or hinder operations; it simply printed the phrase “I’m the creeper: catch me if you can”.

12 years after Creeper’s rampage, Dr. Fred Cohen coined the term “computer virus”. Over this period, malware had grown more complex and capable of creating greater damage. Demand grew for tools to identify and prevent infection.

The first antivirus (AV) product was launched in 1987, and AV operates using the same basic techniques to this day. AV software contains a database of ‘signatures’ for viruses. Signatures are generated from basic information about a virus, such as unique lines of code or file names. Engineers at AV firms write “definitions” for new viruses, including multiple signatures. Most AV software is configured to automatically update with the latest definitions.

AV software scans files, checking if they match signatures in the database, and deleting or quarantining those that do. This type of protection is deployed on computers, firewalls, email spam filters, and other gateways. Whilst operating on the same principles, AV software is often differentiated by the quality of the database or by implementing quicker algorithms for scanning. As AV applications are reliant on the database of known malicious signatures, they will only ever act as a reactive tool.

Like any protective measure, threat actors research AV to better circumvent it. Most attacks carried out today use a Frankenstein’s monster of existing viruses or malware. Writing new malware is difficult; it is easier to alter signatures by editing existing malware.  Authors can change signatures by “packing” malware, encrypting the instructions and then decrypting as needed. Code can also be rewritten to get a new signature while still having the same result. For example, the instruction “divide by 2” is the same as “multiply by 3, then divide by 6” - this technique is polymorphism.

“Packing” and polymorphism can trick AV into thinking it has not seen that file before. While tedious to do manually, these techniques can be automated. A savvy threat actor can send thousands of phishing emails, each with unique (but functionally identical) payloads that evade AV.

The increasing prevalence of ransomware attacks has increased the risk of malware slipping through the cracks. If AV applications cannot identify, react, and protect against these threats, then a different solution is required. This has necessitated a new way to protect against malware: behavioural analysis (BA).

BA is often considered the next generation of proactive protection for computers and devices. It works by monitoring the actions of files rather than comparing signatures against a database. For example, a Word document has no need to access system files or the registry and an Excel sheet probably shouldn’t run cryptography libraries. In both cases, BA would identify the file as malicious and prevent execution.

BA is resource intensive, and is not possible on less powerful devices. Some BA tools can perform limited analysis locally, but this comes at a steep hardware and infrastructure cost. As a workaround, many BA programs will upload files to a powerful “sandbox” in the cloud for deep analysis, which introduces a delay.  

The largest drawback to this method of analysis is that uploading files for review requires an internet connection. When offline, files are either allowed to run, increasing the risk of infection, or users are required to wait until an internet connection is restored.

Further, advanced malware developers have caught on and now try to determine if the program is running in a sandbox. If the malicious program knows it is being analysed, it can act normally to evade detection. Fooling the BA application is one of the latest steps in the conflict between threat actors and the defensive security community.

It should therefore be clear that protection is not as simple as using one or the other. Both AV and BA have their strengths and user cases in a network environment. Most often, the best option is to utilise both types of solution. The biggest pain point of this is the cost of purchasing both solutions; this has led to some vendors developing tools incorporating both methods. BA can detect new threats, and AV can protect against threats that evade analysis.

To those outside of IT, adopting a second endpoint solution may seem unnecessary and expensive. Like most security products, if they work well, they go unnoticed. While there is little or no visible return on investment, the cost of endpoint security solutions fade in comparison to the business interruption cost of ransomware or legal, regulatory, and reputational costs from a data breach. AV and BA best eliminate risk when working in concert.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.