How Does Antivirus Software Work in 2019?

BY: Paul Kane
Posted: January 15, 2019

In the never-ending cat and mouse game of virus vs antivirus, understanding how AV software identifies specific targets and prevents them from infecting your operating system can help better protect your computer from infiltration.

With hackers and other bad actors working ‘round the clock to spread newer, deadlier viruses, keeping that malware undetected for as long as possible is essential to their strategy.

Before we can deep-delve into the inner-workings of an antivirus, let’s first look at how a computer virus spreads quickly across networks, undetected.

What is a Virus and How Does it Work?

Viruses operate pretty much like any other program installed on your PC. The main difference, however, is the intent behind the program and exactly what the software has been programmed to do. Viruses are meant to harm, harvest, erase, eavesdrop, capture, or destroy important data on your PC or mobile device – sometimes all at the same time.

Every virus contains a signature, which is like its fingerprint. It’s the distinguishing feature that sets it apart from other programs running on your computer, and it also makes the virus recognizable, and therefore a potential target for antivirus software.

To seek out a virus’ unique signature, antivirus software first scans files for patterns that match what is already stored in its database. New viruses are often derivatives of old ones, which means they might still share the same underlying DNA that’s easily identifiable. The database for each antivirus product consists of definition files, and it must constantly be updated to catch the new strains (variations of the original virus’ DNA) that frequently pop up.

Looking Beyond Your PC

While most people fear that their personal desktop, laptop, or mobile devices could be infected, many viruses steal your personal data indirectly, by targeting the companies you do business with on a daily basis.

One example is when malware infected Target’s point-of-sale system and allowed hackers to siphon off 56-million credit card numbers. The infection is believed to have happened in either April or May of 2014. But no one actually knew about it until well into September of that same year.

Part of the problem is that viruses are slippery. They can attach themselves to completely legitimate files like email attachments or other downloadable formats like MP3 or movie files for a stealth breach of your system. This is why it’s imperative to have antivirus software constantly running in the background.


To make matters worse, viruses can shapeshift depending on their nefarious objectives. For example, phishing scams camouflage themselves as legitimate communication (like emails or instant messages) to fool their victims.

This was the method of choice in targeting five employees at Anthem, one of the largest insurance companies in the world. Stealing individuals’ data one person at a time requires a big investment of time and resources. Instead, infecting corporate devices gave the bad actors a backdoor through which to steal 80-million medical records. This included sensitive data like social security numbers and dates of birth. And it happened a full year before anyone realized it.

The primary reason for these attacks is pretty self-explanatory – money. Target, Home Depot, and Anthem were all targeted because they held A LOT of sensitive customer data that could be siphoned off for months on end without anyone even realizing.

What is Ransomware?

Ransomware attacks are a little more blunt. They get into your device and lock it down. The only way to get your data back is to meet their demands, forking over anonymous payments so they can bounce around to the next host.


The worst part is that these hackers don’t just target large multinationals who can easily spare a few bucks, but even nonprofits that work to benefit the needy.

Little Red Door, out of Indiana, is one such example. Hackers were able to hold their member data hostage until Little Red Door forked over $43,000 to make this little inconvenience go away quietly.

There are so many virus permutations that manual protection is impossible. Worms, trojans, ransomware, keyloggers, adware, phishing, and many, many more don’t just prey on negligence. They’re clever and crafty.

Therefore, the best method of securing your PC and devices is prevention from the start, which is the main purpose of antivirus software.

How Antivirus Software Identifies and Prevents Malware

Cross-checking definition files in a database for known malicious software is one of the ways antivirus software works to defend your system. But that leaves an obvious, gaping hole: what about viruses so new or stealth they haven’t yet been identified and added to the database?

Anything not in the database, or anything that obscures the signature’s paper trail, can still slip through the cracks. Hackers aren’t dumb. They know how antivirus software works. They know how it will attempt to sniff out the right combo of 1’s and 0’s. So they will try to sidestep it.

One popular method is encryption – exactly what you’d normally use to protect yourself. But in this case, viruses will either encrypt themselves or parts of the signature so it can’t be matched successfully.

Encryption locks sensitive data behind a lock that is, in practice, unbreakable. Depending on the strength of the encryption used, it can be virtually impossible to break without the right key (or password) to decrypt the contents.

The result is successfully obfuscating a virus’ signature fingerprint to the point that your antivirus software has trouble even detecting it, let alone knowing how to stop it.

Another trick includes mutation like a biological virus. Here, the malware will infect a device and then spin off spawns of all shapes and sizes. So now you’re not just fighting one battle, but an all-out war on several fronts at the same time – each with a different type of malware and required antidote.

Antivirus tools, in response, counterpunch with a few tricks of their own.

The first is through heuristic detection or analysis. Instead of trying to detect just a single signature and fall victim to a mutation, antivirus software will combine related ones into ‘families.’ That way, they can use a broader generic signature to identify anything that looks or smells or acts like a virus from each family. That’s not the only trick up their sleeve, though.
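To make the difference between an exact definition and a family signature concrete, here is a small added example (not code from the article or from any antivirus product). It scans three constructed byte strings that stand in for executables: the original strain, a derivative with a few bytes changed, and a clean file. The hashes, patterns and sample names are all made up for the illustration.

```python
import hashlib
import re
from typing import Optional

# Constructed sample "files": byte strings standing in for executables.
# KNOWN is the original strain, VARIANT a derivative with a few bytes
# changed (as a new strain might be), CLEAN a benign file.
KNOWN = b"MZ\x90\x00" + b"\x01\x02\x03" + b"EVIL_STAGE_v1" + b"\x55\x8b\xec"
VARIANT = b"MZ\x90\x00" + b"\x09\x02\x07" + b"EVIL_STAGE_v2" + b"\x55\x8b\xec"
CLEAN = b"MZ\x90\x00" + b"hello world" + b"\x55\x8b\xec"

# Definition file, exact form: one hash per known sample. This catches the
# sample it was built from and nothing else.
EXACT_DEFS = {hashlib.sha256(KNOWN).hexdigest(): "EvilStage.A"}

# Definition file, family form: a byte pattern that tolerates the fields a
# derivative typically changes (here a 3-byte field and the version digit).
FAMILY_DEFS = {
    "EvilStage (generic)": re.compile(
        rb"MZ\x90\x00.{3}EVIL_STAGE_v\d\x55\x8b\xec", re.S
    ),
}


def scan_exact(data: bytes) -> Optional[str]:
    """Return the definition name if the file's hash is in the database."""
    return EXACT_DEFS.get(hashlib.sha256(data).hexdigest())


def scan_family(data: bytes) -> Optional[str]:
    """Return the family name if a generic pattern matches anywhere."""
    for name, pattern in FAMILY_DEFS.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> Optional[str]:
    """Layered check: exact definitions first, then family signatures."""
    return scan_exact(data) or scan_family(data)


if __name__ == "__main__":
    for label, sample in (("known", KNOWN), ("variant", VARIANT), ("clean", CLEAN)):
        print(f"{label:8} exact={scan_exact(sample)!s:14} family={scan_family(sample)}")
```

The variant slips past the exact definition but is still caught by the family pattern, which is the point of grouping related strains.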

A rootkit is malware that specifically targets administrative controls on a device. Just like it sounds, a rootkit aims for complete control over the entire operating system, embedding itself at the metaphorical ‘roots’ so you can’t get rid of it.

Rootkit detection checks which actions a program is attempting to execute and, based on those actions, determines whether it’s malicious (and how to stop it accordingly).

One similar technique is through using a sandbox before installing any new software. Think about this website you’re reading. It has a ton of visitors, so we wouldn’t want to push a new feature live without testing it first. Install an untested plugin, for instance, and you risk a bug bringing down the entire website.

Instead, you’d test any new features on a staging server, first. It’s like a working replica that allows you to make changes and analyze the impact before pushing it ‘live.’


Same idea applies to a sandbox used by antivirus software. In this case, it will test a new file or run a new piece of software and then sit back and wait. It’ll watch what happens, and what the program tries to do. But all of this occurs in a safe, isolated environment. And it’s only when everything checks out that the program will actually be allowed to run on your device.


Sandboxing is considered a behavioral-based detection scheme because it’s judging the behavior of the virus, as opposed to automatically classifying it based on its properties.
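The following added example (again not code from the article or any real product) shows the shape of the judgement a sandbox makes after it has watched a sample: a trace of recorded actions is scored against weighted behaviour rules rather than compared to a byte signature. Both traces, the file paths, hostnames and the rule weights are constructed for the illustration.

```python
from typing import Callable, List, Tuple

Event = Tuple[str, str]  # (action, target) as a sandbox might record it

# Constructed trace of a well-behaved installer.
INSTALLER_TRACE: List[Event] = [
    ("file_write", r"C:\Program Files\App\app.exe"),
    ("registry_write", r"HKLM\Software\App\Version"),
    ("net_connect", "updates.example.com:443"),
]

# Constructed trace of a sample that persists, injects, encrypts documents
# and calls out to a bare IP address.
SUSPECT_TRACE: List[Event] = [
    ("file_write", r"C:\Users\alice\AppData\Roaming\svch0st.exe"),
    ("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
    ("process_inject", "explorer.exe"),
    ("file_write", r"C:\Users\alice\Documents\report.docx.locked"),
    ("file_write", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    ("file_delete", r"C:\Users\alice\Documents\report.docx"),
    ("net_connect", "203.0.113.7:4444"),
]


def rule_autorun(events: List[Event]) -> bool:
    return any(a == "registry_write" and "\\CurrentVersion\\Run" in t for a, t in events)

def rule_injection(events: List[Event]) -> bool:
    return any(a == "process_inject" for a, _ in events)

def rule_mass_rename(events: List[Event], threshold: int = 2) -> bool:
    return sum(1 for a, t in events if a == "file_write" and t.endswith(".locked")) >= threshold

def rule_raw_ip_connect(events: List[Event]) -> bool:
    return any(a == "net_connect" and t[0].isdigit() for a, t in events)

# (rule, weight): one odd action is tolerated, several together are not.
RULES: List[Tuple[Callable[[List[Event]], bool], int]] = [
    (rule_autorun, 3), (rule_injection, 4), (rule_mass_rename, 5), (rule_raw_ip_connect, 2),
]
BLOCK_THRESHOLD = 5


def score(events: List[Event]) -> Tuple[int, List[str]]:
    """Total weight of the rules this trace triggers, plus their names."""
    hits = [rule.__name__ for rule, _ in RULES if rule(events)]
    return sum(w for rule, w in RULES if rule.__name__ in hits), hits


def verdict(events: List[Event]) -> str:
    return "block" if score(events)[0] >= BLOCK_THRESHOLD else "allow"
```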

Last but not least, antivirus software is beginning to layer on machine learning to these behavior-based techniques. That way, they can predict what’s about to happen (based on previous similar actions) and stop it in its tracks before it does.

If you’re following along at home, you’ll notice the key to antivirus software success isn’t through one tactic. They can’t. Viruses are too nimble and sophisticated, able to shapeshift at a moment’s notice to easily bypass one or two security checkpoints.

Instead, they combine a few different strategies with different methods of detection to stop as many attacks as possible. Sadly, they’re not perfect. Far from it in fact. Here’s why.

Even Antivirus Software Can’t Always Be Trusted

Most consumers are overconfident in the trust they put into their antivirus software and that can lead to risky behavior that puts the system at greater risk from contracting something malicious.

Even your own antivirus software could be harmful if it doesn’t have a proven track record. Take Mac Defender, for example, which sounds like a legitimate program for defending Mac computers against infection.


Despite branding itself as antivirus software, along with aliases like MacProtector or MacSecurity, Mac Defender is actually a phishing scam used to trick unwary consumers looking to protect their data. Victims are redirected from legitimate websites to fake ones that report that their computer is infected with a virus and instruct them to install Mac Defender immediately to fix the problem. Then it takes their credit card info like a thief in the night.

This is just one of many malware programs masquerading as a solution when in fact it’s part of the problem. The purported antivirus software is actually malware (i.e. malicious software) whose ultimate goal is to get the user’s credit card information, which may then be used for fraudulent purposes. The most common names for this malware are MacDefender, MacProtector and MacSecurity.

WinFixer is another rogue program, this one Windows-specific, that manufactures issues to scare you into infecting your own device.


This is just one of the many reasons to be careful of where you get your antivirus recommendations.

However, even good antivirus software can cause problems with false alarms. When your antivirus software detects the signature of a virus that matches its database, it will usually recommend deleting those files immediately. But when it’s flagging the wrong files, and you need those to perform basic functions on your device, it can leave you powerless.

Google Play Protect did this in 2017, flagging a Bluetooth app on the Motorola Moto G4 and deleting it. When that happened, users were no longer able to use Bluetooth at all.

Preventing Antivirus Software From Bogging Down Your PC

Antivirus software can also affect performance. Constant scanning in the background can slow your device down to a crawl. This can range from frustrating to downright impractical when trying to perform any resource-intensive activities. So, what do users do?

A common shortcut is to deactivate it, at least temporarily, while playing P2P multiplayer games or downloading torrents. In other words, during two of the highest-risk activities, since you’re willingly connecting to other devices while unprotected. It’s like lowering the drawbridge to welcome the enemy through your own gates.

New viruses, as discussed, are hard to track for a variety of reasons. There’s either nothing to match it against in the definition files, or it uses new techniques like encryption to avoid your scans.

There’s a better-than-even chance of them wreaking some havoc before they’re fully caught. And once files are infected, they’re tough to fix. Depending on what’s wrong, you might even have to reinstall programs or wipe the operating system entirely.

Not unlike fighting cancer with chemotherapy, unfortunately, you’re going to take out a lot of good cells while getting rid of the bad.


Antivirus software works by identifying similar patterns from its database, or using tools to help predict when an attack will occur (and stopping it before it does). It uses a multi-pronged approach, because viruses can adapt, transform, and get stronger over time. So your risk of exposure doesn’t decrease over time, but only increases exponentially.

Antivirus software isn’t always foolproof, though. There are many malicious programs that masquerade as something that will help you in order to actually harm you. They can cause performance delays to the point where you might willingly drop your guard. And mediocre ones on the market often won’t evolve as quickly as the viruses they’re chasing.

That’s why it’s absolutely critical to only use the best antivirus software on the market. The best form of defense is prevention in the first place. Otherwise, you may not get a do-over once it’s too late.

About the Author

Paul Kane

Paul is an avid copywriter and editor with a keen interest in cyber security and high tech.