Is anti-virus obsolete? - The First Global Cybersecurity Observatory

5 features to seek in the next generation anti-virus whether you’re an expert or not!

The landscape of computer threats is in constant evolution. We see new trends appearing, agitating the world of cybersecurity every year! In 2017, ransomware was the star of the party. In 2018, it seems that the new popular trend among hackers is what we call fileless attack (meaning attack without files). According to the latest Gartner and Forrester research, meeting the endpoint security challenge will be a central piece of many companies’ cybersecurity programs for 2019. Today we are giving you a glimpse of the reasons why you cannot solely depend on a scanning anti-virus anymore, and the features you should look for in your next endpoint security system.

Understanding the limits

Back to the basics: antivirus software is a necessary part of every multi-layered cybersecurity program. Nowadays every expert would recommend not even turning on a computer without these programs installed and updated.

They are mostly signature based applications running in the background of your computer that are checking every file you open, scanning traffic and looking in a known database of threats and attacks in order to detect any suspicious signature. It is a piece of code of the virus, comparable to finger prints that identifies it.

Each virus has its own signature. Even if the virus code is not exactly the same, the signature can remain. The interest of the scan is to detect viruses before they run. As soon as you are downloading a file on the disk, the analysis will start.

The performance impact

Traditional antivirus programs run several kinds of scans without considering user activity. For example, they can run a real-time scan on the files you use to make sure they are clean, but it can take up a lot of your system resources and a lot of storage place on your hard drive. If not properly set up, these programs can have a real negative impact on productivity and user experience.
Because of that, we see many staff members postponing scans or simply deactivating them and endangering the whole organization.

Regular updates

Bruno Roques, R&D director at Wooxo sums up the situation:

“The current anti-viruses are regularly updated to integrate the patches of correction following attacks identified by the power plants, but still it is necessary to download the updates on each of the posts and all the employees do not do it…”

Even if you are regularly updating your software, it is impossible for vendors to produce an endless list of new malware and attacks. The bad guys are creative and will always find a way to create brand-new ways to enter your system.

Signature-based scans

Anti-virus and anti-malware are mostly signature-based applications. It was sufficient few years ago, but the situation has changed, and it now raises serious issues: your programs are looking for “finger prints” they would recognize from their database and identify common patterns in the malware’s code, meaning that their action is limited to what they already know.

When it comes to a polymorphic or metamorphic virus - a virus that modifies a part or all its code during its replication - no scanning antivirus will be able to identify it by a signature. For example, the famous ransomware “Wannacry” and “Petya” were polymorphic and metamorphic viruses exploiting zero-day vulnerabilities. They are vulnerabilities unidentified by the product developers, but “waiting” to be exploited by hackers before they are patched. Your scanning antivirus will also not prevent you from this.

File-less attacks

No file, no notification of classic antivirus, no scan and no protection!

They had already existed for many years but seem to have gained in popularity since 2017: according to the Ponemon Institute, 77% of the registered attacks last year were fileless.

These attacks exploit legitimate, natively installed programs (like Power Shell or Windows Management Instrumentation) that can execute tasks from the control console directly from within the RAM of the device.

5 key features any organization should require for its next antivirus

1. Zero-day protection (ZDP)

Preventing from zero-day attacks needs an efficient multi-layer security software that looks in depth in your system when necessary. There are now engines dedicated to the identification of Zero-day exploits. They are based on hybrid detection techniques using statistic and behavioral algorithms.

They look in detail at your running programs to find any suspicious action that could be related to a zero-day exploit.

2. Static analysis

Because malware are still hiding in files and folders, the static analysis is a mandatory feature which will scan files before their execution, identify the threat level and block it in case of high risk. The advantage of static analysis comes from the fact that it is also checking files at rest which are often not seen as a threat by classic scanning anti-virus and therefore detect a malware before it has been executed.

3. The emulator of environment (Sandbox)

Another approach to handle signature changes is to employ an emulator of environment, or sandbox. This is a virtual environment used to isolate and execute suspicious programs in order to detect any wrong behavior and block them. An emulator alone will not be enough to provide you with a sufficient level of security, but coupled with predictive security, such as machine learning, it will significantly increase your protection.

4. Analysis in real condition (Host Intrusion Prevention)

This engine will analyze running programs and detect suspicious behavior, especially when accessing the servers. This feature is very useful against fileless attacks: for example, visiting a website, using a Microsoft Word macro or running PowerShell is legitimate, but their simultaneous activation can result from a phishing attack bringing the user to a malicious website. The engine can therefore realize that it is not a normal operating situation and block affected programs.

5. The machine learning engines

Machine learning is a branch of artificial intelligence enabling machines to learn by giving them a large amount of data to process. While all the features mentioned earlier will protect your system to an acceptable level, machine learning will learn and extract the behavioral characteristics useful for detecting malicious acts. It creates a detection logic applied to running programs. This lifelong learning is what allows the engine to detect the threats yet unknown!

Scanning anti-viruses are still a mandatory part of your company’s security but it cannot only be limited to this feature anymore. It should only be one of the characteristics you are seeking to get when establishing your cybersecurity strategy. And beside the whole preventive aspect, never neglect a strong curative safeguard such as a Backup & Recovery Plan.