Staying One Step Ahead: How Does Antivirus Research Work?
Aug 25, 2019 | by Justo
If you have always wondered how antivirus software can stay one step ahead of the viruses that plague the interwebs, do read on!
We all own an antivirus nowadays; however, we hardly know how it manages to stay one step ahead of the constantly evolving, ever-changing viruses that threaten to take down our systems. Well, the biggest step toward getting rid of a virus is being able to detect its malicious behavior in the first place.
First Step: Understanding the Process
The research process behind an antivirus is simpler than we think and more complicated than we expect. It is an analysis system that is done half automatically and half manually. All antivirus protection starts with this step: dissecting and analyzing unknown viruses. Symantec’s Digital Immune System, for example, combines automated submissions from users with automated analysis to hunt for potential viruses.
Human researchers are brought in only when necessary, but their job is no easy task. Dissecting viruses demands a high level of skill: they need to understand assembler, have a strong command of languages like C/C++ and of macro threats, and be familiar with file systems and operating systems. Eventually, experience teaches them how viruses work.
Antivirus Methods of Analysis
Every antivirus works in its own way; however, the methods used to analyze viruses are all similar. Researchers either use a disassembler to study the code structure, or run the sample in controlled and instrumented environments to study its behavior. In the latter approach, potentially bad code is run on real desktops and virtual servers and, in some cases, across networks, to reveal infections and how they spread.
Constantly Improved Techniques
Virus writers get more sophisticated every day, making it harder for antivirus software to keep up. Many viruses use anti-antivirus techniques that let them stay almost one step ahead. Such techniques include executing only on one day of the week or activating only after a specific keystroke, which is why researchers can take so long to actually detect a virus.
Automated and Manual
To detect these viruses, researchers execute them in purpose-built environments: automated ones that cycle through changes (dates, inputs and so on) to trigger the virus’s malicious behavior. When all of that fails, the only type of analysis that works is manual. Once researchers execute and replicate the virus, its code and behavior are cataloged so that any software scanner can identify it.
In the Lab
Trained researchers can analyze and run an application for hours or days to truly determine its malicious characteristics, its infection level, or its potential. However, this only happens in the lab, before the results make it into the software scanner: for customers to use the product it has to work fast, otherwise they won’t buy it.
Types of Detection
There are two types of detection that almost every antivirus, if not all of them, uses. These are signature and pattern detection, which look for exact matches, complemented by heuristic scanning and behavior detection, which extrapolate beyond known samples.
Other Research Methods
There are several ways to catch viruses other than scanning. One is file and boot integrity checking: some products include this method, which records a checksum of key executable and system files and then looks for anomalies at boot or at execution time. There is also a setting to monitor changes to boot records, as well as behavior blocking.
We can therefore conclude that the most complex part of an antivirus’s work is its research process, which relies on both automated and manual methods to execute viruses. That is what makes detection slow for researchers, and what makes the field difficult to learn for those who are interested in it.