10 Malware Detection Techniques Used by AntiVirus. How AntiVirus Works?

An AntiMalware, also known as AntiVirus, uses multiple technologies, algorithms, and analysis techniques for detecting viruses and all of the other types of malware. All of this is happening in real-time in the background of your computer. Here are the 10 Malware Detection Techniques used by Antivirus/Antimalware software to detect Viruses, Worms, Adware, Spyware, Ransomware, Trojan Horse, and all the remaining types of Malware.

  1. File Signature Analysis
  2. Heuristic Analysis
  3. Behavioural Analysis
  4. Cloud Analysis (and File Rating)
  5. Sandbox Analysis (Virtualization)
  6. Host Intrusion Prevention System (HIPS)
  7. Web Filtering and Application Control
  8. Web Browser Extensions/Add-ons/BHOs
  9. Custom Domain Name System (DNS) Servers
  10. Firewall (available in Security Suites)

1. File Signature Analysis

The File Signature Analysis is the oldest and the simplest kind of detection technique. The antivirus companies have a database that contains the signatures (hashes or pieces of code) of all the previously detected malware. This database is known by various names such as Signature Database, Signatures, or Virus Definitions. Antivirus programs continuously scan all of the files and programs on the computer, and match them against these signatures. If a file or a program matches an entry in the database then it is blocked, and the user is notified.

2. Heuristic Analysis

The Heuristic Analysis is a more advanced form of File Signature Analysis. Signature-based Analysis is the oldest and the most commonly used method of malware identification, but it is not the most reliable one. A small change in the code of previously detected malware can make it undetectable in the eyes of an antivirus that uses only Signature Analysis. It also cannot protect against threats that haven’t been identified and whose signatures haven’t been created yet. Therefore, the system is vulnerable to such threats.

Heuristic Analysis uses algorithms to determine if a program is malicious or not. It examines the code of the program, and tries to determine what this code would do using various methods. If the code is similar to the code of a malware already present in the signature database then it blocks the program, because it could be a new variant of that malware. This way, it is helpful in catching new variants of malware. The Malware Signatures/Virus Definitions work together with Virtualization (Sandboxing) in this type of analysis.

Heuristic Analysis is the root cause of False Positives, because the antimalware program decides that a program is malware based on limited information. In reality, that specific program may not be harmful at all.
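As an added example (not code from the original article), the three stages described in sections 1 and 2 run over constructed byte strings: an exact-hash signature, a byte-pattern signature that still catches a file after a small edit, and a byte 4-gram similarity heuristic that flags a variant the patterns miss. The sample names, contents and the 0.6 threshold are all made up for illustration.

```python
import hashlib
from typing import Optional

# Constructed stand-ins for file contents; none of this is real malware.
KNOWN_BAD = b"MZ\x90\x00 copy self to Startup folder; contact update-server every 60s; hide window"
VARIANT_1 = b"MZ\x90\x00 copy self to Startup folder; contact update-server every 90s; hide window"
VARIANT_2 = b"MZ\x90\x00 copy self to startup Folder; contact update-server every 90s; hide window"
BENIGN = b"MZ\x90\x00 unpack installer files; write readme.txt; show licence dialog; exit"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The "virus definitions": exact hashes and byte patterns of previously seen samples.
HASH_DB = {sha256(KNOWN_BAD): "Sample.A"}
PATTERN_DB = {b"copy self to Startup folder; contact": "Sample.A.pattern"}
KNOWN_SAMPLES = {"Sample.A": KNOWN_BAD}

def signature_scan(data: bytes) -> Optional[str]:
    """File Signature Analysis: exact hash lookup first, then byte-pattern search."""
    name = HASH_DB.get(sha256(data))
    if name:
        return name
    return next((n for pat, n in PATTERN_DB.items() if pat in data), None)

def ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of byte 4-grams: a crude measure of how much code two files share."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb)

def heuristic_scan(data: bytes, threshold: float = 0.6) -> Optional[str]:
    """Heuristic Analysis: flag a probable variant when the code is close to a known sample."""
    for name, sample in KNOWN_SAMPLES.items():
        score = similarity(data, sample)
        if score >= threshold:
            return f"{name}.variant (similarity {score:.2f})"
    return None

def scan(data: bytes) -> str:
    """Cheap, exact checks run first; the fuzzier heuristic only sees files they miss."""
    hit = signature_scan(data)
    if hit:
        return "blocked: " + hit
    hit = heuristic_scan(data)
    return "suspicious: " + hit if hit else "clean"
```

VARIANT_1 changes one byte and already escapes the hash; VARIANT_2 also breaks the byte pattern and is only caught because most of its 4-grams still overlap with the known sample, which is exactly the kind of judgement that produces false positives on unrelated files sharing common code.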

3. Behavioural Analysis

This method is also useful for identifying malicious programs that are yet to receive virus definitions from the vendor, or those that have so far managed to remain hidden from the antivirus developers. Behavioural Analysis, as the name suggests, analyses the behaviour of programs. If the behaviour of a program matches that of a known malicious program, then the antimalware recognises it as malware.

The HIPS (Host Intrusion Prevention System) and the IDS (Intrusion Detection System) technologies work in this type of analysis.

Behavioural Analysis also has a drawback. It is responsible for an increased number of False Positives. A legitimate program might be accessing important locations of the system, but the antimalware may block it, assuming it is malicious software.
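An added example (not from the article) of the behaviour matching described above: two behaviour rules run over a constructed event trace of the kind a sandbox or HIPS driver records, grouped per process. The process names, paths and rules are made up, and the backup tool in the trace shows the false positive the section warns about.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Event:
    process: str
    action: str    # file_write | reg_set | net_connect
    target: str

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

def persistence_then_beacon(events: List[Event]) -> bool:
    """Autostart entry written, then an outbound connection from the same process."""
    registered = False
    for e in events:
        if e.action == "reg_set" and e.target.startswith(RUN_KEY):
            registered = True
        elif e.action == "net_connect" and registered:
            return True
    return False

def mass_document_rewrite(events: List[Event], limit: int = 5) -> bool:
    """Many user documents rewritten under an extra extension within one trace."""
    rewritten = [e for e in events if e.action == "file_write"
                 and "\\Documents\\" in e.target
                 and e.target.rsplit("\\", 1)[-1].count(".") >= 2]
    return len(rewritten) >= limit

RULES: Dict[str, Callable[[List[Event]], bool]] = {
    "persistence+beacon": persistence_then_beacon,
    "mass-document-rewrite": mass_document_rewrite,
}

def analyse(trace: List[Event]) -> Dict[str, List[str]]:
    """Group events per process and report every behaviour rule each process triggers."""
    by_process: Dict[str, List[Event]] = defaultdict(list)
    for e in trace:
        by_process[e.process].append(e)
    return {p: [name for name, rule in RULES.items() if rule(evs)]
            for p, evs in by_process.items()}

# Constructed trace: one suspicious process, one legitimate backup tool, one editor.
TRACE = (
    [Event("unknown.exe", "reg_set", RUN_KEY + r"\unknown"),
     Event("unknown.exe", "net_connect", "203.0.113.10:443")]
    + [Event("unknown.exe", "file_write", rf"C:\Users\u\Documents\doc{i}.docx.locked") for i in range(5)]
    + [Event("backup.exe", "file_write", rf"C:\Users\u\Documents\doc{i}.docx.bak") for i in range(6)]
    + [Event("notepad.exe", "file_write", r"C:\Users\u\Documents\notes.txt")]
)
```

backup.exe trips the mass-rewrite rule purely because it writes many .bak copies under Documents, which is the false positive a behaviour rule cannot distinguish from ransomware-like activity without more context.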

4. Cloud Analysis (and File Rating)

New malware is appearing at an astonishing rate. It is not possible to create signatures for all of the malware that is found every day. So, in order to provide more effective protection to their users, the antivirus companies added another weapon to their arsenal to combat malware. In the Cloud Analysis method, the malware analysis is done in the cloud, i.e., on the antivirus vendor’s servers.

The Cloud Analysis is essential for detecting new types of malware. When an Antivirus finds a file that displays a behaviour similar to that of a malicious application then it is sent to the Antimalware vendor labs where it is tested. If the program is found to be malicious, a signature is created for it, which is used to block it from all of the other computers where it is detected.

The Cloud Analysis technology has made it possible to create a lightweight antivirus product. In a cloud-focused antivirus, the virus definitions or signatures are not downloaded to the computer, so no bandwidth or disk space is spent on definition updates. Plus, the advanced analysis of potentially malicious files is done on the antivirus vendor’s infrastructure rather than on the user’s computer, which saves processing power as well. The drawback of using a cloud antivirus is that it always requires an active Internet connection.

5. Sandbox Analysis (Virtualization)

The Sandbox Analysis technology involves running the programs in a virtual environment to check their actions. If a program acts like a malware then it is marked as one. The Virtualization and the Behavioural Analysis technologies are used in this type of detection technique.

The sandboxing feature can also be used to run all of the files that the antivirus can neither whitelist nor blacklist. The files are executed in an isolated section, separate from the other files stored on the computer. So, running a file in a sandbox container gives you the best of both worlds. If the file is malicious, it can’t harm your computer because it was executed in a virtual environment/sandbox container, and if it is a legitimate program, you were still able to run it.

6. Host Intrusion Prevention System (HIPS)

Host Intrusion Prevention System (HIPS) is a technology used by security software to detect malicious behaviour in a program. It involves monitoring each activity performed by software on the system. It notifies the user about these activities, and presents them with options like Allow, Block, etc. for those activities.

7. Web Filtering and Application Control

Just like a database of malicious files called Signatures or Definitions, the antivirus companies also keep a database of malicious URLs or website addresses. This is used in the Web Filtering component of the antivirus product. The Web Filtering technology is used to protect the computer from the Internet-borne threats by blocking access to malicious websites, preventing malicious files from being downloaded, and by notifying the user about suspicious websites.

Application Control, also called a Process Monitor in some programs, is used to monitor the activities of programs installed and running on the computer. This works like an advanced Task Manager, and gives you many advanced options to control how a program works. This feature uses the malicious URL database to identify malicious programs. For example, if a program on the computer is trying to communicate with a website or server whose address is listed in the malicious URL database, then that program is labelled as malware, and is blocked.

8. Web Browser Extensions/Add-ons/BHOs

For most users, most of the time spent on the computer is spent in a web browser. A web browser is used to browse the Web, the most common place for computers to pick up malware. So, it makes sense to make a product built only for web browsers. Different web browsers use different names for these, such as Extensions, Add-ons, Plug-ins, Browser Helper Objects (BHO), etc.

9. Custom Domain Name System (DNS) Servers

Some Internet Service Providers (ISPs) inject ads into their networks. You cannot always block these types of ad networks using ad-blocker extensions. This is because the ISPs usually use local ad networks to inject ads, and the ad-blockers may not be aware of these companies yet.

These ads, and potential threats, can be blocked by blocking the main domain and all of its connected subdomains. One way of doing so is by using the Hosts file. A user can edit the Hosts file to block such networks, or use a custom Hosts file. A better option would be using a third-party DNS service. Some antivirus companies provide a security-focused DNS service that automatically blocks malicious and other unsuitable categories of websites.
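An added example (not the article's own code) covering two places the malicious-URL database is used: the Application Control check from section 7 and the domain-plus-subdomain blocking from section 9. One label-wise matcher serves both, and a hosts-file helper shows why the Hosts file needs an explicit line per hostname while a filtering resolver covers every subdomain. The domain list, categories and addresses are constructed.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed malicious-URL/domain database in the style a vendor would ship; hosts are made up.
BLOCKED_DOMAINS = {
    "ads.example-isp.net": "isp-ad-injection",
    "malicious.example": "malware-distribution",
}
SINKHOLE = "0.0.0.0"

def normalise(host: str) -> str:
    """Lower-case and strip a trailing dot so 'Ads.Example-ISP.net.' matches the database."""
    return host.strip().lower().rstrip(".")

def blocked_category(host: str) -> Optional[str]:
    """Match a host, or any parent domain of it, against the database. Matching is by
    whole labels, so 'notmalicious.example' does not match 'malicious.example'."""
    labels = normalise(host).split(".")
    for i in range(len(labels)):
        category = BLOCKED_DOMAINS.get(".".join(labels[i:]))
        if category:
            return category
    return None

def application_control(connections: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Section 7: label a program malicious when it tries to reach a listed address."""
    verdicts = []
    for process, host in connections:
        category = blocked_category(host)
        verdicts.append((process, host, f"blocked:{category}" if category else "allowed"))
    return verdicts

def resolve(name: str, upstream: Dict[str, str]) -> str:
    """Section 9: a filtering DNS resolver answers listed names (and all their subdomains)
    with a sinkhole address; anything else is looked up in the upstream answer table."""
    if blocked_category(name):
        return SINKHOLE
    return upstream.get(normalise(name), "NXDOMAIN")

def hosts_file_entries(names: Iterable[str]) -> List[str]:
    """Hosts-file equivalent: one explicit line per hostname, with no wildcard for subdomains."""
    return [f"{SINKHOLE} {normalise(n)}" for n in names]
```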

10. Firewall (available in Security Suites)

A Firewall monitors the network connections in real time, and notifies the computer user about all of the incoming and outgoing network connections. It blocks malicious traffic, and prevents malicious applications from connecting to the Internet and sending sensitive user data to the hackers. It also protects the computer from unauthorized remote access attempts by automatically terminating such connections. Another way a firewall protects the computer is by hiding the open ports from port scans, to prevent any potential hacker attacks on the computer.
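An added example (not from the article) of the decisions a personal firewall of the kind described here makes: a small stateful rule evaluator that lets replies to connections the host itself opened through, blocks listed malicious addresses, asks the user about unknown outbound programs, and silently drops unsolicited inbound packets so a port scan gets no answer. The rules, program names and addresses are constructed (the IPs are documentation ranges).

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out"
    app: str              # local program owning the socket ("" if unsolicited inbound)
    remote: str           # remote IP address
    port: int             # remote port for "out", local port for "in"
    established: bool     # True if part of a connection this host already initiated

@dataclass(frozen=True)
class Rule:
    direction: str
    app: Optional[str]    # None matches any program
    port: Optional[int]   # None matches any port
    verdict: str          # allow | block (reject, remote sees a refusal) | drop (stealth)

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.app in (None, p.app)
                and self.port in (None, p.port))

# Constructed policy and threat list.
MALICIOUS_IPS = {"203.0.113.66"}
RULES: List[Rule] = [
    Rule("out", "browser.exe", 443, "allow"),
    Rule("out", "unknown.exe", None, "block"),
    Rule("in", None, 3389, "drop"),
]

def decide(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return allow, block, drop or ask for one packet, in the order a firewall checks."""
    if p.remote in MALICIOUS_IPS:          # known-bad traffic is blocked in either direction
        return "block"
    if p.established:                      # stateful: replies to our own connections pass
        return "allow"
    for rule in rules:                     # first matching rule wins
        if rule.matches(p):
            return rule.verdict
    if p.direction == "out":               # unknown program: notify the user (Allow/Block)
        return "ask"
    return "drop"                          # unsolicited inbound: stay silent, hiding the port
```

The difference between "block" and "drop" is what makes ports invisible: a rejected packet tells the scanner the host is there, a dropped one tells it nothing.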

Other methods used by computer security programs to keep your PC secure and prevent malware infections or hacker attacks:

The following three are not detection but malware prevention techniques.

  • Sandboxed Applications – Run unsigned, unknown, and suspicious applications in a Sandbox, an isolated virtual environment.
  • Application Whitelisting – Run only those applications that are definitely clean.
  • System Rollback – In case of malware on the system, roll back to a previously created system snapshot. It’s like an advanced version of System Restore.

These are some of the techniques used by the computer security software to keep the computer protected against malware and attacks.
