How do antivirus programs really work? Detection after the fact or prevention?

Just like the title says, do the AV programs (or most of them),
including MBAM, such as found in this list:
http://anti-virus-software-review.toptenreviews.com/index.html , work
by preventing virus programs from infecting your system in the first
place, or, do they work after the fact in preventing their spread and/
or deleting them?  Same for any kind of badware, malware.

Also if you browse websites will these AV programs stop infections /
malware from loading onto your system via the browser?

Assume best case scenario, in that you have the registered, paid
version of MBAM and the other AV programs, since I understand the free
version of MBAM does not work in real time and the same could be true
of the other AV programs, since the free versions are often just
crippled "detect only" versions.

RL

Re: How do antivirus programs really work? Detection after the fact or prevention?

On 03/10/2011 12:18 AM, RayLopez99 wrote:
> [quoted text elided]

All current anti-malware program suites will do both, the specialised
ones will do what they're designed for.

Wolf K.


Re: How do antivirus programs really work? Detection after the fact or prevention?

RayLopez99 wrote:
> [quoted text elided]

This is basically what "detection" is all about, and it used to be
mostly a preventative measure. The idea was that you scan a program file
before you execute it - and "known" malware would be detected so that
you could avoid executing it. Best practice included a 'cooling off'
period for new (to the machine) programs in order to allow them time to
become "known" to the AV program if they are malicious (the zero day
period used to be weeks or more for some malware).

Nobody wanted to use the quarantine 'cooling off', nor it seems did they
want to scan new programs at all. The "on access" detectors act as a way
to take the user out of the loop - all programs will be scanned by the
detector *after* the new program is invoked but before it actually executes.

From a purist's standpoint, all that is needed is to detect. You can be
given the chance to not execute it, and delete it (and get a clean copy
from your backups). AV's became competitive in their ability to "clean"
virally infected files, but still it is better to delete them and *have*
a file backup plan in place. As for most classic trojans, no need for a
backup or a cleaning - just delete them when detected as they have no worth.

> [quoted text elided]

This depends on the individual program being discussed. Some programs
will "detect" by program behavior - and for programs to have a behavior,
they have to be executing. This is where "identification" comes into
play. The scanner has to clearly identify a malware program in some
cases if it is going to be able to "remove" it from a system.

> [quoted text elided]

There may be differences between how one type of badware is handled as
opposed to how another is. Also, if a lame malware detector were to
"identify" a trojan by a cryptographic hash algorithm of the file and
the trojan got infected by a virus, *both* would get through. If the
"real-time" component of the detector used behavior monitoring then you
may get a warning and a successful cleaning on the known malware and it
would miss the virus.

A better malware detector might not rely on a hash algorithm or two, but
might use other indicators within the trojan file and "prevent" the
trojan *and* the viral infection.
> [quoted text elided]

Some will, I think they generally call these "web shield" or something
like that. Others will only do that if a recognized malware is saved on
your harddrive (temp files for instance).

[...]


Re: How do antivirus programs really work? Detection after the fact or prevention?

> [quoted text elided]

This was all very interesting but specifics were left out.  I supposed
it would be impossible to list all specific programs, but does Norton
for example (I'm leaning towards getting it) do the "prevention" and
"shields" thing, as well as the detection-after-the-fact thing?  I
guess the answer is yes.  perhaps the key is this:  for known badware,
that fails the hash check, it is prevented.  For unknown (zero-day or
rare viruses/malware) badware, the "prevention" thing is done
(heuristics).  And the "shields"--does it block redirects to known bad
sites, or prevent your Java from being exploited (apparently in my
case the trojan got in because--it seems--I was using an old version
of Java that had some sort of security flaw--I've since updated to the
latest version of Java)?

RL

Re: How do antivirus programs really work? Detection after the fact or prevention?

RayLopez99 wrote:
> [quoted text elided]

Indeed they were, and I left them out too.

> [quoted text elided]
 > but does Norton for example (I'm leaning towards getting it) do
 > the "prevention" and "shields" thing, as well as the
 > detection-after-the-fact thing?

I'm sure it does, if you are talking about the security suite and not
just a plain AV program. It might even be something that their regular
AV offering does, but I'm not sure.

> [quoted text elided]

Well, in that scenario it was a blacklist not a whitelist, so if the
hashes matched it was a known badware. If the comparison *failed* it
would fail to recognize it and would let it through. It was a very
simplistic example, I doubt that many detectors rely solely upon hash
comparisons. Much of the malware out there today uses server-side
polymorphism so many many hashes are needed for different forms of the
same malware variant.

Same idea as you wrote above, just kind of upside-down.

> [quoted text elided]
 > the "prevention" thing is done (heuristics).  And the
 > "shields"--does it block redirects to known bad sites,
 > or prevent your Java from being exploited (apparently
 > in my case the trojan got in because--it seems--I was
 > using an old version of Java that had some sort of
 > security flaw--I've since updated to the latest version
 > of Java)?

Usually, you can find a list of features on the website
where they advertise. Everything seems to be a "shield"
of some kind, the important thing is what kind of shield.
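The two posts above contrast a pure hash blacklist (which misses any re-morphed or virus-infected copy of a known trojan) with a detector that keys on indicators inside the file. Added example, not code from the thread or from any product mentioned: the "trojan" bytes, the indicator pattern and the hostname are constructed stand-ins.

```python
import hashlib
import re

# Constructed stand-in for a known trojan file: inert bytes, nothing executable.
TROJAN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
                 + b"CONNECT evil-c2.invalid:4444 DOWNLOAD payload"
                 + b"\x00" * 8)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hash blacklist: one entry per known sample. Under server-side polymorphism
# every served copy differs, so the list needs one entry per copy seen.
HASH_BLACKLIST = {sha256(TROJAN_SAMPLE)}

# Indicator signature (hypothetical): a pattern characteristic of the family
# that survives padding, an appended file infector, or a different wrapper.
INDICATOR = re.compile(rb"CONNECT [a-z0-9.-]+:\d+ DOWNLOAD payload")

def hash_detect(data: bytes) -> bool:
    """Blacklist check: a hit only when the whole-file hash is already known."""
    return sha256(data) in HASH_BLACKLIST

def indicator_detect(data: bytes) -> bool:
    """Content check: a hit when the family's indicator appears anywhere in the file."""
    return INDICATOR.search(data) is not None

def append_bytes(data: bytes, tail: bytes) -> bytes:
    """Model the two cases from the thread that change a file without changing
    its purpose: a server re-morphing the copy it serves, or a virus appending
    itself to the trojan. Any byte change defeats an exact-hash match."""
    return data + tail

def compare(data: bytes) -> dict:
    """Run both detectors on one file and report which of them fired."""
    return {"hash": hash_detect(data), "indicator": indicator_detect(data)}
```

On the original sample both checks fire; on a copy with four bytes appended only the indicator check still does, which is the gap the posts describe.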


Re: How do antivirus programs really work? Detection after the fact or prevention?


> [quoted text elided]

Not really.  They don't get into details.

> [quoted text elided]

And what would those kind of shields be?

Thanks for your other answers, and I'm curious, if server-side malware
morphs, then how is it detected in a blacklist?  Or I guess it cannot
be?

RL


Re: How do antivirus programs really work? Detection after the fact or prevention?

RayLopez99 wrote:
> [quoted text elided]

The existence and (false) trust in blacklists
is what enhances the value of 0day releases.
Better than try to win an often unwinnable race,
is to prevent the opportunity of disaster.

Re: How do antivirus programs really work? Detection after the fact or prevention?

RayLopez99 wrote:
> [quoted text elided]

Yeah, they may say web shield but be secretive about how they implement
it - or 'download protection' or 'proxy filtering' without enough detail
for you to know exactly how it does what it does.

> [quoted text elided]

'Active shield' might be "on access" scanning where a 'real-time' shield
might be a "behavior monitoring" they all try to make it sound like they
have something else the other guy doesn't. Web shield might be proxy
filtering of HTTP/HTML and scripting or maybe even just a cloud based
blacklist/whitelist implementation.

> [quoted text elided]

Each new sample is analyzed and a signature created and distributed.
This is in sharp contrast to polymorphic viruses where the algorithm for
creating the differing forms is carried within the virus and can be
analyzed - the server side morphing doesn't have to stay the same, it is
human driven.

This is one reason I thought it was a bad idea for the antivirus
companies to delve into the antimalware business. Antimalware is a whole
'nuther ballgame. It is also a reason to continue to try to educate
others that the dichotomy (distinction) between trojan and virus is an
important one and not 'mere semantics' as some suggest.


Re: How do antivirus programs really work? Detection after the fact or prevention?


> [quoted text elided]

I see.  So perhaps the morphing, if I read this correctly, is not
really done in the server but in the virus.  That is, I can envision a
virus/malware that lives on an evil server and changes say every 10
minutes.

> [quoted text elided]

Not sure what you mean here...sorry if I missed the thread about the
important distinctions between a virus and malware.  I know that you
and David L and a few others like maybe Dustin went back and forth a
while ago, but as a layperson and high level language (C#) programmer
I did not really pay attention to the details, which seem to have been
cryptic one-liners that only you guys know what they mean.  Perhaps
another thread and a synopsis of the differences are needed.  Other
than the "trojan is a worm" and "virus replicates in your PC" I'm not
entirely clear myself on the differences.

RL

Re: How do antivirus programs really work? Detection after the fact or prevention?

RayLopez99 wrote:
> [quoted text elided]

Nope. The polymorphic virus doesn't need a server as it is
self-distributing, and it morphs *itself* into a new host program on
each iteration. The server-side poly is for non-replicating malware so
it can take many forms as it is being distributed as well.

> [quoted text elided]

It's right here in this thread. Polymorphic viruses are "self"
polymorphic and carry the morphing algorithm with them. For
non-replicating malware the polymorphic engine is not carried with the
malware but is with the distribution program (or perhaps a human)
instead. Often it is part of the program on the server that serves up
the malware to visitors. You can't glean the algorithm by capturing an
instance of the malware like you can with viruses.

> [quoted text elided]

Well, understanding will help if you are trying to answer questions like
"will this defense help protect against that malware?" because different
methods are required to combat different malware types.

BTW, worms are replicators and as such are not trojans. Trojans are
non-replicators. As non-replicators they don't have iterations that can
take differing forms, each new form must be made by the distribution
mechanism be it human or programming on a server.



Re: How do antivirus programs really work? Detection after the fact or prevention?

Per RayLopez99:
> [quoted text elided]

Maybe somebody who actually knows something can comment on this,
but my question would be "Why get something that costs money when
Avast's freebie version will do the job?"

I've had Avast on all of my own PCs and on two family members'
PCs for over five years now.   The only time I ever had a problem
was when somebody deliberately over-rode one of Avast's "You've
got a virus in this email and we're not going to open it unless
you override this prompt...." messages.

Had occasion to do a Kaspersky boot-time scan a couple of times
on my main PC, and it came up clean... so I'm guessing Avast is
doing the job.... and the price is definitely right.
--
PeteCresswell

Re: How do antivirus programs really work? Detection after the fact or prevention?


> [quoted text elided]

A bunch of issues raised by your post.  You seem to like this whole
enchilada style of prose. <g>

Why don't you like an AV web scanner (which I assume refers to links such
as transfer to links from a host page to a server run by the anti-
virus company to check the links linked to)?

Why do you run AV only?  You a professional?  Maybe you trust you can
remove any malware/badware yourself?  By noticing stuff loaded in Task
Manager?  Man you're good if that's the case.

HOSTS file.  I have no idea what that is, except once to get a cracked
copy of Adobe running I had to change the HOSTS file.  From what I can
tell it's a sort of primitive lookup table used by browsers.  You
killed your HOSTS file I take it, though how your software that
depends on this HOST file, like say Adobe Acrobat or Photoshop, would
work is beyond me.

RL


Re: How do antivirus programs really work? Detection after the fact or prevention?

RayLopez99 wrote:
> [quoted text elided]

I don't dislike them, I only don't feel the need for one on this system.

> [quoted text elided]

Nothing like that, I'm just a hobbyist with good recovery plans and
nothing of any real importance on this computer. Besides, many new
malware instances are capable of hiding things from Task Manager.

> [quoted text elided]

That's exactly what it is, but it has taken on a role for which it was
not designed - that of a blacklist of sorts that returns the loopback
(localhost 127.0.0.1) for certain "bad" site names.

Using an enhanced firewall is a much better way to accomplish that sort
of blacklisting.

> [quoted text elided]

They don't actually depend on it at all, it just gets checked before DNS
(or whatever domain to IP# lookup in use) does. Kind of like a local DNS
service for static IPs.

I sometimes like to look at malware, and I don't need several programs
interfering with that ability.
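The post above describes the HOSTS file as a static name-to-IP table that is consulted before DNS, which is why pointing a "bad" name at the loopback address works as a crude blacklist. Added example, not code from the thread: a hosts-first resolver over a constructed hosts file, with a stand-in DNS lookup so it runs offline.

```python
import ipaddress

# Constructed hosts file: one ordinary static entry plus two blacklist-style
# entries that send "bad" names to loopback or the unspecified address.
HOSTS_TEXT = """\
# constructed example, not a real hosts file
127.0.0.1       localhost
192.0.2.10      fileserver.lan
127.0.0.1       bad-ads.example    # blacklist-style entry
0.0.0.0         tracker.example
"""

def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to the address on its line.
    Comments and blank lines are ignored; a malformed address skips the line."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # first matching entry wins
    return table

def resolve(name: str, hosts: dict, dns_lookup) -> tuple:
    """Hosts-first lookup, as the post describes: the static table is checked
    before DNS is ever asked. Returns (address, source)."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    return dns_lookup(key), "dns"

def is_blackholed(ip: str) -> bool:
    """True when the mapping sends traffic nowhere useful (loopback or 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def fake_dns(name: str) -> str:
    """Stand-in for a real DNS query; answers are constructed documentation addresses."""
    return {"www.example.com": "203.0.113.5"}.get(name, "198.51.100.7")
```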

