Signature based

Traditional antivirus software relies heavily upon signatures to identify malware.

In essence, when a new sample arrives at an antivirus vendor, it is analysed by malware researchers or by automated dynamic-analysis systems. Once it is confirmed to be malicious, a signature is extracted from the file and added to the signature database that the antivirus software downloads.

Although the signature-based approach can effectively contain malware outbreaks, malware authors have tried to stay a step ahead of such software by writing “oligomorphic”, “polymorphic” and, more recently, “metamorphic” viruses, which encrypt parts of themselves or otherwise modify themselves from one copy to the next as a method of disguise, so that no copy matches the signatures in the dictionary.

Signature-based AV compares hashes of files on a system (the simplest form of signature) against a list of hashes of known malicious files. It also looks inside files for byte sequences characteristic of malicious code.

A file-hash signature, for example an MD5 or SHA-1 digest, identifies exactly one file, so plain signature matching works best against old malware that circulated as a single, unchanging copy; today a sample typically exists in many slightly different variants, each of which would need its own hash. See this post for more information: What patterns does a signature based anti-virus look for?. Behavior-based detection (often grouped with heuristic detection) takes a different approach: it builds a full context around every process's execution path in real time instead of inspecting static file content.
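
The two signature types described above, as an added example that is not part of the original page or any vendor's engine: a whole-file hash lookup and a fixed byte-sequence search, run over constructed toy files (not real malware). The file bodies, the XOR encoding and the detection names are assumptions made for the example; the point it shows is that a one-byte change defeats the hash while the byte sequence survives it, and that re-encoding the signed bytes defeats both.

```python
import hashlib
from typing import Optional

# Constructed samples (not real malware): a toy "known bad" file, a variant
# that differs by one byte, and a variant whose payload bytes are XOR-encoded.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 12 + b"EVIL_PAYLOAD_v1" + b"\x00" * 16
ONE_BYTE_VARIANT = KNOWN_BAD.replace(b"_v1", b"_v2")
ENCODED_VARIANT = (b"MZ\x90\x00" + b"\x00" * 12
                   + bytes(c ^ 0x55 for c in b"EVIL_PAYLOAD_v1") + b"\x00" * 16)
CLEAN = b"MZ\x90\x00" + b"\x00" * 12 + b"hello world" + b"\x00" * 16

# Whole-file hash signatures, keyed by hex digest. SHA-256 is used here; MD5 or
# SHA-1 work the same way but are collision-prone and should not be relied on.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Example.A"}

# Byte-sequence signatures: a fixed run of bytes lifted from the malicious code.
BYTE_SIGNATURES = {b"EVIL_PAYLOAD": "Trojan.Example.A"}


def scan_by_hash(data: bytes) -> Optional[str]:
    """Exact match: any change to the file, however small, breaks the hash."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_bytes(data: bytes) -> Optional[str]:
    """Substring match: survives edits outside the signed region, but not
    encryption or rewriting of the signed bytes themselves."""
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan(data: bytes) -> dict:
    """Return the verdict of both signature types for one file body."""
    return {"hash": scan_by_hash(data), "bytes": scan_by_bytes(data)}


if __name__ == "__main__":
    samples = [("known bad", KNOWN_BAD), ("one-byte variant", ONE_BYTE_VARIANT),
               ("encoded variant", ENCODED_VARIANT), ("clean", CLEAN)]
    for label, body in samples:
        print(f"{label:17s} {scan(body)}")
```

Real engines hash sections or normalised code rather than the raw file, and match many byte patterns at once (Aho-Corasick or a regex automaton), but the failure modes are the same as in this toy.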

Behavior based

Behavior-based AV watches running processes for telltale signs of malware and compares what it sees against a list of known malicious behaviors (for example, a document viewer spawning a command shell, or a program writing itself to a startup location).

Many AV products have added behavior-based detection because malware authors increasingly use polymorphic or encrypted code segments, for which a stable static signature is very difficult to write. It is easier to detect such malware by watching for a particular pattern of behavior, since the malware still has to perform the same actions regardless of how its code is encoded.
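
A minimal behavior-rule engine of the kind the paragraphs above describe, as an added example that is not code from the original page or from any AV product. It groups a constructed process-event stream (made-up telemetry, not from a real sensor) per process, evaluates ordered behavior rules such as "wrote a file under Temp, then executed it", and flags processes whose weighted score crosses a threshold. The event format, rule weights and threshold are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-event stream (made-up telemetry, not from a real sensor).
# Each event records the acting process, the operation and its target.
EVENTS = [
    {"pid": 1001, "image": "winword.exe", "op": "file_write",
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"pid": 1001, "image": "winword.exe", "op": "proc_create",
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"pid": 1002, "image": "upd.exe", "op": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"pid": 1002, "image": "upd.exe", "op": "net_connect", "target": "203.0.113.5:4444"},
    {"pid": 2001, "image": "setup.exe", "op": "file_write",
     "target": r"C:\Program Files\App\app.exe"},
    {"pid": 2001, "image": "setup.exe", "op": "proc_create",
     "target": r"C:\Program Files\App\app.exe"},
    {"pid": 3001, "image": "notepad.exe", "op": "file_write",
     "target": r"C:\Users\alice\notes.txt"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def drops_and_runs_from_temp(evs: List[dict]) -> bool:
    """Order matters: a file written under Temp is later executed by the same process."""
    written = set()
    for e in evs:
        if e["op"] == "file_write" and "\\temp\\" in e["target"].lower():
            written.add(e["target"].lower())
        elif e["op"] == "proc_create" and e["target"].lower() in written:
            return True
    return False


def office_app_spawns_process(evs: List[dict]) -> bool:
    """Document viewers rarely have a reason to launch other programs."""
    return any(e["op"] == "proc_create" and e["image"].lower() in OFFICE_IMAGES
               for e in evs)


def sets_run_key(evs: List[dict]) -> bool:
    """Persistence via the per-user Run key."""
    return any(e["op"] == "reg_set" and "\\currentversion\\run\\" in e["target"].lower()
               for e in evs)


def connects_to_uncommon_port(evs: List[dict]) -> bool:
    """Outbound connection to a port other than 80/443."""
    for e in evs:
        if e["op"] == "net_connect":
            port = int(e["target"].rsplit(":", 1)[1])
            if port not in (80, 443):
                return True
    return False


# (rule name, weight, predicate). Weights and the threshold are illustrative.
RULES = [
    ("drop-and-execute from Temp", 4, drops_and_runs_from_temp),
    ("Office application spawned a process", 3, office_app_spawns_process),
    ("Run-key persistence", 3, sets_run_key),
    ("outbound connection on uncommon port", 2, connects_to_uncommon_port),
]
THRESHOLD = 5


def score_process(evs: List[dict]) -> Tuple[int, List[str]]:
    """Evaluate every rule over one process's ordered events."""
    hits = [name for name, _, pred in RULES if pred(evs)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def evaluate(events: List[dict]) -> Dict[int, Tuple[str, int, List[str]]]:
    """Group events per process (in arrival order) and report processes over threshold."""
    per_pid: Dict[int, List[dict]] = defaultdict(list)
    for e in events:
        per_pid[e["pid"]].append(e)
    flagged = {}
    for pid, evs in per_pid.items():
        score, hits = score_process(evs)
        if score >= THRESHOLD:
            flagged[pid] = (evs[0]["image"], score, hits)
    return flagged


if __name__ == "__main__":
    for pid, (image, score, hits) in evaluate(EVENTS).items():
        print(f"pid {pid} ({image}) score={score}: {', '.join(hits)}")
```

Note that setup.exe (pid 2001) also writes and runs an executable, but outside Temp and without persistence or network activity, so it stays below the threshold; tuning rules and weights against benign software like this is where most of the false-positive work in a behavioral engine goes.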

Algorithm (heuristic) based

Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.

For example, the Vundo trojan has several family members, depending on the antivirus vendor’s classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.

While it may be advantageous to identify a specific virus, it can be quicker to detect a whole virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find code regions that all members of a family share and that do not occur in clean files, and from them create a single generic signature. These signatures often describe non-contiguous code, using wildcard characters where the variants differ. The wildcards let the scanner detect variants even if they are padded with extra, meaningless code. A detection that uses this method is said to be “heuristic detection.”
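
A wildcard generic signature of the kind just described, as an added example that is not code from the original page or from any vendor's scanner. The small compiler turns a YARA-style hex string (two-digit bytes, "??" for any single byte, "[n-m]" for a gap of n to m bytes) into a bytes regular expression, and the constructed family members (made-up x86-like byte sequences, not real malware) differ only in immediate operands and in junk padding. The signature syntax, the byte sequences and the detection names are assumptions for the example; it shows the exact signature catching only variant A while the generic one catches both.

```python
import re
from typing import Dict

# Constructed members of one "family" (made-up x86-like bytes, not real malware).
# Shared stub: push 0; push <addr>; [junk]; call <rel32>; add esp, 8.
# Only the immediates and the padding between them differ between variants.
VARIANT_A = (b"\xcc" * 4
             + bytes.fromhex("6a 00 68 10 20 40 00 e8 11 22 33 44 83 c4 08")
             + b"\xcc" * 4)
VARIANT_B = (b"\xcc" * 4
             + bytes.fromhex("6a 00 68 aa bb cc 00 90 90 90 e8 55 66 77 88 83 c4 08")
             + b"\xcc" * 4)
# Same prologue but a plain ret afterwards: shares bytes with A yet is not the stub.
CLEAN = (b"\xcc" * 4
         + bytes.fromhex("6a 00 68 10 20 40 00 e8 11 22 33 44 c3")
         + b"\x00" * 8)

# Signature text in a YARA-like hex-string syntax (assumed for this example).
SIGNATURES = {
    "Trojan.Example.A (exact)": "6A 00 68 10 20 40 00 E8 11 22 33 44 83 C4 08",
    "Trojan.Example.Gen": "6A 00 68 ?? ?? ?? ?? [0-8] E8 ?? ?? ?? ?? 83 C4 08",
}

_GAP = re.compile(r"^\[(\d+)(?:-(\d+))?\]$")


def compile_signature(hex_sig: str):
    """Translate one hex-string signature into a compiled bytes regex."""
    parts = []
    for tok in hex_sig.split():
        m = _GAP.match(tok)
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif m:
            lo, hi = m.group(1), m.group(2) or m.group(1)
            parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))  # variable gap
        elif len(tok) == 2:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte
        else:
            raise ValueError(f"bad signature token {tok!r}")
    # DOTALL so that "." also matches 0x0a; signatures are binary, not text.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def classify(data: bytes) -> Dict[str, int]:
    """Return {signature name: offset of first match} for every signature that hits."""
    hits = {}
    for name, pat in COMPILED.items():
        m = pat.search(data)
        if m:
            hits[name] = m.start()
    return hits


if __name__ == "__main__":
    for label, body in [("variant A", VARIANT_A), ("variant B", VARIANT_B), ("clean", CLEAN)]:
        print(f"{label:10s} {classify(body)}")
```

The gap token is what absorbs padding: a scanner with only exact sequences would need one entry per variant, whereas a single "[0-8]" here covers any member whose junk is at most eight bytes long. Bounding the gap also keeps the regex from backtracking across the whole file and from matching unrelated code that happens to share the two fixed ends.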

