As part of CBR’s Tech Express series, Kaspersky Lab’s David Emm sat down with CBR’s Ellie Burns to talk all things antivirus.
EB: What is antivirus?
DE: The term ‘anti-virus’, coined at a time when malicious programs were almost exclusively viruses, refers to programs designed to identify and remove malicious code from a computer. In those days, the principal (though not only) method used to detect malicious code was signature scanning, i.e. looking for sequences of bytes that are known to exist in a virus or other type of malicious program.
Today, by contrast, many types of malware are used by cybercriminals to exploit individuals and organisations, typically by targeting confidential data. Hackers are increasing in sophistication and, off the back of society’s increasing use of connectivity, are more prominent than ever – no longer just a matter of concern for the tech industry, but for everyone.
These programs have evolved over the years to combat the new forms of attacks adopted by criminals. Today’s Internet security applications, while still often referred to as ‘anti-virus’, are much less reliant on the use of signatures. They typically include heuristics, emulation, behavioural analysis and more. Indeed, the use of proactive technologies is far more important than signatures – enabling these applications to block new and unknown threats.
So ‘anti-virus’ remains as important as ever.
EB: How does antivirus software work?
DE: In the early days, the primary method (though not exclusive – even then) used to detect malware was the signature – a sequence of bytes found in the malicious program that, when included in an anti-virus database, could be used to identify the malware. These products were also forged in an era where malware was invariably ‘cyber-vandalism’, i.e. before malware-for-profit.
Technology, and what we use it for, has changed dramatically and so have the solutions designed to secure computing devices of all kinds. The applications we use to defend against today’s wide array of threats are the product of decades of evolution and include layers of proactive technologies designed to block new, unknown threats without the need for a signature: heuristics, emulation, behavioural analysis, anti-spam, firewalls, VPN and much more.
The best solutions are also typically integrated into a cloud-based infrastructure that provides the ability to determine the overall reputation of a file in real-time, without the need for an update to anti-virus databases. In other words, they have long since outgrown the description ‘anti-virus’.
The term has become well-entrenched, however, and so continues to persist – it’s a case of ‘new wine in an old bottle’. Some vendors offer free products: whilst they typically go beyond simple signature analysis, they are much less technology-rich than paid-for solutions.
When anti-virus programs first appeared, protection was centred on the desktop. Now, endpoint protection – even given its much greater sophistication – is just one form of protection: there are tailored solutions for different parts of a network, to deflect specific threats such as DDoS (Distributed Denial of Service) attacks, to detect the presence of targeted attackers in the network and to protect industrial facilities.
EB: Is there a difference between viruses and malware?
DE: We use the term ‘malware’ as an umbrella term for all forms of malicious software, including viruses, worms and Trojans. But when PC malware first appeared in 1986 – and for many years afterwards – the problem was almost exclusively a *virus* problem. That’s why the products designed to deal with the problem became known as ‘anti-virus’.
In fact, viruses are just one specific type of malware, defined by their ability to self-replicate, i.e. to add copies of themselves to other executable files. Worms also replicate – but from computer to computer, rather than across multiple files on the same device. The term ‘Trojan’ includes any program designed to cause harmful actions on a computer and includes programs that download malicious code, spy on the victim, steal personal data, encrypt data and more. Malware (malicious software) is used to refer to all programs designed to carry out harmful actions on a computer.
EB: Can antivirus also protect against cyber threats other than viruses?
DE: Yes, anti-virus programs have evolved over the years to deal with all types of cyber-threat.
The use of signatures alone to combat malware would be woefully inadequate – something that has led to a number of people suggesting that ‘anti-virus is dead’ (here’s a recent example). This would be true only if anti-virus programs remained dependent on signature scanning.
Today, modern anti-virus programs bring together a range of technologies that enable them to detect threats even when they haven’t been specifically analysed in the lab and even if there’s no signature to identify them. The best solutions are also typically integrated into a cloud-based infrastructure that provides the ability to determine the overall reputation of a file in real-time, without the need for an update to anti-virus databases.
Even free anti-virus solutions go beyond signature scanning, although they are typically much less technology-rich than paid-for solutions.
EB: What is the one mistake commonly made with antivirus?
DE: I believe the problem lies less with technology than blind reliance on it. However good technology is, there’s no such thing as 100 per cent security. So it’s important to see security as a process – one that includes technology, but only as part of a wider strategy.
Education is vital: developing a security culture to reduce the likelihood of staff unintentionally jeopardising their own, or the company’s, security is imperative. So too is good network management – not assigning administrative rights by default, segmenting the network to stop the spread of malware, giving write access only where it’s needed, encrypting data, backing up data and restricting the applications that can run on the system.
It’s also vital not to see IT security simply in terms of guarding the perimeter. This is important, but so too is in-depth defence – so that if a perimeter is breached, attackers aren’t simply able to run rampant through the corporate network.