How does an antivirus detect a virus?


The Clubic Studio

March 1, 2024 at 9:09 a.m.


Signature databases have protected our computers effectively for years. As threats multiplied, antivirus publishers had to redouble their ingenuity to deal with unknown and unpredictable malware. Behavioral analysis goes a step further by monitoring the system itself and blocking suspicious actions at the source. Let’s take a quick look together at how a virus is detected and what an antivirus protects you from.

Heuristic or behavioral analysis: two sides of advanced protection

Summary of previous episodes: in the beginning was the virus. Not very widespread and easy to identify, the first malicious programs could (and still can) be detected by their signature, a sequence of consecutive bytes that allows them to be recognized. In security suites and free antiviruses alike, these signatures are updated regularly, but by their nature they can only detect threats that are already known.

This posed no problem until threats multiplied, in numbers far too great for signature updates to keep pace. Hence the need for protection that does not merely react to a known virus but can infer the malicious nature of an unknown program by analyzing its behavior.

Two methods provide this possibility. The first is heuristic analysis, which consists of examining a program closely, either by decompiling its code or by running it in a virtual machine. The analyzer then checks whether the program performs actions that could be suspicious, or compares the structure of its code to that of already identified threats or to patterns of potentially dangerous behavior.

Behavioral analysis operates at the level of the system itself. What is monitored is not a single file passed through a scanner or a sandbox, but the OS as a whole. Behavioral protection observes system activity (Windows, Android, macOS, etc.) and recognizes actions that appear malicious, such as requests to an unknown server, file modifications, or requests for access to memory locations.

The two methods coexist and complement each other. Heuristics, for example, have their limits: many recent threats include protection against emulators and behave harmlessly while they detect one. At that point, only actual execution of the file on the real system can betray it.


Ransomware, stealth attacks: behavioral analysis as a defense

Behavioral analysis, by focusing on the system and not just files, is a defense against more pernicious attacks such as “drive-by downloads”, triggered by code executed on a web browser.


Among the recent threats that have caused particular damage, ransomware is typically the type of attack where behavioral protection plays an essential role. Ransomware was born from a mutation of cybercrime. At the time of the first viruses, losing one’s personal files was the most common fear. But what is the point of destroying documents someone cares about? It harms the user or the company, certainly. Why not instead take those files hostage and try to obtain a payment?

This is what ransomware does. It attacks your personal files and applies an encryption algorithm to make them inaccessible. Pay the ransom and you will supposedly receive the key. In practice, even that is not guaranteed.


Here, behavioral analysis can detect these abnormal modifications, block the operations in progress and, if necessary, restore the files to their previous version.
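As an added illustration (not code from the original article or from any antivirus product), the following simplified behavioral rule shows the idea described above: a process that rewrites many distinct user files with random-looking, ciphertext-like content within a few seconds is flagged, while an ordinary document save is not. The thresholds and the sample events are constructed for the example.

```python
import math
import random
from collections import defaultdict, deque

HIGH_ENTROPY = 7.2    # bits per byte; ciphertext is close to 8.0, plain text around 4-5
WINDOW_SECONDS = 10   # sliding window over one process's write events
DISTINCT_FILES = 5    # distinct files rewritten with high-entropy data before alerting

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted output looks uniformly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class RansomwareBehaviorMonitor:
    """Tracks per-process file writes; alerts when one process rewrites many
    distinct files with ciphertext-like content inside a short time window.
    Note the false-positive risk: archivers and compressors also write
    high-entropy data, so a real product would combine this with other signals."""
    def __init__(self):
        self.recent = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.alerted = set()

    def observe(self, ts, pid, path, data):
        """Feed one 'file written' event; return an alert dict or None."""
        if shannon_entropy(data) < HIGH_ENTROPY:
            return None                     # normal-looking content, ignore
        q = self.recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                     # drop events outside the window
        touched = {p for _, p in q}
        if len(touched) >= DISTINCT_FILES and pid not in self.alerted:
            self.alerted.add(pid)
            return {"pid": pid, "files": sorted(touched),
                    "action": "suspend process, restore files from backup"}
        return None

def build_events():
    """Constructed sample: pid 1001 saves one text document; pid 2002 overwrites
    six user files with random bytes within three seconds."""
    rng = random.Random(7)
    events = [(0.0, 1001, "/home/u/notes.txt",
               b"Meeting notes for Monday, bring the report.\n" * 20)]
    for i in range(6):
        events.append((1.0 + 0.5 * i, 2002, f"/home/u/docs/file{i}.docx",
                       bytes(rng.randrange(256) for _ in range(2048))))
    return events

def run(events):
    """Replay events through the monitor and collect the alerts raised."""
    mon = RansomwareBehaviorMonitor()
    return [a for a in (mon.observe(*e) for e in events) if a]
```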

Limits and developments

Behavioral analysis faces the biggest problem of any kind of virus scanning: false positives. Unusual system activity may simply be unconventional without being malicious.

However, behavioral analysis modules are also evolving, and are ideal grounds for one of the recent trends: machine learning. With progressive learning, security solutions increasingly leverage neural networks to distinguish legitimate actions from suspicious ones.

Another pitfall is the cost of this type of analysis. Monitoring the behavior of an entire operating system can be resource-intensive and may slow down demanding tasks. That is the price to pay, however, for a more effective layer of protection against the proliferation of online threats.


Clubic Studio is the creator of original content for Clubic partners. Behind Studio Clubic is a team of experts in brand content and content to commerce, which offers quality content to connect our advertisers with our readers.
