4. MALWARE AND ANTIVIRUS

4.6. How Does an Antivirus Work

Of course, the first step would be the installation, but once installed, the antivirus tool starts by checking the computer or server it is installed on for programs and files that match a database of known types of malware. Because new viruses are developed every day and constantly distributed by attackers, the antivirus tool also scans the device for possible new or unknown threats and infections.

Typically, most programs work with three different detection modes. The first is specific detection, which identifies known malware. The second is generic detection, which looks for known parts or types of malware, or for patterns that reveal a relation through a common codebase. The third is heuristic detection, which scans for unknown viruses and infections by identifying known suspicious file structures. When the program finds a file that contains a virus it will normally place it in quarantine and mark it for deletion. During the quarantine process it is possible to evaluate the file's behaviour and determine whether it must be removed from the device.

It is important to understand, though, that even if an antivirus is capable of protecting the system or network it is installed on, it is not able to protect it against all types of malware. To better understand this, it is necessary to realise that there are two different ways for antivirus software to identify malware: signature detection and behaviour detection. Just like IDS and IPS systems, antivirus tools also combine two approaches, taking advantage of well-known vulnerabilities and infection signatures on one hand and of behaviours on the other.

Signature detection may, once again, be seen like the human immune system: it scans the body (the computer) for special characteristics or program signatures known to be related to malicious code, infections, or threats. It does this by referring to a dictionary of known malware, built from known signatures. If something on the system matches a pattern present in the database, the program attempts to neutralise it, either putting it in quarantine or simply deleting it. Moreover, and once again referring to the human immune system, the dictionary or database requires updates. Just as in human health we get vaccinated or take medicine, in computers updates are critical for keeping a proper protection level. These updates make it possible for antivirus tools to recognise new and until then unknown malware, threats, and vulnerabilities.
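To make the three detection modes above and the dictionary idea concrete, here is an added example (not taken from the text) of a toy scanner: a specific signature is an exact hash of a known sample, a generic signature is a byte pattern shared by a family, and heuristics flag suspicious structure. The sample bytes and family names are constructed for illustration and are not real malware indicators.

```python
import hashlib
import math
import re

# Constructed "known sample" for the dictionary (not a real malware indicator).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"FAMILY-X dropper build 1" + b"\x00" * 32

# Specific detection: exact match on the hash of a known sample.
SPECIFIC_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "FamilyX.Dropper.1"}

# Generic detection: a byte pattern shared by every build of the family.
GENERIC_SIGNATURES = {re.compile(rb"FAMILY-X dropper build \d+"): "FamilyX.Generic"}


def shannon_entropy(data):
    """Bits per byte; values near 8 suggest packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def heuristic_flags(data):
    """Suspicious-structure rules; each one alone is weak, so report all hits."""
    flags = []
    # Executable header followed by a body that looks packed or encrypted.
    if data.startswith(b"MZ") and shannon_entropy(data[64:]) > 7.0:
        flags.append("executable with high-entropy body (possibly packed)")
    # Long base64 blob embedded in a file, a common way to hide a second stage.
    if re.search(rb"[A-Za-z0-9+/]{200,}={0,2}", data):
        flags.append("long base64 blob embedded in file")
    return flags


def scan(data):
    """Return (mode, detail); dictionary checks run first, heuristics last."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SPECIFIC_SIGNATURES:
        return "specific", SPECIFIC_SIGNATURES[digest]
    for pattern, name in GENERIC_SIGNATURES.items():
        if pattern.search(data):
            return "generic", name
    flags = heuristic_flags(data)
    if flags:
        # A heuristic hit is what the text's quarantine step is for: hold the
        # file and evaluate its behaviour before deciding to delete it.
        return "heuristic", "; ".join(flags)
    return "clean", ""
```

Note that a file only needs to differ by one byte from the known sample to escape the specific signature, which is why the generic and heuristic layers exist.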

Antivirus software can only protect the system against what it recognises as harmful, and the problem is that cyber attacks keep growing and become more sophisticated each day. The evolution of new exploits and attacks is so fast that antivirus vendors have to race against time to keep up with the constant demand for protection. As a result, no matter how recently the antivirus was updated, there is always some new malware that can possibly bypass the antivirus and antimalware software and tools.

With behaviour detection, the antivirus does not attempt to identify known malware as it does with the signature detection approach. Instead, it monitors the behaviour of the software installed on the machine it is protecting. To properly train the antivirus tool, the software needs to know what the normal behaviour of the programs it monitors looks like. Then, when a program acts in a suspicious way, such as trying to access a protected file or modifying another program, the behaviour-based antivirus spots the suspicious activity and alerts the user, making it possible to act according to the threat. This approach is especially successful at protecting the system against brand new types of malware that do not yet exist in dictionaries or databases and whose signatures have not yet been discovered or documented. The problem, though, is that this approach can increase the number of false warnings. As a computer user, you may be unsure of the proper action to take on such false alarms, and may therefore allow actions incorrectly. Moreover, faced with a large number of warnings, the user may be tempted to allow everything, leaving the computer open to attacks and infections. In addition, by the time the behaviour is detected, the malware has most likely already run on the system, so the user cannot be sure what actions the malware took before the antivirus software identified it.

Antivirus is an important part of securing a computer, system, network or mobile device, and it is recommended by the majority of scholars and researchers in the area. However, the key point is that regardless of the type and brand of the antivirus software, it is unable to protect the system against all malware types.