How Traditional Antivirus Works

Life, as the saying goes, is all about choices. Traditional antivirus (AV) products have claimed the lion’s share of the security market for years. However, as the decades have rolled by, attackers’ ability to invent new techniques, tactics and procedures has grown exponentially. Threats like “fileless” malware (which writes nothing to disk, so there is no file for a scanner to fingerprint) can’t be caught by signatures, so traditional AV is becoming less and less effective.

Even malware development itself has evolved. Attackers now run their own QA labs, use commercial penetration tools, and validate their new malware samples using bootleg multi-engine scanning sites to see if they are detected. If so, they modify the code and try again until it passes under Big AV’s radar.

We need new ways of preventing the execution of malicious code – be it binaries, fileless, script-based or whatever else is coming over the horizon. Today, we’ll take a look at how traditional AV products work in order to understand why it’s so easy for the bad guys to bypass them.

Watch our video and see for yourself how Cylance is different:

Video: How Cylance is Different From Traditional AV

How Traditional AV Detects Malware

There are four approaches traditional antivirus uses to detect malware:

Pattern Matching

The first approach is pattern matching via signatures. Pattern matching checks a sequence of tokens (for a file scanner, a sequence of bytes) for the presence of every constituent part of a pattern. In contrast to the flexibility offered by pattern recognition, the match has to be absolutely exact.

A signature is the digital fingerprint of a piece of malware. It’s a unique string of bits, a binary pattern representing the malware. Each time a traditional AV product encounters a new file, the AV product looks through its signature list and asks, “does this byte in the signature match this byte in (Read more...)
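The byte-by-byte signature check described above, written out as an added example (this is not Cylance code and not from the original post). The signature database, the sample “file” and the detection names are all constructed for the illustration and match no real malware; the `flip_one_byte` helper is a hypothetical stand-in for the edit-and-rescan loop the article attributes to malware authors, included to show why an exact-match signature stops firing after even a single-byte change.

```python
"""Exact byte-pattern (signature) matching, as a traditional AV engine does it.

Added illustration. SIGNATURES, KNOWN_SAMPLE and the detection names are
constructed for this example and do not correspond to any real malware.
"""
from typing import Dict, List

# Constructed signature database: detection name -> exact byte sequence.
# A production AV database holds millions of such entries, each extracted
# from a sample the vendor has already seen.
SIGNATURES: Dict[str, bytes] = {
    "Example.Sample.A": bytes.fromhex("deadbeef0102030405"),
    "Example.Sample.B": b"EXAMPLE_MARKER_STRING",
}


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose bytes occur verbatim in data.

    bytes.find performs the byte-by-byte comparison the text describes: the
    pattern must match exactly at some offset, or there is no detection.
    A file-based scanner only ever sees bytes that were written to disk, which
    is why code that lives purely in memory never reaches this check.
    """
    return sorted(name for name, sig in signatures.items() if data.find(sig) != -1)


def scan_file(path: str, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan a file on disk with the same exact-match logic."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Hypothetical stand-in for the attacker's edit-and-rescan loop: change a
    single byte so the exact pattern no longer occurs. Used here only to show
    how brittle exact matching is, not as a technique in itself."""
    edited = bytearray(data)
    edited[offset] ^= 0x01
    return bytes(edited)


# Constructed sample: a fake 2-byte header, 16 bytes of padding, the known
# signature bytes, then more padding. The signature starts at offset 18.
SIGNATURE_OFFSET = 18
KNOWN_SAMPLE = (
    b"MZ" + b"\x00" * 16 + SIGNATURES["Example.Sample.A"] + b"\x00" * 8
)


def demo() -> Dict[str, List[str]]:
    """Run the scanner on the known sample and on a one-byte-modified copy."""
    return {
        "original": scan_bytes(KNOWN_SAMPLE),
        "one_byte_changed": scan_bytes(flip_one_byte(KNOWN_SAMPLE, SIGNATURE_OFFSET)),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits or 'no detection'}")
```

`demo()` reports a hit for the unmodified sample and nothing for the copy with one byte changed. That gap is the whole reason the approach is brittle: the detection is only as good as the list of exact byte strings the vendor has already collected, so defenders layer behavioural and in-memory checks on top rather than relying on the signature list alone.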

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog