
The changing role of malware detection technology


Cape Town, 10 Sep 2014

Today, malware detection, as implemented by what some still refer to as the anti-virus industry, has three main components, and although each component has been regarded as its "primary" function by different commentators at different times, all three still have a part to play in a modern anti-malware product.

Proactive detection and blocking

The holy grail of security software is protection in the form of proactive blocking through a range of heuristic, reputational and generic countermeasures. In other words, stop badware (and other forms of attack) from gaining a foothold on a protected system in the first place.

Detection of known malware

First there were viruses (in the broad sense of self-replicating malware in many guises). And yes, there were trojans too, but in smaller quantities, except in the limited sense in which viruses can also be described as trojans - or at any rate, virus-infected code can be described as trojanised. As the balance between self-replicating and non-replicating malware slowly shifted, detection technology also changed, from exact identification to near-exact, to passive heuristics, to active heuristics and sandboxing, to reputational analysis and so on.

Unfortunately, malware technology also evolved in ways that reduced the effectiveness of these enhancements. Nonetheless, a high proportion of threats and threat variants continue to be detected either specifically or using more generic detections.
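The progression the section describes, from exact identification to near-exact (generic) signatures to passive heuristics, is easy to see in a layered scanner. The following is an added illustration, not code from the article or from any product; the sample "files", the signature names and the heuristic tokens are all constructed for the example.

```python
import hashlib
import re

# Constructed samples: a known sample, a one-byte variant of it, an unseen
# sample from no known family, and a benign file.
ORIGINAL = b"MZ\x90\x00payload:download-and-exec;xor-key=0x41;" + b"\x00" * 16
VARIANT = ORIGINAL.replace(b"0x41", b"0x42")  # one byte changed: exact match fails
UNKNOWN = b"MZ\x90\x00fetch-url;exec-payload;persist-via-runkey;" + b"\x00" * 8
BENIGN = b"MZ\x90\x00hello world program" + b"\x00" * 32

# Layer 1: exact identification. A whole-file hash matches only the sample
# it was generated from (hypothetical detection name).
EXACT_HASHES = {hashlib.sha256(ORIGINAL).hexdigest(): "Trojan.Example.A"}

# Layer 2: near-exact / generic signature. A byte pattern shared by the
# family, with the variable part (the XOR key) left as a wildcard.
GENERIC_PATTERNS = {
    re.compile(rb"payload:download-and-exec;xor-key=0x[0-9a-f]{2}"): "Trojan.Example.gen",
}

# Layer 3: passive heuristic. Static features that are individually harmless
# but suspicious in combination; no execution or sandboxing involved.
SUSPICIOUS_TOKENS = (b"download", b"exec", b"persist", b"xor-key")
HEURISTIC_THRESHOLD = 2


def passive_heuristic_score(data: bytes) -> int:
    """Count how many suspicious static features the file carries."""
    return sum(1 for token in SUSPICIOUS_TOKENS if token in data)


def scan(data: bytes) -> tuple:
    """Return (layer_that_fired, detection_name) for one file's bytes."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in EXACT_HASHES:
        return ("exact", EXACT_HASHES[digest])
    for pattern, name in GENERIC_PATTERNS.items():
        if pattern.search(data):
            return ("generic", name)
    if passive_heuristic_score(data) >= HEURISTIC_THRESHOLD:
        return ("heuristic", "Suspicious.Heuristic")
    return ("clean", None)


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT),
                          ("unknown", UNKNOWN), ("benign", BENIGN)):
        print(label, scan(sample))
```

Each later layer catches what the earlier one misses (the variant slips past the hash, the unseen sample slips past the family pattern), at the cost of a growing false-positive risk that the heuristic threshold has to manage.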

Remediation

Remediation is needed where something is detected only after it has gained a foothold (that is, it has infected the system and made some undesirable modification to it).

As the glut problem (the sheer volume of new samples) began to bite and detection by static signature declined in effectiveness, infection became more sophisticated and harder to reverse, and remediation needed more attention, though we have rarely agreed with those who have said that once you are infected, there is nothing to do but re-image. Then things began to change with heuristics, behaviour analysis, reputation and the rest. Today, anti-malware protection is achieved mainly through reputation, behaviour analysis and advanced heuristics, while signatures are used primarily for remediation where the proactive methods have failed.

Look for a combination of solutions that gives you the best coverage at a price you can afford. This applies to home users as well: the right free antivirus is a lot better than no protection, but the relatively low outlay for a multi-component security suite is well worth it for the extra layers of protection.
