Methods of protection against malicious software

Today’s malware is definitely not the only security threat for individual and corporate users, but the tools of detecting and fighting malware remain fundamental in any security solution. There are several reasons for this, the main one being historical. As we already know it all started with viruses, and the first computer security solutions, respectively, were called “antiviruses.” Most people who are not sophisticated in data protection still say “antiviruses” though, even when speaking about the most complex security solutions. They expect those solutions to fight “viruses,” although, as stated above, they are not the only threats.

The functions of detecting and fighting malicious software are mandatory for all contemporary data protection solutions, but their techniques and efficiency differ.

Our Kaspersky Endpoint Security comprises a set of tools for detecting malware and protecting users from it. These include signature-based and heuristic (proactive) scanners, as well as file and email antivirus. The modules for repelling network threats and fighting off dangerous messages in instant messaging clients are often called antiviruses too (the Web Antivirus and the IM Antivirus), although strictly speaking, they are not designed to deal with malware, but to protect from phishing and web attacks.

Malicious programs have traditionally been detected by their signatures. The signature-based method has been used for decades and has duly earned its reputation for being frugal and sparing of system resources.

However, the daily increase of the number of new malicious programs now exceeds two hundred thousand. This is an avalanche that cannot be effectively dealt with by means of the signature-based method only.

Therefore, several other techniques are used. First, there is a proactive method that detects malicious programs by their attempts to perform certain operations. For example, Trojans are characterized by attempts to gain access to the system registry; they copy themselves to network resources, the startup folder and the registry, resend their own copies, log keyboard input, hide the installation of drivers, attempt to modify the operating system kernel, create hidden objects and processes with a false identity, infiltrate other processes, etc.

Our products monitor and analyze these and other activities with the help of a static set of heuristics: models or patterns of applications’ suspicious activity. Like signatures, such templates are updated regularly. When a new virus or a new modification of already known malware is detected, this technology makes it unnecessary to update the whole proactive defense module: a new signature is simply added to the heuristics base and delivered along with the product’s antivirus databases. Thus, a new piece of malware may look quite different from those already known, but if it behaves the same way, our solution’s antivirus modules block it.

Starting with the eighth version of Kaspersky Endpoint Security for Windows, the System Watcher component acts as the proactive protector. It comprises a set of templates (Behavior Stream Signatures, BSS), models of malicious behavior by which unknown malware can be identified even before information about it is included in the signature database.

System Watcher communicates with the other components of the antivirus software, memorizes chains of events, builds the full picture of behavior and records the traces of each individual program and of program groups. This greatly improves the accuracy of malware detection. It is also important to know that System Watcher monitors applications’ activity not just in the current session but throughout the program’s lifecycle.
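To make the idea of behavior stream signatures concrete, here is a small matcher written for this post. It is an added example, not System Watcher code or the real BSS format: the event labels, template names and the program identifier `sha256:deadbeef` are all constructed. Events are keyed by program identity rather than by process ID, so a chain that starts in one session and finishes in the next (after a reboot, under a new PID) still completes the template, which is the "whole lifecycle" point made above.

```python
"""Toy behavior-stream signature matcher (constructed example, not Kaspersky code)."""
from collections import defaultdict
from dataclasses import dataclass

# Each template is an ordered list of event kinds that must all appear, in that
# order, in a single program's event stream. Labels are invented for this demo.
BSS_TEMPLATES = {
    "autorun-dropper":  ["write_file:startup_folder", "write_registry:run_key", "spawn_self"],
    "keylogger":        ["install_hook:keyboard", "write_file:userprofile", "net_connect"],
    "process-injector": ["open_process:other", "write_process_memory", "create_remote_thread"],
}


@dataclass
class Event:
    program: str   # stable identity of the image (here a constructed hash), not the PID
    pid: int       # kept for reporting; a new session gives the same program a new PID
    kind: str


def _in_order(pattern, stream):
    """True if every step of `pattern` occurs in `stream` in the given order."""
    it = iter(stream)
    return all(step in it for step in pattern)  # `in` advances the iterator


class BehaviorTracker:
    def __init__(self, templates=BSS_TEMPLATES):
        self.templates = templates
        self.history = defaultdict(list)  # program identity -> ordered event kinds

    def observe(self, ev: Event):
        """Record one event and return the templates this program now matches."""
        self.history[ev.program].append(ev.kind)
        return self.matches(ev.program)

    def matches(self, program):
        stream = self.history[program]
        return [name for name, pattern in self.templates.items() if _in_order(pattern, stream)]


# Constructed event log: the dropper writes its persistence in session 1 and only
# relaunches itself in session 2 (different PID). A benign updater touches the Run
# key and the network but never completes a template.
SESSION_1 = [Event("sha256:deadbeef", 4120, "write_file:startup_folder"),
             Event("sha256:deadbeef", 4120, "write_registry:run_key")]
SESSION_2 = [Event("sha256:deadbeef", 777, "spawn_self")]
BENIGN = [Event("sha256:cafe", 100, "write_registry:run_key"),
          Event("sha256:cafe", 100, "net_connect")]


def run_demo():
    tracker = BehaviorTracker()
    after_s1 = [tracker.observe(e) for e in SESSION_1][-1]
    after_s2 = [tracker.observe(e) for e in SESSION_2][-1]
    benign = [tracker.observe(e) for e in BENIGN][-1]
    return {"after_session_1": after_s1, "after_session_2": after_s2, "benign": benign}


if __name__ == "__main__":
    print(run_demo())
```

Note that the per-PID view would never fire here: no single process performs all three steps. Persisting the stream per program identity is what turns two unremarkable sessions into one detection, and adding a template means adding a list entry, not shipping a new engine.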

In order to further improve the performance of the antivirus protection components when processing files, the eighth version of Kaspersky Endpoint Security for Windows received two functions: iSwift and iChecker.

The principle of iChecker’s operation is based on calculating and memorizing a checksum (a signature) of an inspected object. After any modification of the object its checksum changes, too. iChecker stores the checksum in a special table, and every subsequent verification compares the previous and the current checksums. When no change is detected, the file is excluded from scanning.

iChecker processes files as well as startup objects, mail attachments, etc.

iSwift is a variant of iChecker for NTFS. This file system has the advantage that each object is assigned an NTFS identifier. iSwift compares the NTFS identifier with the values stored in its special database, and if the values in the database do not match the NTFS identifier, the object is scanned.

There is no need to calculate a checksum in that case, so iSwift can process files of any size (unlike iChecker). However, a copied file is checked again, since the technology ties it to a specific location. Moreover, iSwift applies to NTFS only.
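The difference between the two approaches is easiest to see side by side. The following scan cache is an added example written for this post, not iChecker or iSwift code: the "content" strategy keys the cache on a SHA-256 of the bytes (iChecker-like), while the "identity" strategy keys it on the file's device and inode number, which stand in here for the NTFS file ID on a POSIX system. Two design choices are mine rather than the page's: the cache key also carries a database version string so that entries are invalidated whenever signatures change, and the identity key includes size and modification time so that an in-place edit is not mistaken for an unchanged file. The scan engine and the sample files are constructed.

```python
"""Toy scan cache contrasting checksum-keyed and file-ID-keyed skipping
(constructed example; not Kaspersky's iChecker/iSwift implementation)."""
import hashlib
import os
import shutil
import tempfile

# Constructed database version. Changing it invalidates every cached verdict,
# so a file cleared by old signatures is rescanned with new ones (my addition).
DB_VERSION = "constructed-db-2024-01"


class ScanCache:
    def __init__(self, strategy):
        assert strategy in ("content", "identity")
        self.strategy = strategy
        self.clean = set()      # keys of objects last found clean
        self.full_scans = 0     # how many times the engine actually ran

    def _key(self, path):
        if self.strategy == "content":
            # iChecker-like: cost grows with file size, but the key follows the bytes.
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            return (DB_VERSION, h.hexdigest())
        # iSwift-like: constant cost, but the key is tied to this file object on
        # this volume. dev+inode stand in for the NTFS file ID; size and mtime
        # guard against in-place modification (my addition, not the page's).
        st = os.stat(path)
        return (DB_VERSION, st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns)

    def scan(self, path, engine):
        key = self._key(path)
        if key in self.clean:
            return "skipped"
        self.full_scans += 1
        verdict = engine(path)
        if verdict == "clean":
            self.clean.add(key)   # only clean verdicts are cached
        return verdict


def toy_engine(path):
    """Constructed stand-in for a signature scanner."""
    with open(path, "rb") as f:
        return "infected" if b"CONSTRUCTED-MALICIOUS-MARKER" in f.read() else "clean"


def run_demo():
    tmp = tempfile.mkdtemp()
    try:
        original = os.path.join(tmp, "a.bin")
        with open(original, "wb") as f:
            f.write(b"hello " * 1000)
        results = {}
        for strategy in ("content", "identity"):
            cache = ScanCache(strategy)
            r1 = cache.scan(original, toy_engine)   # first sight: full scan
            r2 = cache.scan(original, toy_engine)   # unchanged: skipped by both
            copy = os.path.join(tmp, strategy + "-copy.bin")
            shutil.copyfile(original, copy)         # same bytes, new file object
            r3 = cache.scan(copy, toy_engine)       # content: skipped; identity: rescanned
            with open(original, "ab") as f:
                f.write(b"!")                       # in-place modification
            r4 = cache.scan(original, toy_engine)   # both strategies rescan
            results[strategy] = (r1, r2, r3, r4, cache.full_scans)
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the trade-off the post describes: the content strategy recognises the copy and skips it but has to hash every byte, while the identity strategy never reads the file for the lookup, so size is irrelevant, yet a copy (new file ID) goes back through the engine. Both strategies cache only clean verdicts and drop the whole cache on a database update, which is the check to look for when evaluating any scan-skipping optimisation.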

In addition to the signature and proactive protection methods described above, our business products use another way to rapidly identify new threats: System Watcher is integrated with Kaspersky Security Network.

KSN is a cloud service comprising more than 60 million users worldwide. With the consent of each antivirus user, KSN receives information about attempts to infect computers and reports of programs’ suspicious activity. The obtained data is then processed by a distributed expert system, and information about newly emerging threats and their sources of distribution is made available to all users of the product within 40 seconds. For comparison: according to a survey by NSS Labs, in the second quarter of 2010 the “manual” blocking of web threats by antivirus companies took from 4.62 to 92.48 hours.

It is impossible to shorten the response time to threats any further by means of conventional antivirus updates, because that interval is the minimum time required to detect the malware, analyze it and test the resulting antivirus updates.

The detection capability of heuristic methods, even the most advanced ones, is 50–70% on average, which implies that 30–50% of newly emerging threats are not detected by heuristics.

Kaspersky Security Network collects and analyzes vast amounts of data about new threats and allows an almost instant reaction. Cloud technologies need minutes or even seconds to identify and detect new threats. If a malicious component is detected in any program, information about it is transferred to the Instant Detection System and distributed to all customers.

In general, the use of Kaspersky Security Network provides the fastest response to threats, significantly reduces the traffic spent on updating antivirus databases and, finally, minimizes the number of the security solution’s false positives.

KSN is also actively used to combat malicious links and spam. More information on the principles of Kaspersky Security Network is here.

As a radical but efficient measure against threats, our enterprise solutions also apply allowlists. But let’s discuss that in a future post.