by Dan Lowe, on 28 October 2013
With over 200,000 unique malware samples created every day, about 2.3 new variations every second, signature detection on its own cannot keep up with the onslaught. Below I will explain why that is, and why there is still a need for signatures to protect your devices.
To create a malware signature, the antivirus company first has to determine whether a file is malicious. Once a researcher has confirmed that it is, they produce a signature for it: in the simplest case a hash of the file, a fixed-length digest that is unique to that exact sequence of bytes. A hash identifies only that exact file: change a single byte, by repacking it or editing a string, and the digest is completely different, which is one reason pure hash signatures fall behind. Other signatures instead match a characteristic byte pattern found inside the file. In parallel, the company analyses how the file behaves and develops a remediation routine to render it harmless or repair the affected file so it works properly again. The signature has to be tested and then pushed out in a database update before it protects any system. If database updates on a computer are scheduled manually, hours or days can pass before its local database is updated. Some files cannot be remediated easily, because it can take several researchers from different disciplines to evaluate the file fully and write the fix. Even this simplified picture shows that it takes time for a signature to be created and a fix to be delivered.
Malware writers often create variations within the same malware family specifically to get around exact-match signatures. Generic signatures and heuristics counter this: they allow the scanning engine to detect variants within a family that share many of the same characteristics or some of the same code, instead of requiring one signature per build. This approach is far more effective at identifying new members of a known malware family than at identifying a genuinely new category of malware.
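As an added illustration, not code from the original post or from Bitdefender, the following Python sketch contrasts the two kinds of signature described above. The "files", the shared marker bytes, the C2 strings and the detection names are all constructed for the example and are not real malware; the point is that a single changed byte defeats the exact hash match, while a byte pattern with a wildcard over the part that varies still catches the new variant of the same family.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-ins for three files on disk. None of this is real malware;
# the byte strings were made up for this example so that it runs offline.
KNOWN_SAMPLE = (
    b"MZ" + b"\x00" * 6
    + b"\xde\xad\xbe\xef"                 # code the whole (made-up) family shares
    + b"C2=http://example.invalid/a\x00"  # per-build string that changes with each variant
    + b"\x00" * 8
)
# A repacked build of the same family: one padding byte flipped and a new C2 path.
VARIANT_SAMPLE = (
    b"MZ" + b"\x00" * 5 + b"\x01"
    + b"\xde\xad\xbe\xef"
    + b"C2=http://example.invalid/b\x00"
    + b"\x00" * 8
)
# A benign file with no relation to the family.
CLEAN_FILE = b"MZ" + b"\x00" * 6 + b"hello, world\x00" + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    """Exact-match signature: the SHA-256 digest of the whole file."""
    return hashlib.sha256(data).hexdigest()


# Hash database: one entry per file a researcher has confirmed malicious.
# Only the original build is in it, which is the situation the moment a new variant ships.
HASH_DB = {sha256_hex(KNOWN_SAMPLE): "Trojan.Example.A"}

# Generic signature: the shared marker followed by *any* printable C2 string, so the
# per-build difference is wildcarded away. Written here as a regex over bytes, the same
# idea as a byte pattern with wildcards in a vendor's own signature format.
GENERIC_SIG = re.compile(rb"\xde\xad\xbe\xef" rb"C2=http://[\x20-\x7e]{1,64}\x00")
GENERIC_NAME = "Trojan.Example.Gen"  # hypothetical detection name


def hash_scan(data: bytes) -> Optional[str]:
    """Return the detection name if the file's digest is in the hash database, else None."""
    return HASH_DB.get(sha256_hex(data))


def generic_scan(data: bytes) -> Optional[str]:
    """Return the family detection name if the generic byte pattern matches, else None."""
    return GENERIC_NAME if GENERIC_SIG.search(data) else None


def scan(data: bytes) -> dict:
    """Run both layers the way an engine would: cheap exact-hash lookup, then generic pattern."""
    return {"hash": hash_scan(data), "generic": generic_scan(data)}


if __name__ == "__main__":
    for name, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("clean", CLEAN_FILE)):
        print(f"{name:8s} sha256={sha256_hex(blob)[:16]}...  {scan(blob)}")
```

Running it shows the known build hit by both layers, the variant missed by the hash lookup but caught by the generic signature, and the clean file matched by neither. The generic pattern is also the weak spot: if the wildcard is too loose it starts matching benign files, which is the false-positive trade-off any non-exact signature carries.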
Signature-based file detection is fast at catching known malware, and it is also valuable for investigation and forensics, because a confirmed match tells you exactly which family you are dealing with. Understanding how a piece of malware works is what lets antivirus researchers revise and improve their techniques. When you install new antivirus software on a system, it is worth scanning the existing files against the locally stored signature database to discover malware that is already present; quickly identifying malicious applications already on the system helps prevent them from corrupting it further. One complaint has been that the signature database is fairly large, but generic signatures have helped reduce its size. Behaviour-based detection is slower, uses more system resources, and produces more false positives than signature-based detection, but it has proven to be a fairly effective technique, particularly against samples that no signature yet covers. In practice, most antivirus companies use both methods to detect malware.
Some antivirus companies combine the local signature database with signatures held in the cloud to further evaluate the files on a system. By checking certain files against the cloud, the vendor can apply its very latest signatures without waiting for a database update to reach the machine, and so identify the newest malicious applications sooner. Not every computer can do this, however: many work offline or in more isolated environments and never query the cloud. Signature detection will therefore remain with us until there is a more formidable way to identify both existing variations and new malware.
Dan Lowe, an OEM Senior Marketing Manager, has been working with Bitdefender for the last 3½ years. His familiarity with multiple security products, from firewalls to antivirus, has given him a unique perspective on the security industry.