June 2015 Network Security
FEATURE
and prevent infections. That being said, it is important to note the limitations of anti-malware products and recognise that there are more effective solutions out there. Here are a few important questions to ask around that topic:

• Why should we rely on the scanning capabilities of a single anti-malware engine when multi-scanning technology is available?
• Why should we rely on anti-malware products installed on our computer, when we know they can be difficult to manage and to keep up to date?[3]
• Why should we trust networked computers in an environment where end users often have admin privileges that could expose the network to potential threats?[4]

Therefore, in order to achieve adequate network protection it is necessary for anti-malware engines to detect malware regardless of platform. Cyber-attackers are creating malware that can target multiple operating systems, so shouldn't our anti-malware products offer similar cross-platform features? In theory, we should be able to use Linux-based firewalls with content filtering, Linux-based email servers and Linux-based web proxies to catch Windows malware before it attacks our network.

How scan engines work

At the beginning of the anti-virus era, scan engines used only simple pattern matching to recognise malware, compared to the techniques they now use to detect advanced threats.[5] This is a cat-and-mouse game because malware writers are always working on new disguises to make detection harder, such as encryption, polymorphism and rootkits, while anti-malware vendors are working to discover new approaches for detecting these threats.[6] Modern scan engines use CPU emulation, operating system emulation, cryptanalysis, sandboxing, heuristics and many other complex methods to detect threats. By using one or more of these technologies, scan engines can achieve an optimal detection rate and speed, depending on the type of the file currently being analysed.

In order to have the right expectations for scan engines, it is useful to know how anti-malware scan engines work. Each anti-malware engine consists of two main parts: the engine core (or engine binary) and a signature database. The engine core is the heart of the scan engine and contains the scan logic – how to analyse different files, how to extract archives, etc. In summary, the engine core can scan files for both known and unknown threats.

The signature database checks files against lists of known malware to speed up the detection process. Currently, there are more than 300 million different malware samples out there. Many anti-malware vendors are proactively using generic detection technologies to reduce the size of signature databases and to provide protection against a lot of different malware types. Despite these efforts, signature databases are quite large. Most of them are 100-200MB in size and are constantly growing as vendors release new updates. Signature updates are usually released after thorough quality testing has been performed. These tests require time and a huge amount of resources, so anti-malware vendors usually use the same database for all supported platforms to cut down on costs. Not only is the database the same, but the actual functionality of the scan engine itself is nearly the same on each supported platform, indicating that the detection capabilities should not change across platforms.

Revealing test results

We collected a variety of third-party test results where you can check the detection capabilities of many anti-malware products. AV-Comparatives and AV-Test are independent anti-malware testing organisations focusing primarily on anti-malware product research and product testing.[7,8] They test not only Windows-based products but also provide test results for mobile protection, mainly for Android-based security products. Their mobile protection test results include detection rates for malicious Android applications.

VirusBulletin is a UK-based security information portal and testing company, focusing on the global threat landscape.[9] It performs anti-malware product testing six times per year. Every test is based on a different platform, including many for both Windows versions and Linux platforms. Every test includes WildList samples and recent malware samples.[10] The company tests proactive and reactive detection capabilities as well.

While these organisations provide a good sense of the performance of anti-malware engines, they do not include many malware samples written for Linux platforms because the Windows OS is a much more popular target for attack. So

Figure 2: Sample multi-scanning results for detection of Linux-based malware by Metascan Online.
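To make the two-part engine model concrete (engine core plus signature database) and show how a multi-scanning service aggregates per-engine verdicts for files of different platforms, here is an added example written for this page; it is not code from the article or from OPSWAT/Metascan. Engine names, signature names and the sample file stubs are all constructed; only the magic bytes (PE "MZ", ELF "\x7fELF", ZIP/APK "PK") are real format identifiers.

```python
import hashlib

# Constructed samples (not real malware): each format's magic bytes plus a marker string.
SAMPLES = {
    "win_dropper.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00download+exec",
    "linux_bot": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"/bin/sh -c wget",
    "app.apk": b"PK\x03\x04AndroidManifest.xml",
    "notes.txt": b"quarterly report draft",
}

def platform_of(data: bytes) -> str:
    """Engine-core step: identify the file format from its magic bytes."""
    if data.startswith(b"MZ"):
        return "windows-pe"
    if data.startswith(b"\x7fELF"):
        return "linux-elf"
    if data.startswith(b"PK\x03\x04"):
        return "android-apk-or-zip"
    return "unknown"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed signature databases, one per engine, keyed by SHA-256 of the sample.
ENGINE_A_SIGS = {sha256(SAMPLES["win_dropper.exe"]): "Trojan.Dropper.Win"}
ENGINE_B_SIGS = {sha256(SAMPLES["linux_bot"]): "Linux.Bot.Generic"}

def signature_engine(name: str, sigs: dict):
    """Signature-database check: exact hash lookup against known samples."""
    return lambda data: (name, sigs.get(sha256(data)))  # None means clean

def heuristic_engine(data: bytes):
    """Generic detection: flag native executables that embed downloader strings."""
    markers = (b"wget", b"download+exec")
    if platform_of(data) in ("windows-pe", "linux-elf") and any(m in data for m in markers):
        return ("heuristic", "Suspicious.Downloader.Generic")
    return ("heuristic", None)

ENGINES = [signature_engine("sigdb-A", ENGINE_A_SIGS),
           signature_engine("sigdb-B", ENGINE_B_SIGS), heuristic_engine]

def multiscan(data: bytes) -> dict:
    """Run every engine and aggregate: the file is detected if any engine flags it."""
    verdicts = dict(engine(data) for engine in ENGINES)
    return {"platform": platform_of(data), "verdicts": verdicts,
            "detected_by": [name for name, hit in verdicts.items() if hit]}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        print(fname, multiscan(data)["platform"], multiscan(data)["detected_by"])
```

Note how a file missed by one signature database is still caught by the other or by the generic heuristic, which is the multi-scanning argument the article makes; the clean text file and the APK stub produce no verdict from any engine.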
engine and/or signature database for detecting malicious Android applications. Our findings indicated that these scan engines couldn't detect malware that was written for other types of platforms. A few security applications used vendor cloud services to check hashes of scanned files, which could provide detection for non-Android threats, but they were in the minority.

Conclusion

While Windows-based anti-malware products do effectively detect Android-based malware, the resource limitations previously discussed limit an Android-based anti-malware program's ability to detect malware written for another platform.

It is important to remember that anti-virus programs for Android function differently than traditional engines. On Android, a sandbox technique ensures that an application may only access its own data. These products cannot monitor file system changes to scan all files, nor can they do a full file system scan to look for malicious programs. To partially remedy this issue, third-party security applications can rely on hooks that the Android operating system provides by default, which proves effective for scanning applications, but not for catching other types of malware, such as those stored on an SD card.

This should not be an issue if we use our mobile devices carefully. Every time we make a connection to a desktop PC to transfer files between a mobile device and a PC, or we move an SD card between our devices, we have to make sure that our desktop computer has up-to-date protection. Protection is important for Android devices and Android-based platforms because malicious programs can easily place or drop malware programs onto our SD card and our PC to infect further devices.

As we have seen, detection capabilities for Linux malware by Windows-based anti-malware products are quite high, so users and network administrators can generally trust that malware written for Linux will be caught by their Windows-based anti-malware products, especially if a multi-scanning solution is in place.

Education for consumers and employees will become more important over the next 10 years, as many of these sophisticated attacks can be prevented by common-sense cyber-security improvements.[11] A strong emphasis on the importance of avoiding software vulnerabilities by keeping programs and operating systems up to date, as well as training in how to avoid phishing attacks, provides a strong first line of defence against cross-platform malware. New cross-platform malware is being discovered every day, but by putting our focus on improving detection via multi-scanning, and investing resources in consumer and employee education, organisations in the anti-malware community can mitigate the damage caused by these sophisticated exploits.[12]

About the author

Szilard Stange joined OPSWAT as director of product management in 2014. He is responsible for one of the company's flagship technologies, Metascan. Prior to joining OPSWAT, Stange held many engineering and product management positions in the IT security industry and helped create many anti-malware products, next-generation firewalls and security monitoring products at BalaBit and VirusBuster. He brings expertise in enterprise level security software definition and development and holds a Master's degree from the University of Pannonia.

References

1. Mimoso, Michael. 'New evasion techniques help AlienSpy RAT spread Citadel malware'. ThreatPost, Kaspersky Lab, 8 Apr 2015. Accessed May 2015. https://threatpost.com/new-evasion-techniques-help-alienspy-rat-spread-citadel-malware/112064.
2. Segura, Jerome. 'Citadel: a cyber-criminal's ultimate weapon?'. MalwareBytes blog, 5 Nov 2012. Accessed May 2015. https://blog.malwarebytes.org/intelligence/2012/11/citadel-a-cyber-criminals-ultimate-weapon/.
3. Dunn, John. 'Who runs an anti-virus scan these days? Apparently almost nobody'. TechWorld, 28 Jan 2015. Accessed May 2015. www.techworld.com/news/security/who-runs-anti-virus-scan-these-days-apparently-almost-nobody-3595951/.
4. Winn, Adam. 'How Bad Software Updates Put Your Network at Risk'. OPSWAT blog, 13 Mar 2015. Accessed May 2015. www.opswat.com/blog/how-bad-software-updates-put-network-at-risk.
5. Galea, Deborah. 'How to Detect Advanced Threats'. OPSWAT blog, 12 Mar 2015. Accessed May 2015. www.opswat.com/blog/detect-advanced-threats.
6. 'Polymorphism'. The Java Tutorials, Oracle. Accessed May 2015. http://docs.oracle.com/javase/tutorial/java/IandI/polymorphism.html.
7. AV-Comparatives. Home page. Accessed May 2015. www.av-comparatives.org.
8. AV-Test. Home page. Accessed May 2015. www.av-test.org/en/.
9. Virus Bulletin. Home page. Accessed May 2015. www.virusbtn.com/index.
10. WildList. Home page. Accessed May 2015. www.wildlist.org.
11. Galea, Deborah. '10 Things to Include in Your Employee Cyber-security Policy'. OPSWAT blog, 27 Mar 2015. Accessed May 2015. www.opswat.com/blog/10-things-include-your-employee-cyber-security-policy.
12. Hebels, Justin. 'New cross-platform malware discovered'. Thawte, 5 Feb 2014. Accessed May 2015. https://community.thawte.com/articles/new-cross-platform-malware-discovered.