Viruses have been a significant concern for cybersecurity professionals from long back and it continues to do so. After cybercriminals have started posing their malicious cyberattacks sophisticatedly, the fight against these threats has become more alarming and challenging. Some PC makers preinstall antivirus (AV) software in their manufactured systems, which are usually in their trial versions. These preinstalled AV programs later prompt you to sign up for a premium or a paid version after the trial period is over. In such a situation, you should not give in to the pressure of sticking to the same software; in fact, try to find the one that suits your requirements.
No one can win a war by providing soldiers with just armor. Instead, your choice of weapons should be personalized and competent enough to safeguard yourself against the future threat. An AV program is not self-sufficient to protect various entities of your organization and prevent a cyberattack. With AV, you need to have other defense systems, which include firewalls, intrusion detection systems, popup/ad blockers, phishing filters, end-point compliance, and a lot more. Consider all of these to be just a front-line warrior in a war zone, while a dedicated team of security professionals will be at work to protect and prevent your organization’s security framework. Moreover, that’s why it is a must that you have your preliminary defense strong enough to eliminate as many threats as it can.
Do You Really Understand AV Software?
AV software is a program, originally designed to search, identify, and eliminate threats, especially viruses before it can harm your system. However, with time, new threats have emerged, and now AV software is capable of fighting against various kinds of cyber threats. These threats include malware (ransomware, spyware, adware, Trojans, and worms), keyloggers, backdoors, rootkits, and browser hijackers. Moreover, some of the specialized AV software can also offer protection against phishing attacks, online banking attacks, spam, malicious URLs, advanced persistent threat, and botnet DDoS attacks.
As several firms develop AV software, a few of their functions differ from one another. However, all of them ensure a few general responsibilities, which are:
- Scanning files and folders for the presence of predefined malicious threats
- Permitting you to schedule autoscanning
- Notifying on infection detection
- Automatically eliminate detected malicious codes
- Evaluate the health of the system
How Does AV Software Work to Protect You?
An AV program can be referred to as one of the significant weapons of a multilayered security strategy. As most malware regularly morph to avoid detection, our defense strategy must include AV software that is equipped with advanced capabilities to identify earlier mentioned sophisticated threats.
Take a look at the features of the AV program and how they contribute to better performance of the program.
The capability of AV software to run in the background to check every accessed file and folder is generally known as on-access scanning, background scanning, resident scanning, and real-time virus protection. The usage of these terms change depending on the AV program you are using.
This background operation of the AV program works efficiently and smoothly without interrupting your usual work. For instance, when you run an executable (.exe) file, it might seem that it launches immediately, but in reality, AV software scans it and then allows it to begin. Otherwise, it notifies you about the detected danger. During the scan, AV software matches various elements of the file with predefined threats (such as viruses, worms, and types of malware). It also performs “heuristic” checking to identify any new unknown viruses. AV scanning is not limited to .exe files; it also examines .zip files for a compressed form of viruses, .doc or .docx file for malicious macro, and more like that. On-access scanning is a good idea as it limits viruses to exploit loopholes in the security system, which are left undetected by the scanner.
Full System Scanning
With regular on-access scanning, a complete system scan leaves minimal space for viruses to attack your system. Even if you downloaded a virus by mistake, the AV program eliminates it immediately on its own, without waiting for you to launch a manual scan. Well, full system scanning usually used when you have freshly installed your AV program. In such a case, it’s required that you detect already existing unnoticed viruses and other threats. This can also be used during the repair of your system. For repairing an infected system, it is recommended to perform a full disk scanning on the victimized hard drive by using another system.
Predefined Virus Definitions
AV software updates itself with new definitions of different types of malware, usually once in a day. This file contains unique signatures of the viruses. Whenever an AV program comes across a piece of a program matching the predefined signature, it stops running the infected program and puts it under “quarantine.” This infected file will then be deleted automatically, or your system will prompt you with an option to run it regardless of the presence of malicious content; both these choices depend on the software you are using.
An AV program is also capable of employing heuristics. It can detect an unknown type of malware even when it is not included under the virus definitions. For instance, if the AV software notices a program replicating itself or trying to access all .exe files, then the software can tag it as an unknown type of virus. However, this feature is not designed to be aggressive in nature; in this way, the program won’t be flagging authorized programs as viruses.
A heuristic method is a combination of static and dynamic heuristic techniques. Static heuristic analysis decompiles the program to examine its source code. This source code will then be matched with the present viruses in the heuristic database. Even if a part of the code matches with the existing code in the database, the code will be considered as a threat by the AV program. While in dynamic heuristic techniques, the researchers look for malicious code in a secure virtual environment than letting the AV program play by its predefined rules.
False positive is a term used to denote an error in reporting a legitimate file as a virus because of its suspicious behavior. It has been noticed that AV programs sometimes flag genuine Windows system files, third-party applications, and even their own program files as viruses. This false positive, if considered as a virus by the user, can damage the user’s system. Microsoft Security Essentials identifying Google Chrome as a virus is one such incident .
Imagine not being able to receive a mail from a regular customer just because he/she used a word that categorized the mail as spam. Even getting spams messages in your inbox is annoying. That’s where Bayesian spam filtering comes into the picture. It gives you the probability that a certain email is a spam. This Bayesian spam filtering follows Bayes’ theorem, which states the probability of an event. This same theorem is used in AV programs to reduce the number of false positives.
If you want to choose the best AV program available in the market, then look for its detection rates. It is never the same and fluctuates over time. To calculate the detection rate of an AV program, both virus definition files and heuristics are taken into consideration. Some AV software is effective with heuristics while some are good with virus definitions; this is an interesting attribute to consider while selecting an AV program for your system.
Interesting Note: If you want to test whether your AV software is working correctly or not then look at the EICAR (European Institute for Computer Antivirus Research) test file.
Consider all the above-listed features while choosing an AV program for your system.
Simplifying Detection and Reliability Rates of AV Program with Bayes’ Theorem
Let’s take the example of an advertisement saying: Overall malware detection rate is 75% for AV 1, 97% for AV 2, and 94% for AV 3. The choice seems obvious, isn’t it?
Suppose, we have analyzed our system for malware and concluded that the probability of it being “healthy” is 1%. We have also evaluated that the reliability of our AV is about 99%. The question is: If the AV reports that the system is healthy, what is the probability that it will be infected? This is where Bayes’ theorem unfolds its power. Most people will assume that the answer is 99% or close to 99%. That’s the reliability rate of the scan, right? In reality, the exact answer, underpinned by Bayes’ theorem, is only 50%.
In the Bayesian theorem,
P(B)—the probability that your system was infected before being scanned is 1% or 0.01.
P(E)—the probability that an infection will be detected. P(E) is the probability that the scan will be positive, whether your system is infected or not. In other words, it includes both false positives and true positives.
To calculate the probability of a false positive, you must multiply the false positive rate, which is 1% or 0.01 by the percentage of the system that has been infected, that is, 99%, for a total of 0.0099. Yes, your 99% accurate super test gives as many false positives as true positives! Let’s finish the calculation. To obtain P(E), add the false and true positives to a total of 0.0198, which, when divided by 0.0099, gives 0.5. So the probability that your system will actually be infected is 50%.
Let’s keep it short and simple: if you have scanned your system only once, the probability for your computer to be “clean” is 50–50. This may seem strange but it’s real because the AV doesn’t recognize unknown malware. But if you restart a scan, everything will change. If you redo the test, you can considerably reduce your uncertainty since now the probability of your system being infected, P(B), is 50% and not 1%. If the second scan is positive, Bayes’ theorem tells you that the probability of infection is now 99% or 0.99.
As this example shows, repeating Bayes’ theorem can provide very precise data. This means that the probability that your system will be infected decreases with each successive scan because, on the one hand, the AV software receives information about the malware that was previously unknown with each consecutive update and, on the other hand, the probability that you will download unknown malware regularly is significantly low.
So, understanding Bayesian statistics is the most appropriate way to judge the reliability of an AV program.
Even in 2019, we do need AV programs. These days, the AV program is not mandatorily used to eliminate viruses and a handful of cybersecurity attacks. But it also ensures that malicious miscreants won’t be able to steal your data or damage your system easily. Living an online life has never been easy, and with the advancement of technology, every form of defense is needed.