The limits of traditional antivirus systems: why they are not sufficient anymore

A bit of history

The birth of computers was followed almost immediately by that of viruses, in the first half of the 1980s. In most cases they spread through floppy disks, which at the time were the main means of exchanging data.

It was Fred Cohen who, in his 1984 paper “Computer Viruses – Theory and Experiments”, first defined the concept of a “computer virus”.
G DATA Software AG is considered the inventor of the antivirus: in 1987 the company, founded in Bochum in 1985, developed the first commercial programme to fight computer viruses. Shortly afterwards John McAfee released his own antivirus; his company was acquired by Intel in 2011. Other well-known and widespread antiviruses are Avira, Avast, Bitdefender, Eset, F-Secure, Kaspersky, Panda Security, Sophos, Symantec and Webroot.

Over the years both viruses and antiviruses have evolved enormously. Nevertheless, it has become more and more clear that whoever carries out an attack usually has an advantage over whoever must defend against it.
Today the word antimalware is often preferred to antivirus. The two are essentially synonyms, since the word malware (short for “malicious software”) broadly covers all types of harmful software, including viruses.

Antiviruses and antimalwares are therefore programs designed to detect and then eliminate various types of malicious code.

Investing in cybersecurity is essential to guarantee the continuous operation of companies, organisations, institutions and schools.

How do antimalwares work and why they are not sufficient anymore

To understand the limits of antimalware, which today are more and more evident, it is useful to understand how these programs work. It will then become clear that we can no longer consider them sufficient protection for our devices.
The first antiviruses performed their checks in an essentially “mechanical” way, based on a signature check (hence the name “signature-based”). The signature was generated with a hash algorithm and, being unique, was comparable to a fingerprint that identifies a file unambiguously.
Working this way, they could detect only known viruses, those already present in their database of virus definitions, but they could not catch new attacks, because these had not been classified yet.
Each new virus must first be identified and analysed to determine its signature, which is then added to the list of known viruses. Signature database updates are sent to users with a frequency that, depending on the vendor, can be daily or even several times a day.
Even with daily updates there is a window of time during which the threat already exists but is not yet in the antivirus database, because the vendor must: identify the malicious agent, add it to the antivirus database, and make it available for download to customers, who must then update their signatures.

It is therefore evident that this “filing” procedure will always and inevitably lag a little behind: there will always be a window (even of just one day…) during which the antivirus cannot recognise malware that has just been created.

What is polymorphism

Hackers, who develop their techniques with “research and development” processes similar to those of real companies (since today that is what they are), have learnt to exploit this weakness of antimalware. They do so through so-called “polymorphism”: to deceive the antimalware they use code it does not know. And this can be done in a very simple way: there is no need to create brand-new malware, it is enough to change the signature of existing malware.

Malware is a sequence of lines of code. Once created, this code has a unique fingerprint: the hash computed with a hashing algorithm. That hash is what signature-based antimalware checks.

The attacker will therefore create polymorphic malware, which encodes its own signature differently every time so as to appear different in every attack. In practice, the malware turns a block of code into another block with the same functions as the previous one but a different fingerprint. Note that, given the properties of hashing algorithms, even the smallest change produces a completely different hash (the so-called “avalanche effect”).

Generating a polymorphic virus takes just a few seconds and the technique is more and more widespread: today most malicious agents are polymorphic. In other words, almost every attack uses newly generated malware that is not yet known, at least until the signature database is updated.

Because of polymorphism the efficacy of antivirus drops drastically: according to research by Malwarebytes (2017), a traditional antivirus cannot protect the user from almost 40% of malware attacks.
Moreover, such antivirus cannot respond effectively to “0-day” attacks, i.e. it cannot identify new threats that are not yet present in the vendors’ databases.

In conclusion: signature-based threat detection is useful but has limited efficacy. For this reason modern antimalware also uses more innovative methods, which focus on the analysis of dangerous behaviours and so manage to identify attacks that are not yet known. This technique is known as heuristic analysis.

Cybersecurity is the top priority on the 2021 agenda of at least 61% of the interviewed CIOs (Chief Information Officers).

Heuristic analysis

The word “heuristic” denotes the set of strategies, techniques and inventive procedures used to find a topic, concept or theory useful for solving a new problem. In antiviruses it is a function used in addition to signature-based checks: an executable file is scanned, looking at its structure, behaviour and attributes.

In this way its code is isolated and examined. If the code shows instructions typical of malware, or if a given percentage of it corresponds to something already identified as malicious, the code is marked as a potential threat.
In other words, comparing antiviruses to a police investigation: the traditional ones identify the criminal because they have his fingerprints, while the heuristic ones understand that he is a criminal, even though they have never seen him before, because they observe his ability to carry out suspicious actions.

This technique uses the logic of behavioural analysis to identify suspicious characteristics in new and unknown viruses and in modified (polymorphic) versions of existing threats.
Heuristic analysis is therefore more effective as preventive protection against unknown threats, since it is able to identify polymorphic viruses.
In some cases, in the most advanced antimalware, a dynamic heuristic analysis is also carried out: the suspicious file is executed in a sandbox, which in IT means a test environment isolated from the main one, to determine without risk whether a program is safe. Executing it in a sandbox, i.e. “detonating” it in an environment isolated from the main system, reveals how the software behaves and what threats it could bring.
Although they are one step ahead, even signature-less heuristic analysis programs have proven insufficient to contain increasingly advanced cyber threats, so antimalware has had to evolve further, becoming real “security suites” that can no longer be defined as simple antiviruses.
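The following is an added example, not code from the original article: a toy signature scanner and a toy static heuristic scanner run over a constructed text sample (not real malware). It shows the two points made above: appending a single byte to a known sample changes roughly half of the hash bits (the avalanche effect), so the exact-match signature no longer fires, while the heuristic rules, which look at what the sample does rather than at its fingerprint, still flag the variant. The family name, rule patterns, weights and threshold are all invented for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Fingerprint of a file's bytes, as a signature-based scanner computes it."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the bytes of an already-classified sample (plain text).
KNOWN_SAMPLE = b"open files; encrypt files; delete backups; ask for payment\n"

# Constructed signature database: only samples the vendor has already analysed.
SIGNATURE_DB = {sha256_hex(KNOWN_SAMPLE): "Constructed.Sample.A"}

# Constructed heuristic rules: behaviours typical of ransomware, each with a weight.
HEURISTIC_RULES = {b"encrypt files": 3, b"delete backups": 3, b"ask for payment": 2}
HEURISTIC_THRESHOLD = 5

def signature_scan(data: bytes):
    """Exact-match lookup: the family name, or None if the hash is unknown."""
    return SIGNATURE_DB.get(sha256_hex(data))

def heuristic_scan(data: bytes):
    """Static heuristic: score the sample by the suspicious patterns it contains."""
    score = sum(w for pat, w in HEURISTIC_RULES.items() if pat in data)
    return score, score >= HEURISTIC_THRESHOLD

def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 256 hash bits differ between two inputs (avalanche effect)."""
    return bin(int(sha256_hex(a), 16) ^ int(sha256_hex(b), 16)).count("1")

if __name__ == "__main__":
    # A variant that keeps every behaviour but differs by one appended comment byte.
    variant = KNOWN_SAMPLE + b"#"
    print("signature (original):", signature_scan(KNOWN_SAMPLE))
    print("signature (variant): ", signature_scan(variant))
    print("hash bits changed by one byte:", differing_bits(KNOWN_SAMPLE, variant))
    print("heuristic (variant):  ", heuristic_scan(variant))
```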

With cloud internet security, users don’t have to download lengthy updates and reboot their systems: all changes are adopted automatically by the system!

EDR systems (Endpoint Detection and Response)

The new frontier is Artificial Intelligence (AI) and Machine Learning (ML).
AI does not only carry out a series of checks: it also analyses specific behaviours and detects anomalies in order to identify an attack, for example ransomware.
With machine learning it is possible to recognise new behaviours and patterns and classify them, so as to “teach” them to the defence system, which thus keeps evolving.

These technologies are implemented through EDR (Endpoint Detection and Response) or XDR (the difference between the two is mainly commercial), which represent the future (actually, by now the present) and are the best solution for cybersecurity, especially because signature-based and other less evolved methods are unable to keep up with the evolution of current threats.

Of course, an EDR includes a signature-based antivirus, but this is only one of the system’s components, as we will see. In practice, an agent is installed on every endpoint (as with a traditional antivirus); it monitors in real time and collects data about the endpoint, applying threat intelligence techniques (threat detection).

The agent collects behavioural data from the endpoint (such as processes, connections, volume of activity and data transfers), examines it, compares it with the expected behavioural patterns, analyses and correlates it, observes anomalies and sends them to a centralised dashboard where the system administrator can detect threats and decide on response actions.

This activity makes use of Machine Learning (ML): the agent learns to recognise the typical behaviours of the endpoint’s user and, after a learning phase (which usually lasts 1–2 weeks), is able to use this information to recognise abnormal behaviours that might indicate an attack on the endpoint.
This approach is also called “User Behaviour Analytics” (UBA); below we report the definition given in the Clusit Report:
“UBA: Technology that learns the “normal” behaviour of users of a specific IT system through the analysis of relevant quantities of data (logs, …), and afterwards signals abnormal activities enabled by the users.”

Since all attacks have typical behaviours, which have been studied and translated into mathematical models, EDR protection systems combine these models (“behavioural patterns”) and are able to recognise and block such attacks without needing to know them in advance.
Moreover, thanks to the ML and AI of the threat intelligence system provided by the EDR vendor, they manage to cluster millions of files and their typical behaviours.
Another advantage of advanced EDR systems is that they communicate with the vendor’s systems, which maintain a database built on cyberattacks that have already taken place.
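As an added example (not code from the original article or from any EDR product), here is the learning-phase / detection-phase logic described above reduced to its core: a per-user baseline of how many files the user normally modifies per minute is learnt from constructed telemetry, and later minutes whose rate exceeds the baseline by several standard deviations (and an absolute floor) are flagged, which is the kind of burst a ransomware encrypting a home directory produces. The `t=… user=… event=… path=…` line format, the user name, the threshold parameters and all log lines are invented for the example.

```python
from collections import Counter
from statistics import mean, pstdev

def parse(line: str) -> dict:
    """Parse one 'key=value' telemetry line (constructed format, not a real EDR's)."""
    return dict(field.split("=", 1) for field in line.split())

def per_minute_counts(lines, user: str, event: str) -> Counter:
    """Count how many times `user` produced `event` in each minute of the log."""
    counts = Counter()
    for rec in map(parse, lines):
        if rec["user"] == user and rec["event"] == event:
            counts[int(rec["t"])] += 1
    return counts

def learn_baseline(lines, user: str, event: str, minutes: int):
    """Learning phase: mean and spread of the user's per-minute rate for `event`."""
    counts = per_minute_counts(lines, user, event)
    series = [counts[m] for m in range(1, minutes + 1)]  # quiet minutes count as 0
    return mean(series), pstdev(series)

def detect_anomalies(lines, user: str, event: str, baseline, k=3.0, floor=10):
    """Detection phase: flag minutes whose rate exceeds mean + k*stdev and `floor`."""
    mu, sigma = baseline
    limit = max(mu + k * sigma, floor)
    counts = per_minute_counts(lines, user, event)
    return sorted(m for m, c in counts.items() if c > limit)

# Constructed learning-phase telemetry: alice edits a few documents per minute.
LEARNING_LOG = [
    f"t={m} user=alice event=file_modify path=/home/alice/doc{i}.docx"
    for m, n in enumerate([2, 3, 2, 4, 3, 2, 3, 2, 3, 2], start=1) for i in range(n)
] + ["t=5 user=alice event=process_start path=/usr/bin/libreoffice"]

# Constructed live telemetry: minute 11 is normal; minute 12 shows a burst of
# rewrites across the user's files, the pattern a ransomware leaves behind.
LIVE_LOG = (
    [f"t=11 user=alice event=file_modify path=/home/alice/doc{i}.docx" for i in range(3)]
    + [f"t=12 user=alice event=file_modify path=/home/alice/f{i}.docx.locked" for i in range(80)]
)

def run():
    """Learn alice's baseline from the learning log, then scan the live log."""
    baseline = learn_baseline(LEARNING_LOG, "alice", "file_modify", minutes=10)
    return detect_anomalies(LIVE_LOG, "alice", "file_modify", baseline)

if __name__ == "__main__":
    print("anomalous minutes:", run())
```

In a real deployment the baseline would be per user and per event type, learnt over the 1–2 week window mentioned above, and a flagged minute would be correlated with the process that caused it before any response action.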

Therefore, by correlating the event reported by the EDR with its own database (using AI), the service provider can recognise attacks that are still unknown. Another useful source of threat intelligence is the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) project by MITRE, a non-profit research organisation that works with the US government. ATT&CK is a knowledge base and a framework based on the study of millions of real-world cyberattacks.
ATT&CK categorises cyber threats according to various factors, such as the techniques used to infiltrate an IT system, the type of vulnerability exploited, the malware tools used and the criminal groups associated with the attack. The crux of the work is identifying models and characteristics that remain the same regardless of minor changes in an exploit.

To sum it up, the main functions of an EDR system typically are:

»  monitoring endpoint activity and collecting data that could indicate a threat;
»  analysing such data to identify threat patterns, using rules set up by the vendor and/or by the system administrator;
»  notifying threats and the response actions taken through a centralised dashboard that collects and correlates the data from all the endpoints of the company system.

An EDR can be connected to a SIEM system (Security Information and Event Management), which, on top of the EDR events, also collects and correlates events coming from other sources, such as firewalls, DNS servers, IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and WAF (Web Application Firewall).
A SIEM is a control architecture over the security of the entire system to be defended. These architectures (EDR, IDS/IPS, SIEM) are the solutions companies should adopt today, going beyond simple and by now obsolete antivirus solutions.

According to the EU, the cost of cybercrime for the global economy in 2020 amounted to 5.5 trillion euros, more than double the figure for 2015.

The Author

Giorgio Sbaraglia, engineer, is a consultant and trainer on the topics of cyber security and privacy.
