Malware guide: detecting malware

What do anti-malware programs do?

Anti-malware programs are intended to perform one or more of the following tasks:

  • Prevention of malware infection,
  • Detection of infection,
  • Removal of infection.

It is important to understand that not all programs can do all of these tasks. The best solution for your business will depend on your circumstances, though you will definitely need some form of anti-malware protection.

Some anti-malware programs are intended to protect single devices (such as a laptop) and some work to defend networks. They typically work in real-time (run all the time in the background), but can also conduct one-off scans as needed.

Note that some free anti-malware programs only detect and quarantine an infection rather than removing it completely; you may need a paid removal tool to finish the job. Free software also doesn't usually offer all the features of the paid-for versions, and won't come with support if you have a problem.

How does malware detection work?

Malware detection techniques are continually evolving as malware becomes more sophisticated and as new technologies appear. There are nine approaches outlined below that you should be aware of:

1.     Signature analysis

Traditionally, malware detection has been based on comparison against known malware.

Every file has characteristics that can be recorded and compared against: a cryptographic hash of its contents, or distinctive byte sequences inside it. These are known as its footprint or signature. The signatures of known malware are recorded in a database, and your anti-malware product checks each incoming file against that database to decide whether it is known malware.

Of course, new malware is developed all the time, so it is important that your product is regularly updated with newly identified signatures.

Newer forms of malware try to evade this kind of detection by mutating. Known as polymorphic malware, they change parts of their code on each infection so that they no longer match the recorded signature. Even a one-byte change is enough to defeat a hash-based signature, which is why products also use pattern-based signatures that match the parts of the code the author cannot easily vary.

Another way that malware evades detection is code obfuscation: making the code harder to interpret by compressing (packing) it, encrypting it, or padding it with complex, irrelevant code. A scanner that cannot unpack the real code never sees the bytes a signature would match.
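The following is an added example, not code from the original guide or from any anti-malware product. It models the three ideas above in miniature: a hash signature and a byte-pattern signature for a constructed (fake) sample, a polymorphic variant that changes the hash but not the pattern, and a trivially "packed" variant (single-byte XOR) that defeats both until the scanner unpacks it. The sample bytes, the signature names and the C2 hostname are all invented for the example.

```python
import hashlib
import re

# Constructed sample, not a real malware file: a fake executable stub with a
# hypothetical command-and-control URL embedded in it.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"http://c2.example.invalid/beacon" + b"\x00" * 8

# Hash-based signature database: the SHA-256 of the known sample.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE).hexdigest(): "Example.Dropper.A"}

# Pattern-based signature: a regex over raw bytes, in the spirit of a YARA rule.
# It targets the C2 hostname, which the author cannot change without breaking the malware.
PATTERN_SIGNATURES = [(re.compile(rb"c2\.example\.invalid/beacon"), "Example.Dropper.A (pattern)")]


def scan_by_hash(data: bytes):
    """Exact-match lookup: any change to the file defeats it."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes):
    """Content search: survives changes elsewhere in the file."""
    for regex, name in PATTERN_SIGNATURES:
        if regex.search(data):
            return name
    return None


def scan(data: bytes):
    return scan_by_hash(data) or scan_by_pattern(data)


def polymorph(data: bytes) -> bytes:
    """Simulate a polymorphic variant: one extra junk byte in the stub."""
    return data + b"\x90"


def pack(data: bytes, key: int = 0x5A) -> bytes:
    """Simulate packing/encryption with a single-byte XOR, as simple crypters do.
    XOR is symmetric, so the same call unpacks."""
    return bytes(b ^ key for b in data)


def scan_with_unpacking(data: bytes):
    """Static unpacking: try every single-byte XOR key before giving up.
    Real engines emulate the unpacker; brute-forcing a one-byte key is the toy version."""
    direct = scan(data)
    if direct:
        return direct
    for key in range(1, 256):
        hit = scan(pack(data, key))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    print("original:        ", scan(SAMPLE))
    print("polymorphic/hash:", scan_by_hash(polymorph(SAMPLE)))
    print("polymorphic/pat: ", scan_by_pattern(polymorph(SAMPLE)))
    print("packed:          ", scan(pack(SAMPLE)))
    print("packed+unpack:   ", scan_with_unpacking(pack(SAMPLE)))
```

The point of the design is the order of fallbacks: an exact hash is cheap and has no false positives, a pattern catches variants the hash misses, and unpacking is what lets either signature see through a crypter. Real packers are not a one-byte XOR, so production engines emulate or sandbox the unpacking step rather than brute-forcing it.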

Signature-based detection also won't work on fileless malware, which runs only in memory (for example as a script injected into a legitimate process), as there is no file on disk to compare against. Another technique is needed, and this is typically behaviour-based analysis.

2.     Heuristics, or behaviour-based analysis

Heuristic or behaviour-based analysis looks for suspicious or unusual activity rather than for known signatures. It begins by establishing a baseline of what is normal for a particular environment: which processes run, what they connect to, how much traffic they generate. Activity that deviates from that baseline is flagged as a possible threat and investigated.

This type of analysis requires that the initial baseline is genuinely normal, and not already distorted by malware that was present when the baseline was taken. Once established, it can detect polymorphic malware where signature-based analysis cannot, because it looks at how the malware behaves rather than at what its bytes look like.

Behaviour-based analysis can also help to detect fileless malware, by looking for processes behaving unusually: for example, an application spawning a shell, unexpected deletion of the shell (bash) command history, excessive network communication, or privilege escalation.
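As an added example (not the guide's own material, and not any product's logic), the detector below runs over constructed endpoint events of the kind an EDR agent or auditd would report. It learns a baseline from a clean window and then flags the four indicators listed above. It also shows the caveat from the previous paragraph: when the baseline is learned while the attacker is already active, the baseline-derived rules go quiet and only the fixed rules still fire. The event format, process names, user names, addresses and the "admins" list are all assumptions made for the example.

```python
from collections import Counter

# Constructed endpoint telemetry (not real logs): process starts, file
# deletions and outbound connections, one dict per event.
BASELINE_EVENTS = [
    {"type": "exec", "parent": "systemd", "proc": "sshd", "user": "root"},
    {"type": "exec", "parent": "systemd", "proc": "nginx", "user": "root"},
    {"type": "exec", "parent": "sshd", "proc": "bash", "user": "alice"},
    {"type": "exec", "parent": "bash", "proc": "ls", "user": "alice"},
    {"type": "exec", "parent": "bash", "proc": "sudo", "user": "alice"},
    {"type": "exec", "parent": "bash", "proc": "curl", "user": "alice"},
    {"type": "net", "proc": "curl", "dst": "203.0.113.10"},
    {"type": "net", "proc": "curl", "dst": "203.0.113.11"},
    {"type": "net", "proc": "curl", "dst": "203.0.113.12"},
    {"type": "net", "proc": "nginx", "dst": "10.0.0.5"},
]

SUSPECT_EVENTS = [
    # web server spawning an interactive shell: a webshell / fileless foothold
    {"type": "exec", "parent": "nginx", "proc": "bash", "user": "www-data"},
    {"type": "exec", "parent": "bash", "proc": "sudo", "user": "www-data"},
    {"type": "file", "action": "unlink", "path": "/var/www/.bash_history", "user": "www-data"},
] + [{"type": "net", "proc": "bash", "dst": "198.51.100.7"} for _ in range(20)]

SHELLS = {"bash", "sh", "zsh", "cmd.exe", "powershell.exe"}
ADMINS = {"root", "alice"}   # assumed set of accounts allowed to escalate


def build_baseline(events):
    """Learn what is normal: which parent->child process pairs occur, and how
    many connections the busiest normal network client makes."""
    pairs = {(e["parent"], e["proc"]) for e in events if e["type"] == "exec"}
    per_proc = Counter(e["proc"] for e in events if e["type"] == "net")
    return {"parent_child": pairs, "net_max": max(per_proc.values(), default=0)}


def detect(events, baseline, net_factor=3):
    """Return alert strings for activity that deviates from the baseline or
    matches a fixed indicator of compromise."""
    alerts = []
    connections = Counter()
    for e in events:
        if e["type"] == "exec":
            pair = (e["parent"], e["proc"])
            # baseline-derived rule: a shell launched by a parent never seen doing so
            if e["proc"] in SHELLS and pair not in baseline["parent_child"]:
                alerts.append(f"unexpected shell: {pair[0]} -> {pair[1]} as {e['user']}")
            # fixed rule: privilege escalation attempt by a non-admin account
            if e["proc"] in {"sudo", "su"} and e["user"] not in ADMINS:
                alerts.append(f"privilege escalation: {e['user']} ran {e['proc']}")
        elif e["type"] == "file" and e["action"] == "unlink" and e["path"].endswith("_history"):
            # fixed rule: anti-forensics, covering tracks
            alerts.append(f"shell history deleted: {e['path']} by {e['user']}")
        elif e["type"] == "net":
            connections[e["proc"]] += 1
    # baseline-derived rule: far more connections than the busiest normal client
    for proc, n in connections.items():
        if n > baseline["net_max"] * net_factor:
            alerts.append(f"excessive network activity: {proc} made {n} connections")
    return alerts


if __name__ == "__main__":
    clean = build_baseline(BASELINE_EVENTS)
    for a in detect(SUSPECT_EVENTS, clean):
        print("ALERT:", a)
    # A baseline captured while the attacker was already active teaches the
    # detector that the intrusion is normal: only the fixed rules still fire.
    poisoned = build_baseline(BASELINE_EVENTS + SUSPECT_EVENTS)
    print("alerts with poisoned baseline:", len(detect(SUSPECT_EVENTS, poisoned)))
```

Against the clean baseline all four indicators produce an alert; against the poisoned baseline the shell spawn and the beaconing become "normal" and only the history deletion and the sudo attempt are reported. That is why a baseline should be taken from a known-good build or reviewed before it is trusted.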

3.     Intrusion detection systems: HIDS and NIDS

HIDS, or host-based intrusion detection systems, work by monitoring the activity happening within a single system and looking for anomalous behaviour. For example, they examine the applications being run, the files being accessed or changed, and the information in the kernel and authentication logs.

They detect and alert on an intrusion rather than preventing it, although some can also quarantine suspected malicious programs. Because they are host-based, they keep a laptop (a host) protected even when it is taken off-site, like a traditional antivirus program.

NIDS, or network-based intrusion detection systems, on the other hand monitor the network traffic between computers, looking for known attack patterns and anomalous behaviour. Because they inspect traffic rather than running on the endpoint, they also cover devices that cannot run an agent, such as firewalls, print servers and routers.

HIDS and NIDS both combine signature rules with behaviour-based analysis, and work well in combination to protect a corporate network: the NIDS sees traffic from every device on the segment, while the HIDS sees what happens on the host itself, which the network cannot see once the traffic is encrypted.
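An added example of network-side behavioural analysis, written for this guide rather than taken from it or from any NIDS product: a beacon detector over constructed flow records. A NIDS or flow collector sees every device on the segment, agent or not, and malware that phones home tends to do so at a fixed interval, so the detector flags (source, destination, port) pairs whose connection timings are both numerous and unusually regular. It uses timing only, so TLS does not hide the beacon. The addresses, timestamps and thresholds are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not a real capture): (src, dst, dport, unix_time).
T0 = 1_700_000_000
FLOWS = []
# workstation browsing: bursty, irregular timing
for dt in (0, 7, 95, 130, 131, 400, 401, 402, 900, 1300):
    FLOWS.append(("10.0.0.21", "93.184.216.34", 443, T0 + dt))
# print server with no agent, seen only because the NIDS watches the wire
FLOWS.append(("10.0.0.50", "192.0.2.40", 443, T0 + 50))
# compromised host beaconing to a C2 server roughly every 60 seconds
t = T0
for gap in (60, 59, 61, 60, 60, 61, 59, 60, 60, 60, 60):
    FLOWS.append(("10.0.0.33", "198.51.100.7", 443, t))
    t += gap
FLOWS.append(("10.0.0.33", "198.51.100.7", 443, t))


def find_beacons(flows, min_count=8, max_cv=0.1):
    """Group flows by (src, dst, dport) and flag pairs whose inter-connection
    intervals are numerous and regular: a low coefficient of variation
    (standard deviation / mean) of the gaps between connections."""
    by_pair = defaultdict(list)
    for src, dst, dport, ts in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        period = mean(intervals)
        if period <= 0:
            continue
        cv = pstdev(intervals) / period
        if cv <= max_cv:
            beacons[pair] = {"count": len(times), "period_s": period, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(FLOWS).items():
        print(f"beacon candidate {src} -> {dst}:{dport} "
              f"every {info['period_s']:.0f}s ({info['count']} flows, cv={info['cv']:.3f})")
```

Human browsing is bursty (the coefficient of variation is well above 1 here), which is what separates it from the machine-regular 60-second beacon. Real implants add jitter to their sleep, so the `max_cv` threshold is a tuning decision: too tight and jittered beacons slip through, too loose and scheduled legitimate jobs (monitoring polls, update checks) are flagged, which is why such hits are investigated rather than blocked outright.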

4.     Memory analysis

Memory analysis, or memory forensics, is the analysis of the volatile data in a computer's memory (RAM). This data is lost when the computer is turned off, so forensic examiners capture a snapshot of it, a memory dump, while the machine is still running. The dump can reveal what an attack did, including fileless attacks that leave nothing on disk, and can be used as evidence of cyber-crime.
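The following is an added example, not part of the original guide and not the code of any forensics tool, showing two basic passes an examiner runs over a dump: carving executable images by locating `MZ` headers whose `e_lfanew` field points at a `PE\0\0` signature, and extracting printable strings, where a fileless attacker's command line turns up even though no file was ever written. The "dump" is constructed in the code from filler bytes, a minimal non-runnable PE-shaped header and an invented command line; the offsets and the command are assumptions for the example.

```python
import re
import struct


def filler(n: int) -> bytes:
    """Filler for the constructed dump: every byte >= 0x80, so it is neither
    printable ASCII nor the 'MZ' magic."""
    return (bytes(range(0x80, 0x100)) * (n // 128 + 1))[:n]


def fake_pe_header(machine=0x8664, nsections=1) -> bytes:
    """Minimal non-runnable PE-shaped header: DOS header with e_lfanew at 0x3c,
    then the 'PE\\0\\0' signature and a 20-byte COFF file header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 32


# Constructed "memory dump": an injected image at offset 1024, a decoy 'MZ'
# with nothing PE-shaped behind it, and a command line that only ever lived in memory.
DUMP = (filler(1024) + fake_pe_header() + filler(512)
        + b"MZ" + filler(256)
        + b"cmd.exe /c whoami > C:\\Users\\Public\\out.txt\0" + filler(256))


def carve_pe(dump: bytes, max_lfanew=0x400):
    """Find executable images in memory: every 'MZ' whose e_lfanew points at a
    'PE\\0\\0' signature inside the dump. Returns offset, machine and section count."""
    hits = []
    pos = dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew <= max_lfanew and pe + 8 <= len(dump) and dump[pe:pe + 4] == b"PE\0\0":
                machine, nsections = struct.unpack_from("<HH", dump, pe + 4)
                hits.append({"offset": pos, "machine": machine, "sections": nsections})
        pos = dump.find(b"MZ", pos + 1)
    return hits


def extract_strings(dump: bytes, min_len=8):
    """The 'strings' pass: printable ASCII runs of at least min_len bytes, where
    fileless command lines, URLs and scripts show up without any file on disk."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump)]


if __name__ == "__main__":
    for hit in carve_pe(DUMP):
        print(f"PE image at 0x{hit['offset']:x}: machine=0x{hit['machine']:x}, "
              f"sections={hit['sections']}")
    for s in extract_strings(DUMP):
        print("string:", s)
```

The decoy `MZ` is there on purpose: the two magic bytes occur by chance in any large dump, so carving has to validate the header chain rather than trust the magic alone. Production tools go further (parsing section tables, reconstructing the process's virtual address layout, handling paged-out memory), but the same validate-then-extract logic is what lets an examiner recover an injected payload or a one-off command that a disk scan would never see.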

Some sophisticated enterprise security systems include memory forensics capabilities, which can be used for detection as well as for post-incident investigation.