Malware Threats Can Easily Bypass Antivirus Software (Know the Limits of Antivirus)

essidsolutions

For a long time, antivirus and antimalware software has been regarded as a foolproof way to keep systems secure. However, many IT professionals believe that, while it is nice to have, an AV product does not make a device unhackable. An antivirus program relies on a database of virus signatures built from previously identified viruses. When a new virus is discovered, a sample is sent to the antivirus vendor, and a digital signature or hash of it is created and added to the database.

Even modern antivirus programs still rely heavily on that method. This means there is a window of vulnerability between a new virus being written and the antivirus programs updating their databases. During that window, the malware can (and does) wreak a lot of havoc. So while antivirus products give an added sense of security, they are not the best way to mitigate threats.

As threats become more sophisticated, antivirus programs have to evolve to keep up. With the rise of the internet and the growth in attack vectors, antivirus programs also have to scan for and detect every kind of malware attack. Given the complexity of today's security landscape, this is increasingly difficult, and attackers have developed ways to get past antivirus programs.

Also, the number of operating system (OS) independent languages that can be used to write malware is increasing, giving a single malware program the chance to affect a wider audience. Computers, mobile devices and even industrial machinery controllers (the Stuxnet worm is a good example of malware running across different operating environments) are not safe from malware authors.


Cyber Threats That Antivirus Software Won’t Catch

Viruses can get past signature-based virus scanners by changing their signature. This is known as polymorphic malware, and it works by changing some of the virus's code as it propagates. Even a simple code change that does not affect how the virus works is enough to change the signature and prevent antivirus programs from detecting it.

By code change, I am not referring to changes to the human-readable source code. The malware carries an encryption generator that produces different encryption routines. Each routine encrypts and decrypts the other functions, the ones that actually do the damage, so the stored bytes differ from copy to copy while the behaviour stays the same.

Another technique by which viruses and malware get past antivirus scanners is encoding the payload, sometimes several layers deep. Attackers often use packing tools to do this, and when the malware is delivered and activated, it is decoded and does its damage.

This is generally done with a small header program (a decoder stub) tacked onto the front of the encoded virus. Antivirus scanners do not see the header as a threat, and the encoded virus looks like plain data. When the header is triggered (for instance because it has been embedded into an existing executable), it decodes the malware into a memory region, jumps the program counter to that region and executes the malware.

Why Antivirus Software isn’t Enough

The methods above all depend on getting a file onto the targeted machine and then executing it. There is a newer method of running malware on a machine that does not require anything to be stored on the targeted machine's disk.

This type of fileless malware operates entirely in the machine's memory, bypassing file-based antivirus scanning.

An infected webpage that the user visits does not deliver the malware directly. Instead, it exploits a previously known vulnerability in a related program to make the machine download the malware into a memory region. Then, as with the previous malware types, that memory region is executed.

What makes these types of malware so stealthy is that once the malware has done its job, or the machine is restarted, the memory is wiped and there is no evidence on disk that malware was ever present.


How to Prevent Malware From Infecting Systems

Fortunately, there are still ways to secure devices against all of the above methods. The better antivirus programs scan not only the file system but also memory and active processes for malware.

Modern operating systems and CPUs support non-executable memory, commonly known as Data Execution Prevention (DEP). It works by marking any memory available to a program that does not hold the program's own code as non-executable.

If malware does manage to insert its code into that program's memory, the code will not run. This makes the job of malware writers harder (but not impossible) and makes a malware-infected program easier to detect.
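One way a defender can check that DEP is actually being respected is to look for memory regions that are both writable and executable, which is what a decoder stub or fileless loader needs. The following is an added example, not code from the original article; the `/proc/<pid>/maps` format is Linux's, and the sample mapping lines are constructed.

```python
# Added example (not from the original article): audit a process's memory
# mappings for regions that are writable AND executable, which DEP/NX is meant
# to rule out. Linux exposes the per-mapping permissions in /proc/<pid>/maps.
import re

# Constructed sample of /proc/<pid>/maps output; not captured from a real host.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a01000 r--p 00000000 08:01 1311 /usr/bin/example
55d0c3a01000-55d0c3a02000 r-xp 00001000 08:01 1311 /usr/bin/example
55d0c5e00000-55d0c5e21000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7ffd2a3c0000-7ffd2a3e1000 rw-p 00000000 00:00 0 [stack]
7ffd2a3f0000-7ffd2a3f2000 r-xp 00000000 00:00 0 [vdso]
"""

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

def parse_maps(text):
    """Yield (start, end, perms, path) for every mapping line in text."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            yield int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]

def find_wx_regions(text):
    """Return mappings that are writable and executable at the same time.

    An anonymous rwx region (no backing file) is the classic footprint of a
    decoder stub or fileless loader that writes code and then jumps to it.
    """
    findings = []
    for start, end, perms, path in parse_maps(text):
        if "w" in perms and "x" in perms:
            findings.append({"start": start, "size": end - start,
                             "perms": perms, "path": path or "[anonymous]"})
    return findings

def audit_process(pid):
    """Read a live process's mappings (Linux only) and return W^X findings."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_wx_regions(fh.read())

if __name__ == "__main__":
    for f in find_wx_regions(SAMPLE_MAPS):
        print(f"W^X region at {f['start']:#x} size={f['size']:#x} "
              f"perms={f['perms']} {f['path']}")
```

JIT engines such as browsers and Java runtimes legitimately keep rwx regions, so a hit is a lead to correlate with the process identity rather than proof of infection.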

Rather than trying to detect only known viruses, modern AV programs also use whitelisting to detect unknown malware. With whitelisting, the AV program keeps a database of file signatures for critical OS files and known program files. If the signature of any of those files changes, the file is flagged as potentially infected.
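The two hash-based checks described on this page, the signature database from the opening section and the whitelist baseline just described, side by side as an added example (not the article's code). The "known-bad" bytes and the files in the temporary directory are constructed; SHA-256 is used as the signature function.

```python
# Added example (not from the original article): the two hash-based checks the
# article describes. A signature database matches a known-bad hash, which one
# changed byte defeats; a whitelist baseline records the hashes of trusted
# files so that any change to them is flagged instead.
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def matches_signature(data, signature_db):
    """Blacklist check: a hit only when the exact hash is in the database."""
    return sha256_bytes(data) in signature_db

def build_baseline(root):
    """Whitelist: map every file under root (relative path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_bytes(Path(full).read_bytes())
    return baseline

def check_baseline(root, baseline):
    """Report files whose hash changed, vanished or appeared since baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

# Constructed stand-in for a known-bad file body; not a real payload.
KNOWN_BAD = b"constructed sample payload v1"
SIGNATURE_DB = {sha256_bytes(KNOWN_BAD)}

def signature_demo():
    """An exact copy is caught; the same bytes plus one appended byte are not."""
    return (matches_signature(KNOWN_BAD, SIGNATURE_DB),
            matches_signature(KNOWN_BAD + b"\x90", SIGNATURE_DB))

def baseline_demo():
    """Baseline a trusted file, then patch it and drop a new file beside it."""
    root = Path(tempfile.mkdtemp())
    (root / "svc.bin").write_bytes(b"trusted code")
    baseline = build_baseline(root)
    (root / "svc.bin").write_bytes(b"trusted code + patch")  # simulated tampering
    (root / "dropped.bin").write_bytes(b"unexpected new file")
    return check_baseline(root, baseline)
```

The baseline itself must be stored where the scanned system cannot modify it, otherwise malware that alters a file can simply update its recorded hash as well.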

As always, the best way for anyone, especially remote workers, to keep their machines malware-free is to make basic hygiene the standard operating procedure for any computer work. One of the most important steps is keeping all programs on endpoint devices up to date.


Closing Thoughts 

New vulnerabilities are discovered in programs all the time, and malware writers are quick to exploit them, faster than antivirus programs can detect them. By far the best malware defence sits between the keyboard and the chair. The people using the computers need to be aware that any unsolicited email could be a threat and that any website could be a link to an attack.

Even advertisements on legitimate websites have been used to install malware onto machines. A healthy paranoia about possible malicious links is the key here. People should only install programs from the original sites and never from third-party or cracking sites.

Yet even the most diligent users and the most up-to-date AV programs can still be bypassed by a sufficiently advanced threat. One such technique targets a weakness that many AV programs share simply because of the way they work.

The typical sequence of events goes like this. The malware is copied to the machine. The AV scans that file, determines that it is malware, and deletes it or moves it to a quarantine area for analysis. Between the time the AV scans the file and the time it removes it, the malware has a small chance to do what I call a link attack.

That small chance is a race condition: the malware races to perform its attack before it is rendered inoperable. The link attack (called by different names on different OSes), if the race succeeds, is then able to run with the privileges of the antivirus program. By the nature of its work, the AV generally runs with the highest privileges available.

This can render any OS inoperable and, even worse, result in data leakage. It is also possible to use this race condition to install other files or perform any other task. The upside is that there aren't many malicious actors taking advantage of it. The older, more traditional methods still work well enough because people do not maintain their endpoint devices properly.
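The defence against this race is to make the quarantine step itself link-safe: never act on a path that was only checked earlier, and never follow a link with the scanner's privileges. The following is an added example of such a quarantine routine, not code from the article or any AV product; `QuarantineRefused`, the `.quar` naming and the files in the temporary directory are constructed for the demonstration.

```python
# Added example (not from the original article): a quarantine step written so
# that the link attack described above has nothing to exploit. The file is
# opened with O_NOFOLLOW, its identity is checked on the open descriptor rather
# than on the path, and the move is a rename, which never dereferences links.
import os
import stat
import tempfile

class QuarantineRefused(Exception):
    """Raised when the path is not a plain, unshared, unchanged regular file."""

def quarantine(path, qdir):
    """Move the regular file at path into qdir; return its new location."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags)  # a symlink fails here with ELOOP
    except OSError as exc:
        raise QuarantineRefused(f"cannot open {path}: {exc.strerror}") from exc
    try:
        opened = os.fstat(fd)  # identity of the object actually opened
        if not stat.S_ISREG(opened.st_mode):
            raise QuarantineRefused(f"{path} is not a regular file")
        if opened.st_nlink != 1:
            raise QuarantineRefused(f"{path} is hard-linked elsewhere")
        now = os.lstat(path)  # what the name resolves to right now
        if (now.st_dev, now.st_ino) != (opened.st_dev, opened.st_ino):
            raise QuarantineRefused(f"{path} was swapped during the scan")
        dest = os.path.join(qdir, f"{opened.st_ino}-{os.path.basename(path)}.quar")
        os.rename(path, dest)  # moves the name; a swapped-in link would move as a link
        return dest
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: a real file is quarantined, a symlink is refused."""
    root = tempfile.mkdtemp()
    qdir = os.path.join(root, "quarantine")
    os.mkdir(qdir, 0o700)  # only the scanner's account can reach quarantined files
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"constructed suspicious content")
    moved = quarantine(sample, qdir)
    link = os.path.join(root, "planted.lnk")
    os.symlink(qdir, link)  # a link pointing at a location the scanner owns
    try:
        quarantine(link, qdir)
        refused = False
    except QuarantineRefused:
        refused = True
    return os.path.isfile(moved), not os.path.exists(sample), refused
```

Intermediate directory components can still be swapped for links between the checks and the rename, so production code should open the containing directory once and use the `dir_fd` variants of these calls. Quarantine should also never fall back to copy-then-delete across filesystems, because the copy would read through whatever the name resolves to at that moment.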

Do you think antivirus software gives a false sense of security? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!