Malware Detection Requires Both Signatures and Behavior Analysis

Although signature-based antivirus solutions remain essential elements of network security, they are no longer adequate as standalone measures. As malware attacks become progressively more sophisticated, organizations of all sizes require additional lines of defense.

Signature-based solutions look for known patterns of bytes, functions, hashes or other characteristics that have been previously identified and indexed as malware. Hackers have learned to evade signature-based defenses by modifying their malicious code quickly and by using polymorphic malware that constantly changes characteristics such as file names or encryption keys. Nearly half of all malware is new or zero-day with none of the known characteristics of malware, according to a recent Internet Security Report from WatchGuard Technologies.

Additionally, hackers use JavaScript and Word macro viruses to hide malware. JavaScript is used in HTML attachments that mimic login pages for popular legitimate websites to trick users into willingly giving up their credentials. Macro viruses use Microsoft Office documents to disguise downloaders that install malware in order to harvest credentials. WatchGuard’s report notes a significant increase in the use of these techniques.

Although these types of attacks are designed specifically to outmaneuver signature-based defenses, that does not mean antivirus has stopped working. After all, roughly half of all malware variants still have identifiable characteristics. It is, however, a good idea to use a product that is not entirely dependent on signature identification.

WatchGuard’s Gateway AV solution uses both signature-based and behavioral-based scanning to identify and block malware at the network gateway. Behavioral scans go beyond known characteristics and identify malware by looking for suspicious behavior. Gateway AV uses machine learning models to assist in the detection of files and programs conducting suspect operations such as modifying keystrokes, altering data or generating suspicious files.

WatchGuard also delivers behavioral detection capabilities in its unified threat management appliances with its APT Blocker solution. This additional layer of defense thoroughly analyzes a wide range of executables and documents, including Office file types, to detect and stop advanced threats.

APT Blocker delivers real-time threat visibility and protection in minutes. Suspicious files are submitted to a cloud-based sandbox, a virtual environment where code is analyzed, emulated and executed to determine its threat potential. Full-system emulation — which simulates physical hardware including CPU and memory — provides a detailed view of file behavior, making it difficult for advanced malware to evade detection.
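To make the contrast between the signature scanning described above and the behavioral scoring described in the Gateway AV and APT Blocker paragraphs concrete, here is a small Python model that is an added illustration, not WatchGuard's code. A hash-or-pattern signature catches the one variant that was previously indexed but misses the same payload re-packed with a new encryption key, while scoring the operations a sandbox observed (keystroke hooking, file writes, downloads) flags both. The payload, header, keys, weights and threshold are all constructed for the example.

```python
import hashlib
import re

# Constructed sample payload (not real malware): a list of the operations the
# program performs when run. Polymorphic variants XOR it with a per-copy key.
PAYLOAD = b"download http://placeholder.invalid/stage2 ; hook_keyboard ; write_file"

def xor_pack(body: bytes, key: int) -> bytes:
    """Build one variant: fixed header, the key byte, then the XOR-encrypted body."""
    return b"PK1" + bytes([key]) + bytes(b ^ key for b in body)

# Signature database: hash of the one variant previously seen plus a byte pattern
# that is only visible while the body is unencrypted.
SIG_HASHES = {hashlib.sha256(xor_pack(PAYLOAD, 0x41)).hexdigest()}
SIG_PATTERNS = [re.compile(rb"hook_keyboard")]

def signature_scan(sample: bytes) -> bool:
    """Known-hash or known-byte-pattern match, as a signature engine would do."""
    if hashlib.sha256(sample).hexdigest() in SIG_HASHES:
        return True
    return any(p.search(sample) for p in SIG_PATTERNS)

def sandbox_run(sample: bytes) -> list[str]:
    """Stand-in for sandbox emulation: unpack the variant and return the operations
    it performs; the key travels with the sample, so every variant still runs."""
    key = sample[3]
    body = bytes(b ^ key for b in sample[4:]).decode()
    return [step.split()[0] for step in body.split(";")]

# Behavioral scoring over observed operations (weights and threshold are constructed).
BEHAVIOR_WEIGHTS = {"hook_keyboard": 5, "write_file": 2, "modify_data": 3, "download": 2}
THRESHOLD = 6

def behavior_scan(events: list[str]) -> tuple[int, bool]:
    score = sum(BEHAVIOR_WEIGHTS.get(e, 0) for e in events)
    return score, score >= THRESHOLD

def compare(key: int) -> dict:
    """Run both engines on the variant packed with `key`."""
    sample = xor_pack(PAYLOAD, key)
    score, flagged = behavior_scan(sandbox_run(sample))
    return {"signature": signature_scan(sample), "behavior": flagged, "score": score}

if __name__ == "__main__":
    for key in (0x41, 0x42):   # the indexed variant, then a re-keyed copy of it
        print(hex(key), compare(key))
```

A benign program that only writes a file scores below the threshold, which is the trade-off the weights encode: behavior analysis needs a combination of suspect operations, not a single one, to avoid false positives.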

APT Blocker and Gateway AV create a complementary and effective defense against malware, including zero-day and polymorphic threats. To develop its quarterly Internet Security Report, WatchGuard collects data from more than 33,000 of the company’s security appliances installed globally. Over the course of three months, WatchGuard’s Gateway AV solution and APT Blocker stopped nearly 23 million malware variants and almost 3 million network attacks.

In the not-too-distant past, computer viruses took weeks or even months to spread, giving security vendors plenty of time to develop countermeasures based on the threat’s unique binary pattern. While signatures still form the basis of most antivirus measures, they are becoming increasingly inadequate. That’s why it is important to complement signature-based defenses with behavioral-based solutions. Together, they represent a key part of the layered security strategy required to block today’s advanced threats.