The downfall here is that the process relies on every single digit being the same. If just one bit does not match, the malware will evade traditional anti-virus software. Now that attackers are aware of this impediment, even miniscule mutations will bypass pattern matching processes. Newer threats such as \u201cfileless\u201d malware have no digital footprint and write nothing to the disc, therefore cannot be detected by pattern matching digital signatures at all.<\/p>\n\n\n\n
- \n
- Heuristic Analysis<\/strong> \u2013 This technique considers the properties of the file and whether these fall within what it considers \u201cabnormal\u201d. It essentially has a set of rules or questions that it asks of the file, and if every rule\/question returns true, the anti-virus flags the file as malware.<\/li>\n<\/ul>\n\n\n\n
This heuristic approach fails by relying too heavily on its set of rules being 100% met in order to flag software as malicious. If the attacker gains knowledge that enables their software to not meet just a single rule, the malware will not be detected.<\/p>\n\n\n\n
- \n
- Behavioural Analysis<\/strong> \u2013 This process works similarly to heuristic analysis but focuses on how the file behaves rather than its properties. If the behaviours match that of malware, the anti-virus will detect it.<\/li>\n<\/ul>\n\n\n\n
This process takes a rather illogical approach as it requires the program to run first, before the anti-virus can detect malware. Here\u2019s an analogy: imagine Aragorn, Legolas and Gimli monitoring the battle at Helm\u2019s Deep to spot orc weaknesses, only to discover an entirely new threat, the Uruk-hai, arriving at their doorstep. Better late than never?<\/p>\n\n\n\n
- \n
- Hash Matching<\/strong> \u2013 A hash value can be generated by running a file through an algorithm, such as MD5 (Message-Digest algorithm) or SHA-256 (Secure Hashing algorithm, 256 bit). Anti-virus software calculates these hashes and compares them to hash values of malware. If the hashes match, the anti-virus will detect malware.<\/li>\n<\/ul>\n\n\n\n
This has drawbacks similar to pattern matching \u2013 the changing of a single bit on any part of a file used to generate the hash value will generate a completely different hash value and the anti-virus software will fail to detect malware.<\/p>\n\n\n\n
Furthermore, the hashing algorithms used to produce hash values have been proven unreliable. A requirement of a hash algorithm is that it is illogical to find two inputs that produce the same hash (known as collisions). MD5 is known to have such vulnerabilities, this having been proven in 2012 by Flame malware<\/a>, making this technique an unreliable one for anti-virus software to use. SHA-256 has also been found to produce collisions, although not to the extent of MD5.<\/p>\n\n\n\n
A third point of weakness is that hash matching is futile against polymorphic malware, which is malware that continually changes its features in order to remain undetected.<\/p>\n\n\n\n
The major fallback of traditional anti-virus is its inability to detect software that it has not encountered before. It relies on matching malware with known software in its database, making it ineffective at detecting zero-day malware (malware that has not been previously encountered). This is explained more fully in the ThreatVector article How Traditional Anti-virus Works<\/a>.<\/p>\n\n\n\n
Artificial Intelligence and Machine Learning Anti-virus<\/h3>\n\n\n\n
Traditional anti-virus software has been improved with Artificial Intelligence and Machine Learning anti-virus solutions.<\/p>\n\n\n\n
Artificial Intelligence (AI) is a program that can \u201cmimic\u201d human intelligence. Machine Learning (ML) is a subset of AI, where the machine \u201clearns\u201d as it is exposed to more data, allowing its response to improve over time.<\/p>\n\n\n\n
AI-based anti-malware is ideally able to recognise malicious software when it hasn\u2019t been previously identified, and\/or before it is able to execute. Machine learning programs can learn beforehand what is considered normal behaviour and are then able to identify anything that may fall outside of this, enabling pre-emptive defence against malicious software. The new threat can then be added to the anti-virus engine\u2019s existing database.<\/p>\n\n\n\n
AI-based anti-virus software is helpful against zero-day attacks and identifying malware that has been slightly modified in order to escape detection by traditional anti-virus software, as it relies less on known digital signatures and a set of rules, and more on how software behaves.<\/p>\n\n\n\n
Although advancing all the time, AI and ML anti-virus solutions are not the be-all and end-all. Here\u2019s how an AI\/ML-based system could be fooled:<\/p>\n\n\n\n
- \n
- Exploiting the model \u2013 ML anti-virus software is given large amounts of data and left to process and make decisions on this data based on the parameters within its model. If an attacker can find out how the model uses its parameters, they could exploit the model by changing something within a file that they know will trick the model into thinking it is safe.<\/li>\n<\/ul>\n\n\n\n
Take for example Cylance\u2019s AI anti-virus software, which was duped in 2019. Researchers were able to discover a bias in Cylance\u2019s ML model towards a particular game that the model had whitelisted (marked as safe). They exploited this weakness by appending non-harmful strings of code from the game to a malicious file. The researchers, from Skylight Cyber in Australia, trialled this technique with 384 malware programs<\/a>, with Cylance\u2019s detection rate being less than 11%.<\/p>\n\n\n\n
- \n
- An imperfect dataset \u2013 ML algorithms use the dataset they are provided with to learn: the more data provided for the program to learn, the more effective it will be at doing its job.<\/li>\n<\/ul>\n\n\n\n
However, an effective model requires all the data to be labelled correctly. If one data input is labelled incorrectly, the machine could use this particular input to form a bad decision that it then builds on as part of its learning, resulting in an ineffective model in the long term.<\/p>\n\n\n\n
Sandboxing<\/h3>\n\n\n\n
Sandboxes are used to run potentially malicious material in a tightly controlled environment with restricted network access and inability to read from input devices. A sandbox is often used to run untrusted or untested software and, because it is isolated from the host device, it can stop the spread of malware to the rest of the machine.<\/p>\n\n\n\n
This particular security mechanism analyses an object\u2019s behaviour as it executes, which makes it helpful in detecting malware that may have passed under the radar of other anti-virus programs while static.<\/p>\n\n\n\n
Although a security favourite, sandbox technology has its downfalls.<\/p>\n\n\n\n
One of its security measures is also a downfall. The tightly controlled sandbox environment can often be a dead giveaway for malicious software. Hackers can program malware to recognise when it\u2019s running in a sandbox environment, at which point it will terminate or, in more sophisticated programs, perform fake operations in order to appear benign, until it is marked as safe by the sandbox and delivered to the host device.<\/p>\n\n\n\n
Another sophisticated way through a sandbox is in delayed execution. As sandboxes are used temporarily to test and check software before allowing them onto a host device, attackers can program delays into malware so that it doesn\u2019t execute until an amount of time has passed (enough time for the sandbox to have performed its analysis) or certain operations take place, such as a restart. In the same case as above, sandboxes can fail to detect malicious behaviour and pass the malware to the host device, where it will later execute.<\/p>\n\n\n\n
Malicious software that is packaged within clean files often goes undetected by sandboxes, as does encrypted malware, which (unless decrypted) is simply invisible to security systems.<\/p>\n\n\n\n
Password-protected emails containing malware are often passed on to the end user by sandboxes as they cannot gain access to analyse it.<\/p>\n\n\n\n
Some programs simply cannot run in a sandbox environment due to the restrictions in place, so malware within these programs evades sandboxing systems completely.<\/p>\n\n\n\n
Although you wouldn\u2019t want to ride into Isengard without a sandbox at your side, make sure it\u2019s not the only thing in your arsenal \u2013 sandboxes do have several vulnerabilities that can be exploited by attackers.<\/p>\n\n\n\n
In with the New: From Battle Axe, to Many-Handed Longsword<\/h2>\n\n\n\n
Now, imagine a tool where all these solutions are covered in one. This is where Opswat MetaDefender comes in. The name speaks for itself:<\/p>\n\n\n\n
- \n
- META:<\/strong> Most Effective Tactic Available. The best way to win the game. A specialised form. Seeing from a higher perspective. Going above and beyond.<\/li>\n\n\n\n
- Defender<\/strong>: \u2026let\u2019s assume you know this one.<\/li>\n<\/ol>\n\n\n\n
The MetaDefender provides a multi-layered approach, encompassing a multitude of security modules, rather than a single anti-virus engine or sandbox solution.<\/p>\n\n\n\n
Let\u2019s break these layers down and discover how MetaDefender triumphs over other anti-virus technologies, starting with (bring in the war-drums please\u2026) :<\/p>\n\n\n\n
The MetaDefender Core<\/h3>\n\n\n\n
The MetaDefender Core integrates six security modules to form a comprehensive anti-virus solution that can be used on-premises, in the cloud, and with air-gapped networks.<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/www.adminbyrequest.com\/Images\/Blogs\/O_MetaDefender_Core_Shield.png\")
<\/figure>\n\n\n\nHere\u2019s how it works:<\/p>\n\n\n\n
Multiscanning<\/h3>\n\n\n\n
MetaDefender makes use of 35+ anti-malware engines when it scans files. These engines use a combination of traditional and AI\/ML tactics, such as digital signatures, heuristics, and ML models, to detect known malware files.<\/p>\n\n\n\n
We know why relying on a single anti-virus program to detect all threats is a mistake. MetaDefender knows this too, so has partnered with over 35 anti-malware companies which are all used to scan your files with Opswat\u2019s multiscanning module to make sure no threat slips through unnoticed.<\/p>\n\n\n\n
35 rings of power are better than one, right?<\/p>\n\n\n\n
Deep CDR<\/h3>\n\n\n\n
Standing for \u2018Deep Content Disarm and Reconstruction\u2019, this security module boasts the motto \u201cTrust no file\u201d and assumes that every file is malicious. It identifies file types and scans them using its multiscanning tool.<\/p>\n\n\n\n
It then implements the CDR process of breaking the file down and reconstructing it, removing malicious elements and preserving the usability of the file. Voila: you now have a new, safe file to use, while the other is quarantined.<\/p>\n\n\n\n
Deep CDR is effective against zero-day attacks and prevents threats that may slip past other anti-virus technologies, as it disarms and rebuilds all files under the assumption that they are all evil.<\/p>\n\n\n\n
Proactive DLP<\/h3>\n\n\n\n
MetaDefender takes protection a step further with its Proactive DLP (Proactive Data Loss Prevention) module, which redacts PII (Personally Identifiable Information) found in files being uploaded, protecting organisations from potential (and expensive) compliance violation risks.<\/p>\n\n\n\n
File-based Vulnerability Assessment<\/h3>\n\n\n\n
Vulnerability scanning is a process which detects weaknesses within a network or on a computer. Yet another step organisations must take to ensure they stay protected from hackers.<\/p>\n\n\n\n
Again, MetaDefender has this base covered with its file-based vulnerability assessment module.<\/p>\n\n\n\n
While most vulnerability scanners identify exploitable points after software has been installed, MetaDefender can get it done before installation. It can also scan for vulnerabilities while programs are running, or at rest.<\/p>\n\n\n\n
So far, we\u2019ve killed\u2026 four orcs with one arrow? Yes please.<\/p>\n\n\n\n
Threat Intelligence<\/h3>\n\n\n\n
Recall those times when you\u2019ve run a \u201cquick\u201d anti-virus scan of your device and it ended up taking three full moons, a few winters, and the dawning of a new age \u2026<\/p>\n\n\n\n
Anti-virus software relies on data to do its thing: matching signatures, hashing, behaviours, and a bunch of other security intel. There is so much activity going on during these traditional scans that computers can become unusable during the time it takes. If your anti-virus software had a smaller dataset, the process wouldn\u2019t be quite so tiresome, but it also wouldn\u2019t be anywhere near as effective.<\/p>\n\n\n\n
Incoming: cloud-based threat intelligence. Put the dataset on the cloud, and Boom! \u2013 you won\u2019t be growing a full beard in the time it takes to perform a scan.<\/p>\n\n\n\n
MetaDefender\u2019s threat intelligence platform has an expansive cloud-based database, developed from analysing data from thousands of computers worldwide, offering \u201cone of the fastest file hash lookup services in the market\u201d (3.86 seconds to scan a file and 15 milliseconds to look up a hash, FYI).<\/p>\n\n\n\n
A huge dataset and no performance issues on your device, that\u2019s another orc in the bag.<\/p>\n\n\n\n
Sandbox<\/h3>\n\n\n\n
Just to add an extra layer of chainmail, the MetaDefender Core also integrates a sandbox environment.<\/p>\n\n\n\n
How many orcs are we up to now? I\u2019ve lost count.<\/p>\n\n\n\n
Forging the Ring: Putting it All Together in a PAM Solution<\/h2>\n\n\n\n
The Dangers of Running as Administrator<\/h3>\n\n\n\n
So, when do organisations run the most risk of coming face to face with the enemy, aka: malware? When they give too much power to the end user via administrator rights.<\/p>\n\n\n\n
Admin rights are a powerful thing and are not to be taken lightly; we all know what happens when one gets tempted by power …<\/p>\n\n\n\n
The majority of malware infections within an organisation result from end-users having administrator access to their computers. Aside from being able to install and execute malicious software, admin rights allow an individual to:<\/p>\n\n\n\n
- \n
- Install unauthorized software that may slow down computer systems or lead to non-work activities (stop playing solitaire Jeff! Unless it\u2019s LOTR-themed, in which case it\u2019s acceptable).<\/li>\n<\/ul>\n\n\n\n
- \n
- Install unlicensed software that may result in fines when software vendors come knocking.<\/li>\n<\/ul>\n\n\n\n
- \n
- Access other user profiles and data, leading to potential privacy beaches, data breaches and theft.<\/li>\n<\/ul>\n\n\n\n
- \n
- Make changes to the operating system settings, which may cause a myriad of problems and be costly to fix.<\/li>\n<\/ul>\n\n\n\n
But, although dangerous, admin rights are a necessary evil. The answer is simply to control the evil, with PAM: Privileged Access Management.<\/p>\n\n\n\n
PAM to the Rescue!<\/h3>\n\n\n\n
PAM is the strategy of controlling user access and permissions across an organisation\u2019s IT infrastructure. The main goal is to operate in an environment of \u201cleast privilege\u201d: restricting access and permissions to the absolute minimum necessary for users to get their jobs done.<\/p>\n\n\n\n
We know that admin rights open the doors to the danger zone in computer systems. Administrator accounts are targets for attacks due to their privileged rights: elevated permissions, access to sensitive information, and the ability to change OS settings. In fact, according to Forrester Research, privileged credentials are involved in 80% of data breaches.<\/p>\n\n\n\n
With a PAM system in place, organisations can control who is accessing what, log everything being accessed\/downloaded\/installed, monitor any suspicious activity and segregate their networks. This enables businesses to crack down on the small stuff (Jeff and his solitaire addiction) and reduce their computer systems attack surface (the big stuff) without hampering productivity.<\/p>\n\n\n\n
An Ode to the Fallen: Moller-Maerske<\/h3>\n\n\n\n
Let\u2019s talk about this \u201cbig stuff\u201d.<\/p>\n\n\n\n
We know that users with privileged credentials can install and run dodgy files and programs. Of greater significance is their ability to access other user profiles and data and make changes to the operating system settings because of their privileged credentials.<\/p>\n\n\n\n
To grasp why this is significant, one only has to ask Moller-Maerske: the world\u2019s largest container shipping company, which was brought to its knees in 2017.<\/p>\n\n\n\n
NotPetya ransomware is thought to have originated in a Ukrainian company\u2019s accounting software called M.E.Doc during an auto-update, and it got its foothold in just one computer in a Maerske branch in Odessa, Ukraine, when an employee requested IT admin to install the M.E.Doc software on his computer. NotPetya spread swiftly across Maerske\u2019s entire international computer system, moving laterally across the network by extracting administrator credentials. The ransomware (or \u201cwipeware\u201d, being the more appropriate term for the destructive software) took down Maerke\u2019s entire network of 4000 servers and 45,000 computers, resulting in $300,000,000 in damages to the Danish company.<\/p>\n\n\n\n
Read the full story here: The Untold Story of NotPetya, the Most Devastating Cyberattack in History<\/a>, and get the all the technicalities here: NotPetya: Timeline of a Ransomworm<\/a>.<\/p>\n\n\n\n
How did a company that was not the target of the attack, but was simply caught in the crossfire, allow this to happen? The previous year, Maerske IT executives had raised concerns about out-of-date operating systems, poor patching and, above all, lack of network segmentation (i.e. dividing a network into smaller parts so that one area\/set of users do not have access to others). Had Maerske implemented better network segmentation within their infrastructure, they may have been able to contain the spread of NotPetya ransomware.<\/p>\n\n\n\n
And how can network segmentation be achieved? Through PAM. BAM! (standing ovation please).<\/p>\n\n\n\n
The Ring of Power in the Right Hands: Admin By Request<\/p>\n\n\n\n
What do you get when you cross Opswat\u2019s MetaDefender with Admin By Request\u2019s PAM solution? Basically, a Gandalf-Aragorn hybrid that even the Witch-King of Angmar can\u2019t beat.<\/p>\n\n\n\n
Admin By Request has partnered with Opswat to bring you the ultimate security tool with their MetaDefender Cloud.<\/p>\n\n\n\n
Many solutions rely on an administrator spending endless amounts of time whitelisting programs or doing remote installs, but Admin By Request works the other way around: intercepting software installs made by users and installing it without the user being an administrator. See how it works here<\/a>.<\/p>\n\n\n\n
No remote installs necessary and no need to be constantly updating whitelists leads to a very grateful IT department.<\/em><\/p>\n\n\n\n
Mitigated vulnerabilities from not having admin accounts left, right and centre leads to a very safe computer network.<\/em><\/p>\n\n\n\n
Combine this PAM solution with MetaDefender\u2019s 35+ anti-virus engines, and the chances of your system being compromised are virtually zero.<\/p>\n\n\n\n
Fun fact: Bitdefender and Avira anti-virus solutions are often 100% effective against malware. Both of these engines are part of the 35+ that supply the MetaDefender Core.<\/p>\n\n\n\n
Opswat’s\u00a0Detection\u00a0Efficacy overview<\/a>\u00a0provides more of an insight into just how well the Multiscanning module does its\u00a0job: 4 engines detect 62.80% of the top 10,000 searched for\u00a0threats from the MetaDefender Cloud database,\u00a012\u00a0engines detect 90.53%,\u00a020 engines detect 98.69%, and the MetaDefender Cloud detects 99.4%.<\/p>\n\n\n\n
To put it simply: Jeff may not have a valid reason for installing LOTR-themed solitaire onto his work computer, but at least you can rest assured knowing it\u2019s safe.<\/p>\n\n\n\n
See how Opswat is implemented by Admin By Request: Admin By Request \u2013 Malware Detection<\/a>.<\/p>\n\n\n\n
Epilogue<\/h2>\n\n\n\n
In Opswat\u2019s words:<\/p>\n\n\n\n
\u201cSingle anti-malware engines, next-gen firewalls, sandboxes, machine learning, IPSs, and proxy anti-malware solutions do not provide adequate cybersecurity protection on their own\u201d<\/em>.<\/p>\n\n\n\n
Can one anti-malware solution really rule them all?<\/p>\n\n\n\n
Absolutely, if it combines an array of anti-malware tactics and an ingenuitive PAM solution into one war-effort. Download it here<\/a>.<\/p>\n\n\n\n
Take that Sauron.<\/p>\n","protected":false},"excerpt":{"rendered":"
Learn about OPSWAT’s MetaDefender anti-virus software and why a single solution is not effective enough to provide adequate cybersecurity.<\/p>\n","protected":false},"author":2,"featured_media":7857,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[130,131,186,113,189,187,94,82,185,184,188,84],"ppma_author":[10],"class_list":["post-3761","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blogs","tag-antimalware","tag-antivirus","tag-antivirus-engine","tag-api","tag-cloud-computing","tag-detection","tag-integration","tag-malware","tag-metadefender","tag-opswat","tag-tactic","tag-virus","entry","has-media"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t
- Make changes to the operating system settings, which may cause a myriad of problems and be costly to fix.<\/li>\n<\/ul>\n\n\n\n
- Access other user profiles and data, leading to potential privacy beaches, data breaches and theft.<\/li>\n<\/ul>\n\n\n\n
- Install unlicensed software that may result in fines when software vendors come knocking.<\/li>\n<\/ul>\n\n\n\n
- Defender<\/strong>: \u2026let\u2019s assume you know this one.<\/li>\n<\/ol>\n\n\n\n
- META:<\/strong> Most Effective Tactic Available. The best way to win the game. A specialised form. Seeing from a higher perspective. Going above and beyond.<\/li>\n\n\n\n
- An imperfect dataset \u2013 ML algorithms use the dataset they are provided with to learn: the more data provided for the program to learn, the more effective it will be at doing its job.<\/li>\n<\/ul>\n\n\n\n
- Exploiting the model \u2013 ML anti-virus software is given large amounts of data and left to process and make decisions on this data based on the parameters within its model. If an attacker can find out how the model uses its parameters, they could exploit the model by changing something within a file that they know will trick the model into thinking it is safe.<\/li>\n<\/ul>\n\n\n\n
- Hash Matching<\/strong> \u2013 A hash value can be generated by running a file through an algorithm, such as MD5 (Message-Digest algorithm) or SHA-256 (Secure Hashing algorithm, 256 bit). Anti-virus software calculates these hashes and compares them to hash values of malware. If the hashes match, the anti-virus will detect malware.<\/li>\n<\/ul>\n\n\n\n
- Behavioural Analysis<\/strong> \u2013 This process works similarly to heuristic analysis but focuses on how the file behaves rather than its properties. If the behaviours match that of malware, the anti-virus will detect it.<\/li>\n<\/ul>\n\n\n\n