How Virus Hunters catch the Bad Guys (Part 3)

You know now about how Avira finds out about new malware types and how we engineer the antidote. But how do we actually stop malware (and keyloggers and identity theft and other nasties) on your computer or mobile device? That is the job of Avira’s software agent – the part that you see as a red umbrella logo running on your devices.

As data traffic flows in and out of your device, we scan it – the email files that you are receiving and sending, the websites that your browser visits, and any external IP traffic that may be requesting access to your ports. To our machines, all of this traffic is just a bunch of encrypted 1s and 0s so you don’t have to worry about your privacy. Our scanning engines in your Avira agent use three basic techniques to identify and stop bad things from happening to your device:

  1. Scan the traffic looking for any signatures that match to a database of known viruses and Trojans;
  2. Watch for programs on your device that start to exhibit malicious-looking behavior, such as making changes to your Registry or unpacking additional coded malware;
  3. Analyze program code (sometimes called disassembling program code) to look for malicious things. This analysis is often very complex and is usually done in the cloud on our high-powered servers, with the results sent back to your device almost instantaneously.

All of the above is happening on your computer in milliseconds, which is pretty amazing when you think of it.

I underlined some key words above because these are words that many people have heard of when reading about antivirus and security software. If you are interested, we’ll now discuss each of them in a bit more detail.

Signature-based detection is the most common antivirus technique. Every piece of malware has a unique fingerprint – it could be a particular series of bytes in the code, or a cryptographic hash of the file, or any other identifiable element – and that fingerprint can be matched against a database of known viruses and Trojans. The advantage of signature-based detection is that it is fast and 100% effective for known malware. The downside is that it won’t stop any virus or malware that hasn’t been seen before – and the bad guys are good at mutating their exploits to evade detection while still retaining their functionality. So signature-based detection is an efficient first pass, but it needs to be used alongside other detection methods.

Behavior-based detection (sometimes used interchangeably with the term ‘heuristics-based’ detection) identifies malware by watching for suspicious behaviors – like attempts to modify the hosts file or initiating data connections out to dubious IP addresses. Heuristics-based detection technically means statically examining files that have no exact signature match. Although no single behavior or observation might be enough to declare a file as malware, taken together, behavior- and heuristics-based techniques can flag files and add up scores. By setting threshold scores and stopping any executable code that surpasses those limits, the antivirus tool can detect the presence of previously unseen malware or viruses and keep your system protected.
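To make the two passes above concrete, here is an added example (not Avira's code, and not how the Avira engine is implemented): a signature pass that matches a file hash or a known byte sequence, followed by a behavior pass that sums weights for observed actions and blocks once an assumed threshold is crossed. The signature database, the behavior weights and the threshold are all constructed for illustration; the example also shows why the second pass matters, since a one-byte mutation of a known sample slips past the signature pass but is still caught on behavior.

```python
import hashlib

# Constructed signature database (illustrative values, not real malware indicators):
# a byte sequence seen in a known sample, and a SHA-256 of a whole known-bad file.
BYTE_SIGNATURES = {b"\xde\xad\xbe\xef\x90\x90": "Constructed.Trojan.A"}
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed known-bad file").hexdigest(): "Constructed.Worm.B"
}

# Assumed weights for suspicious behaviors; none is conclusive alone, but they add up.
BEHAVIOR_WEIGHTS = {
    "modify_hosts_file": 40,
    "registry_run_key_write": 30,
    "unpack_executable_in_memory": 35,
    "connect_unknown_ip": 25,
}
BLOCK_THRESHOLD = 60  # assumed threshold; a real engine tunes this against false positives


def signature_scan(data: bytes):
    """First pass: exact match on file hash or known byte pattern.

    Fast and certain for known malware, but blind to anything not in the database.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def behavior_score(observed):
    """Second pass: sum the weights of distinct observed behaviors (unknown ones score 0)."""
    return sum(BEHAVIOR_WEIGHTS.get(behavior, 0) for behavior in set(observed))


def verdict(data: bytes, observed):
    """Layered decision: a signature hit blocks outright; otherwise block on score >= threshold."""
    name = signature_scan(data)
    if name is not None:
        return ("block", f"signature:{name}")
    score = behavior_score(observed)
    if score >= BLOCK_THRESHOLD:
        return ("block", f"behavior score {score} >= {BLOCK_THRESHOLD}")
    return ("allow", f"behavior score {score} < {BLOCK_THRESHOLD}")
```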

Cloud-based detection collects potential malware samples from your computer and sends them to Avira’s high-powered servers for analysis. This technique minimizes the load put on your Avira software agent (so your computer can run faster), and Avira’s cloud engine can observe patterns and correlate data across millions of other Avira users. Doing so means that individual users of Avira antivirus benefit from the collective experience of the entire Avira community. Another benefit of moving some analysis to the cloud is that it makes it more difficult for the Bad Guys to reverse-engineer and test their malware against our scanning engines without identifying themselves.

In practice, all of these techniques are used together in a “layered” approach that gives Avira a nearly perfect 99.8% detection rate, according to AV-Comparatives’ independent tests conducted March 2014.


Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.