The first antivirus looked for vulnerabilities in the code, called signatures.
The first antivirus looked for vulnerabilities in the code, called signatures. Once identified, each signature was added to a list known as the “signature list.” This list was used to scan all files; when a file was found to contain any of these signatures, it was quarantined for observation. The file was then backtracked, and if it was found to come from a questionable area, it was killed or kept in quarantine until further action was taken. A file was believed to be neutralized once quarantined; however, experience showed that these viruses often remained active. This was how “normal” antivirus software operated.
Today’s computer viruses are more advanced
When computers were slow, this approach was effective, but as viruses became faster it grew less and less effective. In addition, the “old” antiviruses were outward-facing: once an attacker got past them, the antivirus was very slow to catch them inside the system.
Today’s computer viruses are more advanced and move so fast that the old way doesn’t catch them. This is how crypto and ransomware were born.
Files come in looking like a normal application, which lets them clear the antivirus. Then a trigger goes off, like a bomb. The first thing the malware does is overtake the antivirus. Since the antivirus reports directly to the operating system, the malware very quickly overtakes the operating system without resistance. It then poisons or converts all the files. Anywhere the infected machine has rights becomes infected too. All of this happens in less than a second. Attackers also use pop-ups to spread viruses across machines and networks simply through user approval, which is given all too easily.
Blue Sky combats this
Blue Sky combats this with Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR). The next generation of antivirus goes beyond signatures and looks at how files behave. It learns behavior and does not require signature updates. It waits for files to try to initiate a crypto event. When such an event is detected, it freezes the system and takes it off the network. The machine can then be rolled back to before the incident, and the infected files removed.
It’s like a computer’s shield. MDR adds a hosted Security Operations Center (SOC) or, in other words, REAL humans at a desk inspecting a system or network for issues. The MDR looks for programs that send signals to the attacker’s machine to get instructions (“phone home”) and for people trying to attach to equipment or machines to gain access to them. The program gets past the antivirus by looking normal. Then a trigger or timer activates, and the program receives instructions from the attacker on how and when the virus will attack.
How does the protection work?
MDR kills the program when it sees the signal going somewhere it shouldn’t be going. On a computer, other programs also send signals to receive instructions, but those programs are appropriately registered, so when they phone home, the MDR follows them to verify that they are going where they are supposed to.
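As an added illustration (not Blue Sky’s product code), the two behaviors just described reduced to their simplest form: a process that rewrites many files with encrypted-looking (high-entropy) content inside a short window is treated as a crypto event, and a program that phones home to a destination it is not registered for is killed. The telemetry, thresholds and registered-destination list are all constructed for the example; note that none of these processes would match a signature list, which is the point of watching behavior instead.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): (seconds, process, event, detail).
# "write" detail is (path, entropy in bits per byte); "connect" detail is the destination host.
EVENTS = [
    (0.0, "invoice.exe", "write", ("C:/Users/a/report.docx.locked", 7.98)),
    (0.1, "invoice.exe", "write", ("C:/Users/a/budget.xlsx.locked", 7.96)),
    (0.2, "invoice.exe", "write", ("C:/Users/a/photo.jpg.locked", 7.99)),
    (0.3, "invoice.exe", "write", ("C:/Users/a/notes.txt.locked", 7.97)),
    (0.4, "invoice.exe", "write", ("C:/Users/a/plan.pptx.locked", 7.95)),
    (0.5, "invoice.exe", "connect", "203.0.113.7"),   # TEST-NET address, a placeholder
    (1.0, "winword.exe", "write", ("C:/Users/a/letter.docx", 4.10)),  # ordinary document
    (2.0, "updater.exe", "connect", "updates.example.com"),
]

# Assumption: the MDR keeps a list of where each registered program is allowed to phone home.
REGISTERED = {"updater.exe": {"updates.example.com"}}

WINDOW_SECONDS = 2.0  # how quickly the burst of rewrites must happen
BURST_FILES = 5       # how many high-entropy rewrites count as a crypto event
HIGH_ENTROPY = 7.5    # encrypted (or compressed) data sits close to 8 bits per byte

def detect(events):
    """Return (rule, process, response) tuples for behavior an EDR/MDR would act on."""
    alerts = []
    recent = defaultdict(list)  # process -> timestamps of recent high-entropy writes
    for ts, proc, kind, detail in events:
        if kind == "write":
            _path, entropy = detail
            if entropy < HIGH_ENTROPY:
                continue  # normal-looking file content, nothing to track
            recent[proc] = [t for t in recent[proc] if ts - t <= WINDOW_SECONDS] + [ts]
            if len(recent[proc]) >= BURST_FILES:
                alerts.append(("crypto-burst", proc, "freeze host, isolate from network, roll back"))
                recent[proc] = []  # do not raise the same burst twice
        elif kind == "connect" and detail not in REGISTERED.get(proc, set()):
            alerts.append(("unregistered-phone-home", proc, "kill process"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```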
Another tactic attackers often use is a program that opens a window onto a machine. Once on the machine, they slowly poke around, gathering information and trying to see where else they can go. This is called lateral movement. An MDR kills the program, the window, and the attacker’s access to the system.
On average, an attacker can sit on a machine anywhere from over 100 days to 4 years without being detected. Because of this, Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) are mandatory tools to employ in your environment to help protect your company from being attacked.