
Antivirus software: Difference between revisions

link
GreenC bot (talk | contribs)
(11 intermediate revisions by 9 users not shown)
Line 123:
In 2005, [[F-Secure]] was the first security firm that developed an Anti-Rootkit technology, called ''BlackLight''.
 
Because most users are usually connected to the Internet on a continual basis, [[Jon Oberheide]] first proposed a [[Cloud computing|Cloud-based]] antivirus design in 2008.<ref>{{cite web|url=https://www.usenix.org/legacy/event/sec08/tech/full_papers/oberheide/oberheide_html/index.html|title=CloudAV: N-Version Antivirus in the Network Cloud|publisher=usenix.org|url-status=live|archive-url=https://web.archive.org/web/20140826115701/https://www.usenix.org/legacy/event/sec08/tech/full_papers/oberheide/oberheide_html/index.html|archive-date=August 26, 2014}}</ref>
 
In February 2008 McAfee Labs added the industry-first cloud-based anti-malware functionality to VirusScan under the name Artemis. It was tested by [[AV-Comparatives]] in February 2008<ref>[http://www.av-comparatives.org/wp-content/uploads/2008/01/sp_fdt_mcafee_200802_en.pdf McAfee Artemis Preview Report] {{webarchive|url=https://web.archive.org/web/20160403110306/http://www.av-comparatives.org/wp-content/uploads/2008/01/sp_fdt_mcafee_200802_en.pdf |date=April 3, 2016}}. av-comparatives.org</ref> and officially unveiled in August 2008 in [[McAfee VirusScan]].<ref>[http://library.corporate-ir.net/library/10/104/104920/items/313409/MFEFQ308Oct30Final.pdf McAfee Third Quarter 2008] {{webarchive|url=https://web.archive.org/web/20160403020632/http://library.corporate-ir.net/library/10/104/104920/items/313409/MFEFQ308Oct30Final.pdf |date=April 3, 2016}}. corporate-ir.net</ref>
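Review bot: the two paragraphs make competing "first" claims for 2008: the Oberheide paragraph says cloud-based antivirus was "first proposed" in 2008, and the next sentence calls McAfee's Artemis "the industry-first cloud-based anti-malware functionality" in February 2008, citing an AV-Comparatives preview report and a McAfee quarterly-results PDF. "Industry-first" is vendor wording; suggest a neutral phrasing such as "one of the first commercial cloud-based anti-malware features", or attribute the claim to McAfee explicitly. Minor: the two bare-URL refs with {{webarchive}} could be converted to {{cite web}} to match the rest of the section.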
Line 139:
 
== Identification methods ==
In 1987, [[Fred Cohen|Frederick B. Cohen]] demonstrated that the algorithm, which would be able to detect all possible viruses, can't possibly exist (like the algorithm which determines [[Halting problem|whether or not the given program halts]]).<ref name="Cohen1987" /> However, using different layers of defense, a good detection rate may be achieved.
 
There are several methods which antivirus engines can use to identify malware:
* '''Sandbox detection''': a particular behavioural-based detection technique that, instead of detecting the behavioural fingerprint at run time, it executes the programs in a [[virtual machine|virtual environment]], logging what actions the program performs. Depending on the actions logged which can include memory usage and network accesses,<ref>{{Cite journal |last1=Lv |first1=Mingqi |last2=Zeng |first2=Huan |last3=Chen |first3=Tieming |last4=Zhu |first4=Tiantian |date=2023-10-01 |title=CTIMD: Cyber Threat Intelligence Enhanced Malware Detection Using API Call Sequences with Parameters |url=https://www.sciencedirect.com/science/article/pii/S0167404823004285 |journal=Computers & Security |volume=136 |pages=103518 |doi=10.1016/j.cose.2023.103518 |issn=0167-4048}}</ref> the antivirus engine can determine if the program is malicious or not.<ref>[https://enterprise.comodo.com/security-solutions/endpoint-protection/sandboxing.php Sandboxing Protects Endpoints | Stay Ahead Of Zero Day Threats] {{webarchive|url=https://web.archive.org/web/20150402115401/https://enterprise.comodo.com/security-solutions/endpoint-protection/sandboxing.php |date=April 2, 2015}}. Enterprise.comodo.com (June 20, 2014). Retrieved on 2017-01-03.</ref> If not, then, the program is executed in the real environment. AlbeitAlthough this technique has shown to be quite effective, given its heaviness and slowness, it is rarely used in end-user antivirus solutions.{{sfn|Szor|2005|pp=474–481}}
* '''[[Data mining]] techniques''': one of the latest approaches applied in malware detection. [[Data mining]] and [[machine learning]] algorithms are used to try to classify the behaviour of a file (as either malicious or benign) given a series of file features, that are extracted from the file itself.<ref>Kiem, Hoang; Thuy, Nguyen Yhanh and Quang, Truong Minh Nhat (December 2004) "A Machine Learning Approach to Anti-virus System", ''Joint Workshop of Vietnamese Society of AI, SIGKBS-JSAI, ICS-IPSJ and IEICE-SIGAI on Active Mining; Session 3: Artificial Intelligence'', Vol. 67, pp. 61–65</ref><ref>{{cite book|title=Data Mining Methods for Malware Detection|url=https://books.google.com/books?id=lZto6RraGOwC&pg=PR15|year=2008|isbn=978-0-549-88885-7|pages=15–|url-status=live|archive-url=https://web.archive.org/web/20170320111622/https://books.google.com/books?id=lZto6RraGOwC&pg=PR15|archive-date=March 20, 2017}}</ref><ref>{{cite book|author1=Dua, Sumeet|author2=Du, Xian|title=Data Mining and Machine Learning in Cybersecurity|url=https://books.google.com/books?id=1-FY-U30lUYC&pg=PP1|date=April 19, 2016|publisher=CRC Press|isbn=978-1-4398-3943-0|pages=1–|url-status=live|archive-url=https://web.archive.org/web/20170320093100/https://books.google.com/books?id=1-FY-U30lUYC&pg=PP1|archive-date=March 20, 2017}}</ref><ref>{{cite book|doi=10.1109/ACT.2010.33|chapter=Analysis of Machine learning Techniques Used in Behavior-Based Malware Detection|title=2010 Second International Conference on Advances in Computing, Control, and Telecommunication Technologies|page=201|year=2010|last1=Firdausi|first1=Ivan|last2=Lim|first2=Charles|last3=Erwin|first3=Alva|last4=Nugroho|first4=Anto Satriyo|isbn=978-1-4244-8746-2|s2cid=18522498}}</ref><ref>{{cite book|doi=10.1145/1593105.1593239|chapter=A survey of data mining techniques for malware detection using file features|title=Proceedings of the 46th Annual Southeast Regional Conference on XX – ACM-SE 
46|page=509|year=2008|last1=Siddiqui|first1=Muazzam|last2=Wang|first2=Morgan C.|last3=Lee|first3=Joohan|isbn=9781605581057|s2cid=729418}}</ref><ref>{{cite book|doi=10.1109/CCST.2003.1297626|chapter=Intelligent automatic malicious code signatures extraction|title=IEEE 37th Annual 2003 International Carnahan Conference on ''Security'' Technology, 2003. Proceedings|page=600|year=2003|last1=Deng|first1=P.S.|last2=Jau-Hwang Wang|last3=Wen-Gong Shieh|last4=Chih-Pin Yen|last5=Cheng-Tan Tung|isbn=978-0-7803-7882-7|s2cid=56533298}}</ref><ref>{{cite book|doi=10.1109/PDP.2010.30|chapter=Malware Detection by Data Mining Techniques Based on Positionally Dependent Features|title=2010 18th Euromicro Conference on Parallel, Distributed and Network-based Processing|page=617|year=2010|last1=Komashinskiy|first1=Dmitriy|last2=Kotenko|first2=Igor|isbn=978-1-4244-5672-7|s2cid=314909}}</ref><ref>{{cite book|doi=10.1109/SECPRI.2001.924286|chapter=Data mining methods for detection of new malicious executables|title=Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001|page=38|year=2001|last1=Schultz|first1=M.G.|last2=Eskin|first2=E.|last3=Zadok|first3=F.|last4=Stolfo|first4=S.J.|isbn=978-0-7695-1046-0|citeseerx=10.1.1.408.5676|s2cid=21791}}</ref><ref>{{cite book|doi=10.1145/1281192.1281308|chapter=IMDS|title=Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining – KDD '07|page=1043|year=2007|last1=Ye|first1=Yanfang|last2=Wang|first2=Dingding|last3=Li|first3=Tao|last4=Ye|first4=Dongyi|isbn=9781595936097|s2cid=8142630}}</ref><ref>{{cite journal|url=http://dl.acm.org/citation.cfm?id=1248547.1248646|title=Learning to Detect and Classify Malicious Executables in the Wild|journal=J. Mach. Learn. Res.|first1=J. 
Zico|last1=Kolter|first2=Marcus A.|last2=Maloof|date=December 1, 2006|volume=7|pages=2721–2744}}</ref><ref>{{cite book|doi=10.1145/1599272.1599278|chapter=Malware detection using statistical analysis of byte-level file content|title=Proceedings of the ACM SIGKDD Workshop on Cyber ''Security'' and Intelligence Informatics – CSI-KDD '09|page=23|year=2009|last1=Tabish|first1=S. Momina|last2=Shafiq|first2=M. Zubair|last3=Farooq|first3=Muddassar|isbn=9781605586694|citeseerx=10.1.1.466.5074|s2cid=10661197}}</ref><ref>{{cite journal|doi=10.1007/s11416-008-0082-4|title=An intelligent PE-malware detection system based on association mining|journal=Journal in Computer Virology|volume=4|issue=4|page=323|year=2008|last1=Ye|first1=Yanfang|last2=Wang|first2=Dingding|last3=Li|first3=Tao|last4=Ye|first4=Dongyi|last5=Jiang|first5=Qingshan|citeseerx=10.1.1.172.4316|s2cid=207288887}}</ref><ref>{{cite book|doi=10.1145/1774088.1774303|chapter=Malware detection based on mining API calls|title=Proceedings of the 2010 ACM Symposium on Applied Computing – SAC '10|page=1020|year=2010|last1=Sami|first1=Ashkan|last2=Yadegari|first2=Babak|last3=Peiravian|first3=Naser|last4=Hashemi|first4=Sattar|last5=Hamze|first5=Ali|isbn=9781605586397|s2cid=9330550}}</ref><ref>{{cite journal|doi=10.1007/s10844-010-0148-x|title="Andromaly": A behavioral malware detection framework for android devices|journal=Journal of Intelligent Information Systems|volume=38|page=161|year=2011|last1=Shabtai|first1=Asaf|last2=Kanonov|first2=Uri|last3=Elovici|first3=Yuval|last4=Glezer|first4=Chanan|last5=Weiss|first5=Yael|s2cid=6993130}}</ref>{{Excessive citations inline|reason=Only a few papers are needed for this|date=October 2021}}
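Review bot: the "Albeit" to "Although" replacement is correct, but the sandbox bullet still has two grammar problems: "a particular behavioural-based detection technique that, instead of detecting ..., it executes the programs" carries a redundant subject ("it"), and "has shown to be quite effective" needs "been". Suggest "a behaviour-based detection technique that, instead of detecting the behavioural fingerprint at run time, executes the program in a virtual environment" and "Although this technique has been shown to be quite effective, its cost and slowness mean it is rarely used". The Cohen sentence would also read better as "an algorithm that could detect all possible viruses cannot exist". The {{Excessive citations inline}} tag is warranted: the data-mining bullet cites fourteen sources for one sentence; keep the survey (Siddiqui et al. 2008) plus one or two primary papers (Schultz et al. 2001, Kolter and Maloof 2006) and drop the rest.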
 
Line 153:
 
=== Heuristics ===
Many viruses start as a single infection and through either [[MutationPolymorphic (genetic algorithm)code|mutation]] or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.<ref>{{cite web |url=http://www.securelist.com/en/glossary?glossid=189210517 |title=Generic detection |access-date=July 11, 2013 |publisher=Kaspersky |url-status=dead |archive-url=https://web.archive.org/web/20131203013651/http://www.securelist.com/en/glossary?glossid=189210517 |archive-date=December 3, 2013}}</ref>
 
For example, the [[Vundo]] [[trojan horse (computing)|trojan]] has several family members, depending on the antivirus vendor's classification. [[NortonLifeLock|Symantec]] classifies members of the Vundo family into two distinct categories, ''Trojan.Vundo'' and ''Trojan.Vundo.B''.<ref>{{cite web|url = http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99|title = Trojan.Vundo|access-date = April 14, 2009|last = Symantec Corporation|date=February 2009| archive-url= https://web.archive.org/web/20090409002645/http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99| archive-date= April 9, 2009 | url-status= livedead}}</ref><ref>{{cite web|url = http://www.symantec.com/security_response/writeup.jsp?docid=2005-042810-2611-99|title = Trojan.Vundo.B|access-date = April 14, 2009|last = Symantec Corporation|date=February 2007| archive-url= https://web.archive.org/web/20090427160747/http://www.symantec.com/security_response/writeup.jsp?docid=2005-042810-2611-99| archive-date= April 27, 2009 | url-status= livedead}}</ref>
 
While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using [[wildcard character]]s where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code.<ref>{{cite web|url=http://www.extremetech.com/article2/0,2845,1154648,00.asp |title=Antivirus Research and Detection Techniques |access-date=February 24, 2009 |publisher=ExtremeTech |archive-url=https://web.archive.org/web/20090227002351/http://www.extremetech.com/article2/0%2C2845%2C1154648%2C00.asp |archive-date=February 27, 2009 |url-status=live}}</ref> A detection that uses this method is said to be "heuristic detection".
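Review bot: retargeting the "mutation" link from Mutation (genetic algorithm) to Polymorphic code is the right fix, since the sentence is about malware variants rather than genetic algorithms, and the two Symantec refs are correctly flipped to url-status=dead because both carry an archive-url. One open point: the subsection is headed "Heuristics", but the three paragraphs describe generic and wildcard signatures, and only the final sentence asserts that "a detection that uses this method is said to be 'heuristic detection'", sourced to the ExtremeTech article. Suggest either attributing that usage in the sentence itself ("ExtremeTech describes ...") or adding a sentence that distinguishes wildcard signatures from heuristic analysis. Also "common areas that all viruses in a family share uniquely" is awkward; "code regions that are unique to the family" reads better.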
Line 204:
The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. At the time, viruses were written by amateurs and exhibited destructive behavior or [[pop-up ad|pop-up]]s. Modern viruses are often written by professionals, financed by [[Organized crime|criminal organization]]s.<ref>{{cite web|url=http://www.computerweekly.com/Articles/2007/07/13/225537/hacking-poses-threats-to-business.htm|title=Hacking poses threats to business|access-date=November 15, 2009|author=Illett, Dan|work=[[Computer Weekly]]|date=July 13, 2007|url-status=live|archive-url=https://web.archive.org/web/20100112104421/http://www.computerweekly.com/Articles/2007/07/13/225537/hacking-poses-threats-to-business.htm|archive-date=January 12, 2010}}</ref>
 
In 2008, [[Eva Chen]], [[CEO]] of [[Trend Micro]], stated that the anti-virus industry has over-hyped how effective its products are—and so has been misleading customers—for years.<ref>{{cite web|url=httphttps://www.zdnet.com/article/trend-micro-antivirus-industry-lied-for-20-years-3039440184/|title=Trend Micro: Antivirus industry lied for 20 years|access-date=September 27, 2014|author=Espiner, Tom|work=[[ZDNet]]|date=June 30, 2008|url-status=live|archive-url=https://web.archive.org/web/20141006084845/http://www.zdnet.com/trend-micro-antivirus-industry-lied-for-20-years-3039440184/|archive-date=October 6, 2014}}</ref>
 
Independent testing on all the major virus scanners consistently shows that none provides 100% virus detection. The best ones provided as high as 99.9% detection for simulated real-world situations, while the lowest provided 91.1% in tests conducted in August 2013. Many virus scanners produce false positive results as well, identifying benign files as malware.<ref>{{cite web|url = http://www.av-comparatives.org/wp-content/uploads/2013/12/avc_prot_2013b_en.pdf|title = Whole Product Dynamic "Real World" Production Test |access-date = January 2, 2014|last = AV Comparatives |date=December 2013| archive-url= https://web.archive.org/web/20140102214834/http://www.av-comparatives.org/wp-content/uploads/2013/12/avc_prot_2013b_en.pdf| archive-date= January 2, 2014 | url-status= live}}</ref>
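Review bot: the switch of the ZDNet cite to https leaves its archive-url on http, which is fine because the snapshot was taken of the http URL. Two things to check in the AV-Comparatives citation: the title is given as "Whole Product Dynamic "Real World" Production Test" while the file name (avc_prot_2013b_en.pdf) suggests "Protection Test", and the text says the lowest score was "in tests conducted in August 2013" while the cited report is dated December 2013; the sentence should state the test period exactly as the report gives it. The em-dash parenthetical in the Eva Chen sentence would read more cleanly set off with commas.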
Line 211:
 
===New viruses===
Anti-virus programs are not always effective against new viruses, even those that use non-signature-based methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on the major anti-virus applications to make sure that they are not detected before releasing them into the wild.<ref>{{cite web|url = httphttps://www.zdnet.com.au/article/why-popular-antivirus-apps-do-not-work-139264249.htm?omnRef=NULL/|title = Why popular antivirus apps 'do not work'|access-date = April 14, 2010|last = Kotadia|first = Munir|date = July 2006|url-status = live|archive-url = https://web.archive.org/web/20110430230447/http://www.zdnet.com.au/why-popular-antivirus-apps-do-not-work-139264249.htm?omnRef=NULL|archive-date = April 30, 2011|df = mdy-all}}</ref>
 
Some new viruses, particularly [[ransomware]], use [[polymorphic code]] to avoid detection by virus scanners. Jerome Segura, a security analyst with ParetoLogic, explained:<ref name="CBC16Apr10">{{cite news|url = http://www.cbc.ca/consumer/story/2010/04/16/con-adult-video-virus.html|title = Internet scam uses adult game to extort cash|access-date = April 17, 2010|last = [[The Canadian Press]] |date=April 2010 | work=CBC News| archive-url= https://web.archive.org/web/20100418215458/http://www.cbc.ca/consumer/story/2010/04/16/con-adult-video-virus.html| archive-date= April 18, 2010 | url-status= live}}</ref>
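Review bot: the rewritten ZDNet Australia URL ends in "?omnRef=NULL/", a trailing slash appended after the query string; the archive-url correctly has no trailing slash, so drop it from the live url as well. Also, "The reason for this is that the virus designers test their new viruses on the major anti-virus applications" presents one cause, drawn from a 2006 opinion piece, as the whole explanation; suggest "One reason is that malware authors test ...". The sentence "Jerome Segura ... explained:" ends with a colon but the quoted material is outside this hunk; confirm the quotation still follows it after the edit.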
Line 233:
Furthermore, inexperienced users can be lulled into a false sense of security when using the computer, considering their computers to be invulnerable, and may have problems understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, it must be fine-tuned to minimize misidentifying harmless software as malicious ([[false positive]]).<ref>{{cite web | title=Softpedia Exclusive Interview: Avira 10 | url=http://news.softpedia.com/news/Avira-s-New-Anti-Malware-Fleet-139829.shtml | work=Ionut Ilascu | publisher=Softpedia | date=April 14, 2010 | access-date=September 11, 2011 | url-status=live | archive-url=https://web.archive.org/web/20110826154924/http://news.softpedia.com/news/Avira-s-New-Anti-Malware-Fleet-139829.shtml | archive-date=August 26, 2011}}</ref>
 
Antivirus software itself usually runs at the highly trusted [[kernel (operating system)|kernel]] level of the [[operating system]] to allow it access to all the potential malicious process and files, creating a potential avenue of [[attack (computing)|attack]].<ref>{{cite web | title=Norton AntiVirus ignores malicious WMI instructions | url=httphttps://www.zdnet.com.au/newsarticle/security/soa/Nortonnorton-AntiVirusantivirus-ignores-malicious-WMIwmi-instructions/0,130061744,139163678,00.htm | work=Munir Kotadia | publisher=CBS Interactive | date=October 21, 2004 | access-date=April 5, 2009 | url-status=live | archive-url=https://web.archive.org/web/20090912083538/http://www.zdnet.com.au/news/security/soa/Norton-AntiVirus-ignores-malicious-WMI-instructions/0,130061744,139163678,00.htm | archive-date=September 12, 2009}}</ref> The US [[National Security Agency]] (NSA) and the UK [[Government Communications Headquarters]] (GCHQ) intelligence agencies,
respectively, have been exploiting anti-virus software to spy on users.<ref>{{cite news| title=NSA and GCHQ attacked antivirus software so that they could spy on people, leaks indicate | url=http://www.belfasttelegraph.co.uk/technology/nsa-and-gchq-attacked-antivirus-software-so-that-they-could-spy-on-people-leaks-indicate-31327280.html | date=June 24, 2015 | access-date=October 30, 2016}}</ref> Anti-virus software has highly privileged and trusted access to the underlying operating system, which makes it a much more appealing target for remote attacks.<ref name="Kaspersky-targeted">{{cite web | url=https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/ | title=Popular security software came under relentless NSA and GCHQ attacks | work=Andrew Fishman, Morgan Marquis-Boire | date=June 22, 2015 | access-date=October 30, 2016 | url-status=live | archive-url=https://web.archive.org/web/20161031151320/https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/ | archive-date=October 31, 2016}}</ref> Additionally anti-virus software is "years behind security-conscious client-side applications like browsers or document readers. It means that Acrobat Reader, Microsoft Word or Google Chrome are harder to exploit than 90 percent of the anti-virus products out there", according to Joxean Koret, a researcher with Coseinc, a Singapore-based [[information security]] consultancy.<ref name="Kaspersky-targeted"/>
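Review bot: in the three {{cite web}} templates here, author names are placed in the work= parameter ("work=Munir Kotadia", "work=Andrew Fishman, Morgan Marquis-Boire", and "work=Ionut Ilascu" earlier in the hunk); these belong in author= or first=/last=, with work= holding the publication (ZDNet Australia, The Intercept, Softpedia). The updated Norton URL changes the path (news to article, lowercased slug) while the archive-url keeps the old path, which is expected for an archived snapshot. Grammar: "access to all the potential malicious process and files" should be "access to all potentially malicious processes and files", and "respectively" in "The US NSA and the UK GCHQ intelligence agencies, respectively, have been exploiting" pairs with nothing and should be deleted. The Belfast Telegraph news cite lacks an archive-url and url-status, unlike the neighbouring refs.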