Antivirus Wiki

Interview With Dana Edwards

January 23, 2019

About Dana

Dana Edwards is a Cybersecurity expert and distributed ledger technology researcher with over 20 years of experience in IT. Born and raised in Boston, Massachusetts, he obtained a Bachelor's degree in Ethics, Social & Political Philosophy from the University of Massachusetts.

After obtaining his Master's degree in Cybersecurity from University of Maryland University College he founded Edwards Information Security Consulting, which has provided services to companies such as Coinmaster and more. Dana has been a prolific blogger on the topics of information security, artificial intelligence, and distributed ledger technology.

Dana Edwards


Cyber-Security and Distributed Ledger Researcher


He has been fascinated by and has continuously studied computer science and information security since 1997, when he received his first computer. As a student, teacher, and problem solver, he wishes to share some of his knowledge with the world, and to inspire, conduct, and promote innovative experiments in Cybersecurity.

Q1: How has AV software changed over the years?

A: As our technology evolves our reliance and in some cases dependency on our technology is increasing. It has been said that our smartphone is now like an extension of our mind. That is to say when a person picks up a tool they think of it as an extension of their hand. Just as it is critical for our biological bodies to have defenses against viruses it is equally critical for our computers to have similar defenses. If our computers are wide open to viruses then our computers become unreliable. People are increasingly putting sensitive information on these computers and it is important that this information remain secure not just from theft but also from damage.

Q2: What types of AV software are available? What should users typically be looking for?

A: There are several types of AntiVirus software available from vendors such as Avast, AVG, and many others. The standard AntiVirus software focuses on removing the threat of Malware but many go beyond just this goal. In the beginning the kinds of threats to detect were not all that sophisticated. There were worms, viruses (malware), trojans/keyloggers, but as time went on the sophistication level and nature of the attackers have changed. Antivirus software typically follows either a whitelist/blacklist approach or a runtime behavioral analysis approach.

Metrics exist enabling a quantitative assessment or screening review process for users which can rank the effectiveness of AntiVirus software by scores on tests such as the VB100 (Virus Bulletin) test which works by comparative review to determine both the ItW Catch Rate and the False Positive rate. Good AntiVirus software should receive high scores in comparative review tests like VB100 and have a high catch rate and a low false positive rate. I recommend applying a data driven quantitative approach to selecting security solutions and the results from some of these tests can aid in the selection process.

The more simplified approach to choosing AntiVirus software requires users to just make sure that the AntiVirus software is frequently updating its binary signatures. These binary signatures are how the software detects and removes viruses by looking for matches to these signatures during a scan. It is also important that the AntiVirus software provide some kind of additional protections beyond just a large frequently updated signature database, such as Firewall protection, browser vulnerability protections, and some capacity to defend against and detect Zero day attacks.

Q3: How has AV software changed over the years?

A: In the beginning AntiVirus software was not very sophisticated because the attackers were not usually very sophisticated. At the same time the kind of rewards which attackers could get was not as great nor the amount of damages as catastrophic. So in the early days an Antivirus software was usually just a signature database and a scanner (signature detection). The scanner would simply sort through each file and compare it to the binary signature of every known virus in order to isolate the virus from the file. This was considered effective enough in the beginning but attacks kept becoming more sophisticated and also potentially more damaging. For those interested in history, Bernd Fix is generally recognized as having invented the concept of AntiVirus. John McAfee produced the most known binary signature scanner (Virus Scan).

From the early era of the signature database and scan approach we also saw, in the 1980s, the addition of heuristic engines. In the 1990s-2000s middle era the level of sophistication from attackers began to rise, and some of this may be due to the fact that in the late 90s to early 2000s the number of people who joined the Internet spiked, combined with the birth of Internet commerce, which made computers attractive to identity thieves. In the late 90s to early 2000s the virus makers began to develop stealthy techniques so that their viruses could evade the signature detection of AntiVirus software. In response to these changes in attack techniques and in the priorities of attackers the AntiVirus makers added features such as Firewalls, Browser and script vulnerability protections, email attachment scanning, and more. During this era the detection and removal of rootkits and keyloggers also became something AntiVirus software would focus on because of the risks from credit card fraud and identity theft.

In the current time the threats are much more sophisticated than what most imagine. Spam protection may be included. Scam protection from websites which are flagged as scams may be included because fake websites or fake companies may exist online. Cloud protection or collaborative filtering strategies are a way for AntiVirus companies to allow users to input into a website database or flag. The point made here is that in the current time one of the issues is trust scarcity, and attackers are taking advantage of the tendency of people to trust too easily. The opening of an unknown url, the execution of an unknown file, the opening of an unknown attachment, or even one from a known person, all introduce risks. Current Antivirus software relies on sandboxing to reduce these risks and to potentially detect anomalous behavior in a file.

Q4: How important is it to keep AV software updated?

A: It is most critical to frequently update AntiVirus software. I recommend setting the update frequency to daily. I also suggest going with AntiVirus software which frequently updates their databases. The speed with which you can reduce the vulnerability of your computers has a major influence on the level of risk you or your company has. Faster updates mean faster reduction of known threats.

Q5: How are new viruses discovered? How are their fixes found?

A: In many cases it is security researchers who discover new viruses. These security researchers then release a patch or a fix in cases where it can be done in a timely fashion. Security researchers check for vulnerabilities and may actually deliberately try to write viruses to determine what is possible. Often unfortunately there is no means to discover a new virus prior to seeing computers infected in the wild. Zero day attackers create viruses which leverage unknown or unpopular vulnerabilities so that there isn’t a fix or patch or known signature in the signature database. In these cases we have to look for strange behaviors and with enough examples we (or machine intelligence) can figure out that there is a new virus. In the most unfortunate circumstance the only indication that a computer or network has a virus could be unreliable/unexpected behavior.

Q6: How does an AV software work?

A: AntiVirus Software generally includes a signature database and a scanner. More sophisticated AntiVirus software works by leveraging sandboxing, anomaly detection, cloud database, collaborative filtering and machine learning. The binary signature database scanner simply scans and compares until it finds a match for a virus signature. Sandboxing simply runs or executes a file or app in a very isolated safe manner so that the virus scanner can search for any unexpected behavior which would only show while it’s running. Cloud databases merely improve on storage so that signatures can be downloaded rather than have to be stored on one machine. Collaborative filtering allows users to rate trustability of different websites so that scams can be filtered or to label certain domains or websites as spam. Machine learning gains power from many examples and for anomaly detection or in a cloud context this can make sense.

New Antivirus software uses the state of the art in signature based detection, machine learning/AI, and if available continuous monitoring or real time protection for suspicious computer activity. The real time protection can detect anomalies in behavior of a computer and can help detect unknown or stealthy forms of malware. More specifically anomaly based intrusion detection is used to protect networks from more sophisticated attackers.

Q7: Are there chances of false positives in AV software?

A: Absolutely. Sometimes the behavior of a legitimate app might resemble the behavior of a suspicious app. Machine learning is not perfect, and heuristics aren’t perfect. It is possible with collaborative filtering where the users flag websites or domains that some of these could actually be false positives. For example AntiVirus software might label something like BitTorrent or Bitcoin as a kind of malware due to the unusual behaviors but this doesn’t mean it actually is. My suggestion is to try to use the AntiVirus software which has good reviews from verified users or which received good scores on tests on the topic of false positives.

When doing a comparative analysis and assessment of AntiVirus products I recommend factoring in the false positive rates as well as virus detection rates. The lower the false positive rate the better and the higher the detection rate the better. The ideal detection rate is 100% and the ideal false positive rate is 0%.
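The signature-database-and-scanner design described in Q6, and the catch rate and false positive rate that the VB100-style comparison in Q2 and Q7 measures, can be shown together in a small program. The following is an added example written for this page, not code from Dana Edwards or from any AntiVirus vendor. All "files" are short constructed byte strings, the signature names are made up, and the corpus deliberately contains one unknown sample with no signature (the zero-day case from Q5) and one legitimate input library that shares a byte pattern with a keylogger signature (the false positive case from Q7).

```python
"""Added example: a toy signature scanner and a VB100-style evaluation.

Everything here is constructed for illustration. The 'files' are small byte
strings, not real programs, and every signature name is invented.
"""
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed samples standing in for files on disk (the leading "MZ" mimics
# a Windows executable header; nothing here is runnable code).
TROJAN_C = b"MZ\x90\x00" + b"\x00" * 16 + b"this-is-constructed-sample-C"
DROPPER_A = b"MZ\x90\x00DROPPER" + b"\x00" * 8
KEYLOGGER_B = b"MZ\x90\x00" + b"GetAsyncKeyState" + b"\x00" * 8
ZERO_DAY_X = b"MZ\x90\x00" + b"no-known-signature-yet"   # nothing in the DB matches
CLEAN_TEXT = b"Quarterly report: revenue up 4%"
CLEAN_GAME = b"MZ\x90\x00" + b"GetAsyncKeyState" + b"ReadJoystick"  # legitimate input library

# Constructed signature database with the two common kinds of signature:
# a whole-file hash (exact match only) and a byte pattern (substring match).
HASH_SIGNATURES = {
    hashlib.sha256(TROJAN_C).hexdigest(): "Sample.TrojanC",
}
PATTERN_SIGNATURES = {
    b"DROPPER": "Sample.DropperA",
    b"GetAsyncKeyState": "Sample.KeyloggerB",
}


def scan(data: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if no signature matches."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def evaluate(corpus: Iterable[Tuple[bytes, bool]]) -> dict:
    """Compute catch rate and false positive rate over a labelled corpus.

    corpus yields (data, is_malicious). Catch rate is the fraction of malicious
    files flagged; false positive rate is the fraction of clean files flagged.
    """
    corpus = list(corpus)
    malicious = [d for d, bad in corpus if bad]
    clean = [d for d, bad in corpus if not bad]
    caught = sum(1 for d in malicious if scan(d) is not None)
    false_pos = sum(1 for d in clean if scan(d) is not None)
    return {
        "catch_rate": caught / len(malicious),
        "false_positive_rate": false_pos / len(clean),
        "missed": len(malicious) - caught,
        "false_positives": false_pos,
    }


# Constructed, labelled test corpus: four malicious samples, two clean files.
TEST_CORPUS = [
    (TROJAN_C, True),
    (DROPPER_A, True),
    (KEYLOGGER_B, True),
    (ZERO_DAY_X, True),
    (CLEAN_TEXT, False),
    (CLEAN_GAME, False),
]

if __name__ == "__main__":
    for data, bad in TEST_CORPUS:
        print(f"{'malicious' if bad else 'clean':9s} -> {scan(data)}")
    print(evaluate(TEST_CORPUS))
```

Run on the constructed corpus the scanner catches 3 of 4 malicious samples (the unknown sample is missed because no hash or pattern exists for it yet) and flags 1 of 2 clean files (the input library shares the `GetAsyncKeyState` pattern), giving a catch rate of 75% and a false positive rate of 50%. That is exactly the trade-off the answer above describes: a short, generic pattern raises the catch rate at the cost of false positives, while a stricter signature (a whole-file hash) has no false positives but misses every variant. The behavioral and sandbox approaches discussed in Q6 exist to cover the cases a static signature cannot.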

Q8: What are some new developments in AV technology?

A: The addition of machine learning and behavioral analysis is new. In 2013 machine learning had not been added and anomaly detection wasn’t the focus. Today the focus is on leveraging breakthroughs in AI and this includes for Virus detection. The threat of ransomware is increasing at this time so rootkit detection and sandbox technologies will also be important.

Sandbox technology takes the isolation approach where an untrusted application is run in an isolated environment so that the probability of it influencing the behavior of other processes is reduced. In summary, process isolation and machine-intelligence-enhanced behavior analysis and detection are the two main trends I'm seeing in AntiVirus software.
