See that floppy disc?
That’s how F-Secure Labs used to get malware to analyze.
Nowadays, of course, it’s much different, Andy Patel from the Labs explained in a recent post, “What’s The Deal with Scanning Engines?”
In just a few hundred words, Andy lays out what makes modern protection so different from the anti-virus that you remember from the 80s, 90s or even the early 00s. And it’s not just that floppy disks the Labs once analyzed have been replaced by almost any sort of digital input, down to a piece of memory or a network stream.
The whole post is worth checking out if you’re interested in how relentless modern internet security must be to keep up with the panoply of online threats we face. But here’s a quick look at five of the key components of endpoint protection that work in tandem to stop attacks in their tracks, as described by Andy:
- Scanning engines.
Today’s detections are really just complex computer programs, designed to perform intricate sample analysis directly on the client. Modern detections are designed to catch thousands, or even hundreds of thousands of samples. - URL blocking.
Preventing a user from being exposed to a site hosting an exploit kit or other malicious content negates the need for any further protection measures. We do this largely via URL and IP reputation cloud queries. Spam blocking and email filtering also happen here. - Exploit detection.
If a user does manage to visit a site hosting an exploit kit, and that user is running vulnerable software, any attempt to exploit that vulnerable software will be blocked by our behavioral monitoring engine. - Network and on-access scanning.
If a user receives a malicious file via email or download, it will be scanned on the network or when it is written to disk. If the file is found to be malicious, it will be removed from the user’s system. - Behavioral blocking.
Assuming no file-based detection existed for the object, the user may then go on to open or execute the document, script, or program. At this point, malicious behavior will be blocked by our behavioral engine and again, the file will be removed. The fact is, a majority of malware delivery mechanisms are easily blocked behaviorally. In most cases, when we find new threats, we also discover that we had, in the distant past, already added logic addressing the mechanisms it uses.If you’re interested in knowing more about behavioral engines, check out this post in which Andy makes then easy to understand by comparing the technology to securing an office building.
So you must be wondering, does this all work? Is it enough?
Well, our experts and our computers are always learning. But in all the tests this year run by independent analysts AV-Comparatives, we’ve blocked 100% of the real-world threats thrown at us.
Cheers,
Jason
Categories