Antivirus Software (presentation transcript)


1 Antivirus Software
- Detects malware (not just viruses)
- May eliminate malware as well
- Often sold with firewalls
- Two approaches:
  - Dictionary-based: compares data to known malware in a dictionary
  - Heuristic approaches: checks the machine for “bad” behavior

2 Dictionary-Based Approach
- Scan files on disk (and in memory) and compare them to known malware
- If a match is found then malware is detected
- Once malware is detected, one of the following actions is performed:
  1. Repair the file (if possible)
  2. Quarantine the file (change access privileges)
  3. Delete the file

3 Dictionary-Based Details
- Typically examines files when the OS performs create, open or close, or when they are emailed
- All files are scheduled to be scanned on a regular basis
  - Maybe a new file has mysteriously appeared
- Virus dictionary must be updated regularly
  - Need to catch “0day” attacks
  - Updates must be secure

4 Blacklisting vs. Whitelisting
- A malware dictionary is essentially a blacklist, describing “bad” software
  - Any software in the blacklist is known bad
- There are so many different types of malware that it is hard to make a complete dictionary
- A whitelist is a list of known good software
  - Software not on the whitelist is assumed to be bad
- Similar to “Deny-All” for firewalls

5 Weaknesses of Dictionary-Based
- Cannot detect new malware
  - Virus must be in the dictionary to be detected
  - Time to include in a dictionary can vary
  - Different malware often shares code (e.g. Metasploit)
- Small changes in malware can make it undetectable
  - There are many ways to write the same program
  - Polymorphic worms are encrypted to avoid detection
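The following Python script is an added example, not part of the slide deck, that ties slides 2 to 5 together in working code: a malware dictionary keyed by SHA-256 digest, a known-good whitelist with a “deny-all” mode in which anything not whitelisted is treated as bad, the quarantine action implemented as moving the file aside and stripping its access bits, and a one-byte variant of a known sample that the hash dictionary no longer recognises. Every file body, file name and the quarantine folder layout is constructed for this example.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed "malware dictionary": SHA-256 digests of known-bad file contents.
# The bodies are made-up sample strings for this example, not real samples.
KNOWN_BAD_CONTENT = {
    "sample-dropper": b"SAMPLE-DROPPER: copies itself into the startup folder\n",
    "sample-keylogger": b"SAMPLE-KEYLOGGER: hooks the keyboard\n",
}
BLACKLIST = {hashlib.sha256(b).hexdigest(): n for n, b in KNOWN_BAD_CONTENT.items()}

# Constructed whitelist of known-good content (assumed to have been vetted).
KNOWN_GOOD_CONTENT = {"harmless-editor": b"harmless text editor, version 1\n"}
WHITELIST = {hashlib.sha256(b).hexdigest(): n for n, b in KNOWN_GOOD_CONTENT.items()}


def file_sha256(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, mode="blacklist"):
    """Return (verdict, name) for one file.
    blacklist mode: only dictionary matches are bad, everything else is unknown.
    whitelist mode: anything not on the known-good list is bad ("deny-all")."""
    digest = file_sha256(path)
    if digest in BLACKLIST:
        return "bad", BLACKLIST[digest]
    if digest in WHITELIST:
        return "good", WHITELIST[digest]
    if mode == "whitelist":
        return "bad", "not-on-whitelist"
    return "unknown", None


def quarantine(path, quarantine_dir):
    """Move the file aside and remove all access bits (the 'change access
    privileges' action); the bytes are kept so the file can still be analysed."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0)
    return dest


def scan_directory(root, mode="blacklist", quarantine_dir=None):
    """Classify every regular file under root; quarantine hits if a dir is given."""
    report = {}
    skip = os.path.abspath(quarantine_dir) if quarantine_dir else None
    for dirpath, _, filenames in os.walk(root):
        if skip and os.path.abspath(dirpath).startswith(skip):
            continue  # never rescan the quarantine folder
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            verdict, name = classify(path, mode)
            report[fn] = (verdict, name)
            if verdict == "bad" and quarantine_dir:
                quarantine(path, quarantine_dir)
    return report


def demo():
    """Constructed scenario: two known-bad files, one known-good file, and a
    one-byte variant of a known-bad file (the 'small change' weakness)."""
    root = tempfile.mkdtemp(prefix="avdemo-")
    for name, body in list(KNOWN_BAD_CONTENT.items()) + list(KNOWN_GOOD_CONTENT.items()):
        with open(os.path.join(root, name + ".bin"), "wb") as f:
            f.write(body)
    variant = KNOWN_BAD_CONTENT["sample-dropper"].replace(b"copies", b"Copies")
    with open(os.path.join(root, "variant.bin"), "wb") as f:
        f.write(variant)

    blacklist_report = scan_directory(root, mode="blacklist")
    whitelist_report = scan_directory(root, mode="whitelist")
    qdir = os.path.join(root, "quarantine")
    scan_directory(root, mode="blacklist", quarantine_dir=qdir)
    quarantined = sorted(
        (fn, stat.S_IMODE(os.stat(os.path.join(qdir, fn)).st_mode)) for fn in os.listdir(qdir)
    )
    shutil.rmtree(root, ignore_errors=True)
    return blacklist_report, whitelist_report, quarantined


if __name__ == "__main__":
    for part in demo():
        print(part)
```

In blacklist mode the variant file comes back as “unknown” because changing a single byte changes the whole digest, which is exactly the weakness slide 5 describes; in whitelist mode the same file is denied because it is not on the known-good list, at the cost of also denying every legitimate program that has not been vetted.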

6 Heuristic Antivirus Techniques
- Monitor the behavior of all programs
- If the behavior is “suspicious” then malware is detected
- Example: writing data to an executable program is suspicious
  - Viruses do this to spread
- Benefits:
  - Can detect new malware
- Weaknesses:
  - Hard to define “suspicious” behavior
  - Many false positives are possible
  - Malware writers can adjust to the heuristics
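As an added example, not from the slide deck, the Python below runs the slide's “writing to an executable is suspicious” heuristic (plus a second rule for writes into a Startup folder) over a constructed log of file operations. It shows both sides of the slide: the rule catches an unknown program that patches an executable without any dictionary entry, and it also fires on an updater and a linker, which are the false positives that an assumed allow-list of trusted writers and a hit threshold are there to suppress. All process names, paths and events are made up for this example.

```python
import re
from collections import Counter

# Constructed behaviour log for the example: (process, operation, target path).
# These are made-up events, not real telemetry.
EVENTS = [
    ("winword.exe", "open", r"C:\Users\alice\report.docx"),
    ("winword.exe", "write", r"C:\Users\alice\report.docx"),
    ("updater.exe", "write", r"C:\Program Files\App\app.exe"),   # legitimate updater
    ("link.exe", "write", r"C:\dev\build\tool.exe"),              # linker producing a build
    ("photo.scr", "write", r"C:\Program Files\App\app.exe"),     # unknown program patching an executable
    ("photo.scr", "write", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\photo.scr"),
    ("explorer.exe", "open", r"C:\Users\alice\Pictures\cat.jpg"),
]

EXECUTABLE_EXT = re.compile(r"\.(exe|dll|sys|scr|com)$", re.IGNORECASE)

# Assumed allow-list of programs that legitimately write executables
# (installers, updaters, linkers). Tuning this list is how false positives are cut.
TRUSTED_WRITERS = {"updater.exe", "link.exe", "msiexec.exe"}


def heuristics_for(event):
    """Return the names of every heuristic rule an event triggers."""
    proc, op, target = event
    hits = []
    if op == "write" and EXECUTABLE_EXT.search(target):
        hits.append("write-to-executable")
    if op == "write" and "\\Startup\\" in target:
        hits.append("write-to-startup-folder")
    return hits


def score_events(events, allow_trusted=True):
    """Tally triggered heuristics per process, optionally skipping trusted writers."""
    alerts = {}
    for event in events:
        if allow_trusted and event[0] in TRUSTED_WRITERS:
            continue
        hits = heuristics_for(event)
        if hits:
            alerts.setdefault(event[0], Counter()).update(hits)
    return alerts


def flagged_processes(alerts, threshold=2):
    """Flag only processes whose total heuristic hits reach the threshold."""
    return {proc for proc, counts in alerts.items() if sum(counts.values()) >= threshold}


if __name__ == "__main__":
    raw = score_events(EVENTS, allow_trusted=False)
    print("without allow-list:", raw, "flagged:", flagged_processes(raw, threshold=1))
    tuned = score_events(EVENTS)
    print("with allow-list:   ", tuned, "flagged:", flagged_processes(tuned))
```

With the allow-list disabled and a threshold of one hit, three processes are flagged and two of them are legitimate; raising the threshold or applying the allow-list leaves only the unknown program, which is the trade-off between detection and false positives the slide lists as the technique's main weakness.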

7 Issues with Antivirus
- Antivirus tools may not properly “clean up” after eliminating malware
- Antivirus tools may significantly slow down your machine
- Cannot use more than one antivirus tool at one time
  - Antivirus operations are “suspicious”
- May need to disable antivirus when making low-level changes
  - Installing a Windows service pack or video drivers
  - Modifying OS and drivers is “suspicious”
