Scanning for malware isn't good enough.

January 20th, 2020
Scanning for malware

How do you stay protected against malware? First, you recognize it. Then, you stop it from doing what it wants to do. And then, you remove it from your device. That’s what malware scanning and removal software does – and if you’ve ever wondered how “anti-malware” software does all that, you’re in the right place.

Back when there were just a handful of viruses, “white hat” security professionals (the good guys) recognized that you could detect viruses by the specific code they contained. Once these telltale patterns of code were identified, antivirus software could look for them, testing all the files on a computer and checking new files as they were copied, downloaded, or installed.

Signature-based detection worked very well for years, and it had several key advantages. First, it was relatively easy to implement. Second, it was lightweight: if done right, it didn’t interfere much with system performance. More importantly, it was quite good at identifying known attacks, and it rarely generated “false positives” – claims that a file was infected when it really wasn’t.

Protection from zero-day attacks

While signature-based detection is still part of most anti-malware systems, it’s no longer enough. First, by definition, it can’t recognize brand-new “zero-day” attacks that haven’t been seen before – and in the age of the internet, those attacks can spread widely before security researchers are able to distribute updated signatures to stop them. And as malware became more common, signature databases grew, potentially leading to slower system performance. Some anti-malware providers responded by moving some of their processing to the cloud.

(To give you a sense of the breadth of the problem, SophosLabs analyzes over 400,000 new malware samples daily, and nowadays 75% of malware is unique to a single organization.)

Malware authors also became smarter about hiding their code – using techniques such as mutating hashes, code resequencing, inserted blocks of code that don’t do anything except disrupt recognizable patterns, and other more advanced obfuscation techniques. They embedded attacks in hard-to-find locations, relocated them from executables to website scripts, and built malware that never even stored itself on a computer’s hard drive. Anti-malware software developers have countered these methods, and continue to do so, but it’s a constant battle.

Battling advanced threats 24/7

Something more was needed. Advanced anti-malware software now also identifies malware by its behavior: actions that malware typically performs and that other software on your computer typically doesn’t. For example: if ordinary software never stores files in a specific location that’s often used by malware, a program writing there might be a sign of trouble. So, too, if a process on your computer starts encrypting a large number of files, anti-malware software should recognize that ransomware might be at work.

As you might guess, it can be hard to tell legitimate processes from malware, especially when malware authors are deliberately trying to confuse the two. Therefore, behavior-based anti-malware needs to be as smart as possible. At Sophos, we use deep learning – an advanced form of artificial intelligence – to pinpoint true malware behavior and reduce false positives.
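To make the two approaches described above concrete, here is a small added example (written for this page, not Sophos code): a static scanner that matches a file against a hash signature and a byte-pattern signature, and a behavioral rule that flags any process writing many high-entropy files within a short time window, the pattern a ransomware rule looks for. The samples, signature names, marker string and write events are all constructed for the demonstration; the "mutated" sample shows why a hash signature alone misses a file that has been changed by a single byte while a byte pattern still catches it.

```python
"""Toy illustration of signature-based and behavior-based detection.
All samples, signatures and events below are constructed for this
example; none are real malware indicators."""
import hashlib
import math
from collections import Counter, defaultdict
from typing import NamedTuple

# --- Static (signature-based) detection -----------------------------------

# Constructed samples. The marker string stands in for a byte sequence that
# is unique to one malware family; it is not a real signature.
CLEAN_SAMPLE = b"MZ" + b"\x00" * 64 + b"ordinary program text"
INFECTED_SAMPLE = b"MZ" + b"\x00" * 64 + b"DEMO-FAMILY-MARKER-A" + b"\x90" * 32
# Same code with one trailing byte appended: the file hash changes, the
# byte pattern does not (the "mutating hashes" trick the text mentions).
MUTATED_SAMPLE = INFECTED_SAMPLE + b"\x00"

# Two kinds of signature a scanner might carry (constructed names).
KNOWN_BAD_HASHES = {hashlib.sha256(INFECTED_SAMPLE).hexdigest(): "Demo.Hash.A"}
BYTE_PATTERNS = {"Demo.Marker.A": b"DEMO-FAMILY-MARKER-A"}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that matches `data`, sorted."""
    hits = []
    name = KNOWN_BAD_HASHES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for name, pattern in BYTE_PATTERNS.items():
        if pattern in data:
            hits.append(name)
    return sorted(hits)


# --- Behavioral detection --------------------------------------------------

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 0 for repetitive data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class WriteEvent(NamedTuple):
    pid: int
    ts: float      # seconds since monitoring started
    path: str
    data: bytes    # content written


def detect_mass_encryption(events, threshold=5, window=10.0, min_entropy=7.0):
    """Return PIDs that wrote at least `threshold` high-entropy files within
    any `window`-second span: many files turning into ciphertext quickly."""
    high_entropy_times = defaultdict(list)
    for ev in events:
        if shannon_entropy(ev.data) >= min_entropy:
            high_entropy_times[ev.pid].append(ev.ts)
    flagged = []
    for pid, times in high_entropy_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(pid)
                break
    return sorted(flagged)


# Constructed event stream: pid 1001 behaves like ransomware, pid 1002 writes
# ordinary text, pid 1003 writes random-looking data but only slowly.
RANDOM_LIKE = bytes(range(256)) * 16        # entropy exactly 8.0
TEXT_LIKE = b"quarterly report, page " * 64  # low entropy
SAMPLE_EVENTS = (
    [WriteEvent(1001, float(t), f"/home/user/docs/file{t}.docx.locked", RANDOM_LIKE)
     for t in range(6)]
    + [WriteEvent(1002, 3.0, "/home/user/notes.txt", TEXT_LIKE),
       WriteEvent(1002, 4.0, "/home/user/todo.txt", TEXT_LIKE)]
    + [WriteEvent(1003, t, f"/tmp/out{int(t)}.bin", RANDOM_LIKE)
       for t in (0.0, 50.0, 100.0)]
)

if __name__ == "__main__":
    print("clean   :", scan_bytes(CLEAN_SAMPLE))
    print("infected:", scan_bytes(INFECTED_SAMPLE))
    print("mutated :", scan_bytes(MUTATED_SAMPLE))
    print("flagged :", detect_mass_encryption(SAMPLE_EVENTS))
```

The entropy rule on its own illustrates the false-positive problem the paragraph above raises: a backup tool writing compressed archives also produces high-entropy output, so a real product combines several behavioral signals (write locations, file renames, process lineage, and so on) rather than relying on a single heuristic like this one.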

Deep learning and beyond

Deep learning has proven quite effective, but we’re still pioneering artificial intelligence improvements. For example, at the renowned Black Hat conference we recently presented machine learning innovations that make better use of the malware behavior rules we’ve already developed.

Of course, it’s not enough to recognize malware: you want it halted. High-quality anti-malware software can:

  • Clean a malware infection, removing the malicious file and any associated files, while leaving other ‘good’ files intact
  • Delete a malware infected file and any stray components it may have scattered across your device
  • Quarantine a malware infected file, so it remains on your computer in a safe location where it can’t execute or cause any problems

By default, Sophos Home Premium chooses the right option for each situation and only asks your input when necessary. We figure you’ve got enough on your mind. But if you want more control, you can make adjustments through the Dashboard. Either way, from scanning to removal, you’re covered.
