
Antivirus Protection

What is Antivirus Protection?

Antivirus software protects devices against viruses and other malware through a combination of prevention, detection, and removal. It can be installed on computers and on other devices such as smartphones and tablets. The two major types of antivirus protection are [1]:

Traditional antivirus protection. Traditional antivirus software relies heavily on the signature, or binary pattern, of a virus to identify malware. Antivirus vendors analyze files suspected of containing malware; once a file is confirmed malicious, a signature is extracted from it and added to the signature database that the antivirus software consults. Because traditional antivirus protection only detects known signatures, it is ineffective against many modern viruses. Attackers now often write “oligomorphic,” “polymorphic,” and “metamorphic” viruses, which encrypt parts of themselves or otherwise modify themselves as a disguise so that they no longer match the signatures in the antivirus database.

Next-generation antivirus protection. In the last decade, the security industry has shifted its focus toward signature-less approaches to antivirus protection. These newer capabilities detect and mitigate zero-day attacks and other, more sophisticated malware. They include behavior-based malware detection, which builds a full context around every process execution path in real time, and machine learning (ML) models and other forms of artificial intelligence, which identify patterns that match known malware characteristics. These methods are found in next-generation antivirus, endpoint detection and response (EDR), and extended detection and response (XDR) solutions.

Key tasks that antivirus protection software performs to help defend against viruses include:

  • Scanning the computer to identify files known to be malicious software, based on a set of detection patterns.
  • Scheduling scans to automatically recur on an ongoing basis.
  • Scanning specific files, directories, or the entire computer.
  • Quarantining, deleting, or working with other security software to remove malicious code and software.
  • Providing validation that your computer and other devices are free of viruses and are safe to use.
  • Alerting the security team when viruses are detected on computers.
  • Whitelisting and blacklisting to block or allow custom hashes.
  • Using ML to detect and prevent known and unknown malware.
  • Monitoring for indicators of attack (IOAs), correlating endpoint events to surface stealthy activity that indicates an attack in progress.
  • Exploit blocking, which detects and blocks attacks that use macros, in-memory execution, and other fileless techniques.
  • Integrated threat intelligence, which enables the immediate assessment of the origins, impact, and severity of threats in the environment, and provides remediation guidance.
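To make the signature-matching and custom hash allow/block-list tasks above concrete, here is a toy scanner written for this page (not vendor code). The signature database, the hash lists, and the sample "files" are all constructed inline; it shows the usual precedence between lists and signatures, and why a file that differs by a few bytes is missed by both an exact hash and a fixed byte pattern.

```python
import hashlib
from dataclasses import dataclass

# Constructed signature database (detection name -> byte pattern); a vendor
# feed holds many thousands of these, one made-up marker is enough here.
SIGNATURES = {"Demo.Marker.A": b"DEMO-MALWARE-MARKER-0001"}


def sha256_hex(data: bytes) -> str:
    """Digest used by the custom allow/block lists; exact match by design."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    outcome: str  # "allowed", "blocked", "detected" or "clean"
    reason: str


def scan(data: bytes, allow_hashes: set, block_hashes: set) -> Verdict:
    """Precedence as in typical agents: operator allowlist, then operator
    blocklist, then the signature database; anything unmatched is 'clean'."""
    digest = sha256_hex(data)
    if digest in allow_hashes:
        return Verdict("allowed", f"hash allowlisted ({digest[:12]}...)")
    if digest in block_hashes:
        return Verdict("blocked", f"hash blocklisted ({digest[:12]}...)")
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return Verdict("detected", f"signature match: {name}")
    return Verdict("clean", "no hash or signature match")


def demo() -> dict:
    """Constructed sample 'files' (plain bytes, nothing executable)."""
    known = b"demo-header " + SIGNATURES["Demo.Marker.A"] + b" trailer"
    variant = known.replace(b"0001", b"0002")  # same file, a few bytes differ
    tool = b"in-house admin tool build 42"
    allow, block = {sha256_hex(tool)}, {sha256_hex(variant)}
    return {
        "known": scan(known, allow, block).outcome,                  # detected
        "variant_sig_only": scan(variant, allow, set()).outcome,     # clean
        "variant_blocklisted": scan(variant, allow, block).outcome,  # blocked
        "tool": scan(tool, allow, block).outcome,                    # allowed
        # an allowlisted hash wins even over a signature hit: audit that list
        "allow_overrides": scan(known, {sha256_hex(known)}, block).outcome,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The `variant_sig_only` result is the limitation the text describes: a fixed pattern or exact hash only catches what it was built from, which is why the behavior-based and ML capabilities listed above exist alongside it.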

[1] Cisco, 2023, “Advanced Malware Protection (AMP)”