What could the next generation of antimalware give us?
In my three-plus years of experience in cyber operations I have come across a lot of malware, and a lot of different views of the same infected file. There are times when malware runs on a system as if it were benign, without the installed AV agent detecting it. There are two possible reasons behind this:
a. The agent has not yet been updated with the latest signatures.
b. The AV vendor does not yet have the file's hash or signature registered in its database.
On (a), there are instances where users forget or ignore updating the AV to its latest signatures. In my view the AV must automatically download signatures without needing the user's consent and without interrupting what the user is doing.
On (b), different AV engines take different views in their signature-based detection. One file could be flagged by one engine as suspicious while another engine validates the same file as safe. There is no uniformity of detection, which leaves the host insecure.
Malware is so smart that it can evade detection and steal information from your system without you even noticing. I have read a book by Koret and Bachaalany entitled The Antivirus Hacker's Handbook. I would recommend that book for beginners, for enthusiasts who want to know how an antivirus works and get ideas on how to evade it. That book inspired me to create my own prototype. It lays out clearly how AV has evolved over the last couple of decades.

One major driver of that evolution is the push and pull between malware and anti-malware, both with one big motivation: money. Malware is a creation for automated money-making; it may be the first automated device for a silent kind of robbery. Authors are highly motivated to create millions of these. A company or organization may invest a lot of money in such software. Spying on government agencies, networks, corporations and citizens, or even causing factory explosions, to name a few, are the reasons for a new kind of global warfare known as cyberwar.
Antivirus companies today are working themselves to exhaustion to battle the malware makers, shipping anti-malware updates and patching their software as often as an eye blinks. But what is their basis? How do they battle these things? Let's look at what a modern AV can do:
1. Check applications for known suspicious patterns and bad behavior.
2. Check for suspicious network behavior based on network packets.
3. Check the user's browsing activity against known malicious web components.
4. Connect the dots between known vulnerabilities and similarities to what has been identified before.
But still, AV operates on, and bases its detections on, what has been dealt with and known before. What about the 'unknowns', the zero-days? New detection, patch, update has always been the cycle, a never-ending cycle I have dubbed the 'malware-antimalware push and pull'. There could be malware lying in big corporations, banks and factories that their antimalware has not detected. It could have been stealing information for a long time already, without anyone's knowledge. They think they are secure, but in reality they are not.
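To make reasons (a) and (b) above and the 'unknowns' concrete, here is an added Python example. It is not code from the original post and not how any real vendor's engine is built: it models two hypothetical engines over constructed samples, where "vendor A" matches exact SHA-256 hashes and "vendor B" matches YARA-style byte patterns. The samples, hashes, patterns and vendor names are all invented for the demo. It shows a stale agent missing a known sample (reason a), two engines disagreeing about a repacked copy (reason b), an encoded copy that neither static engine catches (the unknown), and what pooling the vendors' hash lists buys.

```python
import hashlib
import re


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes: the simplest 'signature' an AV can ship."""
    return hashlib.sha256(data).hexdigest()


# --- Constructed samples (toy byte strings, not real malware) ----------------
# A fake executable: a header, then strings a dropper typically contains.
KNOWN_SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"CreateRemoteThread;WriteProcessMemory;"
    + b"http://c2.example.invalid/beacon"
)
# The same payload with one trailing byte appended: same behaviour, new hash.
REPACKED_SAMPLE = KNOWN_SAMPLE + b"\x00"
# The same payload with its strings XOR-encoded: the 'unknown' the post worries about.
ENCODED_SAMPLE = b"MZ" + bytes(b ^ 0x5A for b in KNOWN_SAMPLE[2:])

# --- Two hypothetical engines (assumed for the demo) --------------------------
# Vendor A ships exact-hash signatures for samples it has already analysed.
VENDOR_A_HASHES = {sha256(KNOWN_SAMPLE)}
# Vendor B ships YARA-style byte patterns: an injection API pair and a beacon URL.
VENDOR_B_PATTERNS = [
    re.compile(rb"CreateRemoteThread.*WriteProcessMemory", re.S),
    re.compile(rb"https?://[^\s/]+/beacon"),
]


def hash_verdict(data: bytes, hashes: set) -> str:
    """Exact-hash lookup: only ever catches a byte-for-byte copy of a known file."""
    return "malicious" if sha256(data) in hashes else "clean"


def pattern_verdict(data: bytes, patterns) -> str:
    """Pattern match: survives trivial repacking, but not encoded or encrypted strings."""
    return "malicious" if any(p.search(data) for p in patterns) else "clean"


def scan(data: bytes, hashes=VENDOR_A_HASHES, patterns=VENDOR_B_PATTERNS) -> dict:
    """Run both engines over one file and return their (possibly disagreeing) verdicts."""
    return {
        "vendor_a": hash_verdict(data, hashes),
        "vendor_b": pattern_verdict(data, patterns),
    }


def unified_repository(*vendor_hash_sets: set) -> set:
    """The post's 'unified global repository': the union of every vendor's hash list."""
    return set().union(*vendor_hash_sets)


if __name__ == "__main__":
    # Reason (a): an agent whose signature set is stale misses even a known sample.
    print("stale agent      :", hash_verdict(KNOWN_SAMPLE, set()))
    # Reason (b): engines disagree. One appended byte beats the hash but not the pattern.
    print("known sample     :", scan(KNOWN_SAMPLE))
    print("repacked sample  :", scan(REPACKED_SAMPLE))
    # The true unknown: encoded strings beat both static engines.
    print("encoded sample   :", scan(ENCODED_SAMPLE))
    # Pooling hashes: once any vendor has seen the repacked file, every hash scanner catches it.
    vendor_c = {sha256(REPACKED_SAMPLE)}
    pooled = unified_repository(VENDOR_A_HASHES, vendor_c)
    print("repacked vs pooled repo:", hash_verdict(REPACKED_SAMPLE, pooled))
    print("encoded  vs pooled repo:", hash_verdict(ENCODED_SAMPLE, pooled))
```

Run it directly to print the verdicts. The pooled-repository step also shows the limit of a shared signature list: it only catches files that some vendor has already seen, so the encoded sample still passes every engine, which is exactly the gap this post is asking about.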
Despite market competition, global AV companies must unite to battle the unseen. They should maintain a unified repository of malware signatures, so that what has already been detected is eliminated everywhere and they can focus on what is to come. Why can't we have an AV that scans and protects our systems based on a unified global repository of malware signatures? Would it be more reliable? Would our systems be safer? Would our data be more secure? Could an AI AV help us?