Is Anti-virus Reactive?

From the M86 Security Whitepaper “Real-time Code Analysis: Proactive Protection Against New and Dynamic Malware Threats”

Reactive in nature, anti-virus solutions are mainly effective against known threats and are powerless against dynamically obfuscated and zero-day attacks, which often use multiple technologies, stages and angles of attack. Hackers are also clever enough to test their malicious code against anti-virus products before releasing them to ensure the code will not be detected.

Yes, adding real-time code analysis to your malware threat detection improves your defenses. However, this characterization of anti-virus is misleading.

Anti-virus software detects only known threats. Once threats are known and signatures or patterns are developed and deployed, anti-virus software prevents these known threats. Anti-virus signature or pattern updates are developed in reaction to known threats. Anti-virus software is an efficient detective and preventative measure. Summarizing it as “reactive in nature” is misleading.

In fact, as M86 points out, malware developers “often use multiple technologies, stages and angles of attack.” One or more of these technologies often has an existing anti-virus signature or pattern. In this way, your anti-virus solution detects an attack and prevents at least part of it. Your anti-virus software acts as an Intrusion Detection System whenever it encounters malware. While it reports a specific threat, you should not consider its report to be an exhaustive description of the nature of the intrusion which has occurred. (This is also one reason why using anti-virus software to “clean” an infection should not be considered a reliable measure.)

Malware developers “test their malicious code against anti-virus products before releasing them to ensure the code will not be detected.” That is, they modify some of their code to avoid matching existing signatures and patterns. From the developer's point of view, it is not wise to modify all of the code; they retain what was working well and introduce new mechanisms which do not match any existing signatures or patterns. Fortunately, the retained code is usually detected by anti-virus software with updated signatures and patterns. You are alerted to the incident and should investigate further to learn what the anti-virus software has missed.

Unfortunately, whatever the anti-virus software has missed has done its damage. This could include information disclosure. In that respect, real-time code analysis is an improvement over signature- and pattern-based systems. Signature- and pattern-based systems, together with an incident response procedure, give you a minimal function set, which real-time code analysis improves.

See also: Can You Clean a Virus?, Basic Virus Defense, Is Anti-Virus Dead?, The Anti-Virus Guy, Anti-Virus Remains Important

See also: Active Defense from HBGary. From its description, this appears to be a post-incident, detective, reactive measure to find malware which has gone undetected. This approach, too, will not detect all payloads of malicious software (e.g., configuration changes and network tools installed for malicious purposes).
