Historically, scanners that check a computer for known viruses have proven to be the most effective and efficient defence against them. The anti-virus vendor ships updated detection data (signatures) for new viruses and malware, typically at least once a day; the update runs in the background without the user noticing.

A signature-based scanner that runs in the background (resident / on-access) checks a newly downloaded file or a newly inserted storage medium the first time it is accessed, so infection with a known virus can in principle be prevented. Known viruses are analysed by specialists and classified as harmful. The vendor therefore must not only detect many viruses but also identify them as precisely and quickly as possible, be able to undo the changes the malware made, and avoid false positives as far as possible: a false positive that quarantines a system file or a business-critical application can take a machine out of service just as surely as an infection.

Malware for which the scanner has no signature cannot be detected by signature matching alone. Protection arrives only once the vendor distributes a signature for it in an update, which is often too late. Once malware has run, cleaning it up reliably is difficult, and frequently there is no way around a fresh installation of the operating system and applications.

Protection against new, unknown malware and newer detection techniques

The number of newly discovered viruses and malware programs keeps rising; currently several thousand new samples are analysed every day in the laboratories of anti-virus vendors. At the same time, the window in which an individual sample is active and causing damage has shrunk. Detection techniques therefore have to be developed continuously to provide up-to-date protection.

Vendors rely on a range of newer techniques and keep developing them:

Heuristics: detection of files that resemble known malware according to defined rules. The more sensitive the heuristics, the more malware is detected, but the number of false positives rises as well. For that reason the technique is mainly applied in non-critical areas such as examining downloaded files.

Firewall / application control: individual programs are allowed or denied to receive data from the Internet or to send data to it.

Multiple scanning engines: some vendors combine two different scanning engines to achieve a higher detection rate.

More frequent updates: some vendors address the problem by shipping signatures more often (hourly or even more frequently). Quality sometimes suffers, however, and the number of false positives may rise.

HIPS / proactive detection: technologies that detect and block malicious activity at the moment unknown malware is executed. Ideally the results are reported back to the lab so that the malware can be detected and removed by signature after the next update. These technologies intervene deeply in the system and need more resources than products without active detection. In complex networks additional adjustments may be necessary; in any case, verify in a test environment that all applications still work correctly.

Sandbox: the file is run in a virtual, isolated environment so that its behaviour can be analysed without causing damage. This does not help if the malware delays its malicious action (for example, one minute after the file is opened) or checks whether it is running in a virtual machine and stays passive until it is on a real host.

White-listing: information is gathered about which files or programs are known to be harmless, and every unknown file or program is treated as suspicious. This is probably the safest method but also the most labour-intensive one, because every new file must first be classified as good, and there are far more good files than harmful ones.

Cloud-based detection: much of the detection happens in the vendor's data centre. Clients submit information about files, and the lab automatically classifies a file as good or bad if it is not already known, so users receive continuously updated protection against new threats. Almost all vendors now integrate and extend cloud-based detection as a supplement to local detection. Large volumes of data from many sources (big data) are used to identify new threats, and suspicious files can additionally be examined manually by IT security experts in the lab.
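The following toy scanner is an added example, not code from the page or from any vendor. It puts the signature, heuristic and white-listing approaches described above side by side on four constructed byte strings (the "files"), with constructed signature names and indicator strings, to show three points the text makes: an exact-hash signature misses a sample that differs by a single byte while a byte-pattern signature still catches it, neither catches a file the lab has never seen, and lowering the heuristic threshold catches that unknown file but also flags a harmless document.

```python
# Added example (not from the page): a toy scanner showing why a signature-only
# engine misses unknown malware, how heuristic sensitivity trades detections
# against false positives, and how an allowlist inverts the default verdict.
# All samples, signature names and indicator strings are constructed for the
# demo; none are real malware or real vendor signatures.
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" (byte strings, not real executables).
_KNOWN = (b"MZ\x90\x00"
          + b"CreateRemoteThread;WriteProcessMemory;"
          + b"\x00" * 16
          + b"http://example.invalid/payload")
SAMPLES = {
    "known.exe": _KNOWN,                    # sample already analysed by the lab
    "variant.exe": _KNOWN[:-1] + b"X",      # same file, one byte changed (repacked/mutated)
    "unknown.exe": (b"MZ\x90\x00"
                    + b"VirtualAllocEx;WriteProcessMemory;CreateRemoteThread;"
                    + b"x" * 20),           # never seen by the lab
    "report.txt": b"Quarterly report: WriteProcessMemory is discussed in the appendix.",
}

# Signature database as a vendor update might ship it (constructed names).
HASH_SIGNATURES = {sha256(_KNOWN): "Trojan.Example.A"}
PATTERN_SIGNATURES = {b"CreateRemoteThread;WriteProcessMemory;": "Trojan.Example.A.gen"}


def signature_verdict(data: bytes):
    """Exact-hash match first, then byte-pattern match; None when the file is unknown."""
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        return "hash:" + name
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return "pattern:" + name
    return None


# Heuristic rules: indicators common in injectors and droppers that also occur
# in legitimate files (documentation, debuggers, security tools).
HEURISTIC_RULES = [
    re.compile(rb"CreateRemoteThread"),
    re.compile(rb"WriteProcessMemory"),
    re.compile(rb"VirtualAllocEx"),
    re.compile(rb"https?://"),
]


def heuristic_score(data: bytes) -> int:
    """Number of distinct rules that fire; each rule counts once."""
    return sum(1 for rule in HEURISTIC_RULES if rule.search(data))


def heuristic_verdict(data: bytes, threshold: int) -> bool:
    """Lower threshold = more sensitive = more detections and more false positives."""
    return heuristic_score(data) >= threshold


# Allowlist: hashes of files already classified as good; everything else is suspicious.
ALLOWLIST = {sha256(SAMPLES["report.txt"])}


def allowlist_verdict(data: bytes) -> str:
    return "allowed" if sha256(data) in ALLOWLIST else "unknown"


def scan(data: bytes, threshold: int = 2) -> dict:
    return {
        "signature": signature_verdict(data),
        "heuristic_score": heuristic_score(data),
        "heuristic_flag": heuristic_verdict(data, threshold),
        "allowlist": allowlist_verdict(data),
    }


def scan_all(threshold: int = 2) -> dict:
    return {name: scan(data, threshold) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for threshold in (2, 1):
        print(f"--- heuristic threshold {threshold} ---")
        for name, result in scan_all(threshold).items():
            print(f"{name:12} {result}")
```

Running the block prints the verdicts for both thresholds. With threshold 2, unknown.exe is caught only by the heuristic and report.txt stays clean; with threshold 1, report.txt becomes a false positive, which is the trade-off the page describes and the reason the allowlist, where the default verdict for anything unknown is "suspicious", is safer but costs classification effort.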

Configuration of antivirus programs

To get the best protection with the least use of resources, the anti-virus system has to be tuned: the appropriate settings depend on the hardware and on the protection requirements, and you should understand what a setting does before changing it. Products designed for single users often offer little adaptability and are not suited to complex networks.

Virus protection in networks

The more complex the network, the more important a protection system tailored to its area of application. There are protection modules optimised for specific server roles (file servers, mail servers). For servers in particular, check beforehand that the system requirements are met and verify in a test environment that the software runs without errors. In large networks it is essential that updates are distributed quickly to every machine, and central administration is a core part of an IT security solution for a company network. Mobile devices should be included in it as well.

Anti-virus programs are parameterised: settings determine which files are scanned and how deep the scan goes. It is the job of IT security management to decide on the appropriate settings and to roll them out as defaults in the configuration of the individual protection modules.

It also makes sense to scan traffic at the gateway. This is not a substitute for protection on workstations, file servers and mail servers, but a useful supplement that takes load off them. For smaller networks several protection functions are often combined in one device: so-called UTM appliances bundle, for example, a firewall, an intrusion prevention system, a VPN gateway, e-mail virus protection, a spam filter and/or a web content filter.
