ProCircular Information Security Experts Corner

From the Front Lines of Malware Detection

Posted by Bryan Prather-Huff on Jan 24, 2019 3:24:18 PM
Find me on:

Everyone has (or should have) an anti-virus solution. It's probably barked at you once or twice for downloading a file from a sketchy website or opening a link from an email you didn't quite recognize. But how does your anti-virus know what programs are bad, and what programs are good?

How is malware detected?

Traditional anti-virus software uses a combination of techniques to detect malware including heuristic analysis, but primarily utilizes signature based detection to identify malware. Signature based detection takes a hash of a file and compares it against a list of known malicious hashes or uses a specific series of characters or binary uniquely found in a piece of code. A cryptographic hash is a fixed length series of characters which uniquely (or nearly uniquely) identifies an input, which could be anything from the contents of an email to your kid's copy of Fortnite. Read more about Cryptographic Hash Functions on Wikipedia.

500px-Cryptographic_Hash_Function.svg

Modern anti-virus solutions also utilize techniques like behavioral analysis (what a program does when it runs) to identify malware, but still falls back on signature based analysis for routine scanning of the files on your hard drive which aren't running.

Where do the signatures come from?

When a new piece of malware is discovered by a team of security researchers, it is de-compiled and studied to identify the unique markers which anti-virus can use to identify and remove it. Security researchers might get samples of malware from incident response teams responding to malware outbreaks at organizations, by surfing the internet looking for reports of new malware, and many other discovery techniques.

Because signature based threat detection is reactive and not proactive, it's important to augment your traditional anti-virus solution with behavioral and heuristic threat detection to stay ahead of the latest and greatest in threats.

At ProCircular, our Security Operations Center utilizes our SIEM product offering to not only provide our clients with top quality monitoring and reporting to identify internal threats, but also identify issues and help them adhere to compliance.

By adding additional threat data from the AlienVault Open Threat Exchange (OTX) and utilizing top of the line Network Intrusion Detection monitoring with Proofpoint Emerging Threats (ET PRO) signatures, we are able to identify new and emerging threats in our client's environments based on patterns and hashes seen on the wire. This allows us to provide the fastest response and remediation to new threats not yet recognized by traditional anti-virus and also contribute to the growing community of threat data services.

By leveraging analytics and advanced detection tools, ProCircular helps your company stay ahead of the wild west of cyber threats before your anti-virus takes notice of the issue!

Interested in learning more about SIEM and whether it's the right fit for you?

Contact ProCircular

Topics: Cybersecurity, Information Security, Incident Rsponse, security incident handling, security incident response, cybersecurity plan, SIEM

ProCircular is a Full-Service Information Security Firm

We are passionate about helping businesses navigate the complex world of information security, and our blog is another great source of inforamtion. We can assist you no matter where you are in your security maturity journey:

  • Breached or hit with ransomware?
  • Don't know where to start? 
  • Looking to confirm your security with a third party?

Secure your future with ProCircular.

Recent Posts

Subscribe to Email Updates