Where to detect malware
Most people in the industry are used to believing that anti-malware must run directly on endpoint devices. Compliance requirements force many enterprises into this deployment model, that is, running anti-malware on every Windows device. As Mac and Linux move into enterprise desktops and data centers at an accelerating pace, anti-malware also needs to cover malware detection on those platforms. Keep in mind, though, that the underlying architecture of Mac OS X and Linux resists malware better than Windows XP did.
The emergence of virtualization complicates the choice of anti-malware technology. If every guest on a virtualization host runs its own anti-malware agent, the same scanning code runs over and over on the same hardware, which defeats the purpose of virtualization. Anti-malware vendors therefore now optimize their engines to run in a single guest (or within the hypervisor) and coordinate with the virtualized environment so that VM resources are not wasted on duplicate scans.
Returning to the idea of stopping malicious files as close to the perimeter as possible: anti-malware should be deployed near the entry point, at the enterprise perimeter or in a cloud service. The most convenient place to check for malware is a web or email security gateway, or the equivalent cloud service. Because email and the web remain the main attack vectors, this is usually the first deployment location.
There is also a newer class of device, which we have always called network-based malware detection. It inspects all incoming network traffic and analyzes the files entering the network; like the endpoint deployment described above, it ensures that files exhibiting attack characteristics never reach the user.
Remediation
What should you do when you find a malicious file? At that point you need to bring in the other systems and controls you have deployed, so the anti-malware technology you choose must interoperate with them: your network devices need to block or isolate devices that may be infected, and alerts need to flow to the management console, the anti-malware management system, the SIEM/log management product, or the help desk system so that the repair process can start.
Even with your best detection effort you will sometimes be infected, and the best anti-malware technology can usually clean the device: in the console, a single click repairs it. As malware becomes more complex and more aggressive, however, cleanup becomes a losing battle. Attackers try to leave behind a residual component that guarantees re-infection, so a single cleanup is rarely enough; enterprises can and should run cleanup repeatedly.
For that reason we recommend re-imaging the infected device. This usually costs some data and inconveniences the user, but given the high risk of re-infection we believe that being certain the malware is gone matters more.
To select the best anti-malware, you must understand the threats, how they are detected, and how the products in question remediate infections. Anti-malware is no longer simple signature matching; it now layers many detection techniques to decide whether a program is malicious and whether it may execute on the device. Before we discuss the main considerations for choosing anti-malware, let's look at the tactics malware writers use, because those tactics are what make detection so challenging.
Anti-virus (AV) technology comes from a very simple idea: if code is known to be bad, stop it. Anti-virus vendors therefore carry a large list of "bad things" and compare every file that enters the device against that list. The attacker's countermeasure is to alter each malicious file slightly, so that every copy is very close to, but not identical with, a known bad file. This is a cheap way to avoid detection, and it forces vendors to push millions of new signatures to every device. Obviously that strategy and business model cannot scale.
The industry then tried a positive security model: a whitelist of authorized software programs. If software is not authorized, it cannot run. This does stop malware (it can never appear on the whitelist), but it seriously hurts usability. Users load new software frequently, and they are annoyed whenever something they want to use is not on the whitelist.
The blacklist model cannot scale and users will not accept the whitelist model, so the industry had to go back to first principles and rethink how malware works in order to find the best way to detect it.
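To make the two models concrete, here is an added example (not code from the original article or from any vendor): a hash blacklist, a hash whitelist and a byte-pattern signature run over constructed sample "files". The sample bytes, the `c2.example.invalid` pattern and the `repack` mutation are assumptions for illustration. It shows a few appended bytes defeating the hash blacklist, the whitelist blocking a harmless new tool, and a content signature still catching the variant; the attacker's answer to content signatures is to obfuscate the content as well, which is where the article heads next.

```python
import hashlib

# Constructed sample "executables": byte strings standing in for real files.
KNOWN_MALWARE = b"MZ\x90\x00PE\x00\x00 beacon to c2.example.invalid; steal creds"
KNOWN_EDITOR = b"MZ\x90\x00PE\x00\x00 text editor v1.0"
NEW_TOOL = b"MZ\x90\x00PE\x00\x00 internal reporting tool v0.1"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Negative model: hashes of known-bad files (the simplest kind of signature).
BLACKLIST = {sha256(KNOWN_MALWARE)}
# Positive model: hashes of authorized files.
ALLOWLIST = {sha256(KNOWN_EDITOR)}
# Content signature: a byte pattern lifted from the known sample (assumed).
PATTERNS = [b"c2.example.invalid"]


def blacklist_verdict(data: bytes) -> str:
    """Block only if the exact hash is known bad; everything else runs."""
    return "block" if sha256(data) in BLACKLIST else "allow"


def allowlist_verdict(data: bytes) -> str:
    """Run only if the exact hash is authorized; everything else is blocked."""
    return "allow" if sha256(data) in ALLOWLIST else "block"


def pattern_verdict(data: bytes) -> str:
    """Block if any known byte pattern appears anywhere in the file."""
    return "block" if any(p in data for p in PATTERNS) else "allow"


def repack(data: bytes, tag: bytes) -> bytes:
    """Attacker's cheap countermeasure: append junk to the file.
    The hash changes, the behaviour does not."""
    return data + b"\x00" + tag


# A "new" variant: same malware, different hash.
VARIANT = repack(KNOWN_MALWARE, b"build-0042")


def compare_models() -> dict:
    """Run all three checks over the samples; returns {name: (black, allow, pattern)}."""
    samples = {
        "known malware": KNOWN_MALWARE,
        "repacked variant": VARIANT,
        "known editor": KNOWN_EDITOR,
        "new benign tool": NEW_TOOL,
    }
    return {
        name: (blacklist_verdict(d), allowlist_verdict(d), pattern_verdict(d))
        for name, d in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':18} {'blacklist':10} {'allowlist':10} {'pattern':10}")
    for name, (b, a, p) in compare_models().items():
        print(f"{name:18} {b:10} {a:10} {p:10}")
```

The table the script prints is the whole argument in miniature: the hash blacklist lets the repacked variant through, the allowlist stops the variant but also stops the new benign tool, and only the content signature gets all four right, until the attacker encodes the C2 string.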
Basic elements of malware
The basic element of all malware is a file that gets executed and then does something bad. Anti-malware exists to detect such files before they do anything bad. Because malware writers can obfuscate bad files, defenders can no longer trust what a file looks like; they must instead evaluate what each file does.
Searching for known malicious files is still useful, but the full list cannot be pushed to every device, so anti-malware vendors use the cloud to record hashes of billions of files. The agent on each device looks up a file's "reputation" to learn 1) whether the file has been seen before and 2) whether it is malicious.
Known malicious files are blocked and known legitimate files are allowed to execute. What about a file nobody has seen before? This is where next-generation anti-malware comes in. The agent sends the unknown file to the service for analysis; the service runs it in an isolated environment to look for malicious behaviour and then sends a "verdict" back to the device to allow or block the file.
Obviously this process introduces some latency. Until the verdict arrives, you must decide whether to let the unknown file through (accepting the risk) or to quarantine it. No cloud-based anti-malware technology can block today's attacks
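The reputation lookup, sandbox escalation and pending-verdict policy described above, together with the alert hand-off to the SIEM or console from the remediation section, as one added example (not code from the original article or from any vendor). The `Cloud` and `Sandbox` classes are in-memory stand-ins for a vendor's reputation service and isolated analysis service; the sample files, the behaviour markers the stand-in sandbox looks for, the two-poll delay and the alert field names are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample "files". A real agent hashes real executables; these byte
# strings stand in for them, and the markers in them drive the sandbox stand-in.
KNOWN_GOOD = b"MZ\x90\x00PE\x00\x00 productivity app v3.2"
KNOWN_BAD = b"MZ\x90\x00PE\x00\x00 dropper: persist via Run key; beacon c2.example.invalid"
FRESH_BAD = b"MZ\x90\x00PE\x00\x00 dropper build 77: persist via Run key; beacon c2.example.invalid"
FRESH_GOOD = b"MZ\x90\x00PE\x00\x00 internal reporting tool v0.1"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Sandbox:
    """Stand-in for the isolated analysis service. A real sandbox detonates the
    file; this one checks for assumed behaviour markers and withholds its verdict
    for POLLS_UNTIL_READY polls to model analysis latency."""

    POLLS_UNTIL_READY = 2

    def __init__(self) -> None:
        self._jobs = {}  # ticket -> [polls so far, file bytes]

    def submit(self, file_hash: str, data: bytes) -> str:
        self._jobs.setdefault(file_hash, [0, data])
        return file_hash  # the hash doubles as the job ticket

    def poll(self, ticket: str) -> Optional[str]:
        job = self._jobs[ticket]
        job[0] += 1
        if job[0] < self.POLLS_UNTIL_READY:
            return None  # still analysing
        data = job[1]
        return "bad" if (b"Run key" in data or b"c2." in data) else "good"


class Cloud:
    """Shared reputation database (hash -> verdict) plus the sandbox."""

    def __init__(self) -> None:
        self.reputation = {sha256(KNOWN_GOOD): "good", sha256(KNOWN_BAD): "bad"}
        self.sandbox = Sandbox()


@dataclass
class Decision:
    action: str            # allow | block | quarantine
    reason: str
    alert: Optional[dict]  # event to forward to the SIEM / console, or None


class Agent:
    """Endpoint agent: look up reputation, escalate unknowns to the sandbox,
    and apply the site policy while a verdict is still pending."""

    def __init__(self, cloud: Cloud, device: str, quarantine_unknown: bool = True) -> None:
        self.cloud = cloud
        self.device = device
        self.quarantine_unknown = quarantine_unknown

    def _alert(self, file_hash: str, action: str, reason: str) -> dict:
        # Assumed event shape; map it to your SIEM's schema (CEF, JSON, ...).
        return {"event": "malware", "device": self.device,
                "sha256": file_hash, "action": action, "reason": reason}

    def check(self, data: bytes) -> Decision:
        h = sha256(data)
        verdict = self.cloud.reputation.get(h)
        if verdict is None:
            ticket = self.cloud.sandbox.submit(h, data)
            verdict = self.cloud.sandbox.poll(ticket)
            if verdict is None:
                if self.quarantine_unknown:
                    return Decision("quarantine", "verdict pending",
                                    self._alert(h, "quarantine", "verdict pending"))
                return Decision("allow", "verdict pending (accepted risk)", None)
            # Cache the verdict: every agent gets an instant answer next time.
            self.cloud.reputation[h] = verdict
        if verdict == "bad":
            return Decision("block", "reputation bad", self._alert(h, "block", "reputation bad"))
        return Decision("allow", "reputation good", None)


if __name__ == "__main__":
    agent = Agent(Cloud(), "ws-01")
    for name, sample in [("known bad", KNOWN_BAD), ("fresh bad", FRESH_BAD),
                         ("fresh bad again", FRESH_BAD), ("fresh good", FRESH_GOOD),
                         ("fresh good again", FRESH_GOOD)]:
        d = agent.check(sample)
        print(f"{name:17} -> {d.action:10} ({d.reason})")
```

The two policies differ only in what happens on the first sighting of an unknown file: with `quarantine_unknown=True` the file is held and an alert goes to the SIEM immediately; with it off the file runs before anyone knows what it is, which is exactly the risk window the paragraph above describes.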