What is anti-malware software and how does it work?

Cybercriminals are using the most advanced technologies to gain access to your system(s) and steal your sensitive and private data for financial gain. To keep up, cybersecurity vendors are working hard to incorporate these same technologies to stop these modern-day attacks. Whether you are a consumer or business, this article will help you better understand what malware is and what you can do to stop these continued attacks.

Shorthand for malicious software, malware is an application written with the intent to cause damage to systems, steal data, gain unauthorized access to a network, or wreak havoc. Malware infection is the most common cyberthreat that an individual or organization can face. It is often used to steal data for financial purposes but can also be applied as a weapon in state-orchestrated attacks, as a form of protest by hacktivists, or to test the security posture of a system. Malware is a collective term and refers to several malicious software variants, such as trojans, worms, and ransomware. 

There is a variety of malware types, including viruses, trojans, ransomware, key loggers, and worms.

A computer virus is malicious code that attaches itself to clean files, replicates, and tries to infect other clean files. Viruses must be executed to run by an unsuspecting user performing an action such as opening an infected email attachment, running an infected executable file, visiting an infected website, or clicking on an infected website ad. Computer viruses are rare today, representing less than 10% of all malware.

Trojans are named after the story of the Trojan War, where the Greeks hid inside a wooden horse to infiltrate the city of Troy. Trojan horses (or simply Trojans) disguise themselves as a legitimate application or just hide within one. This type of malware acts discretely, opening security backdoors to give attackers or other malware variants easy access to the system.

Ransomware is one of the most dangerous types of malware today and demands special attention. Originally, ransomware was designed to take control of a system, locking users out until they paid the cybercriminal a ransom to restore access. Modern variants of ransomware usually encrypt the user’s data and may even exfiltrate data off the system to dramatically increase the attackers’ leverage over their victims. 

Backdoors are a stealthy method of bypassing normal authentication or encryption on a system. They are used for securing remote access to a system, or for obtaining access to privileged information to corrupt or steal it. Backdoors may take many forms: as a standalone program, as a hidden part of another program, as code in the firmware, or as part of the operating system. While some backdoors are secretly installed for malicious purposes, there are deliberate, widely known backdoors that have legitimate uses, such as providing a way for service providers to restore user passwords.

Worms get their name from the way they infect systems. Unlike viruses, they do not need a host file or application. Instead, they simply infect a system and then self-replicate across other systems through the network, using each consecutive infection to spread further. Worms reside in memory and can replicate hundreds of times, consuming network bandwidth.

Keyloggers record a user’s computer activities – keystrokes, visited websites, search history, email activity, chat and messaging communications, and system credentials such as logins and passwords – with the objective to steal a user’s personal or sensitive information.   

Every day, the AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA).

Many malware attacks can have a combination of functions of ransomware and worms that can come in the form of a trojan. Furthermore, malware can consist of hundreds to thousands of modified samples. For example, WannaCry is an example of ransomware that contained both a virus and a trojan. As of last count, there were many samples of WannaCry as the program was modified. As of 2017, there were 386 WannaCry ransomware samples in the wild and we can expect there to be thousands of more samples as of this writing.

Starting around 40 years ago, anti-malware software worked by using simple signatures in conjunction with a database that contained footprints of known malware. When the anti-malware scanned a computer, it searched for these footprints. If malware is detected, the software either deleted or quarantined it. 

While signature-based anti-malware is still used today, cybercriminals can avoid this approach by changing something in the code so the signature will not work. This is when heuristics started to appear. Heuristics detection is based on what a program does and if the program “misbehaves,” it is flagged as malware. This approach has now evolved into behavioral heuristics where rules track the programs’ behaviors. For example, most legitimate software is not intended to inject itself into systems processes but if it does, it is flagged as malware.

Today, most anti-malware software employs signature detection, behavioral heuristics analysis, and an Artificial Intelligence (AI)/Machine Learning (ML)-based approach. An ML approach is like heuristics analysis except that the ML algorithm not only analyzes what the program/file does, but also analyzes what it looks like. To do this, it can use behavioral heuristics fed into the model and/or it can create and continuously improve its own behavioral algorithms through continuous training. ML-based systems automate a lot of the detection with minimal analyst intervention or direct input.

The marketplace offers all three types of approaches separately or combined but the ideal solution should have a combination of all three. There is never a guarantee that one type will stop all malware.

There are also other technologies that can detect malware. For example, sandboxing takes a process, puts it into a sandbox (virtual machine (VM)) and makes the malware think it is executing in a real environment. Over time, the software can watch the behavior to detect malware. Unfortunately, this can be a slow process as some malware does not immediately execute.  

The top-line benefit of anti-malware software is to secure sensitive and personal data and keep a user’s systems, applications, and data protected. More specifically, anti-malware software can protect a user from:

• Malware, phishing, and ransomware attacks
• Drive-by downloads that happen when a user visits a malicious webpage
• Advanced persistent threats (APT) that are intended to establish an illicit, long-term presence in a network to collect sensitive data or compromise an organization’s operability
• Exploits that utilize zero-day vulnerabilities
• Data leakage, whether deliberate or due to negligence or mistakes in data handling

Acronis offers more than an anti-malware solution because it combines data protection, backup, and anti-malware in a single solution.

Acronis True Image is an easy-to-install and manage, efficient, and secure solution that offers individuals the best personal cyber protection available on the market today. With Acronis True Image, you can

• Create full-image backups in two clicks.
• Replicate local backups to the Acronis Cloud.
• Safeguard your data, applications, and devices – including your mobile devices – against the latest malware, including zero-day ransomware and cryptojacking attacks.

What makes Acronis True Image different is that is the only personal cyber protection solution that delivers a unique, integrated combination of proven backup technology and antimalware protection that stops even the latest threats. This means you no longer need to purchase a backup solution from one vendor and an anti-virus solution from another. Instead, consider Acronis True Image and get the full system and data protection you need with one integrated solution.  

Acronis developed Acronis Cyber Protect to suit the needs of businesses operating in the post-pandemic reality. By providing a unique integration of data protection and next-generation cybersecurity capabilities, Acronis Cyber Protect delivers improved security, lowers costs, and improve efficiencies. The automation and streamlined management empower any business – large or small – to decrease their risk, avoid downtime, and increase their IT team’s productivity.

Acronis Cyber Protect protects endpoints, systems, and data and, among other features, includes AI-based behavioral detection that stops zero-day attacks, URL filtering, vulnerability assessments, videoconference protection, and automated patch management to ensure your business can recover your data and systems in the shortest time possible.