Legacy Anti-Virus Not Catching Your Cold?

The problem is that traditional defense systems are not designed to catch quickly evolving malware and exploits that are seen in the wild.

By Michael Woodside, Principal Systems Engineer

“Hey Boss, John has another virus on his computer. I don’t know where he keeps getting these from, or how they keep getting past our current antivirus…”

Does this sound like your IT shop? Are you tired of chasing after the virus, always repairing the damage but never getting ahead? Don’t you wish there was something better and more efficient we could use to prevent this from happening? Well, there is, but first let’s explain some basics: how we have been identifying files, and why legacy anti-virus, which worked for so long, is no longer stopping the threats.

What Is a File Hash?

Imagine you ate a red fruit from the tree over there; it tastes sweet and delicious. Instead of describing the fruit in detail every time you discuss it, you give it a specific name such as a “Red Delicious” apple. From that moment forward you can use the name “Red Delicious” as a reference instead of the description. A file hash is the same idea for a computer. Instead of describing the contents of the 1’s and 0’s that make up the data, the computer runs the data through a mathematical function that produces a fixed-size value for that exact set of data. We call that value the file hash. But what’s the problem with using a file hash? Just like our fruit example, if you change any piece of that description it becomes a completely new item. Perhaps it’s a yellowish-green fruit now, and we call it a pear. If you change even a small part of the data, we get a new hash value.

Legacy Anti-Virus Uses the File Hash to Identify Malicious Files…

Many modern-day systems are infected by harmful software known as malware. The problem is that traditional defense systems are not designed to catch quickly evolving malware and exploits that are seen in the wild. These files may mutate many times in a short period, like a real-life virus in the doctor’s office. Doctors call each version a different strain, and the same can be said of malicious software. Every time the virus mutates, the hash changes and the file evades detection for a little while longer. One of the problems with the file hash method is that to catch a virus or malicious piece of software we must have been exposed to it before, or it will spread, just like our immune system. We are only as strong as the database of known things to which we have been exposed. Is your legacy anti-virus not living up to your expectations? Perhaps that is because legacy anti-virus defenses were not designed to stop modern-day threats.
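To make the two previous sections concrete, here is a small added example (not code from the original post or from any vendor) that hashes a constructed byte string standing in for a file, changes a single byte to produce a new “strain”, and shows that a hash blocklist which knew the original no longer matches it, even though almost none of the content changed. The sample bytes and the blocklist are constructed for the demo.

```python
import hashlib

# Constructed stand-in for a file's bytes; this is not a real program or malware sample.
ORIGINAL = b"MZ\x90\x00constructed sample file for the hash demo\n"


def file_hash(data: bytes) -> str:
    """SHA-256 hex digest: the 'name' a hash-based scanner gives to an exact set of bytes."""
    return hashlib.sha256(data).hexdigest()


def mutate(data: bytes, offset: int, new_byte: int) -> bytes:
    """Return a copy of data with one byte replaced; a trivial new 'strain' of the same file."""
    if not 0 <= offset < len(data):
        raise ValueError("offset outside data")
    return data[:offset] + bytes([new_byte & 0xFF]) + data[offset + 1:]


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 256 digest bits differ between two SHA-256 hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_blocklist_verdict(data: bytes, blocklist: set) -> bool:
    """True when the file's hash is in the known-bad database, otherwise False (file passes)."""
    return file_hash(data) in blocklist


def demo() -> dict:
    """Known-bad database holds only the original strain; then one trailing byte is changed."""
    blocklist = {file_hash(ORIGINAL)}
    strain = mutate(ORIGINAL, len(ORIGINAL) - 1, 0x00)
    return {
        "original_blocked": hash_blocklist_verdict(ORIGINAL, blocklist),  # True: seen before
        "strain_blocked": hash_blocklist_verdict(strain, blocklist),      # False: new hash
        "bytes_changed": sum(a != b for a, b in zip(ORIGINAL, strain)),   # 1
        "digest_bits_changed": differing_bits(file_hash(ORIGINAL), file_hash(strain)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Roughly half of the 256 digest bits flip for a one-byte change, which is exactly why a database of exact hashes only recognises strains it has already been shown.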

Stop Chasing the Virus…

When something new comes along that we have never seen, we have no knowledge of it and no resistance to it, so it runs uncontrolled and wreaks havoc on networks until someone can identify how to stop it. That comes with a cost, as we are then forced to repair the damage that has already been done. To some that is a small price, but imagine if you had to reload every computer in your environment from backups or from scratch because a new virus took control. What can be done to stop chasing the virus and get ahead of the curve? It’s time we start looking for the symptoms that appear before the infection.

Time to Treat the Symptoms

Now that we know why traditional legacy anti-virus isn’t effective against new viruses and malicious software, what can we do? We act as doctors and start by treating the symptoms, the identifiable behaviors of an exploitation technique. While new malicious software appears daily, most if not all of it uses the same techniques to infiltrate its targets and perform its programmed routine. Since we know these techniques, we can treat them before a full-blown infection, during the first execution phases of the software, thus stopping the malicious software from achieving its goals or spreading further.

Stopping One Symptom Can Prevent a Full-Blown Infection…

If we can stop just one of these steps, we can prevent the full execution of the software and flag that unknown file for review and diagnostics. This changes the way we identify and classify files and malicious software. Instead of needing to have seen every file in order to prevent an attack, we can focus on the underlying symptoms and methods, and the software needed to stop an infection can be smaller, more efficient and easier to manage. We no longer need a giant database of file hashes to check every file against. We can simply place stops or roadblocks at each major technique.

But What Are These Symptoms or Techniques?

The symptoms or exploitation techniques that are normally used fall into three main categories: pre-exploit techniques, kernel exploit techniques and traditional exploit techniques. There are quite a few known exploit techniques that have been used to gain control of a targeted system, and most malicious software uses around seven or eight of these known techniques to successfully gain access to its targets. These symptoms can be obvious, such as launching a new program or changing a setting on the computer, or as simple as asking “who am I?” or “what privileges do I have?”. Going back to the original question of this blog post: isn’t there something out there that is more adept at catching this new breed of malicious software? Yes, the answer is Palo Alto Traps, next-generation endpoint protection software that uses exploit prevention and zero-day threat mitigation to stop the threat and prevent a full-blown infection.
