8 Types of Cyber Threats That Evade Traditional Antivirus
The first documented computer virus was Creeper, developed in 1971. Created in an academic setting, the virus was built to demonstrate a file’s ability to transfer across a network. It took six months before computer programmers wrote a successful antivirus program called Reaper. This was the first documented lag between threat and defense. Ever since, security professionals and computer programmers have been playing catch-up.
As an industry, we detect threats, update our defenses, then repeat as necessary. Many traditional antivirus (AV) programs operate on signatures. As malicious software is discovered, a signature describing the file is generated, added to a database, then the database gets pushed out to the customer base. If the antivirus discovers a file on your machine that matches a signature, that file gets quarantined and/or removed. However, this approach has its limitations.
Limitations of Traditional Antivirus
By December 2018, malware was being discovered at an alarming rate of 350,000 new threats per day. With that number continuing to rise, signature-based AV solutions can have a hard time keeping up with this volume, often leaving devices vulnerable. Furthermore, many modern cyber threats are designed to evade traditional antivirus solutions. Here are eight types of cyber threats that can evade traditional antivirus, along with examples of each:
1. Advanced persistent threats (APTs)
APTs are sophisticated and targeted attacks that can bypass traditional antivirus programs. They are often launched by nation-states, cybercriminals, or other advanced actors with the goal of stealing sensitive information or disrupting operations. APTs can remain undetected for months or even years, making them particularly dangerous. An example of an APT is the 2017 NotPetya attack, which caused widespread damage to businesses and infrastructure around the world.
2. Zero-day attacks
Zero-day attacks exploit unknown vulnerabilities in software and can occur before a patch or update is available to fix the vulnerability. Because traditional antivirus relies on known signatures to detect malware, zero-day attacks can easily slip past these defenses. An example of a zero-day attack is the WannaCry ransomware attack that affected hundreds of thousands of computers worldwide in 2017.
3. Polymorphic malware
Polymorphic malware is designed to change its code or signature with each infection, making it difficult for traditional antivirus to keep up. By constantly changing its appearance, this type of malware can evade detection and continue to infect systems. An example of polymorphic malware is the Emotet Trojan, which has been active since 2014 and continues to evolve and evade traditional antivirus programs.
4. Weaponized documents
Attackers often use weaponized documents to exploit flaws in different document formats, which can compromise a system. These documents typically use embedded scripts that are obfuscated to make them appear harmless to traditional antivirus. Once launched, the attack runs in the background without the user's knowledge. An example of weaponized documents is the TrickBot malware, which spreads through phishing emails that contain malicious Microsoft Word documents.
5. Browser drive-by downloads
Drive-by downloads are files downloaded to the endpoint using vulnerabilities in the browser or a browser add-in. The download could come from a legitimate website with a compromised script or ad service, or it could be a malicious website specifically set up to initiate the download. These attacks start with email or social phishing, email attachments, or well-disguised pop-up links to lure users to a website. An example of a browser drive-by download is the Magniber ransomware, which infects victims through malicious advertisements on legitimate websites.
6. Fileless attacks
Fileless attacks occur without installing an actual payload on a system, making them extremely difficult for traditional antivirus to detect. They’re typically executed in the endpoint’s memory, and use built-in system resources to infect machines. An example of a fileless attack is the PowerShell Empire toolkit, which is used by attackers to run malicious code in the memory of a targeted machine.
7. Obfuscated malware
Obfuscated malware is designed to evade detection by disguising its malicious code. It uses techniques like packing and encryption to conceal itself from traditional antivirus programs. By the time it reaches the endpoint, the malware has been "unpacked" and decrypted, ready to do its damage. An example of obfuscated malware is the Locky ransomware, which uses a complex encryption technique to hide its malicious code from traditional antivirus programs.
8. Ransomware
Ransomware is a type of malware that encrypts data on a victim's system, then demands a ransom payment in exchange for the decryption key. Traditional antivirus may be able to detect some types of ransomware, but sophisticated variants can easily evade these defenses. An example of ransomware is the Ryuk ransomware, which has been used in numerous attacks against organizations worldwide and can evade traditional antivirus by using obfuscation techniques to hide its presence and behavior.
The Role of Endpoint Detection and Response
To address the limitations of traditional antivirus, Endpoint Detection and Response (EDR) solutions have emerged. EDR solutions use machine learning algorithms and behavior-based analysis to detect threats in real time. They monitor all activity on endpoints, identifying and responding to threats as they occur, rather than relying on a database of known signatures.
EDR solutions are particularly effective at detecting the eight cyber threats mentioned above, which can evade traditional AV solutions. By detecting threats in real time, EDR solutions can help prevent infections before they cause damage.
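The contrast drawn above between a signature lookup and behavior-based rules, shown as an added example (not Enterprotect or SentinelOne code). The signature database, the two detection rules (an Office application spawning a script host or a binary from a temp folder, and PowerShell launched with an encoded command, as in the weaponized-document and fileless cases above) and the Sysmon-style process-creation events are all constructed for illustration:

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed "signature database": SHA-256 of known-bad file contents.
KNOWN_BAD = {hashlib.sha256(b"DROPPER_V1").hexdigest()}

# Behavior rules of the kind an EDR applies to process-creation telemetry.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
ENCODED_FLAG = re.compile(r"\s-(e|enc|encodedcommand)\s", re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str         # full path of the process that started
    parent_image: str  # process that spawned it
    command_line: str
    file_bytes: bytes  # on-disk contents of image (constructed), used for hashing

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def signature_verdict(ev):
    """Traditional AV: alert only if the file's hash is already in the database."""
    return hashlib.sha256(ev.file_bytes).hexdigest() in KNOWN_BAD

def behaviour_verdict(ev):
    """EDR-style rules: judge what the process does, not what it hashes to."""
    child, parent = basename(ev.image), basename(ev.parent_image)
    reasons = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")  # weaponized document
    if parent in OFFICE_APPS and "\\appdata\\local\\temp\\" in ev.image.lower():
        reasons.append("office-app-spawned-temp-binary")  # dropped payload
    if child == "powershell.exe" and ENCODED_FLAG.search(ev.command_line):
        reasons.append("encoded-powershell")  # fileless, in-memory execution
    return reasons

def classify(ev):
    return {"signature": signature_verdict(ev), "behaviour": behaviour_verdict(ev)}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLES = {  # constructed sample telemetry, not real events
    # Known dropper: the signature database does its job.
    "known": ProcessEvent(r"C:\Users\alice\Downloads\dropper.exe", r"C:\Windows\explorer.exe",
                          "dropper.exe", b"DROPPER_V1"),
    # Same dropper repacked (hash changed, signature misses) and launched by a Word document.
    "repacked": ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\invoice.exe", WORD,
                             "invoice.exe", b"DROPPER_V1" + b"\x90" * 8),
    # Fileless: the only file on disk is the legitimate PowerShell host.
    "fileless": ProcessEvent(PS, WORD, "powershell.exe -nop -w hidden -enc QQBCAEMA", b"LEGIT_PS"),
    # Benign administrative use of the same binary.
    "benign": ProcessEvent(PS, r"C:\Windows\explorer.exe", "powershell.exe -File backup.ps1", b"LEGIT_PS"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, classify(ev))
```

Only the first sample is caught by the hash lookup; the repacked and fileless samples are caught solely by the behavior rules, and the benign PowerShell run triggers neither.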
Conclusion
The rise of new and advanced cyber threats highlights the need for organizations to adopt a layered security approach to protect their endpoints. Traditional antivirus solutions can no longer provide the level of protection required to safeguard against modern threats. Organizations need to look beyond signature-based detection and consider Endpoint Detection and Response (EDR) solutions to better protect their endpoints.
To protect against modern threats, organizations should take a layered security approach. By overlapping multiple security controls, you can mitigate the risk of falling victim. Enterprotect 360 is a layered cybersecurity platform that brings together 11 layers of protection including industry-leading Endpoint Detection and Response (EDR) capabilities powered by SentinelOne.
With the right security measures in place, organizations can defend against modern cyber threats and keep their data and systems safe from harm.
Frequently Asked Questions
- Traditional antivirus is unable to detect certain cyber threats because it relies on signature-based detection, which involves comparing a file against a known entry in a database of known threats. If the threat is new or has not yet been identified, traditional antivirus may not be able to detect it. Additionally, cybercriminals are constantly evolving their techniques to evade traditional antivirus, such as using obfuscated malware or fileless attacks.
- Cyber threats evolve to evade traditional antivirus by using techniques such as obfuscation, encryption, and fileless attacks. Obfuscation involves altering the code of a malware program to make it difficult for traditional antivirus to detect. Encryption involves encrypting the malware code to make it difficult to analyze. Fileless attacks avoid detection by running malicious code in a computer's memory rather than on the hard drive, which traditional antivirus is not designed to detect.
- Traditional antivirus can struggle to keep up with the volume of new malware being created. With over 350,000 new malware variants being created each day, traditional antivirus relying on signature-based detection can have a hard time keeping up with this volume, often leaving devices vulnerable.
- To determine if your traditional antivirus is working effectively, you can run regular scans and monitor your device for any unusual behavior or alerts from your antivirus software. It is also recommended to keep your antivirus software up to date with the latest virus definitions and software updates.
- The limitations of signature-based detection used in traditional antivirus include the need for frequent updates to virus definitions, the inability to detect new or unknown threats, and the evasion techniques used by cybercriminals to avoid detection.
- Traditional antivirus software can have vulnerabilities or weaknesses that can be exploited by cybercriminals. For example, if the software is not kept up to date with the latest software updates, it can be vulnerable to attacks that exploit known vulnerabilities.
- Traditional antivirus is often unable to protect against fileless attacks. Fileless attacks occur without installing an actual payload on a system, making them extremely difficult for antivirus to detect. They are typically executed in the endpoint's memory and use built-in system resources to infect machines.
- Traditional antivirus is often unable to protect against zero-day attacks. Zero-day attacks are attacks that exploit vulnerabilities in software that are not yet known to the software vendor. Traditional antivirus relies on signature-based detection and is therefore unable to detect unknown or new threats.
- Traditional antivirus can be effective against some forms of ransomware, but it depends on the type of ransomware and the specific antivirus software being used. Some forms of ransomware are designed to evade traditional antivirus, such as fileless ransomware or ransomware that uses encryption to avoid detection.
- Organizations should consider implementing supplementary security solutions in addition to traditional antivirus, such as Endpoint Detection and Response (EDR) or network security solutions. EDR can provide additional layers of protection by detecting and responding to threats in real time, rather than relying solely on signature-based detection.
- Traditional antivirus is a type of cybersecurity software designed to detect and block known malware threats. It works by scanning files on a device for signatures or patterns that match known malware threats. If a match is found, the antivirus software will quarantine or remove the threat. Traditional antivirus relies on signature-based detection, which means it can only detect known threats and is ineffective against new or unknown threats.
- Traditional antivirus is effective at detecting and blocking known malware threats. However, it is limited in its ability to detect and block new or unknown threats. Cybercriminals are constantly developing new techniques and methods to evade traditional antivirus, making it less effective against advanced and persistent threats.
- The limitations of traditional antivirus include its reliance on signature-based detection, which means it can only detect known threats, and its inability to detect new or unknown threats. Traditional antivirus is also limited in its ability to detect and respond to advanced and persistent threats that can evade detection.
- No, traditional antivirus cannot protect against all types of cyber threats. It is primarily designed to detect and block known malware threats and is limited in its ability to detect and respond to advanced and persistent threats that can bypass traditional antivirus.
- Examples of cyber threats that can bypass traditional antivirus include polymorphic malware, obfuscated malware, fileless attacks, browser drive-by downloads, APTs, zero-day attacks, ransomware, and other advanced and persistent threats.
- Cybercriminals evolve their techniques to evade traditional antivirus by using tactics such as polymorphism, obfuscation, encryption, and other evasion techniques. They may also use social engineering tactics to trick users into downloading and installing malware, or exploit vulnerabilities in software and operating systems to gain access to devices and networks.
- Traditional antivirus can struggle to keep up with the pace of new malware and threats being created. With the volume of new malware being discovered every day, signature-based antivirus solutions can have a hard time keeping their databases up to date with the latest threats.
- The main difference between traditional antivirus and EDR is that EDR provides advanced threat detection capabilities beyond what is available in traditional antivirus. EDR solutions use behavioral analysis, machine learning, and artificial intelligence to detect and respond to advanced and persistent threats that can bypass traditional antivirus.
- Yes, there are known vulnerabilities and weaknesses in traditional antivirus software. Cybercriminals can exploit these vulnerabilities to bypass or disable traditional antivirus and gain access to devices and networks.
- You can tell if your traditional antivirus is working effectively by monitoring its activity, such as whether it is scanning files and detecting threats, and reviewing its logs and reports for any identified threats or issues.
- Signature-based detection is a technique used by traditional antivirus to identify threats by comparing a file or program to a known database of signatures, or patterns of malicious code. The limitations of signature-based detection include its inability to detect new or unknown threats that do not have a corresponding signature in the database, and its susceptibility to evasion techniques used by cybercriminals to modify the code of malware and avoid detection.
- Traditional antivirus is limited in its ability to protect against fileless attacks, which do not rely on files or executable code to infect a system. Fileless attacks often exploit vulnerabilities in legitimate software or operating system tools, such as PowerShell, to execute malicious code in memory and avoid detection by traditional antivirus solutions. Specialized security solutions, such as endpoint detection and response (EDR), may be more effective in detecting and mitigating fileless attacks.
- Traditional antivirus relies on signature-based detection, which means it needs to recognize a threat by its signature before it can block it. Zero-day attacks are those that exploit unknown vulnerabilities, so traditional antivirus cannot protect against them using signature-based detection. However, some traditional antivirus solutions may have other layers of protection that can detect and block zero-day attacks.
- Traditional antivirus may not be effective against some types of ransomware because it relies on signature-based detection, which may not be able to detect new or evolving variants of ransomware. Ransomware can also use advanced evasion techniques, such as encryption or polymorphism, to bypass traditional antivirus. However, many traditional antivirus solutions have added behavioral-based detection and other security measures to better protect against ransomware.
- Endpoint Detection and Response (EDR) solutions are a popular alternative or supplementary security solution to traditional antivirus. EDR uses advanced behavioral-based detection and response techniques to detect and respond to threats that traditional antivirus may miss. It also provides enhanced visibility and control over endpoints, including the ability to monitor and track activities in real time. Other supplementary solutions may include firewalls, intrusion prevention systems, and security information and event management (SIEM) solutions.
- Traditional antivirus may not be effective against phishing attacks, which often rely on social engineering to trick users into giving away sensitive information or downloading malware. However, some traditional antivirus solutions may include phishing protection features, such as URL filtering and email scanning. It is important for organizations to provide security awareness training to employees to help them recognize and avoid phishing attacks. Additionally, supplementary security solutions such as email security gateways and web filtering solutions can also help protect against phishing attacks.