Pub. 6 2017 Issue 3
21 | Fall 2017 | BANK BYTES

The Cons

Many antivirus definitions or signatures rely on a fingerprint of a malicious executable, which is compared against the executable being analyzed. These fingerprints are often made up of items such as a hash value, compile date and time, file size, strings contained within the file, and what certain pieces of code within the executable are doing. However, all of these items can be easily manipulated by attackers so that a malicious executable no longer matches the known fingerprint. This is done by changing the code in a minor way, recompiling the executable, and obfuscating it with methods such as encryption or software packing. The result is that a previously known piece of malware can run on a system with up-to-date antivirus software: while the code performs the same function, it looks completely different.

The Pros

Luckily, antivirus software is not like the flu shot. We are not limited to getting an antivirus update once a year, and that update covers many more than just three or four malicious executables. Antivirus definitions are often updated many times a day, each update containing multiple new fingerprints for malicious executables. What amazes me most about antivirus software is the global network that works to get new malicious executable samples in the hands of many antivirus companies based all around the world. One example that end users can access is the website VirusTotal (https://www.VirusTotal.com). Files uploaded to VirusTotal are run through over sixty antivirus programs to determine whether the file is malicious. If it matches as malicious, the user who uploaded the file gets detailed information on what was detected. All files are shared with the antivirus vendors, who then do further analysis to determine whether the uploaded executable is a new variant or a totally new malicious file.

The Conclusion

Antivirus software has drawbacks and can be bypassed. However, it is still an essential piece of a defense-in-depth strategy. One program can protect you from millions of pieces of malware and can quickly update to protect against new malware. Antivirus software vendors have also begun to introduce newer functionality that seeks to detect abnormal behavior of executable files. This, coupled with traditional signature- or definition-based analysis, should make you pro antivirus.

Ty Purcell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com to learn how CoNetrix can improve your Cybersecurity maturity.
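As an added illustration of the fingerprint fragility described under The Cons (example code written for this page, not from the article or CoNetrix; the sample bytes, the indicator string and the function names are constructed), the toy matcher below builds a hash-and-size signature from a known sample and a strings-based signature, then shows that a one-byte change from "recompiling" defeats the first but not the second.

```python
import hashlib
import re

# Constructed sample bytes standing in for a known malicious executable
# (not real malware); the URL-like string plays the role of an indicator
# an analyst might build a signature from. Both names are hypothetical.
_INDICATOR = b"http://example.invalid/beacon"
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 64 + _INDICATOR + b"\x00" * 16
# A "recompiled" variant: same function and strings, one extra padding byte,
# so its hash and size differ from the sample the signature was built from.
VARIANT = b"MZ\x90\x00" + b"\x00" * 65 + _INDICATOR + b"\x00" * 16


def extract_strings(data: bytes, min_len: int = 8) -> set:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def hash_signature(sample: bytes) -> dict:
    """Brittle fingerprint taken from a known sample: exact hash and size."""
    return {"sha256": hashlib.sha256(sample).hexdigest(), "size": len(sample)}


def string_signature(required: list) -> dict:
    """Looser signature: every listed string must be present in the file."""
    return {"strings": list(required)}


def matches(signature: dict, data: bytes) -> bool:
    """True only if every attribute carried by the signature agrees with data."""
    if "sha256" in signature and hashlib.sha256(data).hexdigest() != signature["sha256"]:
        return False
    if "size" in signature and len(data) != signature["size"]:
        return False
    if "strings" in signature:
        present = extract_strings(data)
        if not all(s in present for s in signature["strings"]):
            return False
    return True


def scan(data: bytes) -> dict:
    """Run both signature styles over a file and report which ones fire."""
    return {
        "hash_signature": matches(hash_signature(ORIGINAL), data),
        "string_signature": matches(string_signature([_INDICATOR.decode()]), data),
    }


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, scan(blob))
```

The variant still carries the same indicator string, which is why vendors combine several fingerprint attributes and behavioral analysis rather than relying on a file hash alone.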