Antivirus For Small Businesses

Antivirus software, commonly known as AV, is a program designed to detect and remove malicious software from computers and networks.

As with firewalls, most people have some familiarity with AV software. For example, the Microsoft Defender Antivirus comes with the Windows operating system, and it does a great job!

In fact, AV often serves as an important shield against viruses, malware, ransomware, and other cyber threats that could compromise sensitive data and disrupt operations.

In this lesson, we will cover how AV works at a high level so that small business owners can have a solid understanding of how to best make use of it. As with other topics in cybersecurity, by learning this information we will also grow our vocabulary and comprehension so that we can build on it in later sections. For example, it can be difficult to understand the difference between antivirus (AV) and endpoint protection (EDR/MDR) – in particular, how and why endpoint protection is much more effective than AV in many common cases – without having a basic understanding of AV and how it works.

But before we get into the details of AV, we do want to stress some key points for small businesses:

  • There are excellent free AV solutions for almost all systems and we usually don’t promote purchasing premium AV (but there are always exceptions).
  • We do recommend small businesses investigate adding MDR (Managed endpoint Detection and Response) to their security stack. You can think of MDR as a turbocharged version of AV. This isn’t actually the case as it doesn’t take the place of AV but instead works alongside it. However, it can be helpful to think of MDR as similar to AV but much more effective.
  • We absolutely recommend having AV (at least) or MDR (recommended) installed on every company device.

How Antivirus Works

What AV does is provide the ability to detect and respond to malicious applications. At this point, we can introduce the terms 'detection' and 'response'.

These terms are really important, and they mean specific things!

Detection refers to the ability to detect malicious activity. Different types of security software do detection differently; some are more effective than others.

Response means that the application or service takes action when it detects something malicious. Common actions include: preventing a malicious application from running, deleting it, quarantining it, performing sandbox testing, and issuing alerts to the user.

How Antivirus Software Works

Antivirus works by regularly scanning files on the filesystem, as well as when a file is first downloaded, and when it is run by the user. It uses a variety of methods to detect potentially malicious code within files, which we’ll cover now.

Signature-Based Detection

The most common method is signature-based detection, where the AV program compares files on a system to a database of known malware signatures.

A 'signature' is a unique characteristic of the malware that can be used to reliably identify, or fingerprint, it.

There’s a global consortium of cybersecurity professionals who work together to keep an enormous database of malware signatures up to date (check out https://virustotal.com).

Examples of malware signatures include:

  • A hash of the entire file or part of the file. A hash is simply a unique value computed from the file's contents.
  • A unique part of the file, like a sequence of specific characters that don’t occur in any other known file.

If a match is found, the antivirus software takes action to quarantine or delete the malicious file.
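As an added illustration (not code from the original lesson), the small scanner below implements both signature types described above, a whole-file hash and a unique byte sequence, against a constructed, harmless sample standing in for a malware file. It also shows why AV keeps both: a one-byte edit to the sample breaks the hash match, while the byte-sequence signature still fires. The sample bytes, signature names and the sha256 choice are all assumptions made for the example.

```python
import hashlib

# Constructed, harmless bytes standing in for a known malware file.
KNOWN_MALWARE = b"MZ\x90\x00 constructed-sample: connect-back-to-c2 v1.0"

# Signature database with the two kinds described in the text.
# 1) hash of the entire file -> detection name
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_MALWARE).hexdigest(): "Constructed.Sample.A",
}
# 2) a byte sequence assumed not to occur in any benign file -> detection name
BYTE_SIGNATURES = {
    b"connect-back-to-c2": "Constructed.Sample.A (pattern)",
}


def sha256_of(data):
    """Fingerprint the whole file: any change to its bytes changes this value."""
    return hashlib.sha256(data).hexdigest()


def scan(data):
    """Return the names of every signature that matches the file contents."""
    hits = []
    digest = sha256_of(data)
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def demo():
    """Scan the original sample and a copy with a single-token edit."""
    original = scan(KNOWN_MALWARE)
    # Only the version string differs, so the whole-file hash no longer matches.
    modified = scan(KNOWN_MALWARE.replace(b"v1.0", b"v1.1"))
    return {"original": original, "modified": modified, "clean": scan(b"hello world")}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits or 'no match'}")
```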

It’s important to realize that even the most advanced antivirus software primarily uses signature-based detection. This is one reason we don’t recommend that small businesses invest in souped-up antivirus; free antivirus like Windows Defender does just as good a job (and often a better one) than expensive AV solutions. Instead, we recommend investing in a solution that includes fully managed detection and response – like our own Security Essentials.

Behavior-Based Detection

With behavior-based detection, the AV program analyzes the behavior of other programs to identify suspicious activities.

Behavior-based detection in AV software involves identifying malware based on its actions and behaviors rather than relying solely on predefined signatures. This can be much more effective than signature-based detection alone. Here’s how behavior-based detection works:

  1. Monitoring System Activities: The AV software continuously monitors the system for suspicious activities and behaviors that are commonly associated with malware. This includes observing file modifications, network activity, registry changes, and processes.
  2. Identifying Anomalies: Behavior-based detection looks for deviations from normal system behavior. For example, if a process suddenly starts modifying system files, attempting to disable security software, or establishing unauthorized network connections, these activities could be flagged as suspicious.
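To make the two steps above concrete, here is an added example (not from the original lesson) of a tiny behavior-based detector run over a constructed activity log. It encodes the three anomalies named in step 2 as rules, scores each process by how many distinct suspicious behaviors it shows, and flags processes that cross a threshold. The log lines, the process names, the allow-list of network-using processes and the threshold are all assumptions made for the example.

```python
# Constructed endpoint activity log (not real telemetry).
# Each line: time process event detail
CONSTRUCTED_EVENTS = """
10:00:01 winword.exe file_write C:\\Users\\alice\\report.docx
10:00:05 svchost.exe network_connect 10.0.0.5:443
10:01:10 updater.exe file_write C:\\Windows\\System32\\drivers\\etc\\hosts
10:01:12 updater.exe service_stop WinDefend
10:01:15 updater.exe network_connect 203.0.113.9:8443
10:02:00 chrome.exe network_connect 198.51.100.7:443
""".strip().splitlines()

# Assumed baselines: the security service to protect and processes expected to use the network.
SECURITY_SERVICES = {"WinDefend"}
NETWORK_ALLOWED = {"chrome.exe", "svchost.exe"}


def parse(line):
    """Split one log line into its four fields (detail may contain no spaces here)."""
    time, process, event, detail = line.split(" ", 3)
    return {"time": time, "process": process, "event": event, "detail": detail}


# One rule per anomaly named in the text; each takes a parsed event and returns True if it matches.
RULES = {
    "modifies system files": lambda ev: ev["event"] == "file_write"
    and ev["detail"].lower().startswith("c:\\windows\\"),
    "disables security software": lambda ev: ev["event"] == "service_stop"
    and ev["detail"] in SECURITY_SERVICES,
    "makes unexpected network connection": lambda ev: ev["event"] == "network_connect"
    and ev["process"] not in NETWORK_ALLOWED,
}


def detect(lines, threshold=2):
    """Return {process: [behaviors]} for processes showing at least `threshold` distinct behaviors."""
    findings = {}
    for line in lines:
        ev = parse(line)
        for name, rule in RULES.items():
            if rule(ev):
                findings.setdefault(ev["process"], set()).add(name)
    return {p: sorted(b) for p, b in findings.items() if len(b) >= threshold}


if __name__ == "__main__":
    for process, behaviors in detect(CONSTRUCTED_EVENTS).items():
        print(f"FLAGGED {process}: {', '.join(behaviors)}")
```

A single rule firing (a legitimate installer writing under C:\Windows, say) is not enough on its own; the threshold is what keeps ordinary activity from being flagged.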

Heuristic-Based Detection

While often included within the category of ‘behavior-based’ detection, heuristic-based antivirus detection is a bit different.

In essence, heuristic-based detection attempts to perform a deeper analysis of the file vs. just signatures alone. It looks at the code itself and tries to determine if there are features that correspond with malicious programs. For example, malware authors use a variety of techniques such as packing to try to defeat traditional antivirus software. The heuristic engine in an AV application may detect the use of common packers, indicating that the program is indeed malicious.

Some AV software also uses sandboxing to further analyze the file. A ‘sandbox’ is a controlled environment that can be used to study a potentially malicious application. This allows the AV software to execute the file and observe its behavior in a safe space, without risking the actual system. If the file exhibits malicious behavior in the sandbox, it can be flagged and quarantined.

How Good is AV?

Given all of these detection mechanisms, it might seem like AV should be really good at preventing malicious files from being executed.

And antivirus is great at doing exactly (and only) what it does – which is detecting malware.

The problem is that attackers today can get around AV relatively easily because they don’t need to use malware. There are many ways to attack a computer or a network without the use of malware.

For example, AV can’t detect things like:

  • An attacker directly attacking or moving through the network.
  • An attacker getting remote access to a computer.
  • An attacker working manually without using malware (this is called ‘living off the land’).
  • An attacker running files directly in memory (without ‘touching disk’).
  • Custom-written, modified, or otherwise sufficiently stealthy malware. All it takes is a small modification to existing, known malware to make it invisible to AV.

It’s hard to describe how easy it is for a skilled attacker to defeat AV. But as an example, using the msfvenom tool (https://www.offsec.com/metasploit-unleashed/msfvenom/) we can create a wide variety of malware that evades AV, using a single command. This is an extremely common task in the field of ethical hacking/penetration testing.

While AV is extremely easy for skilled attackers to evade, using MDR (managed endpoint detection and response) will significantly enhance a system’s security and make things much more difficult for the bad guys.

This is why we recommend using MDR for any devices that in some way could be of use to an attacker targeting an organization.