Security in Plain English: How does Anti-Malware Work?

May 29, 2018

This week's user-submitted question: "My company has made anti-virus software mandatory on all machines, including my home machine since I access email on it. How does this software work, and will it impact my machine? Why is it necessary when there are built-in tools?"

Anti-malware systems (the current evolution of the anti-virus tools we've used for quite a while) are a critical part of what is known as endpoint security. That is, they help protect the endpoint: networking equipment that connects directly to the Internet, desktops and laptops that talk directly to the Internet, and so on. They evolved from anti-virus because attackers now use a broader set of tools than the simpler viruses of the past, so these systems protect against many more types of threats on your desktop or laptop.

What is malware and how is it different from a virus? Malware is a catchall term for any software that can disrupt your computer or cause actual damage to data or the computer itself. A virus is a self-replicating program that does this, but it is by no means the only type of harmful program. Ransomware, trojan horse software, crypto-currency miners, and many other things can create problems for you and your company's data systems, so the technology industry started using the term malware as a more complete term several years back.

Here's how they work:

First, anti-malware software regularly scans all files that either exist on your machine or that your machine can see on network shares and other connected systems. Second, it often also contains real-time scanners that check any incoming web pages, files, and emails for malware as they download to your machine, without having to wait for the weekly scan to take place.

Some anti-malware simply compares the structure of the files to a known database of malware files to see if they match. This method isn't the best, as malware is constantly changing and evolving, so a file that looks benign based on the database may actually have had a few things changed to evade detection while still being very dangerous. Modern anti-malware tools use something known as a heuristics engine to compare not only the file as a whole to the database, but also the file structure and overall code, to determine whether it is close enough to a known malware sample to likely be malware itself. Many anti-malware tools can also look inside compressed files (like zip files) to see if the files inside them are dangerous. These more complete types of tools are much more effective at catching malware that has been altered but is still dangerous.
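To make the difference concrete, here is a small added example (not code from the original post or from any real product) that contrasts the two approaches just described: an exact-fingerprint lookup, which a one-byte change defeats, beside a crude heuristic that compares file structure, plus recursion into zip archives. The "malware sample" is a constructed, harmless byte string, and the byte-shingle similarity is an assumed stand-in for what a real heuristics engine does.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a known malware sample. These bytes are made up for
# the demonstration and do nothing; they are NOT real malware.
KNOWN_SAMPLE = b"MZ" + b"\x90" * 16 + b"evil_payload_marker" + b"\x00" * 16 + b"GET /beacon HTTP/1.1"
# The "known database of malware files": exact fingerprints of whole files.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_match(data: bytes) -> bool:
    """Exact-match check: hash the whole file and look it up in the database."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB

def shingles(data: bytes, n: int = 4) -> set:
    """Overlapping n-byte substrings: a crude stand-in for 'file structure'."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def heuristic_similarity(data: bytes, sample: bytes = KNOWN_SAMPLE) -> float:
    """Jaccard similarity of the two files' shingle sets, from 0.0 to 1.0."""
    a, b = shingles(data), shingles(sample)
    return len(a & b) / len(a | b) if a | b else 0.0

def make_variant(sample: bytes = KNOWN_SAMPLE) -> bytes:
    """Flip one byte of the sample: the kind of tweak that defeats exact matching."""
    tweaked = bytearray(sample)
    tweaked[5] ^= 0x01
    return bytes(tweaked)

def make_archive(inner_name: str, data: bytes) -> bytes:
    """Wrap data in an in-memory zip so scan() has an archive to look inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()

def scan(name: str, data: bytes, threshold: float = 0.7) -> list:
    """Return (path, verdict) pairs; zip archives are opened and scanned inside."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                results.extend(scan(f"{name}/{info.filename}", zf.read(info)))
        return results
    if signature_match(data):
        return [(name, "signature")]
    if heuristic_similarity(data) >= threshold:
        return [(name, "heuristic")]
    return [(name, "clean")]
```

Running `scan` on the untouched sample hits the signature, while the one-byte variant slips past the signature lookup and is only caught by the similarity check, whether it sits on disk or inside a zip.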

Native operating system tools are good, but not great. Most will do regular scanning (usually weekly) to try to catch any malware that has been downloaded or installed on a machine. However, if the malware itself is fast moving, your system may already be infected by the time the scan catches the malware in question. The damage is already done, so periodic scanning alone isn't the best way to make sure your system stays safe. Built-in tools that use real-time scans and heuristics are better, but they may only update periodically and may not be able to catch fast-moving malware very effectively. Finally, native operating system tools rarely scan within third-party software like email programs or other tools.

Let's say your company has chosen an anti-malware software package that updates itself regularly, performs on-access scans of everything the company uses (including third-party software), and uses heuristics to catch evolving threats faster and more effectively. While requiring you to install and use it on all devices that connect to company resources can be extra work, it definitely helps keep both your company and you safer in the long run. These commercial tools can also be connected to the central management (command-and-control) systems your company uses. This means your company can control the updates these tools get for new malware definitions and detection techniques, and keep everyone's software up to date much more easily than by individually managing hundreds of desktops and laptops.

The impact of commercial anti-malware tools on your system is usually minimal. While some tools can have a large impact, your company will typically avoid those, if for no other reason than that your IT department doesn't want to deal with a steady stream of complaints. The better commercial anti-malware tools run with so little overhead that they're difficult to even notice running at all.

So, if you already run a commercial anti-malware system on your machine, ask your company if you can continue running that one instead of the company-selected tools. If it is your own machine, and your IT team knows the product in question works well, they'll probably let you keep running it. On company-owned desktops and laptops, you will have to use what the company says to use; that comes along with using company equipment. The good news is that you won't need to pay for the subscription for the tools they provide, and they will probably work as well as or better than the tools you installed yourself, since they can now leverage a company-wide control system that makes them even more intelligent and keeps everything updated automatically.

In short, you need anti-malware tools beyond those installed with the operating system by default (yes, even on Mac and Linux devices). Your company can provide those for any computers that access corporate resources, and do so with minimal impact on the system and a high level of protection to boot.
