Signature recognition or behavioral analysis – Which is better?

If you closely read the program description of Emsisoft Anti-Malware you will probably notice the term “Double real-time protection”. Sounds good, sounds safe. However, what this really means and what technology lies behind this is not always clear to those who are not IT experts. This is reason enough for us to put aside all the marketing terms and bring some light to the topic.

The first computer viruses were detected in the wild in the middle of the 1980’s. This topic first became really interesting through the increasing number of computers in private homes at the beginning of the 90’s. A special mention should be made here of a pest called “Michelangelo” that became famous and feared in 1992 through many media reports.

An antidote to prevent the spreading of these relatively harmless viruses was naturally sought. The solution was to search an infected file for significant virus characteristics. These are patterns and regularities that only apply to the one specific virus. When you summarize this characteristic information you end up with a so-called Signature. This is metaphorically similar to a human fingerprint. A scanner examines the internal structure of all possible files on a computer and attempts to recognize potential pests based on their Signatures (fingerprint patterns).

These days, there are not only Viruses but also Worms, Trojans, Spyware and other types of nasty pests that are collectively known as Malware. This means a great deal of work for the manufacturers of hard drive scanners: A new Signature must be created for every new pest and even for every variant of an already known pest. With an estimated 3,000 new pests per day this is a time-consuming exercise.

This brings us to the basic problem with Signature-based Malware recognition – a pest that has been specially developed for a particular attack cannot be detected in principle. The security software manufacturers only receive a sample of the pest, and can create a Signature for their scanners, when a particular level of distribution has been reached. The flip-side of this is that the recognition is relatively reliable, benign software is rarely notified as being damaging.

These days, most pests come from Eastern Europe or Asia and are usually intended for targeted attacks on specific networks, or they are even commissioned online by Mafia-like organizations. Anti-virus laboratories rarely see this type of Malware and thus cannot provide Signatures for them.

Emsi Software already presumed many years ago that purely Signature-based protection of domestic computers would sooner or later become inadequate. To address this problem, a second protection feature was integrated into Emsisoft Anti-Malware: The Malware IDS (IDS = Intrusion Detection System) is able to recognize damaging behavior and thus belongs to the category of “Behavior Blockers”. All active programs in the system are permanently monitored for this. As soon as a program exhibits potentially damaging behavior it is stopped and a notification is generated. This prevents further execution of a suspicious program at the wish of the user – completely without Signatures.

In addition to Behavior Blockers, another technology is becoming increasingly popular, the HIPS (Host-based Intrusion Prevention System) approach. These tools provide notification of attempts to manipulate many system interfaces such as autostarts, device drivers, services, the network, etc., but they do not provide exact information as to whether an action is actually damaging or not. You can imagine this as a type of personal Firewall that initially produces many (false) alarms until the software has been correctly trained. The user must decide whether simply a new driver is being installed or a malignant Trojan. In contrast to HIPS programs, the Malware IDS only provides notification of truly potentially damaging software and minimizes the number of false alarms. This is especially suitable for inexperienced users, whereas professionals can activate the “Paranoid” option in Emsisoft Anti-Malware and achieve functionality as similar to HIPS as they wish.

Both approaches, Signature-based scanners and Behavior-based Malware protection, have their strengths and weaknesses. Emsisoft Anti-Malware combines both technologies in a single product and thus offers extremely good protection with simple operation and almost no false alarms. However, if you already have a Signature-based scanner and wish to also have the functionality of a Behavior Blocker, then you should take a look at the new Mamutu 1.0. Mamutu provides you with a stand-alone version of Malware IDS without an built-in scanner.

Information on Mamutu: http://www.mamutu.com/

Have a Great (Malware-Free) Day!