Signature recognition or behavioral analysis – Which is better?

If you closely read the program description of Emsisoft Anti-Malware you will probably notice the term “real-time protection”. Sounds good, sounds safe. However, what this really means and what technology lies behind this is not always clear to those who are not IT experts. This is reason enough for us to put aside all the marketing terms and bring some light to the topic.

Signature-based protection: The virus antidote

The first computer viruses were detected in the wild in the middle of the 1980’s. This topic first became really interesting through the increasing number of computers in private homes at the beginning of the 90’s. A special mention should be made here of a pest called “Michelangelo” that became famous and feared in 1992 through many media reports.

An antidote to prevent the spreading of these relatively harmless viruses was naturally sought. The solution was to search an infected file for significant virus characteristics. These are patterns and regularities that only apply to the one specific virus. When you summarize this characteristic information you end up with a so-called Signature. This is metaphorically similar to a human fingerprint. A scanner examines the internal structure of all possible files on a computer and attempts to recognize potential pests based on their signatures (fingerprint patterns).

These days, there are not only viruses but also worms, trojans, spyware and other types of nasty pests that are collectively known as malware. This means a great deal of work for the manufacturers of hard drive scanners: A new signature must be created for every new pest and even for every variant of already known ones. With an estimated 3,000 new types of malware created per day, this is a time-consuming exercise.

This brings us to the basic problem with signature-based malware recognition – malware that has been specially developed for a particular attack cannot be detected in principle. The security software manufacturers can only get their hands on a sample and create a signature for their scanners once a particular level of distribution has been reached. The flip-side of this is that the recognition is relatively reliable, benign software is rarely notified as being damaging.

These days, most malware comes from Eastern Europe or Asia and is usually intended for targeted attacks on specific networks; some are even commissioned online by Mafia-like organizations. Antivirus laboratories rarely see this type of malware and thus cannot provide signatures for them.

A complementary approach: Behavior-based protection

Emsisoft already presumed many years ago that purely signature-based protection of domestic computers would sooner or later become inadequate. To address this problem, a second protection feature was integrated into Emsisoft Anti-Malware: The Malware IDS (IDS = Intrusion Detection System) is able to recognize damaging behavior and thus belongs to the category of “Behavior Blockers”. All active programs in the system are permanently monitored for this. As soon as a program exhibits potentially damaging behavior it is stopped and a notification is generated. This prevents further execution of a suspicious program at the wish of the user – completely without Signatures.

In addition to Behavior Blockers, another technology is becoming increasingly popular, the HIPS (Host-based Intrusion Prevention System) approach. These tools provide notification of attempts to manipulate many system interfaces such as autostarts, device drivers, services, the network, etc., but they do not provide exact information as to whether an action is actually damaging or not.

You can imagine this as a type of personal firewall that initially produces many (false) alarms until the software has been correctly trained. The user must decide whether simply a new driver is being installed or a malignant trojan. In contrast to HIPS programs, the malware IDS only provides notification of truly potentially damaging software and minimizes the number of false alarms. This is especially suitable for inexperienced users, whereas professionals can activate the “Paranoid” option in Emsisoft Anti-Malware and achieve functionality as similar to HIPS as they wish.

Both approaches, signature-based scanners and behavior-based malware protection, have their strengths and weaknesses. Emsisoft Anti-Malware combines both technologies in a single product and thus offers extremely good protection with simple operation and almost no false alarms.

Have a great (malware-free) day!