Cyberthreats are a common phenomenon, and antivirus programs are only effective if they keep pace with the evolving methods of cybercriminals and adopt new techniques. In this article, we take a closer look at the differences between traditional, signature-based antivirus strategies and modern Endpoint Detection and Response (EDR) technology: how do the two approaches to detecting and defending against cyberthreats differ, and what are the advantages of the newer one?
Classic signature-based virus protection programs
Virus scanners have accompanied Windows users for many years. Ever since the first commercial virus protection program, which G DATA developed for the Atari in 1987, the topic has been on the minds of computer users. Although a lot has changed since then, the basic functionality of classic antivirus programs is still the same: they rely on so-called signatures. The most common form of signature is a hash value, calculated over the whole file or over a unique part of the malicious code, which the vendor stores in its signature database (see also the info box below).
When the antivirus program scans a file on a system, it calculates the file's hash value and compares it with the signatures stored in its database. Using hash values as signatures makes detection efficient: a short, fixed-length hash can be compared far faster than the entire malicious code, and the database does not need to contain the malware itself.
Overall, the combination of signatures and hash values enables efficient and, for known samples, very accurate detection of malicious content. However, the approach does not provide complete protection across the board.
What is a signature?
A signature is a combination of parameters that identifies a particular piece of malware (or a whole malware family) clearly and reliably. It can, for example, consist of the following information:
- A unique file name or characteristic strings (text fragments) in the software
- Behavior of the software: which files does it open, which files does it write to?
- File size of the software or of individual files
- Hash value of the entire software or of individual parts
Vendors create the signatures after analyzing the malware and then distribute them to customers; usually the antivirus program downloads these updates in the background without the user noticing.
What is a hash?
A hash is a fixed-length value that a hash function calculates from a file. The same file always produces the same hash value, regardless of who calculates it, when or where. Even a tiny change to the file results in a completely different hash value (the so-called avalanche effect).
To illustrate this, here is an example using the well-known MD5 hash function:
- The MD5 hash value of the sentence «This is a test» is: 6cddeb6a2f0582c82dee9a38e3f035d7
- The MD5 hash value of the slightly modified sentence «this is a test» (lower case t instead of upper case T) is: fe9b72fa5eb7e62ad04ece3c230cf94f
>> A small change to the input has therefore completely changed the hash. MD5 is used here only because it is so well known: two different files with the same MD5 hash can be constructed deliberately (a collision), so MD5 is no longer suitable for security purposes. Hash functions such as SHA-256 are used for this purpose today; they behave exactly the same way with respect to the avalanche effect.
The problems associated with signatures and hash values
The following three problems limit the security of the signature-based approach:
- All of the above information can only be determined AFTER a copy of the malware has been obtained and analyzed. Until then, a new or modified piece of malware is invisible to the scanner, so signatures alone cannot protect against previously unknown malware.
- The signatures must be delivered to the users and installed there before they take effect. The protection is only as good as the most recent update; a system that is offline or behind on updates remains exposed.
- Both the above-mentioned information and the resulting hash values can be changed very easily by the author of the malware: recompiling, repacking or changing a single byte of the file yields a new hash, and renaming files or obfuscating strings defeats name- and string-based signatures.
Manufacturers of virus protection programs pursue various approaches to avoid or mitigate these weaknesses, for example heuristics and generic signatures that cover a whole family of variants, but the fundamental problems remain.
Endpoint Detection and Response (EDR) pursues a different strategy that is largely unaffected by these problems.
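To make the avalanche effect from the info box and the third problem above concrete, here is an added Python example; it is not code from the original article or from any antivirus vendor. It hashes the two sentences from the info box, and then scans a constructed, harmless byte string that stands in for a malware file against two constructed signature types: a full-file hash stops matching after a single appended byte, while a string pattern survives that change but not a one-character edit to the string. The sample bytes, the signature names and the family name «Trojan.Dropper.Sample» are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a malware file; harmless bytes, not a real sample.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"EvilDropper v1.0 cmd /c powershell -enc" + b"\x00" * 8

# Signature database as a vendor might ship it (constructed): full-file SHA-256 digests ...
HASH_SIGNATURES = {hashlib.sha256(SAMPLE).hexdigest(): "Trojan.Dropper.Sample"}

# ... and characteristic byte strings of a malware family.
PATTERN_SIGNATURES = {b"EvilDropper v1.0": "Trojan.Dropper.Sample"}


def hash_difference(text_a: str, text_b: str, algo: str = "md5"):
    """Hash two inputs and count how many digest bits differ (avalanche effect)."""
    a = hashlib.new(algo, text_a.encode("utf-8")).digest()
    b = hashlib.new(algo, text_b.encode("utf-8")).digest()
    differing_bits = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return a.hex(), b.hex(), differing_bits


def scan(data: bytes) -> dict:
    """Emulate two signature types: exact file hash and substring pattern."""
    by_hash = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    by_pattern = next((name for pat, name in PATTERN_SIGNATURES.items() if pat in data), None)
    return {"hash": by_hash, "pattern": by_pattern}


def append_padding(data: bytes) -> bytes:
    """Attacker-side change 1: append one byte. The program would still run identically."""
    return data + b"\x00"


def obfuscate_string(data: bytes) -> bytes:
    """Attacker-side change 2: alter the string the pattern signature relies on."""
    return data.replace(b"EvilDropper", b"EvilDr0pper")


if __name__ == "__main__":
    h1, h2, bits = hash_difference("This is a test", "this is a test")
    print(f"md5(original) = {h1}\nmd5(modified) = {h2}\n{bits} of 128 bits differ")
    for label, variant in [("original", SAMPLE),
                           ("one byte appended", append_padding(SAMPLE)),
                           ("string obfuscated", obfuscate_string(append_padding(SAMPLE)))]:
        print(f"{label:>18}: {scan(variant)}")
```

The hash signature is the most precise and the most brittle: it identifies exactly one file and nothing else. The pattern signature tolerates repacking but is defeated by the next trivial edit, which is why vendors spend so much effort on generic signatures, and why behavior-based detection does not look at the bytes at all.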
Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) is a type of security technology that aims to detect and respond to threats on endpoints (such as computers, servers or mobile devices). EDR systems continuously monitor the behavior of endpoints in real time (for example, which processes start which other processes, which files and registry keys they touch and which network connections they open) to identify suspicious activity or anomalies that could indicate a security breach.
EDR protection programs work differently from signature-based antivirus programs. While a signature-based scanner largely concentrates on the signatures described above, i.e. on what a file looks like, EDR is primarily based on the analysis of what a program does at run time.
EDR is an important part of modern cybersecurity strategies as it helps to detect and respond to security breaches at an early stage to prevent or minimize potential damage.
Examples of suspicious behavior that EDR can detect:
- An opened Word document causes Word to start a PowerShell process in the background or to download further data from the Internet.
- Software (or the user) attempts to deactivate the protection solution.
- An unusually high number of failed login attempts to a computer or an application.
- Unusual network connections or unusually high network traffic.
- The rapid creation of many file archives (.zip) or the encryption of many files.
Such signs are referred to as «Indicators of Compromise» (IOCs); because they describe behavior rather than a known file, they are also called «Indicators of Attack» (IOAs). They can be evidence of the presence of malware or of an active attacker. An EDR solution then has various options for responding:
- Isolating the affected computer (cutting its network connection, usually while keeping a management channel to the EDR server open)
- Closing or terminating the affected application (process)
- Preventing further processes or the start of further applications
- Removing or quarantining infected files
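The indicators and responses listed above, as an added worked example in Python; it is not code from the original article or from any EDR product. A small rule set runs over constructed endpoint events (process starts, network connections, failed logons and file writes) and a response plan is then built per host. Field names, thresholds, host names and the service name «EdrAgentSvc» are assumptions made for illustration; a real agent receives such events from a kernel driver or from Windows event tracing and evaluates them over time windows rather than a single batch.

```python
import re
from collections import Counter, defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Commands that stop or remove a protection service (the service name is an assumption).
TAMPER_RE = re.compile(r"\b(sc\s+(stop|delete|config)|net\s+stop|taskkill)\b.*\b(defender|security|edr|agent)", re.I)
RANSOM_EXT_RE = re.compile(r"\.(locked|encrypted|crypt)$", re.I)
FAILED_LOGON_THRESHOLD = 20     # failed logons per host in one batch
MASS_FILE_THRESHOLD = 10        # files with a ransom extension per process in one batch
EGRESS_BYTES_THRESHOLD = 1_000_000

# Constructed endpoint telemetry, loosely modelled on process, network, logon and file events.
EVENTS = [
    {"host": "ws-017", "type": "process", "pid": 4120, "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws-017", "type": "network", "pid": 4120, "image": "powershell.exe",
     "dst": "203.0.113.45:443", "bytes_out": 2_400_000},
    {"host": "ws-017", "type": "process", "pid": 4188, "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "ws-031", "type": "process", "pid": 902, "parent": "cmd.exe",
     "image": "sc.exe", "cmdline": "sc stop EdrAgentSvc"},
]
EVENTS += [{"host": "srv-db-02", "type": "logon_failed", "user": "svc_backup"} for _ in range(35)]
EVENTS += [{"host": "ws-044", "type": "file_write", "pid": 777, "image": "update.exe",
            "path": f"C:\\Users\\anna\\Documents\\report{i}.docx.locked"} for i in range(25)]


def detect(events):
    """Return a list of (host, indicator, detail, pid) found in a batch of events."""
    hits = []
    failed_logons = Counter()
    ransom_writes = Counter()
    for e in events:
        kind = e["type"]
        if kind == "process":
            parent, image = e["parent"].lower(), e["image"].lower()
            if parent in OFFICE_APPS and image in SHELLS:
                hits.append((e["host"], "office_spawns_shell", f"{parent} -> {image}", e["pid"]))
            if TAMPER_RE.search(e["cmdline"]):
                hits.append((e["host"], "protection_tampering", e["cmdline"], e["pid"]))
        elif kind == "network" and e["bytes_out"] >= EGRESS_BYTES_THRESHOLD:
            hits.append((e["host"], "unusual_egress", f"{e['image']} -> {e['dst']}", e["pid"]))
        elif kind == "logon_failed":
            failed_logons[e["host"]] += 1
        elif kind == "file_write" and RANSOM_EXT_RE.search(e["path"]):
            ransom_writes[(e["host"], e["pid"])] += 1
    # Threshold-based indicators are only known once the whole batch has been counted.
    for host, n in failed_logons.items():
        if n >= FAILED_LOGON_THRESHOLD:
            hits.append((host, "logon_bruteforce", f"{n} failed logons", None))
    for (host, pid), n in ransom_writes.items():
        if n >= MASS_FILE_THRESHOLD:
            hits.append((host, "mass_encryption", f"{n} files written with ransom extension", pid))
    return hits


# Response per indicator; kill_process is only possible where an offending process is known.
RESPONSE = {
    "office_spawns_shell": ["kill_process"],
    "unusual_egress": ["kill_process"],
    "protection_tampering": ["kill_process", "isolate_host"],
    "logon_bruteforce": ["alert_soc"],
    "mass_encryption": ["kill_process", "isolate_host"],
}


def respond(hits):
    """Build an ordered, de-duplicated action list per host. A host with two or more
    different indicators is isolated even if no single indicator demands it."""
    plan = defaultdict(list)
    indicators_seen = defaultdict(set)
    for host, indicator, _detail, pid in hits:
        indicators_seen[host].add(indicator)
        for action in RESPONSE[indicator]:
            if action == "kill_process":
                action = f"kill_process:{pid}"
            if action not in plan[host]:
                plan[host].append(action)
    for host, seen in indicators_seen.items():
        if len(seen) >= 2 and "isolate_host" not in plan[host]:
            plan[host].append("isolate_host")
    return dict(plan)


if __name__ == "__main__":
    found = detect(EVENTS)
    for hit in found:
        print(hit)
    print(respond(found))
```

Note that none of the rules looks at a hash: the PowerShell process on ws-017 is flagged because of its parent and its network volume, not because of what its binary looks like. The correlation step in respond is a first taste of what XDR does across many hosts.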
In a nutshell: The main functions of EDR include:
- Real-time monitoring: Continuous monitoring of endpoint behavior in real time to quickly pinpoint unusual activity.
- Detecting threats: Identification of anomalies or suspicious activities that could indicate possible security breaches.
- Responding to security incidents: Ability to react automatically to detected threats and take measures to restore the security of the system, for example isolating an affected endpoint or removing malicious code.
- Logging and reporting: Recording of activities on endpoints to obtain a comprehensive overview of security incidents. This also allows incidents to be analyzed after they have been detected.
A small disadvantage: «false positives»
The starting points for classic signature-based antivirus programs and EDR are different: a signature match delivers the information «this software is known to be unwanted», whereas a behavioral detection only delivers the information «this could be unwanted software».
A signature match is therefore a high-confidence verdict: if the hash matches a known sample, the file is almost certainly malicious. A behavioral verdict is a probabilistic judgment, because legitimate software sometimes does things that resemble an attack (an installer that writes many files, an administration script that starts PowerShell). This results in a higher probability of false positives with the EDR approach. A false positive occurs whenever the EDR solution blocks an application even though it is actually harmless. Such false positives can, of course, be very annoying for employees, and if they occur too often, alerts start to be ignored.
False positives cannot be completely avoided. To minimize their occurrence, however, a learning period (often called audit or monitor mode) is planned when an EDR solution is introduced. During this period, the software already examines all actions on the systems and «learns» normal behavior, but only logs what it sees, without blocking the execution of programs.
In this way, potential later false positives are recognized in advance and the system is tuned accordingly. For example, industry-specific software or old, so-called «legacy software» regularly triggers false positives; such programs can then be declared harmless in the EDR solution (so-called «whitelisting», today also called allowlisting). Such exceptions should be as narrow as possible, for example tied to a specific file hash or code-signing certificate rather than just a file name, because a broad exception is something an attacker can hide behind.
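The learning period and the allowlisting of legacy software described above, as an added Python example; it is not code from the original article or from any product. Parent/child process pairs observed during the learning phase form a baseline, the enforcement phase flags pairs that were never seen, and an analyst-approved allowlist suppresses the false positive caused by a legacy application. The application names, the two phases and the minimum-observation threshold are constructed assumptions; a real product baselines many more attributes than the process tree.

```python
from collections import defaultdict

# Constructed process-start telemetry as (host, parent image, child image).
LEARNING_PHASE = [
    ("ws-017", "explorer.exe", "winword.exe"),
    ("ws-017", "explorer.exe", "outlook.exe"),
    ("ws-017", "services.exe", "svchost.exe"),
    ("ws-017", "legacyerp.exe", "cmd.exe"),      # old line-of-business app that shells out
    ("ws-017", "explorer.exe", "chrome.exe"),
] * 5  # the same pattern repeats over several days of learning

ENFORCE_PHASE = [
    ("ws-017", "explorer.exe", "winword.exe"),
    ("ws-017", "winword.exe", "powershell.exe"),  # never observed while learning
    ("ws-017", "legacyerp.exe", "cmd.exe"),
    ("ws-017", "legacyerp.exe", "wscript.exe"),   # new behavior of the legacy app
]


class BehaviorBaseline:
    """Baseline of (parent, child) process pairs plus an analyst-maintained allowlist."""

    def __init__(self, min_observations: int = 3):
        # A pair must be seen at least this often during learning to count as normal;
        # this keeps a one-off event during the learning period out of the baseline.
        self.min_observations = min_observations
        self.counts = defaultdict(int)
        self.allowlist = set()

    @staticmethod
    def _key(parent: str, child: str):
        return (parent.lower(), child.lower())

    def learn(self, events):
        for _host, parent, child in events:
            self.counts[self._key(parent, child)] += 1

    def allow(self, parent: str, child: str):
        """Analyst decision: declare a pair harmless (whitelisting/allowlisting)."""
        self.allowlist.add(self._key(parent, child))

    def evaluate(self, events, mode: str = "enforce"):
        """Return (host, parent, child, verdict) per event.
        mode="audit" records deviations without blocking, as during the learning period."""
        results = []
        for host, parent, child in events:
            key = self._key(parent, child)
            if key in self.allowlist:
                verdict = "allowed"
            elif self.counts[key] >= self.min_observations:
                verdict = "baseline"
            elif mode == "audit":
                verdict = "log_only"
            else:
                verdict = "block"
            results.append((host, parent, child, verdict))
        return results


def review_candidates(audit_results):
    """Pairs flagged in audit mode: what the analyst reviews before switching to enforce."""
    return sorted({(p, c) for _h, p, c, v in audit_results if v == "log_only"})


if __name__ == "__main__":
    baseline = BehaviorBaseline()
    baseline.learn(LEARNING_PHASE)
    audit = baseline.evaluate(ENFORCE_PHASE, mode="audit")
    print("to review:", review_candidates(audit))
    baseline.allow("legacyerp.exe", "wscript.exe")  # analyst: known behavior of the legacy app
    for row in baseline.evaluate(ENFORCE_PHASE):
        print(row)
```

The review step is where the judgment happens: the analyst allowlists the legacy ERP launching wscript.exe but leaves Word launching PowerShell on the block list, even though both were «new» to the baseline.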
So what are the advantages of EDR software?
EDR software is able to detect and analyze new, previously unknown malware and stop it before it can cause any damage, because it judges what a program does rather than what it looks like. EDR software is therefore much better adapted to the modern, fast-moving threat landscape than conventional signature-based protection software. In addition, because it analyzes the behavior of software, it cannot be tricked so easily by the authors of malware: whereas with signatures a slight change to the program code can be enough to outwit the protection software, a malicious program cannot do its job without behaving maliciously. Attackers do try to blend in, for example by abusing legitimate system tools that are already on the machine, which is why the detection rules of an EDR solution need ongoing tuning rather than being a one-off setup.
Extended Detection and Response - a further development of EDR
Extended Detection and Response (XDR) is the next logical step in the development of EDR. While EDR analyzes the behavior of programs on a single client (and on each client in an organization independently), XDR correlates data from different sources.
For example, XDR also integrates data from network devices such as firewalls or from external applications such as cloud applications. This enables a more comprehensive analysis of the situation: a sequence of events that look harmless on each individual system can be recognized as a single attack when they are viewed together. By analyzing network traffic, XDR solutions provide further insights into the communication between applications and also make it possible, for example, to block unwanted network traffic.
We will be happy to advise you on the use of virus protection programs that provide your IT with optimum protection against attacks. Contact our IT Security Consultant Marius Dubach or take a look for yourself at our IT security products.