After a new wave of malware and cyber security threats devastated major enterprise companies in 2017, it became apparent that endpoint devices had become a weak point and that new anti-virus solutions were needed. However, in the overcrowded, modern-day antivirus space, differentiating anti-malware products can be cumbersome and overwhelming. SparkCognition has put together a simple three-step guide to help.
- Types of Threats
Before testing the effectiveness of your antivirus, it is important to understand the different types and severities of threats. Malware comes in three notable variations:
- Prevalent malware is simply common malware, and is typically easy to prevent.
- Polymorphic is malware that has been specifically altered to evade antivirus, making it difficult, but not impossible, for antivirus to combat.
- Zero-day is malware composed of never-before-seen threats; without the help of artificial intelligence, it can pose significant problems for antivirus software.
There are several commercial companies that provide antivirus for prevalent and polymorphic malware, but zero-day malware is a different beast. This is where antivirus products with machine learning, like SparkCognition’s DeepArmor®, shine. Machine learning systems are specifically designed to learn and adapt beyond their initial programming input, meaning these products are able to detect mutated malware even if the turnaround is less than 24 hours. First-generation signature-based antivirus cannot accomplish this.
- Create a Safe Testing Environment
When comparing antivirus products, the best way to get the most accurate reading of each product’s success is to test it against real malware. However, if the antivirus fails, the malware is then installed with no working line of defense, and the results can devastate your network. Thus, the safer method is to create a “safe” testing environment, or a virtual machine (VM). Virtual machines are operational computer systems that run from within another system. They operate the same as your network, but instead of uploading malware directly to your network, the malware is uploaded to an inception-like version of your network, and the antivirus can be tested in a more controlled, safer manner.
There are still risks to using VMs: to get the most accurate readings of effectiveness, the VM should be exposed to high volumes of malware, but with more malware comes more risk of a breach. However, the risk of infecting your computer is significantly less with VMs, and they are a safer method when it comes to testing antivirus. Currently available virtual machine software programs include VMware Workstation and Oracle VirtualBox, both of which are available on Windows, Macintosh and Linux.
- Testing Antivirus Products
Testing antivirus can be a tedious task, as there are multiple levels of testing to undertake on each program, but ultimately it generates the most accurate results. Testing can be active (executing a file and trusting the antivirus to prevent it) or passive (having the antivirus product scan a file), and both are crucial to test the antivirus’s ability to identify the original malicious file, as well as replicated, slightly altered versions of it.
- Passive Testing: typically the safest place to start, passive testing requires users to upload a malicious file to their VM and point their antivirus directly at it. Once scanned, the file should be replicated, altered, and moved to a different location, each time checking whether the antivirus follows these changes and still identifies the file as a threat. Since these actions are very deliberate and controlled, passive testing is the best place to start testing antivirus products without overexposing your network.
- Active Testing: this method is a bit like a trust fall. In active testing, a user would upload and execute a malicious file, and hope that the antivirus will prevent its execution. With more complex and altered files, it is possible for the malware to slip past the antivirus and infect the VM and potentially the network. Therefore it is safest to first test the antivirus through passive testing, and follow up with active testing once the effectiveness is determined.
These active and passive tests should be run for prevalent, polymorphic, and zero-day malware to accurately test each product. When comparing antivirus products, the one with the highest rate of detection in passive testing and prevention in active testing would be the most effective. In addition, multi-scanning websites are great resources for comparing antivirus products.
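The passive-test routine described above, as an added example in Python that is not part of the original article and is not SparkCognition’s or DeepArmor’s code: it builds the copy, move and alter variants for a constructed dummy sample and tallies a per-variant detection rate. The scanner is a pluggable callable; the mock engine shown matches exact SHA-256 hashes, standing in for a signature-based product, so the copied and moved files are caught while the altered copy is missed. Wrapping a real product’s command-line scanner in the same callable is assumed to be how you would plug it in.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable

# Constructed stand-in for a sample (NOT real malware): any bytes work here,
# because the mock engine below flags files by exact hash, like a signature scanner.
SAMPLE_BYTES = b"CONSTRUCTED-TEST-SAMPLE-0001"

Scanner = Callable[[Path], bool]  # returns True when the scanner flags the file

def make_variants(original: Path, workdir: Path) -> Dict[str, Path]:
    """Build the passive-test variants the guide lists: an exact copy, a renamed
    copy in another directory, and a slightly altered copy."""
    copies, elsewhere = workdir / "copies", workdir / "elsewhere"
    copies.mkdir(exist_ok=True)
    elsewhere.mkdir(exist_ok=True)
    exact = Path(shutil.copy(original, copies / original.name))
    moved = Path(shutil.copy(original, elsewhere / ("renamed_" + original.name)))
    altered = copies / ("altered_" + original.name)
    # Appending padding changes the bytes (and therefore the hash) of the copy.
    altered.write_bytes(original.read_bytes() + b"\n# padding\n")
    return {"original": original, "exact_copy": exact,
            "moved_renamed": moved, "altered": altered}

def signature_scanner(known_samples: Iterable[bytes]) -> Scanner:
    """Mock first-generation engine: flags a file only on an exact SHA-256 match."""
    known = {hashlib.sha256(s).hexdigest() for s in known_samples}
    return lambda path: hashlib.sha256(path.read_bytes()).hexdigest() in known

def passive_test(scanner: Scanner, sample: bytes = SAMPLE_BYTES) -> Dict[str, bool]:
    """Write the sample into a scratch directory, scan every variant with the
    supplied engine, and report detected (True) or missed (False) per variant."""
    workdir = Path(tempfile.mkdtemp(prefix="av-passive-"))
    original = workdir / "sample.bin"
    original.write_bytes(sample)
    results = {name: scanner(p) for name, p in make_variants(original, workdir).items()}
    shutil.rmtree(workdir)
    return results

def detection_rate(results: Dict[str, bool]) -> float:
    return sum(results.values()) / len(results)

if __name__ == "__main__":
    res = passive_test(signature_scanner([SAMPLE_BYTES]))
    for name, hit in res.items():
        print(f"{name:14s} {'DETECTED' if hit else 'missed'}")
    print(f"detection rate: {detection_rate(res):.0%}")  # 75% for the mock engine
```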
As the world increases in connectivity, we strongly recommend that consumers find an antivirus product to protect themselves against zero-day and polymorphic threats (DeepArmor being our top recommendation, of course).