If you think your antivirus programme is protecting you, think again! 🫣

If you think your antivirus programme is enough to protect you from someone like me, think again! In this short article, I will explain why antivirus programmes are no longer enough to protect you from cyber criminals.

Almost everyone has an antivirus programme installed (including Windows Defender). However, it seems that few people outwith the cybersecurity community ever question whether their antivirus solution is actually working.

In the ever-evolving landscape of cybersecurity, the reliance on traditional antivirus software as the sole line of defence is a notion that demands reconsideration. While antivirus software has been a cornerstone in protecting systems for decades, the digital battlefield has transformed, rendering some conventional defences inadequate against modern threats. It’s time to challenge the assumption that your antivirus software alone is an impenetrable shield.

Hackers and security practitioners are playing a never-ending game of cat and mouse. Whenever a new antivirus technology is created, it won’t be long until a new technique is created to bypass it.

In the early days of antivirus, vendors adopted a ‘signature analysis’ approach by which each of the millions of malicious software programs was assigned a unique ID, or hash. When one of these IDs was found on a client’s computer, it would trigger an alert. However, by using crypting services, attackers struck a hammer-blow to the signature analysis approach. We will explore each of these concepts towards the middle of this article.

We will start with a quick history of antivirus software, from its emergence to its application in contemporary times. I will then explain succinctly how antivirus programs work, namely through a signature-based approach, heuristic analysis and machine learning.

There are over 20 major antivirus software vendors in the market today, with plenty of startup companies creating new antivirus offerings every year. 

My top Antivirus programs for 2024

In January 2024, I spent at least twenty hours analysing a variety of modern antivirus solutions. I consulted research papers and impartial testing bodies, such as AV-TEST. I also tested each product myself, with malware that I wrote myself.

A quick history of antivirus software

The history of antivirus software traces back to the early days of computing when the concept of malicious software, or malware, began to emerge. In the 1970s, the first instances of computer viruses appeared, often spread through floppy disks. These viruses were relatively simple compared to modern-day threats but marked the beginning of a cat-and-mouse game between cybercriminals and cybersecurity experts.

One of the earliest antivirus programs, named “Reaper,” was developed in the early 1970s to remove the “Creeper” virus from infected computers. Following this, various other antivirus tools emerged in the 1980s and 1990s, each designed to detect and remove specific types of malware.

In the 1990s, as the internet became more widespread, the threat landscape expanded dramatically. This led to the development of more sophisticated antivirus software capable of detecting and neutralising a wide range of malware, including viruses, worms, Trojans, and spyware.

We will now look at the emergence of signature analysis, heuristic analysis and machine learning in antivirus solutions. I will explain how each of these works in the next section.

The turn of the millennium saw the rise of signature-based antivirus solutions, which relied on a database of known malware signatures to identify and eliminate threats. However, cybercriminals soon adapted by creating polymorphic and metamorphic malware, which could change its appearance to evade detection.

To counter these evolving threats, antivirus vendors began incorporating heuristic and behaviour-based detection techniques into their products. These methods allowed antivirus software to detect malware based on its behaviour and characteristics, rather than relying solely on predefined signatures.

In recent years, advancements in machine learning and artificial intelligence have further enhanced antivirus capabilities, enabling more accurate and proactive threat detection. Today, antivirus software plays a crucial role in protecting users and organisations from a wide range of cyber threats, including ransomware, phishing attacks, and zero-day exploits. As cyber threats continue to evolve, antivirus software will undoubtedly continue to adapt and innovate to keep pace with the ever-changing threat landscape.

so... How do antivirus programs actually work? 🧐

In any modern antivirus solution, there are multiple methods of detecting and responding to malware. There are several types of malware, which I have explained in my ‘fourteen types of malware’ post.

As we explored in the previous section, signature analysis was the earliest antivirus technique. This was followed by heuristic analysis, and in contemporary times machine learning has received the most attention.

Let’s look at each of the main components of a modern antivirus solution, before we turn our attention to how antivirus programs can be bypassed:

Signature Analysis

Signature analysis, also known as signature-based detection, was one of the earliest methods employed in antivirus solutions. This approach relies on a database of known malware signatures, which are unique identifiers or patterns specific to each piece of malicious code. 

When the antivirus software scans files or processes on a computer, it compares them against this database of signatures. If a match is found, indicating the presence of malware, the antivirus program takes appropriate action, such as quarantining or deleting the infected file. 

Most antivirus vendors will share their databases of known malware with each other. This collaborative approach allows for the collection of millions of malware signatures.

While signature analysis is effective at detecting known threats, it can be less effective against new or previously unseen malware variants, making it important for antivirus programs to continually update their signature databases to stay ahead of emerging threats.

Hackers can simply use obfuscation techniques which we will cover later in this article. In other words, if I tried to infect a computer with malware that is already known to antivirus software, I could simply change some elements of the code in order to bypass the antivirus solution. 

Most free antivirus solutions (except Windows Defender) will rely solely on signature-based approaches to detecting malware, which is essentially useless now.
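To make the signature-analysis point concrete, here is a toy scanner (an added example, not code from the article or from any vendor) that keeps two kinds of signature for one constructed sample: an exact SHA-256 hash, as early engines did, and a byte-pattern rule on the sample’s embedded configuration string. The sample, hash and pattern are all invented; it shows why a single changed byte defeats the hash while the pattern survives, and why encoding the string defeats both, which is the gap heuristic analysis has to fill.

```python
"""Toy signature scanner: exact-hash signatures beside byte-pattern signatures.

Added example, not code from the original article. Every sample, hash and
pattern here is constructed for illustration; none is real malware or a real IoC.
"""
import hashlib
import re
from typing import Optional

# Constructed stand-in for a known malicious file: a fake PE header, padding,
# and an embedded beacon configuration string (invented, uses a .invalid host).
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 8 + b"beacon:c2.invalid:4444;sleep=60;jitter=10"

# Early-engine style database: one SHA-256 per known sample.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Toy.Beacon.A"}

# Pattern signature (the idea behind YARA-style rules): keyed on the stable
# configuration format rather than the whole file, so it survives edits elsewhere.
PATTERN_SIGNATURES = {
    re.compile(rb"beacon:[\w.\-]+:\d+;sleep=\d+"): "Toy.Beacon.Pattern",
}


def scan_by_hash(data: bytes) -> Optional[str]:
    """Exact match: any single-byte change produces a different hash."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes) -> Optional[str]:
    """Regex match: tolerant of changes outside the matched bytes."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> dict:
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


# Variant 1: one padding byte changed (a rebuild or trivial patch). The hash
# signature misses; the pattern signature still fires.
VARIANT = KNOWN_BAD.replace(b"\x00" * 8, b"\x00" * 7 + b"\x01")

# Variant 2: the configuration string is stored XOR-encoded and only decoded at
# run time, as a crypter would do. Neither static signature sees it any more,
# which is the gap that heuristic and behavioural analysis exist to cover.
ENCODED = KNOWN_BAD[:12] + bytes(b ^ 0x5A for b in KNOWN_BAD[12:])

if __name__ == "__main__":
    for label, sample in (("original", KNOWN_BAD), ("variant", VARIANT),
                          ("encoded", ENCODED), ("benign", b"hello world")):
        print(f"{label:9s} {scan(sample)}")
```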

Heuristic Analysis

Heuristic analysis, also referred to as heuristic-based detection, improves upon signature-based methods by using a set of rules or algorithms to identify suspicious behaviour or characteristics commonly associated with malware. Instead of relying solely on predefined signatures, heuristic analysis allows antivirus software to detect previously unseen malware based on its behaviour or attributes.

In other words, signature analysis simply compares every file on your computer to a database of known malware. Heuristic analysis takes this a step further and analyses the behaviour of all your files and programs for telltale signs of malicious activity. 

This approach is particularly useful for identifying polymorphic or metamorphic malware that can change its appearance to evade traditional signature-based detection methods. Heuristic analysis may flag certain files or processes as potentially malicious based on deviations from normal behaviour, allowing the antivirus program to take proactive measures to prevent infection.

While heuristic analysis can be more flexible and adaptable than signature-based detection, it may also result in false positives if legitimate software exhibits behaviour that resembles malware.

Heuristic analysis also relies on a predefined set of rules describing what malicious behaviour looks like, and not all malware will fit the mould.

Finally, through using the obfuscation techniques I will explain later, malware can still slip through the net.
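The three weaknesses above (rules, false positives and malware outside the mould) can be seen in a small behaviour-based scorer. This is an added example, not the article’s or any product’s code: the rules, weights, threshold and the three process-event traces are constructed, and the event vocabulary is invented for the demonstration.

```python
"""Toy heuristic scorer over a process event trace. Added example, not the
article's code; rules, weights, threshold and traces are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Event:
    process: str
    action: str   # constructed vocabulary: write_file, reg_set, spawn, net_connect
    target: str

def _low(e: Event) -> str:
    return e.target.lower()

# Each rule: (name, weight, predicate). Names and weights are invented.
RULES: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("persistence via Run key", 40,
     lambda e: e.action == "reg_set" and _low(e).endswith(r"\currentversion\run")),
    ("drops executable in Temp", 25,
     lambda e: e.action == "write_file" and "\\temp\\" in _low(e) and _low(e).endswith(".exe")),
    ("spawns scripting host", 20,
     lambda e: e.action == "spawn" and _low(e) in {"powershell.exe", "wscript.exe", "cmd.exe"}),
    ("outbound to non-standard port", 15,
     lambda e: e.action == "net_connect" and not e.target.endswith((":80", ":443"))),
]
THRESHOLD = 60  # a trace scoring at or above this is flagged

def score(events: List[Event]) -> Tuple[int, List[str]]:
    """Sum the weight of every rule matched at least once in the trace."""
    hits = [(name, w) for name, w, pred in RULES if any(pred(e) for e in events)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def verdict(events: List[Event]) -> str:
    total, _ = score(events)
    return "suspicious" if total >= THRESHOLD else "clean"

# Constructed trace 1: dropper-like behaviour, correctly flagged (80 points).
DROPPER = [
    Event("invoice.pdf.exe", "write_file", r"C:\Users\u\AppData\Local\Temp\upd.exe"),
    Event("invoice.pdf.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event("upd.exe", "net_connect", "203.0.113.7:8443"),
]
# Constructed trace 2: a legitimate installer doing ordinary installer things.
# It scores 65 and is flagged too: the false-positive problem of rule-based heuristics.
INSTALLER = [
    Event("setup.exe", "write_file", r"C:\Users\u\AppData\Local\Temp\helper.exe"),
    Event("setup.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event("setup.exe", "net_connect", "updates.example:443"),
]
# Constructed trace 3: activity matching no rule at all scores 0. Behaviour
# outside the mould the rules were written for is simply not seen.
QUIET = [
    Event("svchost.exe", "net_connect", "198.51.100.9:443"),
    Event("svchost.exe", "write_file", r"C:\Users\u\Documents\notes.txt"),
]

if __name__ == "__main__":
    for label, trace in (("dropper", DROPPER), ("installer", INSTALLER), ("quiet", QUIET)):
        print(label, verdict(trace), score(trace))
```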

Machine learning approaches

Machine learning represents a significant advancement in antivirus technology, leveraging algorithms and statistical models to analyse large volumes of data and learn patterns indicative of malware.

By training on vast datasets of both benign and malicious samples, machine learning algorithms can automatically identify and classify new threats without relying on predefined signatures or heuristic rules.

This enables antivirus software to adapt to evolving threats in real time, improving detection accuracy and reducing false positives. Machine learning algorithms can detect subtle similarities and anomalies in code or behaviour that may indicate the presence of malware, even in previously unseen variants. This proactive approach to threat detection enhances overall security posture and helps mitigate the risks posed by advanced and sophisticated cyber threats.

Sandboxing

Antivirus sandboxing is a proactive security measure employed by antivirus programs to analyse potentially malicious files or programs in a controlled and isolated environment, known as a sandbox. Instead of immediately executing or opening suspicious files on the user’s system, the antivirus software first runs them in the sandbox, which simulates the operating environment of the host system.

The sandbox environment is typically segregated from the user’s system to prevent any potential harm caused by the analysed files. Within the sandbox, the antivirus program observes the behaviour of the suspicious files, monitoring for any malicious activities such as attempts to modify system files, network communication with known malicious servers, or unauthorised access to sensitive data.

By analysing the behaviour of files in the sandbox, antivirus programs can determine whether they pose a threat to the user’s system. If the file exhibits malicious behaviour, the antivirus program can take appropriate action, such as quarantining the file, blocking its execution, or alerting the user to the potential threat.

However, some malware can detect that it is running in a sandbox and withholds its malicious behaviour until it reaches a real system, so that the sandbox sees nothing worth flagging.

Incident response

Incident response is a critical component of any modern antivirus solution, encompassing a range of actions taken in response to a detected security incident or malware infection. The incident response feature of an antivirus solution is only activated once malware has been identified on a device.

This includes isolating infected files or processes to prevent further spread of malware, quarantining suspicious files for further analysis, and remediation efforts to remove or mitigate the effects of malware. Incident response procedures may also involve notifying users or administrators of security breaches, performing system scans to identify additional malware infections, and restoring affected systems from backups if necessary.

Timely and effective incident response is essential for minimising the impact of cyber attacks and restoring normal operations as quickly as possible. Antivirus software plays a vital role in incident response by providing automated tools and features for detecting, containing, and mitigating security threats, helping organisations effectively manage and respond to security incidents.

Three reasons why antivirus programmes are no longer enough

By now, I have explained the history of antivirus software and how antivirus software works. Now that we have covered these topics, it is time for us to reach the climax of this article: why antivirus software is no longer suitable as a single security solution.

There are several concerns and weaknesses of antivirus solutions, namely: 

The sophistication of modern malware

Antivirus programs primarily rely on signature-based detection and heuristic analysis to identify known patterns or behaviours of malware.

However, modern malware has become increasingly sophisticated, employing techniques such as polymorphism, encryption, and obfuscation to evade traditional detection methods. As a result, antivirus programs may struggle to keep pace with the rapidly evolving landscape of malware, leading to missed detections and vulnerabilities in cybersecurity defenses.

Malware can now, in essence, detect whether it is being monitored or sandboxed by an antivirus program and respond accordingly. So as antivirus programs have become smarter, malware has become increasingly cunning.

Traditional malware is typically used by script kiddies, and experienced hackers will often avoid it, using the likes of a reverse shell instead. Antivirus is often simply ineffective against an experienced hacker or an Advanced Persistent Threat (APT).

The emergence of FUD techniques

Over the past decade, hackers and cybercriminals have adopted a FUD (fully undetectable) method to compromise computers by using something called a ‘crypting service’. These crypting services work by obfuscating the code so that it is unrecognisable by antivirus software. 

Worryingly, most of the malware that you find online will be purchased on the darknet, and then cybercriminals, or unsophisticated script kiddies, will use this malware to infect devices. 

Polymorphic malware

Antivirus software faces an ongoing challenge in coping with the escalating prominence of polymorphic malware. Polymorphic malware represents a sophisticated breed of malicious software that constantly mutates its code, making it exceptionally difficult for traditional signature-based detection methods employed by antivirus programs to keep pace. This dynamic characteristic enables polymorphic malware to alter its appearance and structure, generating new variants that can easily evade detection by relying on static, predefined patterns.

The struggle for antivirus software intensifies as polymorphic malware employs advanced techniques like encryption, obfuscation, and code rewrites to disguise its true nature. These tactics are purposefully designed to thwart traditional antivirus solutions that primarily rely on recognising known patterns or signatures associated with previously identified malware strains. As polymorphic malware evolves, it poses a considerable challenge to antivirus tools that may struggle to adapt quickly enough to detect and mitigate the continuously changing variants.

Moreover, the increasing sophistication of polymorphic malware extends beyond evasion techniques, encompassing dynamic behaviours that can adapt in real time to circumvent traditional security measures. This adaptability allows polymorphic malware to remain elusive, making it a persistent and formidable adversary in the ever-evolving landscape of cybersecurity threats.

The continuous evolution of polymorphic malware, coupled with its ability to outsmart conventional antivirus solutions, necessitates a paradigm shift in cybersecurity strategies. Detection methodologies must transition towards more dynamic and behaviour-based approaches, leveraging advanced heuristics and machine learning algorithms that can identify patterns of malicious behaviour rather than relying solely on static signatures. Additionally, the collaborative efforts of cybersecurity professionals, researchers and software developers are crucial to staying ahead of polymorphic malware threats, ensuring the development and implementation of proactive and effective countermeasures.

Diverse attack vectors

Antivirus programs primarily focus on detecting and blocking malware infections on endpoints such as desktops, laptops and servers. Whilst this would have sufficed in the early days of the internet, technology has moved on considerably.

However, modern cyberattacks often target multiple attack vectors, including network infrastructure, cloud services, mobile devices, and Internet of Things (IoT) devices. Antivirus programs may not provide comprehensive protection across all these attack surfaces, leaving organisations vulnerable to exploitation through unsecured endpoints or network vulnerabilities.

As cyber threats continue to evolve and diversify, organisations must implement a multi-layered approach to cybersecurity that includes additional measures such as intrusion detection and prevention systems, security awareness training, and regular security assessments to augment the capabilities of antivirus programs.

With antivirus, you sacrifice your privacy for security

If privacy is one of your primary concerns, then be aware that antivirus solutions are, by design, a trade of privacy for increased security. In order for antivirus solutions to work, they need to monitor almost everything that you do on your computer. This usage data is then sent back to the ‘mothership’, in other words, your antivirus vendor and all the third-party services that the software integrates with.

There are a few reasons for this, namely:

  • Data Collection: Many antivirus programs collect user data for various purposes, such as improving threat detection algorithms, analysing trends, and enhancing product functionality. This data may include browsing history, search queries, installed applications, and even personal information. While antivirus vendors claim to anonymise this data, there’s always a risk of potential privacy breaches or misuse, especially if data is shared with third parties.
  • Traffic Monitoring: Some antivirus software includes features for monitoring network traffic to detect and block malicious activity. While this is crucial for preventing cyber threats, it also means that the antivirus program can potentially intercept and analyse all incoming and outgoing data packets. This raises concerns about user privacy, as sensitive information transmitted over the network may be subject to surveillance by the antivirus software.
  • Behavioural Tracking: To identify and block potential threats, antivirus programs often monitor user behaviour and system activity in real time. This includes tracking application usage, file access patterns, and system settings. While these monitoring activities are necessary for effective threat detection, they also raise privacy concerns, as users may feel uncomfortable knowing that their every action is being scrutinised by the antivirus software.
  • Third-Party Integrations: Many antivirus programs integrate with third-party services and tools for additional functionality, such as cloud storage, password managers, and VPNs. While these integrations can enhance the overall security of the user’s system, they also introduce potential privacy risks. Users must be cautious about the data shared with these third-party services and the privacy policies governing their use.

Zero-day exploits and advanced persistent threats

Antivirus programs are often ineffective against zero-day exploits, which are vulnerabilities or attacks that are previously unknown and for which no patches or signatures exist. Additionally, advanced persistent threats (APTs) are sophisticated, targeted attacks designed to evade traditional security measures, including antivirus programs.

APTs may use tactics such as social engineering, targeted phishing, and lateral movement within networks to infiltrate systems and remain undetected for extended periods, rendering antivirus programs insufficient for detecting and mitigating these threats.

The global, real time threat map

Russian cybersecurity vendor Kaspersky has created an interactive global map where you can see, in real time, statistics showing the sheer scale of malware infections. I recommend viewing this

What happens next?

As antivirus software becomes increasingly ineffective against sophisticated cyber threats and as privacy concerns surrounding its use continue to mount, it is evident that a reevaluation of cybersecurity strategies is imperative. 

The limitations of traditional signature-based detection methods, coupled with the growing complexity of malware and the potential privacy compromises inherent in antivirus solutions, underscore the need for a multifaceted approach to cybersecurity. 

Organisations and individuals alike must explore alternative security measures, such as endpoint detection and response (EDR), threat intelligence sharing, and behaviour-based anomaly detection, to better defend against evolving threats while safeguarding privacy. 

By embracing a proactive and holistic approach to cybersecurity, we can mitigate risks, enhance protection, and preserve privacy in an increasingly interconnected digital landscape.