Why anti-malware software doesn’t always work
Operating systems were designed to have an open software architecture. An open software architecture makes it possible for anyone to add, update or replace certain pieces of the operating system to extend its functionality. Many applications have an open software architecture as well, making it possible for third-party developers to create plug-ins. This openness allows third-party developers to significantly enhance software beyond what the original developer provided to the end customer. Without an open architecture, we would be at the mercy of the original developer’s ability to enhance software to meet our needs.
Unfortunately, hackers take advantage of this open architecture as well. Once a hacker obtains the necessary permissions, he too can add or replace certain pieces of the operating system and other applications, change configuration settings and disable certain software, including anti-malware software. Because the operating system can’t differentiate between authorized and unauthorized changes, it just lets the hacker have his way with a computer.
As you know, the role of anti-malware software is to identify malicious code and either kill it or flag it as malicious and let you decide what to do with it. It does this by matching the malware’s executable code against a database of known malware and by using heuristic analysis to determine that something is malware, even if it doesn’t have a signature. Hackers know this, of course, and as a result they test their malware to make sure it doesn’t match any known signature and isn’t detectable by heuristic analysis engines. Until an anti-malware vendor becomes aware of new undetectable malware, a hacker can install his malware on any number of systems on which he can obtain the necessary permissions. One of the reasons there are so many malware signatures is that hackers keep having to replace their malware with new versions that are undetectable!
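To make the two detection methods concrete, here is a toy scanner added as an example; it is not code from the post or from any anti-malware product. It matches a file's SHA-256 digest against a constructed signature set, then falls back to two simple heuristics (suspicious API-name strings and high byte entropy, which is typical of packed or encrypted payloads). All sample "files" are constructed byte strings, the function names, the `SUSPICIOUS_STRINGS` list and the 7.0 entropy cut-off are assumptions for illustration, and a one-byte change is enough to show why a signature stops matching while a heuristic still fires.

```python
"""Toy signature + heuristic scanner (constructed example, not a real engine)."""
import hashlib
import math
from collections import Counter

# --- constructed sample "files" (harmless byte strings, not real malware) ---
KNOWN_SAMPLE = (
    b"MZ" + b"\x90" * 16
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"payload-placeholder"
)
# Same file with one trailing byte changed: a new "version" of the same code.
VARIANT = KNOWN_SAMPLE + b"\x01"
# A plain benign file: no suspicious strings, low entropy.
BENIGN = b"MZ" + b"This program cannot be run in DOS mode.\r\n" + b"Hello, world!" * 10
# A "packed" file: every byte value appears about equally, so entropy is near 8 bits.
PACKED = b"MZ" + bytes(range(256)) * 8

# Hypothetical API names a heuristic engine might treat as indicators.
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]
ENTROPY_CUTOFF = 7.0  # assumed threshold, in bits per byte


def sha256_hex(data: bytes) -> str:
    """Signature for this toy: the SHA-256 digest of the whole file."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def heuristic_score(data: bytes) -> int:
    """Count indicators: +1 per suspicious string, +2 for packed-looking entropy."""
    score = sum(1 for s in SUSPICIOUS_STRINGS if s in data)
    if shannon_entropy(data) > ENTROPY_CUTOFF:
        score += 2
    return score


def scan(data: bytes, signatures: set, threshold: int = 2) -> str:
    """Return 'signature', 'heuristic' or 'clean' for one file."""
    if sha256_hex(data) in signatures:
        return "signature"          # exact match in the known-malware database
    if heuristic_score(data) >= threshold:
        return "heuristic"          # no signature, but enough indicators
    return "clean"


# The vendor's database knows only the original sample.
SIGNATURES = {sha256_hex(KNOWN_SAMPLE)}


def demo() -> dict:
    """Scan each constructed sample and return the verdicts by name."""
    return {
        "known": scan(KNOWN_SAMPLE, SIGNATURES),
        "variant": scan(VARIANT, SIGNATURES),
        "benign": scan(BENIGN, SIGNATURES),
        "packed": scan(PACKED, SIGNATURES),
    }


def demo_after_update() -> str:
    """Once the vendor adds the variant's digest, it matches by signature again."""
    updated = SIGNATURES | {sha256_hex(VARIANT)}
    return scan(VARIANT, updated)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
    print("variant after signature update ->", demo_after_update())
```

The `variant` result is the point of the paragraph above: changing a single byte produces a different digest, so the signature lookup fails and only the heuristic layer catches it; `demo_after_update` shows the catch-up cycle in which the vendor adds the new digest, which is why the signature database keeps growing.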
One last thing you need to know is that not all vendors become aware of all new malware, and not all heuristic engines work the same. As a result, detection rates vary between products. That’s why many people advocate running more than one anti-malware product. The more products you use, the better your chances that one of them will catch something the others didn’t catch. But don’t run so many products that your system slows down to a crawl. In addition, some anti-malware products don’t do well together, so you need to do some testing to figure out what combination works best.
Are you fascinated by all of this? Want to learn more? Want to know other ways that hackers avoid detection? Read my book!