As threats to data security and integrity have grown, antivirus software was designed to prevent, detect, and remove malware infections on individual computing devices, networks, and IT systems. It is meant to detect and eliminate a wide variety of malware, including keyloggers, worms, browser hijackers, rootkits, spyware, botnet clients, adware, and ransomware.
Running as a background process, antivirus software scans computers, servers, or mobile devices to detect malware and contain its spread.
While every antivirus program may promise you complete security, the fact is that none of them can fully protect your sensitive data. Since the outset, antivirus vendors have been lying about their accuracy and effectiveness; most of them claim 100% precision in detecting bad programs. Yet users' data keeps being exploited even when an antivirus is installed on every computer connected to the network.
Even the most popular antivirus engines often miss a submitted sample for days. The vendors play a trick here, too: they won't let Google's VirusTotal share accurate detection statistics for individual engines.
These vendors have acted in their own interest and developed their own list of "ethical" testing guidelines, and those efforts have been criticized as dirty business measures. Whether a product scores 100% in a detection test or points out flaws in the test, none of them is 100% accurate, no matter what kind of analysis is carried out.
So, how to determine the real accuracy of an antivirus?
Well, a few factors help you determine the real accuracy of an antivirus. Some of them are described below.
- The significance of Malware Dwell Time
Across all your managed devices, what matters most is how accurate an antivirus product is in your environment. Nobody cares whether the vendor declares it 100% accurate when your environment is receiving malware that the product misses!
So accuracy alone is not the issue; you should also care about dwell time!
Dwell time, the length of time a malware program stays active on a device before the antivirus detects and removes it, is something no antivirus vendor predicts. Most products take days to detect a new malware sample, and detection time differs from one antivirus to another; according to the experts, none of them is quick on all malware.
It is not in a vendor's self-interest to tell you how long their product takes to detect and remove malware. And for what is going on in your environment, you shouldn't care about antivirus tests run over thousands of malware samples. You want your antivirus to be accurate, quick, and useful where it is deployed.
There is a way to hold your antivirus vendor accountable for deleting malware accurately in your environment and for decreasing dwell time: capture every newly executed program and process, along with the related files.
Most computers already come with a built-in program that can do this. Microsoft Windows has had this ability since the very beginning, but Microsoft's application control programs, e.g., AppLocker, are far better.
Apple and Linux distributions vary in their process tracking capabilities, but most of them can be configured to capture the crucial information. If you prefer, you can also use an open-source or commercial third-party application.
Each time a new program or process runs on a managed device, write the exact details to a central database. Capture at least the device's identifying information, the user, the time and date, the process, and the process's identifying information. Many users like AppLocker and other application control programs because they can report only the new processes executed after you took a snapshot of the device in its baseline state, which cuts down on irrelevant noise.
Once you have this information, whenever the antivirus reports a detection and the related removal, compare that new data point with when the process or program was first executed on the device. You may find that the majority of detections were noticed immediately, i.e., with "0 seconds" of dwell time.
That is the easy case, and there is no risk: it means the defensive controls are working as intended.
What you should be more interested in is how many antivirus detections had non-zero dwell time, and also how the malware got into your environment: phishing, unpatched software, a buffer overflow, a misconfiguration, etc. Any detected malware program with a dwell time of more than a few seconds is a prominent risk to your environment. Your organization's cybersecurity risk grows in direct proportion to the dwell time.
- How to capture malware dwell time?
Capturing dwell time lets you do a few essential things. First, it lets you make practical decisions based on the dwell time. Do you inform the user? Without it, all you can say is that some malware program was detected or removed. If the dwell time is known, the end user can be told something like:
Antivirus has detected and removed the following malware program, which has the following malicious capabilities (the names of the risks). The malware program became active on your computer X minutes ago and has now been detected and removed. Based on this information, you can quickly assess the risk to your activities and to the organization.
Questions such as: were you using logon credentials? Did you access other systems with other credentials? Did you access sensitive information? Did you send confidential information?
With all this information, you can report any risk that has been hovering around your organization and assist with remediation.
Do this by tracking malware dwell time as a key indicator for each device, user, department, configuration, and the organization as a whole. Check whether the individual indicators are going up or down over time. Has any particular user or configuration seen dwell time rise? Is dwell time going up for particular malware families or classes, and if so, why?
If you see dwell time increasing, contact your antivirus vendor immediately and get them involved.
Handing the data over to them can help decrease the dwell time if the cause is in their hands. Otherwise, you can try other antivirus products and check their performance hit and false-positive rate. But if you don't know how well the antivirus is doing in your particular environment, do the rest of the situations and consequences really matter?
None of this is rocket science, and you can do it for free in your own facility. It involves capturing all new executions, reporting them to a centralized database, and comparing them against the malware detection database you already have. Run a few queries, and you have a useful new critical data point in your mission against cybersecurity threats.
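The capture-and-compare procedure above (first execution recorded centrally, then joined against the antivirus detection event to get dwell time, then rolled up per device or malware family to watch the trend), as an added example that is not code from the original article or from any antivirus product. It uses an in-memory SQLite database, and all device names, users, hashes and family labels are constructed placeholders; the five-second follow-up threshold is an assumption drawn from the "more than a few seconds" rule above.

```python
"""
Dwell-time tracking: join first-seen process executions against antivirus
detection events, compute dwell time per detection, and summarise by device
or malware family. Added example; all records below are constructed.
"""
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE executions (
    device TEXT NOT NULL,   -- identifying information of the device
    user   TEXT NOT NULL,
    ts     TEXT NOT NULL,   -- ISO 8601 with UTC offset
    path   TEXT NOT NULL,
    sha256 TEXT NOT NULL    -- identifying information of the process image
);
CREATE TABLE detections (
    device  TEXT NOT NULL,
    ts      TEXT NOT NULL,
    sha256  TEXT NOT NULL,
    family  TEXT NOT NULL,  -- vendor's family/class label
    removed INTEGER NOT NULL
);
"""

# Constructed sample telemetry (placeholder hashes, not real IoCs).
EXECUTIONS = [
    ("ws-01", "alice", "2024-03-01T09:00:00+00:00", "C:\\Users\\alice\\Downloads\\invoice.exe", "hash-a"),
    ("ws-01", "alice", "2024-03-01T09:00:05+00:00", "C:\\Windows\\System32\\notepad.exe", "hash-b"),
    ("ws-02", "bob",   "2024-03-01T10:00:00+00:00", "C:\\Temp\\update.exe", "hash-c"),
    ("ws-03", "carol", "2024-03-02T11:30:00+00:00", "/tmp/helper", "hash-d"),
]
DETECTIONS = [
    ("ws-01", "2024-03-01T09:00:00+00:00", "hash-a", "Trojan.Example", 1),  # caught at launch
    ("ws-02", "2024-03-03T08:15:00+00:00", "hash-c", "Trojan.Example", 1),  # almost two days later
    ("ws-03", "2024-03-02T11:30:45+00:00", "hash-d", "Worm.Example", 0),    # 45 s, not removed
    ("ws-04", "2024-03-04T12:00:00+00:00", "hash-e", "Worm.Example", 1),    # no execution record at all
]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO executions VALUES (?,?,?,?,?)", EXECUTIONS)
    con.executemany("INSERT INTO detections VALUES (?,?,?,?,?)", DETECTIONS)
    return con


def dwell_times(con: sqlite3.Connection) -> list:
    """One record per detection. dwell_s is detection time minus the first
    recorded execution of the same file on the same device; it is None when
    no execution record exists, which is a telemetry gap, not a zero."""
    rows = con.execute("""
        SELECT d.device, d.family, d.ts, d.removed, MIN(e.ts)
        FROM detections d
        LEFT JOIN executions e ON e.device = d.device AND e.sha256 = d.sha256
        GROUP BY d.device, d.sha256, d.ts, d.family, d.removed
        ORDER BY d.ts
    """).fetchall()
    result = []
    for device, family, det_ts, removed, first_seen in rows:
        dwell = None
        if first_seen is not None:
            dwell = (datetime.fromisoformat(det_ts) - datetime.fromisoformat(first_seen)).total_seconds()
        result.append({"device": device, "family": family, "dwell_s": dwell, "removed": bool(removed)})
    return result


def summarize(records: list, key: str) -> dict:
    """Per-device or per-family summary: detections, how many had non-zero
    dwell time, and the worst dwell time seen. Run it over successive periods
    to see whether the indicator is rising or falling."""
    out = {}
    for r in records:
        s = out.setdefault(r[key], {"detections": 0, "nonzero": 0, "max_dwell_s": 0.0})
        s["detections"] += 1
        if r["dwell_s"] is None:
            continue
        if r["dwell_s"] > 0:
            s["nonzero"] += 1
        s["max_dwell_s"] = max(s["max_dwell_s"], r["dwell_s"])
    return out


def needs_follow_up(records: list, threshold_s: float = 5.0) -> list:
    """Detections worth investigating: dwell time above the threshold
    (assumed 5 s), unknown dwell time, or malware the antivirus did not remove."""
    return [r for r in records
            if r["dwell_s"] is None or r["dwell_s"] > threshold_s or not r["removed"]]


if __name__ == "__main__":
    recs = dwell_times(build_db())
    for r in recs:
        print(r)
    print(summarize(recs, "family"))
    print(needs_follow_up(recs))
```

The LEFT JOIN is deliberate: a detection with no matching execution record (ws-04 above) should surface as a gap in the capture pipeline rather than silently count as a zero-second catch.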
- How did malware enter your environment?
For several security reasons, you also want to know how a malware program managed to get into your system and execute. Was it social engineering, a misconfiguration, or unpatched software? With a little more effort, you can figure this out.
Surprisingly, most malware attacks come from well-known web exploit kits, which typically use a few known exploits against unpatched software. Do a little research to find out which exploits those malware programs use. Put those exploits in another database, and when your antivirus detects that malware, find out which of the programs it exploits were unpatched on the affected computers. If all the targeted software was patched, the malware was more likely launched using social engineering. And if you see defensive gaps that let the malware in, work on filling them first.
Mostly, antivirus just warns you with a message saying "we have detected something." The most crucial information, such as which malware is being downloaded and executed in your environment, is what actually helps you, and dwell time is just as important. With a few adjustments, a database or two, and some queries that work well against those databases, you can greatly increase your knowledge of how much benefit your chosen antivirus program really brings to your organization. And, of course, you can do more!
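The entry-vector check just described (an exploit database per malware family, looked up against the affected host's software inventory at detection time), as an added example that is not code from the original article. The family labels, application names, version numbers and host inventories are constructed placeholders, not real products or advisories; in practice the EXPLOITED_SOFTWARE table is what you fill in from your own research on each family.

```python
"""
Entry-vector triage: when antivirus reports a detection, check whether the
host was running an unpatched application that the malware family's known
exploits target. Added example with constructed data throughout.
"""
from typing import Dict, List, Tuple

# Constructed: for each malware family, the applications its known exploits
# target and the first version that is patched against them.
EXPLOITED_SOFTWARE: Dict[str, List[Tuple[str, str]]] = {
    "Trojan.Example": [("ExampleReader", "11.0.3"), ("ExamplePlugin", "2.4.0")],
    "Worm.Example":   [("ExampleBrowser", "120.0")],
}

# Constructed: software inventory per host (application -> installed version).
INVENTORY: Dict[str, Dict[str, str]] = {
    "ws-01": {"ExampleReader": "11.0.1", "ExamplePlugin": "2.4.0"},
    "ws-02": {"ExampleReader": "11.0.3", "ExamplePlugin": "2.5.1", "ExampleBrowser": "119.0"},
    "ws-03": {},  # inventory never collected for this host
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string to a comparable tuple; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def unpatched_targets(host: str, family: str) -> List[Tuple[str, str, str]]:
    """(application, installed, fixed) for every targeted application on the
    host whose installed version is older than the patched one."""
    installed = INVENTORY.get(host, {})
    hits = []
    for app, fixed in EXPLOITED_SOFTWARE.get(family, []):
        have = installed.get(app)
        if have is not None and parse_version(have) < parse_version(fixed):
            hits.append((app, have, fixed))
    return hits


def likely_entry_vector(host: str, family: str) -> str:
    """Triage verdict for a detection of `family` on `host`. A missing inventory
    or an unmapped family yields 'unknown' rather than a guess."""
    if not INVENTORY.get(host):
        return "unknown: no software inventory for host"
    if family not in EXPLOITED_SOFTWARE:
        return "unknown: no exploit mapping for family"
    hits = unpatched_targets(host, family)
    if hits:
        detail = ", ".join(f"{app} {have} (fixed in {fixed})" for app, have, fixed in hits)
        return "unpatched software: " + detail
    return "targeted software patched: suspect social engineering or misconfiguration"


if __name__ == "__main__":
    for host, family in [("ws-01", "Trojan.Example"), ("ws-02", "Trojan.Example"),
                         ("ws-02", "Worm.Example"), ("ws-03", "Trojan.Example")]:
        print(host, family, "->", likely_entry_vector(host, family))
```

The "all patched" verdict only means the known exploits for that family were not usable on the host; it points you toward social engineering or misconfiguration as the next thing to check, not to a conclusion.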