9

I do not understand very well the difference between signature based vs behavior based antiviruses. Please clarify the distinction between the two.

Karan Bansal
    One says "Hey, I've seen this program before. My database says it's a virus!", the other says "Hey, this program seems to be doing something suspicious. It must be a virus!" – Ajedi32 Jul 29 '15 at 13:48

3 Answers

10

Signature-based AV compares hashes (signatures) of files on a system to a list of known malicious files. It also looks within files to find signatures of malicious code.

Behavior-based AV watches processes for telltale signs of malware, which it compares to a list of known malicious behaviors.

The reason many AV products are adding behavior-based detection is that many malware creators have begun using polymorphic or encrypted code segments, which are very difficult to create a signature for. An easier way to detect these is to watch for a particular pattern of behavior to identify the malware.

ztk
1

Signature-based virus detection succeeds only with old viruses, because they did not exist in different variants as they do nowadays. The signature can be MD5/SHA1 hashes, for example. See this post for more information: What patterns does a signature based anti-virus look for?. Behavior-based detection (also called heuristic-based detection), by contrast, functions by building a full context around every process execution path in real time.

  • This might be an oversimplification. Old viruses had variants, too, but as new code morphs, the signature approach isn't scalable. Behaviour-based approaches can also be much simpler than your example. E.g. no user-land process should be writing to System32. – schroeder Jul 28 '15 at 17:37
  • No serious A/V uses cryptographic hashes as its primary blocking tool (though many use it as a cache to prevent scanning something twice). All A/V engine signatures are robust, keying on just the malicious part of a file. Some mutations will be caught by signatures, others will not. MD5/SHA1 is incapable of catching a mutation. – Adam Katz Jul 28 '15 at 22:41
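As an added example (not code from any of the answers), a toy scanner in Python that shows the three mechanisms discussed above side by side: a whole-file hash signature, a byte-pattern signature that keys on just the malicious part (the robust signature Adam Katz's comment describes), and a behavior rule for a user-land process writing under System32 (schroeder's example). All file contents, paths and process events are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "files": invented bytes, not real malware.
MALICIOUS_CORE = b"\x90\x90CONSTRUCTED-MARKER\xcc"   # hypothetical malicious snippet
KNOWN_BAD = b"header-v1" + MALICIOUS_CORE + b"trailer"
MUTANT = b"header-v2" + MALICIOUS_CORE + b"trailer"   # one byte changed outside the core
BENIGN = b"header-v1 just a text file"

# Signature database: whole-file hashes (fast, but brittle against mutation)
# and byte patterns that key only on the malicious part (robust to mutation).
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
PATTERN_SIGNATURES = [MALICIOUS_CORE]

def hash_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in HASH_SIGNATURES

def pattern_match(data: bytes) -> bool:
    return any(sig in data for sig in PATTERN_SIGNATURES)

def signature_scan(data: bytes) -> str:
    """Return which signature layer flagged the file: 'hash', 'pattern' or 'clean'."""
    if hash_match(data):
        return "hash"
    if pattern_match(data):
        return "pattern"
    return "clean"

# Behavior monitor: works on what a process does, not on what its file looks like.
@dataclass(frozen=True)
class Event:
    image: str    # path of the executing program (constructed)
    action: str   # e.g. "read", "write", "connect"
    target: str   # file path or address acted on

SYSTEM_DIRS = ("C:\\Windows\\System32\\",)
TRUSTED_IMAGES = {"C:\\Windows\\System32\\svchost.exe",
                  "C:\\Windows\\System32\\TrustedInstaller.exe"}

def behavior_scan(events) -> list:
    """Return alerts for events matching the behavior rules; no file signature needed."""
    alerts = []
    for e in events:
        # Rule: a non-trusted (user-land) process writes under System32.
        if (e.action == "write" and e.target.startswith(SYSTEM_DIRS)
                and e.image not in TRUSTED_IMAGES):
            alerts.append(f"{e.image} wrote {e.target}")
    return alerts
```

The mutant file evades the hash signature but not the pattern signature, and a file with no signature at all is still caught when it behaves badly.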
1

Well, let me try and explain it as neatly as possible. 'Signature'-based and 'behavior'-based scanning tend to be offered as antivirus features. Viruses have signatures like you have. Some tend to have static signatures while others tend to have polymorphic ones. Imagine you could change your signature and try and get away with it (from your bank or any such institution).

In static signatures, the antivirus has a predefined database of known signatures, and hence while scanning it creates the appropriate signature for each file (using MD5 or other hashes) and compares them with the predefined list. If they match, the file is treated as a 'threat'. This antivirus database is updated when you click the update button in your AV interface, which provides you with a list of known signatures and adds them to the existing database, thereby protecting you against the latest threats.

Hackers have become smarter and try to evade static signature detection techniques by coding the virus in such a way that it can change its signature. Threat protection experts then started using 'heuristic' techniques to identify viruses. For example, imagine you are a burglar and are planning to break into a house. You try to gain as much information as possible about the house and its residents by using surveillance. Then you go to a weapons shop to pick up a weapon that can be used 'just in case'. You reach the store and there is the police with handcuffs. The 'behavior'-based antivirus works in the same way. It tries to identify the 'behavior' of a file. E.g. an mp3 file trying to modify a system file, or something like that which is unacceptable under normal circumstances. This is hence treated as 'dangerous behavior', and hence the antivirus classifies it under the 'threat' category.

@schroeder: Treat the police as the antivirus and the burglar as the virus. The burglar is planning to attack a house. Imagine if the police were monitoring each and every citizen and flagged this particular 'potential burglar' under a 'possible threat' scenario, since he is showing signs that he 'can perform a burglary'. He walks around the same house every night at 9:00 and then calls up the same number with some ideas. I meant it that way. The antivirus tracks the 'behavior' that the file is exhibiting. Too much RAM, frequent connections to random IPs, unauthorized access to modify a file, etc.

user2339071
    I'm not sure that your burglar scenario works. You might need to clarify how it applies to heuristic analysis. – schroeder Jul 28 '15 at 17:40