A common misconception about antivirus file scanners is that they simply look for known patterns in files in order to determine if a file is good or bad. Actually, modern antivirus solutions go beyond simple pattern matching and apply generic and heuristic techniques when looking for threats. In fact, the best antivirus engines provide multiple methods for identifying known and unknown threats. Symantec’s file-based protection is one such technology.
File-based security has a long history as one of the cornerstones of our protection technologies. STAR continues to invest in and drive innovation to our file-based security to keep current with the latest developments on the threat landscape. Having infected files on a target machine is one of the main methods for threats to maintain a presence on a machine beyond the initial attack. Because of this, file-based protection will always be instrumental in detecting, neutralizing and removing threats on our customers’ machines. Common threat vectors that file based technology protects against include:
- Malware and Viruses
- Targeted Attacks including Advanced Persistent Threats (APT), Trojans and general Malware
- Social Engineering Attacks – FakeAV and Fake Codecs
- Bots and Botnets
- Malicious PDFs and Microsoft Office Documents (PowerPoint, Excel and Word)
- Malicious compressed files
- Spyware and Adware
In order to address these threats, four components form the core of our file-based protection technology: the antivirus engine, Auto Protect, the ERASER engine, and our heuristic technologies, Malheur and Bloodhound.
Symantec's unique scanning engine is broadly deployed on over 350 million machines. It is a stable, high-performance security technology providing advanced detection against the latest threats. The engine is frequently updated in the field via LiveUpdate to seamlessly respond to new threats. This allows us to update the detection capability of our product without requiring a complete product update.
Symantec’s real-time file scanner detects threats being written to or from a file system. Written at the kernel level, Auto Protect is a high-performance and low-footprint scanning engine that protects against the latest threats while staying out of the user's way. When files are written to a machine’s disk, Auto Protect is triggered and uses the antivirus, Malheur and Bloodhound engines to scan the files. By running at such a low level, Auto Protect can block an infected file before it has a chance to run and infect the system. In addition to file protection, Auto Protect delivers key functionality for Download Insight, part of our advanced analytics reputation technologies.
Symantec’s ERASER engine provides repair and removal capability for threats found on a customer’s system by our various detection technologies. ERASER is also responsible for checking that drivers and applications that run at startup are not malicious. To ensure that our product is not being tricked by rootkits or other malware, ERASER uses a number of techniques that bypass regular system registry and disk lookups. These technologies allow ERASER to perform direct registry and direct disk access.
Malheur & Bloodhound
In addition to signature based detections, we provide technologies that can convict a file that has never before been seen, but has characteristics common to malicious files. This heuristics-based protection is provided in our Malheur & Bloodhound technologies. Heuristic signatures can detect unknown malware based on file attributes,attempts to exploit vulnerabilities, and other common actions found in known malware.
A Deeper Dive into Features
Each of the following sections describes a file-based technology feature that is intrinsic to the core components explained above.
Broad File Support
Compressed files and files embedded inside other files are among the broad set of file types that can be examined for hidden malware. A partial list of analyzed file types include:
DOC, .DOT, .PPT, .PPS, .XLA, .XLS, .XLT, .WIZ, .SDW, .VOR, .VSS, .VST, .AC_, .ADP, .APR, .DB, .MSC, .MSI, .MTW, .OPT, .PUB, .SOU, .SPO, .VSD, .WPS, .MSG ZIP, .DOCX, .DOCM, .DOTX, .DOTM, .PPTX, .PPTM, .PPSX, .PPSM, .XLSX, .XLSB, .XLSM, .XLTX, .XLTM, .XLAM, .XPS, .POTX, .POTM, .ODT, .OTT, .STW, .SXW, .eml, .MME, .B64, .MPA, ,AMG, .ARJ, .CAB, .XSN, .GZ, .LHA, .SHS, .RAR, .RFT, .TAR, .DAT, .ACE, .PDF, .TXT, .HQX. .MBOZ, .UUE, .MB3, .AS, .BZ2, .ZIP, .ZIPX
In some cases, malware will use “packer” technology to obfuscate their files in an attempt to avoid detection by simplistic pattern matching algorithms. Our Unpacker Engine can:
- Decompresses affected executable files.
- Recognize hundreds of distinct packer families.
- Recursively unpack files that are multiply-packed until the core malware is reached.
Generic Virtual Machine
The GVM allows code to be executed in a sandboxed safe-environment.
- Byte code-based system like Java or C#, making it extremely safe to rapidly produce new protection technologies without crashes or hangs.
- Applies extremely complex heuristics and family signatures, for threats like Trojan.Vundo.
- Performs all scanning of non-traditional file formats; e.g., PDF, DOC, XLS, WMA, JPG, etc.
Includes advanced CPU emulation technology to trick polymorphic malware into de-cloaking.
Symantec has 3 different anti-rootkit technologies designed to find and remove even the most stubborn rootkits like Tidserv and ZeroAccess, working around stealthing techniques commonly used by rootkits. The techniques include:
- Directly access the hard drive volumes Direct Registry Hive scanning.
- Kernel memory scanning.
Includes advanced hashing techniques to simultaneously scan for millions of Trojans and spyware threats in microseconds.
- Locates and extracts key file regions known to contain malware logic.
- Takes cryptographic hashes of each section and looks them up in the fingerprint database.
- Advanced algorithms enable the Anti-Trojan Engine to simultaneously scan for tens of millions of malware strains in literally microseconds.
Uses 'fuzzy' signatures to identify both known and new, unknown malware variants.
- Scans files using hundreds of thousands of fuzzy signatures simultaneously, drastically improving scan performance.
- The fuzzy signatures can detect entirely new malware strains the moment they're released.
Advanced Heuristic Engines
Focused detection of server-side polymorphed strains.
- Over a dozen different heuristics (and growing) search for different suspicious file characteristics.
- All suspicious files are correlated against Symantec’s reputation cloud and our digital signature trust list.
- Engines use context to adjust heuristic sensitivity; e.g., heuristics are more suspicious of newly downloaded files than of installed applications.