Differences

This shows you the differences between two versions of the page.

--- antimalware_software [2025/08/30 14:12] – ultracomfy
+++ antimalware_software [2025/09/24 20:43] (current) – ultracomfy
@@ Line 3: / Line 3: @@
 </WRAP>
 ~~Title:Antimalware Software~~
 <WRAP centeralign>Information Technology/Cybersecurity/\\
-<fs xx-large>Antimalware</fs></WRAP>\\
+<fs xx-large>Antimalware Software</fs></WRAP>\\
 An antimalware program is a type of software used in the detection of and defense against malicious programs and exploits.
@@ Line 56: / Line 55: @@
 ===== 4. Behavioral Detection =====
-Behavioral detection is what truly distinguishes good products from terrible ones. It is, however, also the hardest to get right, if you get it working at all. Of course we as humans don't care about cybersecurity in terms of software or code. As a company, you don't want internal documents to be exfiltrated to a hacker group - what you want is a system that can stop //that//, not just "programs that look like they're evil". The malware sample used to do nefarious things is just that - a sample used to do nefarious things. What you care about is stopping the nefarious thing. If you understand this, Behavioral Detection is just for you.
+Behavioral detection is what truly distinguishes good products from terrible ones. However, it is also the hardest to get right, if you get it working at all. Of course we as humans don't care about cybersecurity in terms of software or code. As a company, what you care about is to prevent data exfiltration, not the semantics used to get there. The malware sample used to do nefarious things is just that - a sample used to do nefarious things. We don't care about the sample, we care about what it does. If you understand this, Behavioral Detection is just for you.
 When Signatures, Static Analysis and Sandboxing all return negative, it probably is time to let the program execute. But, behavioral detection keeps watching. If a program acts up and starts doing funny things - for example if it starts encrypting files - it will notice and shut that program down. If a program suddenly starts deleting a bunch of shit, or gives orders to another program to delete a bunch of shit - shut it down. If a program does funny things with your boot configuration, your autoruns, downloading files from the internet or uploading stuff from your PC - very suspicious. Behavioral detection is my favorite type of detection, because it addresses the exact thing that we, you and I, are ultimately talking about: the malicious action itself.
-The cool thing about behavioral detection is that it works entirely independently and does not discriminate. Even the most trusted corporation on the planet might one day get hacked and publish a malicious update that will harm your computer/data - but behavioral detection does not care whether something is done by a program from a trusted source or by a program your internet friend told you to download((And then "disable your firewall before running".)). The location in which your browser's session cookies are stored is //sacred// and nobody should get to access it and then just casually make a sneaky transmission over the internet without someone raising a hand. That's potentially an infostealer. No program should be able to load hundreds of files into memory per minute, garble their contents and then save them back to disk. That's definitely ransomware. Windows does //not// like programs that it does not know. It is quite hard these days to run scripts and programs you, or someone you know, made. Sometimes it will just refuse outright. But behavioral detection can genuinely make a difference here.
+The cool thing about behavioral detection is that it works entirely independently and does not discriminate. Even the most trusted corporation on the planet might one day make a mistake and publish an update to their software that has a vulnerability. Or maybe they got hacked and are now being used in a supply chain attack - behavioral detection does not care whether something is done by a program from a trusted source or by a program your internet friend told you to download((And then "disable your firewall before running".)). Games on Steam are generally considered to be "safe", but fake Steam games exist and can live for over a month before being taken down. The location in which your browser's session cookies are stored is //sacred// and nobody should get to access it and then just casually make a sneaky transmission over the internet. No program should be able to load hundreds of files into memory per minute, garble their contents and then save them back to disk. Windows does //not// like programs that it does not know. It is quite hard these days to run scripts and programs you, or someone you know, made. Sometimes it will just refuse outright. But behavioral detection can genuinely make a difference here.
-The advantage of this approach is that, regardless of whatever program you throw at it - known or not, popular or not, new or not, published by a trusted source or not, system online or not, downloaded from a shady website or not, ran from an unknown USB drive or not - behavioral detection can spot them all (while non-malicious programs are fine). Additionally, behavioral detection can spot all other kinds of exploits not delivered directly through an executable file. Even if a trusted program is weaponized, even if the source of the problem is a malicious image file or sound file, [[https://en.wikipedia.org/wiki/Log4Shell|even if the source of the problem is a programming oversight in the code of a programming library which lets remote hackers send arbitrary code to your machine, which it will then execute]] - behavioral detection sees that. Even supply chain attacks wherein bad actors gain access to a trusted program's development structure and insert malicious code into it, which will then be distributed quickly to a vast number of people, especially businesses, can be caught by behavioral detection.
+The advantage of this approach is that, regardless of whatever program you throw at it - known or not, popular or not, new or not, published by a trusted source or not, considered perfectly safe or not, system online or not, downloaded from a shady website or not, ran from an unknown USB drive or not - behavioral detection can spot them all (while non-malicious programs are fine). Additionally, behavioral detection can spot all other kinds of exploits not delivered directly through an executable file. Even if a trusted program is weaponized, even if the source of the problem is a malicious image file or sound file, [[https://en.wikipedia.org/wiki/Log4Shell|even if the source of the problem is a programming oversight in the code of a programming library which lets remote hackers send arbitrary code to your machine, which it will then execute]] - behavioral detection sees that. Even supply chain attacks wherein bad actors gain access to a trusted program's development structure and insert malicious code into it, which will then be distributed quickly to a vast number of people, especially businesses, can be caught by behavioral detection.
 The downside is that behavioral detection is //hard//. To understand which system operations exactly are //malicious// is already difficult enough for humans to agree on. Then putting that from words on paper into actual code, all the while working around the limitations and kinks of the operating system's own security measures... yeah, it's a pain. But - the ambition is there and some of the results are quite impressive. It is, like all other things, just yet another layer of protection, and all layers of protection have cracks and weaknesses. Seriously, as much as I am praising behavioral detection here, I am praising the //concept// of behavioral detection - actual implementations vary in quality and are often held back by serious capability restrictions or just plain poor quality - current behavioral detection products on the market are //not// to be relied upon. In fact, no one single product should ever be solely relied upon.
@@ Line 68: / Line 67: @@
 ====== How protection doesn't work ======
 ===== 1. Common Sense =====
-Common sense is the single most frequent advice that can be found on the internet. And it's true - human judgement can be a good and sometimes even the most effective layer of protection against threats of all kind. But.. who doesn't use common sense? I don't think most people would say that they are being irrational as they carry out an act that is irrational. Human judgement is prone to failure - that's why car accidents happen all the time. That's why most plane crashes happen. To say that you should primarily use common sense is to say that you should just drive better. Giving common sense as advice is to say "just don't make mistakes". Clearly, this is not how reality works.
+<WRAP box right centeralign 18%>
+{{::human.png?nolink&100|}}\\
+You are perfectly right, humans are the biggest threat to their PC. Therefore, we should not trust humans with keeping a PC safe. Not this guy, not your mom, not you - regardless of good you think you are. Get proper antimalware.
+</WRAP>
+Common sense is the single most frequent advice that can be found on the internet. And it's true - human judgement can be a good and sometimes even the most effective layer of protection against threats of all kind. But.. who doesn't use common sense? I don't think most people would say that they are being irrational as they carry out an act that is irrational. Human judgement is prone to failure - that's why car accidents happen all the time. That's why most plane crashes happen. To say that you should primarily use common sense is to say that you should just drive better. To say that you should just "not make mistakes". This is not how reality works.
 With heavy and potentially dangerous machines, operator training and safe handling standards are one half of the equation. The other half sits in the design department with skilled and knowledgeable people who recognize that even the most knowledgeable and experienced operator will make a mistake. Just a lapse of judgement. A brief moment of distraction, inattention. Tiredness, exhaustion or sometimes maybe just plain stupidity. Confirmation bias, pilots have to learn about this a lot. In fact, pilots will know best that the biggest threat to modern airplanes is the human sitting in the cockpit, and they are extensively trained to resist the kind of errors humans often make. To deny this reality is to deny decades of statistics and the science of risk management. Human factor is rule number #1. Don't fall victim to rule #1.
@@ Line 76: / Line 79: @@
 Risk management, a proper science that would //never// even //think// about suggesting something as ridiculous as this, is about minimizing risks at every stage of the process - at the human level, sure, but also at the mechanical level. That's why 50% of the resources of product design go into researching how humans could possibly fuck up using the product, and then minimizing the ways in which it can happen in the first place or how to minimize the potential damage.
-And that still doesn’t cover risks beyond your control. Supply chain attacks, insecure devices on your network, careless family members, colleagues, or even vendors whose own security might be weak—all are threats you cannot fix with judgment alone. The digital landscape has countless entry points far beyond simply “not downloading shady files", and treating common sense as the primary defense ignores the true scale of the problem.
+And that still doesn’t cover risks beyond your control. Supply chain attacks, insecure devices on your network, careless family members, colleagues, or even vendors whose own security might be weak, remote code execution vulnerabilities, all of these are threats you cannot fix with judgment alone. The digital landscape has countless entry points far beyond simply “not downloading shady files", and treating common sense as the primary defense ignores the true scale of the problem.
-===== 2. What not to rely on: Windows Defender? =====
+===== 2. Windows Defender? =====
 There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Obviously, "safe" isn't a binary. It's not that you are either "safe" or "not safe", the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that Common Sense plus Windows Defender is enough for the risk to be "low enough" for these people.
 Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.” The only real shift is that now we’re debating Defender itself.
-For years, Defender was a failure. The most basic job of antivirus is keeping a signature list of known malware. Any serious product should ace this by default. Defender didn’t. It consistently missed well-known, widely publicized malware, including samples that were years old. Tests showed detection rates around 40%-60%, while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity.
+For years, Defender was a failure. Keeping a signature list of known malware is the most basic form of antimalware, and any serious product should ace this by default. Defender did not; it consistently missed well-known, widely publicized malware, including samples that were years old. Tests showed detection rates around 40%-60%, while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity.
 Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative.
 Even so, Defender still has major shortcomings. Its scanning is largely signature-based, with minimal static analysis and weak behavioral detection. There’s some anti-ransomware with protected folders, but reliability is questionable. Worse, it has glaring design flaws: A single shell command can disable it completely, delete its signature definition files, or set the whole PC as an exception. Registry tweaks and group policy edits can bypass it in seconds. These are not obscure attacks - they’re widely known in the cybersecurity community, and in some circles defeating Defender is treated like a sport. Microsoft is patching, but the holes remain.