Methods of protection
Traditional methods of protection against malware
The first antivirus programs worked on signature-based technology: comparing suspicious code against a database of known virus signatures. As the number and diversity of malware grew, it became clear that this method alone is not effective: before new malicious code is added to the virus database, it can cause substantial harm. Antivirus companies therefore began developing proactive technologies to deal with new threats. Below is a list of the modern methods of protection that anti-virus programs use against all types of malicious code, including spyware.
Heuristic analysis technology analyzes the code of a program, script or macro and detects the sections of code responsible for malicious activity.
Its efficiency is not high, because the user is faced with a large number of false alarms caused by the increased sensitivity of the analyzer. In addition, malware authors have learned to circumvent the heuristic component of antivirus programs.
Emulation technology runs a suspicious program in an environment that emulates the behavior of the OS or CPU. In this mode the program cannot harm the user's computer, because its malicious actions are contained by the emulator.
Unfortunately, this method also has drawbacks: emulation takes a lot of time and computer resources, which hurts performance. In addition, modern malware is able to detect that it is running in an emulated environment and may stop working there.
Behavioral analysis technology monitors all activity on the computer and intercepts all important system functions. It evaluates not only a single action but also a chain of actions, which increases the efficiency of anti-malware protection. Behavioral analysis is the technological basis for a whole class of programs: behavioral blockers (HIPS). When dealing with spyware that intercepts keyboard input and takes screenshots, however, behavioral analysis cannot determine whether these actions are legitimate: were they initiated by the user or by malware? Therefore the user must add every new legitimate program to a “white list”, otherwise he or she will not be able to use it.
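To make the chain-of-actions idea concrete, here is an added example (not code from the original article) of a toy behavioral blocker run over a constructed event log: a keyboard hook or screen capture on its own is allowed, a hook or capture followed by a network send is blocked, and only the user-maintained white list lets a legitimate screenshot tool through. The process names, actions and the white list are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample event log (pid, process name, intercepted action); not from a real system.
EVENTS = [
    (100, "notepad.exe", "file_write"),
    (200, "spy.exe", "set_keyboard_hook"),
    (200, "spy.exe", "screen_capture"),
    (200, "spy.exe", "net_send"),
    (300, "screensnip.exe", "screen_capture"),   # legitimate cloud screenshot tool
    (300, "screensnip.exe", "net_send"),
    (400, "macrorec.exe", "set_keyboard_hook"),  # a hook alone is not a verdict
    (400, "macrorec.exe", "file_write"),
]

# A single hook or capture is normal; only the chain "capture, then send out" is suspicious.
SPY_CHAINS = [
    ("set_keyboard_hook", "net_send"),
    ("screen_capture", "net_send"),
]

# Hypothetical white list maintained by the user, as the text describes.
WHITE_LIST = {"screensnip.exe"}

def contains_chain(actions, chain):
    """True if the actions of `chain` occur in this order (gaps between them allowed)."""
    i = 0
    for action in actions:
        if action == chain[i]:
            i += 1
            if i == len(chain):
                return True
    return False

def analyze(events, white_list=WHITE_LIST):
    """Return {pid: verdict}; every verdict starts with 'allowed' or 'blocked'."""
    actions_by_pid = defaultdict(list)
    name_by_pid = {}
    for pid, name, action in events:
        actions_by_pid[pid].append(action)
        name_by_pid[pid] = name
    verdicts = {}
    for pid, actions in actions_by_pid.items():
        if name_by_pid[pid] in white_list:
            verdicts[pid] = "allowed (white list)"
            continue
        hits = [" -> ".join(c) for c in SPY_CHAINS if contains_chain(actions, c)]
        verdicts[pid] = "blocked: " + "; ".join(hits) if hits else "allowed"
    return verdicts
```

Calling `analyze(EVENTS, white_list=set())` shows the caveat from the text: without the white list entry, the legitimate screenshot tool is blocked exactly like the spyware.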
Sandboxing – restriction of execution privileges.
Sandbox technology works on the principle of limiting the activity of potentially malicious programs so that they cannot harm the computer.
This is achieved by running unknown applications in a restricted environment called the “sandbox”. From inside the sandbox, the program has no access to critical system files, the registry or other important information. This is an efficient technology, but the user must have the knowledge to properly evaluate an unknown application.
Desktop virtualization environment.
Virtualization technology uses a system driver to intercept all requests to write to the hard drive and, instead of writing to the real disk, writes them to a special disk area, the buffer. Therefore, even if the user runs malicious software, it lives no further than the buffer, which by default is cleared when the computer is turned off.
But virtualization of the working environment cannot protect against malicious programs whose primary purpose is to steal confidential information, because read access to the hard drive is not prohibited.
As the above descriptions of traditional protection technologies show, all of them have disadvantages along with their advantages. The more methods you use, the greater the degree of security. But even several of the aforementioned technologies are unlikely to protect against new spyware. So which method of protection against spyware is more reliable?