How we go deeper to protect you from new threats

New! Read our free whitepaper about F-Secure DeepGuard, our proactive protection against new and emerging threats. Read it here.

You may know that F-Secure won the Best Protection Award – twice in a row. But if you’ve ever wondered about how we actually go about protecting our customers from malware, this post is for you. We do it by going deeper. Let me explain.

Traditional antivirus software looks at the outward characteristics of files to see if the characteristics match those of previously seen malware files. If they match, the antivirus program knows to block the file.

For this system to work, antivirus labs need to have a sample of the malware file in order to analyze its characteristics so they know exactly what they need to block.

This is a very effective method for blocking most malware seen to date, and this is how F-Secure protects you from existing malware we already know about.

Of course, it takes time for antivirus labs to receive a malware sample and analyze it so we can effectively block it. That means brand new malware created just in the past few days or weeks that we haven’t yet had a chance to analyze, can get past traditional scanning systems.

Complicating the issue, cybercriminals who create malware nowadays are very clever at avoiding detection by antivirus programs. One way they do this is by creating new, different variants of their malware. These variants are still the same malware at the core, but they appear new and different on the outside. Like a criminal who dresses in disguise to avoid being recognized, the malware file is disguised to avoid detection by antivirus software. There are automated malware creation kits that do this for the cybercriminals, making it easy to spit out thousands of new variants.

To be able to protect from brand new malware, then, and to protect from all the new variants of existing malware, it is crucial for F-Secure’s software to be able to detect a malware file even before our Labs have ever received a sample of it.

So how do we block malware strains we’ve never seen? We examine not just a file’s outward characteristics, but we also monitor its behavior for suspicious activity. Like I said, malware can change in appearance and characteristics. But one thing never changes: Malware always does malicious things. So if we’re not sure if a file is malicious or not, we watch to see how the program behaves.

We call our behavioral analysis technology DeepGuard. DeepGuard observes a program’s behavior and prevents potentially harmful actions from successfully completing. This way, we can block even brand new malware files that haven’t yet been analyzed. And we can stop malicious files that are disguised as something else.

When the user opens a file, any file, DeepGuard instantaneously checks for suspicious behavior, and if it finds something, it will block the program from launching. Since some malware hide their malicious behavior until after the program launches, DeepGuard still continues monitoring programs while they are running, watching for and blocking suspicious actions.

DeepGuard is a feature of F-Secure’s products, working in tandem with our other protection layers (browsing protection, traditional signature scanning, file reputation analysis, and prevalence rate checking) to provide the very best protection. Our newest version, DeepGuard 5 with exploit protection, has already been rolled out, so customers with the latest versions of F-Secure products are already benefiting from the latest technology.

And that’s how we protect you.

More posts from this topic


Cyber Monday Mythbusting

It's Cyber Monday, and marketing companies expect online shoppers to flock to websites and apps in order to take advantage of holiday sales. And naturally, this causes concerns about what kind of risks people are taking when they shop online. But F-Secure Security Advisor Sean Sullivan says any security warnings focusing on Cyber Monday are simply part of the hype. “Cyber Monday is no more or less safe than any other day of the year. People just expose themselves to more online threats when they do more stuff online, but that really has nothing to do with Cyber Monday. And people that tell you otherwise aren’t doing you any favors.” So there you have it. On the other hand, Sullivan does point out that holiday shoppers should beware of the extent to which they expose themselves while online shopping, which is becoming more popular during the holidays. Adobe is projecting an eleven percent increase in online spending during the holidays this year, amounting to a whopping 83 billion dollars. So that’s 83 billion dollars that will be up for grabs (compared to just 3 billion on Cyber Monday), so it’s naïve to think that criminals are just going to ignore the opportunity. Last year, F-Secure Labs registered a sharp increase in ransomware detections during November and December, including a 300 percent increase in the Browlock police-themed ransomware family. Sullivan published a recent blog post examining the Crytowall ransomware family, which he says is prevalent during the holiday season but virtually disappears in early January – when people celebrating Orthodox Christmas in Russia begin their holidays. One easy way to protect yourself from ransomware and other online threats while holiday shopping is to be conscious of the threat landscape. Its trends like these that Sullivan pays attention to, and warns others to do the same. “It would be safe to say that people should be worried about ransomware this holiday season, and probably through next year. I expect that we, or at least security researchers, will look back on 2016 as the year of extortion.” For example, even though mobile device are now widespread and used by many people, they’re not necessarily good tools to use for making financial transactions while online shopping. “I use an iPad running Freedome for the vast majority of my online browsing, which works great for me because it’s easy to use and I can bring it with me if I leave the house. And between the security benefits of a VPN and the relatively small amount of malware targeting iOS devices, I feel pretty confident in using it to casually window shop on different websites. But I always use a PC to make actual purchases. I trust that my PC is secure and the actual keyboard makes it easier to enter financial data.” You can find more great advice on how to stay safe while online shopping here. [Image by Atomic Taco | Flickr]

November 30, 2015

Why Cameron hates WhatsApp so much

It’s a well-known fact that UK’s Prime Minister David Cameron doesn’t care much about peoples’ privacy. Recently he has been driving the so called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks. It is said that terrorists want to tear down the Western society and lifestyle. And Cameron definitively puts himself in the same camp with statements like this: “In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.” David Cameron Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorist blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four. But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them? The answer is both simple and very significant. But it may not be obvious at fist. Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to. More and more encryption is being built in by default now when we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers are thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break. But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group people with special needs. Traffic from both WhatsApp and Signal, for example, are encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption-users before. WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality. WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map peoples’ network of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to become something unique. Among the first communication solutions that are easy to use, popular and secure by default. Apple's iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS-messages. But iMessage’s security is unfortunately not flawless either.   Safe surfing, Micke   PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, that have a master key that *used to be* secret.   Image by Sam Azgor

November 26, 2015
Secure Wordpress site, mobile blogging, tablet by the bay

This is why you need to protect your WordPress username and password

If you run a Wordpress site, you know that criminals around the world would love to use it to spread malware. Last month, F-Secure Labs spike in "Flash redirectors" that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites -- specifically Wordpress sites. This isn't a new find for the Labs but what is unique is one of the tactics of the attack -- seeking out Wordpress usernames. Why? "After obtaining the username, the only thing that the attacker would need to figure out is the password," Patricia from The Labs explains. "The tool used by the attacker attempted around 1200 passwords before it was able to successfully login." If you happen to have one of those passwords, bam. You site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you. Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your Wordpress username AND always use a unique, strong password. "Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything," Patricia notes. You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog. It's pretty amazing what people can figure out about you with just your login and password. But when you're running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can't be figured out by anyone but you. And turn on two-step authentication if you haven't already. Cheers, Jason

November 26, 2015