Now that the first victims of the Heartbleed web vulnerability…
How we go deeper to protect you from new threats
New! Read our free whitepaper about F-Secure DeepGuard, our proactive protection against new and emerging threats. Read it here.
You may know that F-Secure won the Best Protection Award – twice in a row. But if you’ve ever wondered about how we actually go about protecting our customers from malware, this post is for you. We do it by going deeper. Let me explain.
Traditional antivirus software looks at the outward characteristics of files to see if the characteristics match those of previously seen malware files. If they match, the antivirus program knows to block the file.
For this system to work, antivirus labs need to have a sample of the malware file in order to analyze its characteristics so they know exactly what they need to block.
This is a very effective method for blocking most malware seen to date, and this is how F-Secure protects you from existing malware we already know about.
Of course, it takes time for antivirus labs to receive a malware sample and analyze it so we can effectively block it. That means brand new malware created just in the past few days or weeks that we haven’t yet had a chance to analyze, can get past traditional scanning systems.
Complicating the issue, cybercriminals who create malware nowadays are very clever at avoiding detection by antivirus programs. One way they do this is by creating new, different variants of their malware. These variants are still the same malware at the core, but they appear new and different on the outside. Like a criminal who dresses in disguise to avoid being recognized, the malware file is disguised to avoid detection by antivirus software. There are automated malware creation kits that do this for the cybercriminals, making it easy to spit out thousands of new variants.
To be able to protect from brand new malware, then, and to protect from all the new variants of existing malware, it is crucial for F-Secure’s software to be able to detect a malware file even before our Labs have ever received a sample of it.
So how do we block malware strains we’ve never seen? We examine not just a file’s outward characteristics, but we also monitor its behavior for suspicious activity. Like I said, malware can change in appearance and characteristics. But one thing never changes: Malware always does malicious things. So if we’re not sure if a file is malicious or not, we watch to see how the program behaves.
We call our behavioral analysis technology DeepGuard. DeepGuard observes a program’s behavior and prevents potentially harmful actions from successfully completing. This way, we can block even brand new malware files that haven’t yet been analyzed. And we can stop malicious files that are disguised as something else.
When the user opens a file, any file, DeepGuard instantaneously checks for suspicious behavior, and if it finds something, it will block the program from launching. Since some malware hide their malicious behavior until after the program launches, DeepGuard still continues monitoring programs while they are running, watching for and blocking suspicious actions.
DeepGuard is a feature of F-Secure’s products, working in tandem with our other protection layers (browsing protection, traditional signature scanning, file reputation analysis, and prevalence rate checking) to provide the very best protection. Our newest version, DeepGuard 5 with exploit protection, has already been rolled out, so customers with the latest versions of F-Secure products are already benefiting from the latest technology.
And that’s how we protect you.