9. The Application of Cybersecurity: Principles and Practices 245

9.2.3.3 Run Antivirus Software

It is disconcerting when a person’s computer starts behaving weirdly, and he begins to fear that he may have been hacked. Maybe the computer seems slower than normal, programs start running randomly on their own, or some system settings have apparently been changed. These could be indicators of compromise, but they could also be due to hardware issues, software bugs, or software bloat that has built up over time. It can be difficult to determine the root cause and to rule out the possibility that malware has been installed or other malicious activity has occurred, and without knowing for sure, users can feel anxious. Running antivirus software can help users have peace of mind and not jump to the conclusion that they have been hacked.

Antivirus software is a program that scans files to identify malware. Windows ships with Microsoft Defender Antivirus and macOS ships with XProtect. These included antivirus programs are pre-configured, run by default, and meet typical home computing needs. They can be turned off, but this is not advisable. Before antivirus software was built into operating systems, there was a major market for either free or paid antivirus programs. The market for these types of products has diminished since they provide at most an incremental benefit over the pre-installed versions. However, Linux systems do not ship with built-in antivirus software, so Linux users should consider installing either a free or paid-for product. Users should only change the default behavior of their antivirus programs if they are confident they know what they are doing and why a change is necessary. Any warning or alert that an antivirus program raises needs to be taken seriously and reviewed before proceeding.

Antivirus software uses signature detection.
Signature detection scans software looking for malware signatures—a specific sequence of 1s and 0s in known malware. False positives are rare due to the improbability of two different files having the same signature. Some users may install a program that triggers a match on purpose, maybe for the purpose of cybersecurity testing, but this does not really count as a false positive because the malware was accurately identified. In these instances, a user could ignore the warning if he is confident that he understands the risk. False negatives, on the other hand, are relatively common for signature detection. A false negative is when malware is able to slip past the antivirus program undetected. If a piece of malware has not been cataloged by the antivirus vendor, then it will evade detection. This is true of all novel malware, but is also true of known malware that has been modified. A best practice in hacking is to subtly transform malware so that its signature changes but not its functionality. This makes it more likely that antivirus programs will not identify it. Signature detection also suffers from the problem of an ever-increasing catalog of signatures. There is a limit to the number of samples that software can be compared against. Therefore, malware scanners prioritize some signatures over others, and this sometimes means that even known malware can evade detection. A more advanced type of protection system is called an intrusion detection and prevention system (IDPS). These systems can perform anomaly detection in addition to
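The signature matching described above, reduced to its core, as an added illustration that is not from the book: a constructed catalog of byte patterns with hypothetical family names, scanned against three constructed samples. It shows the hit on a catalogued sample, the false negative on a variant of the same family whose bytes differ slightly (the sample was never catalogued, so nothing matches), and a clean result on an unrelated file.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature catalog: hypothetical family names mapped to the byte
# sequence the scanner looks for. Real vendor catalogs hold millions of entries.
SIGNATURES = {
    "Constructed.Family.A": b"SAMPLE-SIGNATURE-ALPHA-0001",
    "Constructed.Family.B": bytes.fromhex("cafef00d1234abcd"),
}

@dataclass
class ScanResult:
    sha256: str                          # whole-file hash, useful in an alert
    matches: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.matches

def scan_bytes(data: bytes, signatures=SIGNATURES) -> ScanResult:
    """Report every catalog entry whose byte pattern occurs anywhere in data."""
    result = ScanResult(hashlib.sha256(data).hexdigest())
    for name, pattern in signatures.items():
        if data.find(pattern) != -1:     # exact byte-sequence match only
            result.matches.append(name)
    return result

def scan_file(path: str, signatures=SIGNATURES) -> ScanResult:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)

# Constructed samples (not real programs): a catalogued sample, a variant of the
# same family whose bytes differ in one position, and an unrelated benign file.
KNOWN_SAMPLE = b"\x7fELF...header..." + SIGNATURES["Constructed.Family.A"] + b"...rest..."
VARIANT_SAMPLE = b"\x7fELF...header..." + b"SAMPLE-SIGNATURE-ALPHA-0002" + b"...rest..."
BENIGN_FILE = b"Quarterly report: revenue up 4%, headcount unchanged.\n"

if __name__ == "__main__":
    for label, blob in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                        ("benign", BENIGN_FILE)]:
        r = scan_bytes(blob)
        print(f"{label:8s} {r.sha256[:12]}  matches={r.matches or 'none'}")
```

The variant result is the false negative the text describes: the scanner is correct about what it was asked to match, so the gap is in the catalog, not the matcher.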