Chapter 3: Antivirus Software - Windows Defender

This chapter provides a description of antivirus software, focusing more on Microsoft’s product, Windows Defender.

3.1 Introduction

An antivirus alone, however reliable and effective, is not protection against all existing computer viruses in the world. The reasons may be due, in addition to the attackers’ capabilities, also to errors in the classification algorithms used by antivirus software (hereinafter, AV), which lead, more often than one might think, to false positives or, worse, false negatives.

From a technical point of view, there are various methods that can be used to prevent and detect malware. In general, these methods can be divided into static analysis techniques, which are based exclusively on the analysis of the code of binary files, and dynamic analysis techniques, which are based on the dynamic execution of a file to understand its nature. In the remainder of the chapter, we will describe the main components of an antivirus and briefly illustrate the analysis techniques mentioned just now.

3.1.1 The main components

An antivirus is composed of several parts, some independent of each other. Below we report the main components of AV software and their functionality:

• The signature file; it is an archive that contains all the signatures of known viruses; it represents a fundamental and essential part for the correct functioning of any other component.
• The executable; it is the actual software capable of searching for the virus within the infected file system and which allows a series of operations to be performed on request, such as, for example, knowing the date the signature database was last updated or performing a full system scan.
• The daemon (or service); it is the binary file that is loaded into memory when the system starts up and remains running until the machine is turned off. This component calls the antivirus whenever a new file or a memory area is created or modified. It makes extensive use of system events to monitor the health of the machine in real-time.
• The update component; it is the binary that performs updates of the signature file and all other antivirus components. It can be part of the main executable or be a separate program.

Some antivirus software may lack one, or both, of parts 3 and 4 that work “in real time.” In these cases, the signature database must be updated manually and the antivirus will not perform dynamic system checks.

3.2 Static detection techniques

Static methods involve detecting malware by searching for infected code within files present on memory units or in data streams transmitted over the network. The general idea is to assign a “signature” (based on hash algorithms) to each file that uniquely identifies it and loses validity if the file is modified. The detection of specific malware is based on the identification of malicious sequences associated with the viral code. These identifying patterns are called virus signatures (Figure 3.1).

Figure 3.1. A detail of the disassembly of a file usable as a signature for the malware itself.

The security software scans the file system in search of any correspondence between the data and the sequences of known viral codes. The use of this technique implies the knowledge and analysis of all malware; it is, therefore, effective against known attacks, but completely useless against so-called zero-day attacks. In the days following the creation of a new viral code, it will not yet be present in the antivirus database and, therefore, cannot be detected. Antivirus manufacturers address this problem by periodically releasing updates for the signature database, thus allowing AV software to recognize new malicious codes.

3.3 Dynamic detection techniques

To protect the system from the day of the malware’s release until the database is updated, detection techniques based on heuristics are used. These particular functions allow recognizing malicious code with a high level of accuracy without, however, using signatures. Each single heuristic refers to a particular viral characteristic, such as, for example, the presence of junk or encrypted code, the use of unusual libraries, or the presence of instructions not usually generated by compilers. Depending on the score returned by the heuristic, the content of the file can be classified as clean, suspicious, or infected.

In recent years, artificial intelligence techniques have become increasingly widespread for studying and classifying the entity of a file. In particular, machine learning and pattern matching techniques are used to identify sections of malicious code within files, even large ones. This has been made possible by the unlimited availability of infected and non-infected files with which to train the algorithms and, furthermore, by the increase in the computational capabilities of computers. This type of analysis, for obvious reasons, is not carried out directly by the user’s machine, but rather the suspicious files are sent to the AV vendor’s server where the antivirus AI will analyze them and, if they are labeled as dangerous, will return a warning to the user who, therefore, will activate the appropriate procedure.

To hide from static antivirus checks, malicious agents adopt various code “obfuscation” techniques to make it illegible or changeable over time. The basic idea is that the body of the malware (i.e., the sequence of binary instructions that constitute it) is encrypted so that it cannot be identified by static analysis. The encrypted part cannot, however, be executed if it is not first decrypted; therefore, there must also be unencoded binary instructions, executed at the start of the malware and capable of decrypting and properly starting the core of the program. It is precisely these “clear” parts that very often “nail” the malware.

When no static technique is able to correctly report malware, dynamic analysis techniques come into play, which execute the code and check its behavior at run-time. The behavior monitor (also known as “behaviour blocker”) is a component of the antivirus, usually resident in RAM, which controls running programs in real-time looking for suspicious behavior. In practice, these programs analyze all the operations carried out in the system, such as, for example, those of reading and writing to disk or access to particular memory areas. Based on these symptoms, the security software is able to detect malicious programs and, therefore, can block their operations before they can cause damage. The user, in these cases, can choose whether to let the suspicious program continue its task, whether to block it, delete it, or put it in quarantine. The weak point of the monitor is that, before its real nature can be understood, it must execute the malware on the system.

To avoid this problem, some antiviruses emulate an ad hoc environment to control the behavior of a malware without damaging the real system. What is done is to analyze an encrypted code by executing it on a dedicated virtual machine, commonly called a sandbox. In this case too, malware writers have devised countermeasures to bypass the controls. There are, in fact, various tools that detect whether the program is running on a real or emulated CPU. By integrating these tools into the malware, it is possible to execute the malicious code only in the presence of a real environment, thus avoiding illicit behavior in the presence of emulation; this allows the virus to overcome security controls.

3.4 Windows Defender

3.4.1 The evolution

Microsoft Windows Defender was initially born as a simple built-in antispyware program on Windows Vista and subsequent operating systems. Until Windows 8, its task was delegated to offline analysis. It accompanied Microsoft Security Essentials (MSE) which protected against a wider range of threats and also integrated real-time protection. Starting from Windows 8, however, Defender completely supplanted MSE, including its antivirus properties and thus becoming complete software. Also with Version 8, Microsoft Defender is active by default and, only in the case of installing another antivirus, it self-deactivates in favor of its “substitute,” except for carrying out periodic scans to ensure greater protection for the system. Nowadays, Defender is perfectly integrated into the Microsoft system and offers a single homogeneous interface to manage the protection of one’s computer. Its functionalities are strictly linked to those of the operating system of which it manages to control, in an optimal way, every aspect and every process, thus guaranteeing unparalleled protection.

3.4.2 Functionality and switches

As already mentioned, Defender integrates perfectly with the Windows operating system. Its main functionalities, in addition to the obvious ones of static protection against threats, are the following:

• Real-time protection. The AV software monitors operating system events in real-time, such as, for example, newly created or modified files, or the actions that a user, or a program, performs on the system. If Defender detects threatening behavior, it can block the execution of the action and send a notification to the user through the appropriate bar; furthermore, in the case of infected files, it automatically deletes or isolates the document.
• Integration with the browser. Integration with Internet Explorer and Microsoft Edge allows scanning files as they are downloaded to detect harmful or malicious software. Since April 2018, Windows Defender is also available for Google Chrome, through the appropriate extension, and works in symbiosis with Google Safe Browse.
• Application guard. Windows Defender Application Guard is a feature released in early 2018, exclusive to Microsoft Edge, which allows you to sandbox the current Browse session. This prevents a malicious website or malware from affecting the system or the browser itself. Application Guard is a feature available only on Windows 10 Pro and Windows 10 Enterprise.

These functionalities, and more, are configurable within the appropriate system settings tab. Specifically, on the “Windows Security” page, in the section relating to Defender, we find three switches followed by as many more advanced settings for managing exclusions, file system access, and notifications. The switches on which we want to focus attention, and which will be important in the continuation of the thesis, are shown in Figure 3.2 and described in the following list:

Figure 3.2. Defender’s switches to activate or deactivate its main functionalities.

• Real-time protection: the name itself is enough to understand the importance of activating, and leaving active, this option. This functionality, in fact, allows the system to instantly analyze every modified or created file even before we can open it. This aspect guarantees the user total protection against threats, especially those due to web Browse, i.e., infected downloads.
• Cloud-delivered protection; this is by far the most powerful tool available to Windows Defender. It allows sending the files to be analyzed directly to Microsoft’s servers to take advantage of its machine learning algorithms and obtain a more accurate response on the dangerousness of the sent document. Microsoft’s AI is known for its accuracy in identifying even the newest (0-day) or obfuscated software. Furthermore, also on the parent company’s servers, files can undergo a dynamic analysis process, which is more difficult to perform client-side.
• Automatic sample submission; this last switch must be enabled to ensure the correct functioning of cloud protection; furthermore, this option guarantees Microsoft an inexhaustible source of items to train its recognition algorithms.