AntiViruses under the microscope: A hands-on perspective
| Field | Value |
|---|---|
| Published in | Computers & Security, Vol. 112, p. 102500 |
| Format | Journal Article |
| Language | English |
| Published | Amsterdam: Elsevier Ltd / Elsevier Sequoia S.A., 01-01-2022 |
| Summary | AntiViruses (AVs) are the main defense line against attacks for most users, and much research has been done about them, especially proposing new detection procedures that work in academic prototypes. However, as most current commercial AVs are closed-source solutions, in practice little is known about their real internals: information such as the typical size of an AV database, the detection methods effectively used in each operation mode, and how often on average the AVs are updated is still unknown. This prevents research work from meeting industrial practices more thoroughly. To fill this gap, in this work we systematize the knowledge about AVs. To do so, we first surveyed the literature and identified existing knowledge gaps in how AV internals work. We then bridged these gaps by analyzing popular (Windows, Linux, and Android) AV solutions to check their operation in practice. Our methodology encompassed multiple techniques, from tracing to fuzzing. We detail current AVs' architecture, including their multiple components, such as browser extensions and injected libraries, regarding their implementation, monitoring features, and self-protection capabilities. We discovered, for instance, a great disparity in the set of API functions hooked by the distinct AVs' libraries, which might have a significant impact on the viability of academically proposed detection models (e.g., machine-learning-based ones). |
| ISSN | 0167-4048; 1872-6208 |
| DOI | 10.1016/j.cose.2021.102500 |