Malware Detection refers to a collection of techniques used to detect potentially harmful malware samples. These techniques are best employed as part of a robust defense system that works to detect malware samples before they have a chance to infect a victim’s system. However, this process can also take place after an infection has occurred, and malware detection techniques may also be used as part of larger digital forensics investigations.
A robust malware detection process would usually involve several distinct approaches to maximize the likelihood of identifying harmful malware while simultaneously minimizing the likelihood of false-positive readings (where otherwise benign or useful files and programs can be incorrectly flagged as malware).
One of the most common techniques, and often the first line of defense in a more comprehensive security stack, is signature-based detection. This technique inspects suspicious files when they first arrive on a system and cross-references their code or signatures against large, often cloud-hosted databases of patterns and signatures from previously identified malware specimens. Such databases are constantly evolving: as each new malware variant is discovered and identified, it is blacklisted and its signature is added to the database. If a suspicious file or program matches one of these known profiles, it may be denied entry to the system, quarantined for further analysis, or deleted outright.
Signature-based detection is a quick and fairly effective technique that is widely employed, but it fails to detect novel threats (often referred to as zero-day threats) and some malware authors have found methods to circumvent this form of detection. One such example can be seen with polymorphic malware, which is malware that constantly alters aspects of its signature to avoid detection.
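The following is an added example, not code from the original page, illustrating the two kinds of signature match described above: an exact file-hash lookup and a byte-pattern match shared by a malware family. It also shows the limitation the text raises, since a variant whose contents differ by a single byte no longer matches the exact hash. All sample contents, the signature database, and the family names are constructed for this example and do not correspond to any real malware.

```python
import hashlib
import re

# Constructed sample "files" standing in for content that a scanner would
# read from disk or from a network gateway. None of these are real malware.
KNOWN_SAMPLE = b"MZ\x90\x00DEMO-FAMILY-MARKER\x00payload v1\x00"
VARIANT_SAMPLE = b"MZ\x90\x00DEMO-FAMILY-MARKER\x00payload v2\x00"  # one byte differs
BENIGN_SAMPLE = b"MZ\x90\x00hello world\x00"


def sha256_hex(data: bytes) -> str:
    """Exact-match signature: the SHA-256 digest of the whole file."""
    return hashlib.sha256(data).hexdigest()


# Constructed signature database. Exact hashes identify specific, previously
# analysed samples; byte patterns identify a family even when the hash changes.
HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "DemoFamily.A"}
PATTERN_SIGNATURES = {
    "DemoFamily": re.compile(rb"DEMO-FAMILY-MARKER\x00payload v\d"),
}


def scan(data: bytes) -> dict:
    """Return a verdict: exact hash first, then family pattern, else clean."""
    digest = sha256_hex(data)
    if digest in HASH_SIGNATURES:
        return {"verdict": "malicious", "method": "hash",
                "name": HASH_SIGNATURES[digest]}
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return {"verdict": "malicious", "method": "pattern", "name": name}
    return {"verdict": "clean", "method": None, "name": None}


def decide_action(result: dict) -> str:
    """Map a scan verdict to the response the text describes (quarantine here)."""
    return "quarantine" if result["verdict"] == "malicious" else "allow"


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        result = scan(sample)
        print(label, result, decide_action(result))
```

The exact-hash lookup is cheap and has essentially no false positives, but only the original sample matches it; the variant is caught only because the family pattern still matches. A polymorphic sample that also rewrites the region the pattern covers would evade both, which is why the next layer of defense is heuristic analysis.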
To deal with more sophisticated malware that uses such evasion techniques, defenders turn to heuristic malware analysis, which looks at what a program contains or does rather than at an exact signature. There are two main methods. The first is static analysis, which dissects, disassembles, and investigates the code of a suspicious program or file without executing it.
The second method is dynamic analysis which involves executing or “detonating” suspicious malware samples in a secure test environment known as a malware sandbox. This method allows security researchers to monitor the behavior of suspicious programs or files for malicious actions without risking a real system.
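As an added example covering both heuristic methods above (static and dynamic), and not code from the original page, the block below scores a sample in two ways: a static pass that extracts printable strings from the file bytes and weights suspicious indicators (embedded URLs, process-injection API names, an autorun registry key), and a dynamic pass that parses a sandbox event trace and weights observed behaviors (persistence via a Run key, dropping an executable, network connections, spawning a shell). The sample bytes, the sandbox trace format, the indicator weights, and the verdict threshold are all constructed assumptions for this example; real products use far larger rule sets and tuned thresholds.

```python
import re

# ---- Static analysis: inspect the bytes without executing them ----

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable-ASCII runs of at least min_len bytes, decoded."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

# Constructed indicator weights: (label, weight) per string pattern.
STATIC_INDICATORS = {
    re.compile(r"https?://", re.I): ("embedded URL", 1),
    re.compile(r"CreateRemoteThread|WriteProcessMemory|VirtualAllocEx"):
        ("process injection API", 3),
    re.compile(r"CurrentVersion\\Run"): ("autorun registry key", 2),
    re.compile(r"IsDebuggerPresent"): ("anti-debug check", 1),
}

def static_score(data: bytes):
    score, findings = 0, []
    for s in extract_strings(data):
        for pattern, (label, weight) in STATIC_INDICATORS.items():
            if pattern.search(s):
                findings.append(label)
                score += weight
    return score, findings

# ---- Dynamic analysis: score behavior recorded by a sandbox ----

def parse_trace(trace: str) -> list:
    """Parse constructed 'event key=value ...' lines into dicts."""
    events = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        event, *rest = line.split()
        fields = {"event": event}
        for tok in rest:
            k, _, v = tok.partition("=")
            fields[k] = v
        events.append(fields)
    return events

# Constructed behavior rules: (label, weight, predicate over one event).
DYNAMIC_RULES = [
    ("persistence via Run key", 3,
     lambda e: e["event"] == "reg_set" and "CurrentVersion\\Run" in e.get("key", "")),
    ("drops executable", 2,
     lambda e: e["event"] == "file_write" and e.get("path", "").lower().endswith(".exe")),
    ("outbound network connection", 1,
     lambda e: e["event"] == "net_connect"),
    ("spawns command shell", 2,
     lambda e: e["event"] == "proc_start"
     and e.get("image", "").lower().endswith("cmd.exe") and "parent" in e),
]

def dynamic_score(trace: str):
    score, findings = 0, []
    for e in parse_trace(trace):
        for label, weight, match in DYNAMIC_RULES:
            if match(e):
                findings.append(label)
                score += weight
    return score, findings

def heuristic_verdict(data: bytes, trace: str, threshold: int = 5) -> dict:
    """Combine both passes; threshold is a constructed tuning value."""
    s_score, s_find = static_score(data)
    d_score, d_find = dynamic_score(trace)
    total = s_score + d_score
    return {"score": total,
            "verdict": "suspicious" if total >= threshold else "clean",
            "findings": s_find + d_find}

# Constructed inputs (not real malware, not a real sandbox format).
SAMPLE_BIN = (b"MZ\x90\x00" + b"\x00" * 8 + b"kernel32.dll\x00CreateRemoteThread\x00"
              b"VirtualAllocEx\x00http://203.0.113.7/update\x00"
              b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
SANDBOX_TRACE = """\
proc_start pid=100 image=C:\\Users\\lab\\sample.exe
file_write pid=100 path=C:\\ProgramData\\upd.exe
reg_set pid=100 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=upd
net_connect pid=100 dst=203.0.113.7:443
proc_start pid=101 image=C:\\Windows\\System32\\cmd.exe parent=100
"""
BENIGN_BIN = b"MZ\x90\x00hello world, this is a benign notepad clone\x00"
BENIGN_TRACE = """\
proc_start pid=200 image=C:\\Users\\lab\\notes.exe
file_write pid=200 path=C:\\Users\\lab\\notes.txt
"""

if __name__ == "__main__":
    print(heuristic_verdict(SAMPLE_BIN, SANDBOX_TRACE))
    print(heuristic_verdict(BENIGN_BIN, BENIGN_TRACE))
```

The static pass never runs the sample, so it is safe to apply to every file but can be defeated by packing or encryption of the strings; the dynamic pass sees real behavior but only what the sample chooses to do inside the sandbox during the observation window. Weighting both together, as `heuristic_verdict` does, is what lets a process catch samples that have no known signature while keeping benign programs such as the constructed notepad clone below the threshold.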