Anti-Malware Software – CompTIA Network+ N10-006 – 3.3

We use many different technologies to keep the malware from embedding itself in our computers. In this video, you’ll learn about host-based, cloud-based, and network-based anti-malware.
<< Previous: Operating System VulnerabilitiesNext: Switch Port Security >>

If you’re following good security best practices, then you’re probably running some type of anti-malware software on your computing device. So it’s on your laptop or your desktop or whatever you happen to use to do any of your browsing around the internet.

That means that on every device that has this anti-malware software running, it’s responsible for keeping track of signature updates and for identifying any malware that may be inbound or outbound from this particular device.

You also have to keep all of this host-based anti-malware software up to date. There are thousands and thousands of new malware signatures every day. So you always have to make sure that all of your devices are always downloading and updating with the latest signatures.

This could become a bit of a scaling challenge if you have thousands of devices in your environment. You might want to, instead, download one version of the signature update and have all of your internal devices update from that internal server.

Most large organizations also need some centralized management of all of these individually running anti-malware engines. And so you usually have some type of enterprise management console. This console is used to track when updates are available. It’s used to push those updates out to the remote devices and to confirm that those devices are running the latest version of the anti-malware signatures.

Mobile devices add a little bit more of a challenge. Because they can often be outside of your corporate network. But you still need some way to manage what’s going on those devices and to protect them from the malware. So there are usually other layered security methods that you can use to manage your anti-malware presence.

One way to do this is to have the anti-malware in the cloud. Instead of you running something exclusively on your local system, you could also have something in the cloud that’s examining all of the queries that you’re making out to servers and examining the responses that are inbound to your device.

This is very often used for email communications since it’s easy to send all of your email to one central anti-malware server in the cloud, and then have that examine all of your email, and then send you the updates to what the latest emails might be.

This also provides for very fast updates. You can update one place in the cloud. And now you’re covering all of the communication going inbound and outbound from your network. This is also one that can be updated by multiple users. So if somebody identifies malware halfway around the world, those signatures can be updated on the centralized cloud-based anti-malware service. And now you are also protected from that malware.

Because this is in the cloud, you generally don’t have to load any additional software on your devices. And mobile devices can take advantage of this without running anything extra, since all of the communication inbound and outbound is going to be examined from these cloud-based services. There are also fewer resource requirements on the inside of your network. All of the really hard work is being done by the anti-malware that’s in the cloud.

You could also run the anti-malware inside of your network on your infrastructure devices. It’s not uncommon to have anti-malware running on firewalls or proxies. And all of the network communication going through those devices is examined for any type of malware the might be going through.

These are generally completely invisible to your users. Because they’re simply part of your normal network infrastructure. And because they are so seamless, they can block the malware and allow the good traffic without your users even knowing that that’s going on.

These are usually signature-based. They’re looking for a very specific stream of information. And if it identifies that stream, then it has identified that as malware. This is stream-based because it is one of the fastest ways to examine traffic that might be coming through.

There’s not enough time to put an executable into a sandbox and run the executable and see what’s happening. Because this is real-time on the network. And the only way that you’re going to be able to maintain those high bandwidths is with a signature-based scanning system.

These don’t replace anything that’s on your host. They don’t replace the cloud-based systems. This is something you would layer with the rest of the security that you’re using. There’s not any one thing that’s going to stop 100% of your malware. So you want to layer that security as much as possible.