As we mentioned in our last post, one of the most important things a healthcare practice can do to protect itself from ransomware is install a good antivirus program. But once you start looking for one, vendors will immediately assail you with all sorts of fancy jargon: “deep learning”, “smart analytics”, “sandboxing”, “next-generation endpoint response”. All these marketing buzzwords sound great, but what do they mean? More importantly, do they matter? None of the hype answers the question you really want answered: “Will this antivirus product actually protect the things I care about?”
We’re sure you’ve realized that answering that question is challenging. That’s why Jennifer and Mark wrote this quick physician’s guide to antivirus software. No technobabble, no sales pitch, just simple, actionable info that empowers you to answer that question for yourself.
Heuristic Vs. Signature-Based Antivirus Programs
Stripping away all the techspeak and marketing lingo, most antivirus products can be broken down into two types, “signature-based” and “heuristic”.
What’s the difference between the two types of antivirus, you may ask? Here’s a quick analogy. When you sign some paperwork, you normally sign it in a standard way, “John Smith”. That’s your signature. Everyone knows it and is happy to accept it. But what if you decide to sign something as “John A. Smith”, or “J. Smith”, or “John Smith, DPM”? You know that all those still tie to you and your identity. But some people who don’t know you may not know that’s still your signature. They may not realize that your middle name is “Adam”, or that you’re a practicing podiatrist. Because of that, they may choose to ignore any signature not exactly like the only one they know, “John Smith”.
Antivirus programs work the same way. “Signature-based” antivirus programs only know they should block the program signed as “John Smith”. But any variant on that will confuse them, and chances are the antivirus won’t know the variants are bad and will let them through. “Heuristic-based” antivirus programs won’t rely on that exact name. They know all the ways the program “John Smith” will work, and will block that, “J. Smith”, and any other variant.
Takeaway: Signature-based antivirus detects viruses and malware based on a given program’s “signature”, the exact way it’s coded. Heuristic antivirus programs look at how the program acts, and then decide whether that program is malicious based on what it does.
Which One is Better?
Signature-based antivirus software works great for blocking malware we already know a lot about. Let’s say some random script kiddie tries to infect your clinic’s computers with WannaCry without changing anything about the virus itself. A signature-based antivirus will know what to block since the hacker never modified the virus code itself.
But what if the hacker knows what they’re doing? Let’s say that script kiddie adds a new function to the WannaCry code to delete files if a ransom isn’t paid in seven days. And they want to add the line “Written by 1337_H4X0R_69” in the code, so other hackers are suitably impressed by their mad hacking skillz. Congrats, they just changed the fundamental way the virus works: the code they added modified its “signature”. Now your signature-based antivirus checks out this virus. It computes the virus’s “signature” and looks it up in its database. Whoops, no match, this file should be okay. Since your signature-based antivirus tool doesn’t recognize this new virus variant, the antivirus won’t do anything to block it. Now your clinic has ransomware on its network, and you’ve lost.
Heuristic antivirus programs, on the other hand, will check to see how the script kiddie’s new variant actually works. Does it access files it has no reason to, like the original WannaCry? Does it call an encryption algorithm without any reason? Does it try to connect to a known malicious website? Yes, yes, and yes? Then the heuristic antivirus will flag the script kiddie’s variant as malicious too. Now it’s the script kiddie who’s out of luck.
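To make the difference concrete, here is a small Python model of the two approaches. It is an added illustration, not code from the original post: the “sample”, its “variant”, the behaviour names, the scores and the threshold are all constructed for the example, and no real malware is involved.

```python
import hashlib

# Constructed stand-in for a known-bad program (just a byte string, not real malware).
KNOWN_BAD_SAMPLE = b"encrypt_files(); demand_ransom(); contact('bad-host.example');"

# A signature database: the exact SHA-256 hash of every sample we have seen before.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def signature_scan(sample: bytes) -> bool:
    """Signature-based check: flags a file only if its hash is already in the database."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# The "script kiddie" variant from the text: same code, plus a timed delete and a boast.
VARIANT = KNOWN_BAD_SAMPLE + b" delete_files_after_days(7); # Written by 1337_H4X0R_69"

# Constructed heuristic rules: each behaviour observed while the program runs adds
# to a suspicion score. Weights and threshold are illustrative assumptions.
SUSPICIOUS_BEHAVIOURS = {
    "reads_many_user_documents": 2,
    "calls_encryption_api": 2,
    "connects_to_known_bad_host": 3,
    "deletes_files_on_timer": 2,
}
THRESHOLD = 5  # scores at or above this are flagged as malicious


def heuristic_scan(observed_behaviours) -> tuple:
    """Behaviour-based check: returns (flagged, score) for a set of observed behaviours."""
    score = sum(SUSPICIOUS_BEHAVIOURS.get(b, 0) for b in observed_behaviours)
    return score >= THRESHOLD, score


# Constructed behaviour observations for three programs.
ORIGINAL_BEHAVIOURS = {"reads_many_user_documents", "calls_encryption_api",
                       "connects_to_known_bad_host"}
VARIANT_BEHAVIOURS = ORIGINAL_BEHAVIOURS | {"deletes_files_on_timer"}
# A legitimate backup tool also reads documents and encrypts them, but never
# contacts a known-bad host, so it stays under the threshold.
BACKUP_TOOL_BEHAVIOURS = {"reads_many_user_documents", "calls_encryption_api"}

if __name__ == "__main__":
    print("signature, original:", signature_scan(KNOWN_BAD_SAMPLE))   # True
    print("signature, variant: ", signature_scan(VARIANT))            # False: hash changed
    print("heuristic, original:", heuristic_scan(ORIGINAL_BEHAVIOURS))  # (True, 7)
    print("heuristic, variant: ", heuristic_scan(VARIANT_BEHAVIOURS))   # (True, 9)
    print("heuristic, backup:  ", heuristic_scan(BACKUP_TOOL_BEHAVIOURS))  # (False, 4)
```

The one added comment is the same trade-off the text hints at: a single changed byte defeats the exact-match signature, while the behaviour score keeps catching the variant, but the threshold is what separates catching the variant from wrongly flagging a legitimate backup tool.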
Takeaway: Generally speaking, you want a heuristic antivirus program. Heuristic antivirus programs with some signature-based functionality (to block the no-effort attacks) work even better. Most good heuristic antivirus products will have a signature-based module anyway, but you should double check to be certain.
What Should a Physician Look For Then?
- Don’t use signature-based antivirus programs only. As we saw above, any competent hacker can circumvent the “protections” signature-based antivirus offers. Hackers must try a lot harder to avoid heuristic antivirus.
- Don’t use the free or home versions of antivirus software. They often come installed on new pre-built PCs. Sounds easy to get running, right? Wrong. These cheaper tools occasionally flag themselves, or core Windows OS files, as viruses! In 2015, the Panda antivirus tool flagged itself as malware, causing some machines with Panda installed to become permanently unusable. Even worse, in 2017, Webroot actually flagged essential Windows components as malware, destroying up to 30 million customers’ computers. Larger, business-focused antivirus products rarely have this issue. We recommend uninstalling any free, home, or trial editions of antivirus products you’re using and purchasing a quality enterprise-focused antivirus.
- Don’t use Kaspersky or other Chinese or Russian antivirus software. We naturally avoid discussing the politics of US/Russia or US/China relations. But we’ll say this. In 2017, the New York Times reported that Russian intelligence services used Kaspersky antivirus tools to break into American government computers and steal classified intelligence. The American intelligence community reported that senior Kaspersky executives knowingly gave Russian spies a backdoor in their software for this exact purpose. If the Russians easily compromised some of the best-protected computer networks in the world through this backdoor, what chance do you and I have? Stay away from antivirus products built in countries known to attack American and European IT systems.
- Finally, don’t be afraid to ask for help from experts. We intended this post to be a quick, non-technical basic guide on antivirus software. Of course, there’s a lot more to cover. Check reviews from PCWorld, Tom’s Guide, or other trusted review sites. The professional articles and forum discussions can help steer you in the right directions. Or ask us at Keyqo Security. Mark actually used to build antivirus tools. Mark even built malware while getting his Master’s degree in computer science at Georgetown, under the tutelage of Dr. Wenchao Zhou. You can check out the code here, if you’re curious.
We’re always happy to assist healthcare professionals in choosing the right antivirus solution for their IT systems. Feel free to get in touch; we’re here to help.