Comodo: Cloud Native Cyber Security Platform

What is the Difference Between Signature-based and Behavior-based Detection?


Malware has come a long way from how it started in the eighties. It continues to evolve, threatening computers, networks, and different devices alike.

Two kinds of technology can address threats like malware, yet most organizations still rely on the older signature-based detection. Many are still unfamiliar with behavior based endpoint protection, a more advanced way of detecting malware.

Signature-based malware detection can only spot known malware. Behavior based detection, on the other hand, distinguishes benign files from malicious ones by analyzing what they do.

Signature-based Technologies Study Known Threats

In computing, every object has characteristics from which a unique signature can be derived. Algorithms can scan an object quickly and compute its signature.

Once an anti-malware solution determines that an object is malicious, its signature is added to a database of known malware. These repositories usually hold millions of signatures that identify malicious objects.

This way of identifying malicious objects is the fundamental procedure used by antivirus products today. It remains the primary approach used by firewalls, as well as by email and network gateways.

Signature-based malware detection has its strong suits, one of which is its popularity. It is also quick, easy to use, and widely available. Most of all, it secures devices against millions of older but still active threats.

The Problem with Signatures

Confirming that a file is malicious can be complex and time-consuming. Often, by the time the malware has been identified, it has already evolved.

Studies have found that some malware files evolve within 24 hours of being identified. The slow process of identifying malware can cause real damage to organizations.

Modern malware hits systems in a very short period of time. For instance, HDDcryptor affected 2000 systems at the San Francisco Municipal Transportation Agency before it was detected.

Another problem with today’s advanced malware is its ability to alter its signature to evade detection. Because signatures are derived from the internal components of an object, malware authors modify those components while preserving the object’s functionality and behavior.

Some examples of transformation techniques include:

  • code permutation
  • register renaming
  • expanding and shrinking code
  • insertion of garbage code or other constructs

Behavior Based Endpoint Protection

Behavior based endpoint protection assesses an object on the actions it is expected to take, before it is allowed to perform them. An object’s observed or potential behavior is analyzed for suspicious activity.

If an object attempts actions that are abnormal or unauthorized, it is flagged as malicious or suspicious. Several behaviors signal potential danger, including:

  • any attempts to find a sandbox environment
  • disabling security measures
  • installing rootkits
  • registering for auto start

Behavior based endpoint protection observes an object’s actions through dynamic analysis, which runs the object and records what it does. Potential malicious intent is also evaluated through static analysis, in which the object’s code and structure are searched for dangerous capabilities without executing it.
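To make the contrast concrete, here is an added Python example (not Comodo’s code) that runs a hash-based signature check and a rule-based behavior score over the same constructed sample. The sample bytes, the sandbox API-call trace, the rule weights and the names "ExampleAV" and "sandbox_agent.dll" are all assumptions; the example also shows why the transformation techniques listed earlier defeat the signature check while the behavior check still fires.

```python
import hashlib
from dataclasses import dataclass

# Constructed "known malware" body; its SHA-256 stands in for a vendor signature database.
KNOWN_BAD = b"\x4d\x5a dropper v1: stop AV service, write %APPDATA%\\svc.exe, set Run key"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

@dataclass
class Event:          # one API call observed while the object runs in a sandbox
    api: str
    arg: str

# Behavior rules: (description, weight, predicate over one Event). Weights and
# the "ExampleAV" / "sandbox_agent.dll" names are constructed for illustration.
RULES = [
    ("probes for a sandbox environment", 3,
     lambda e: e.api == "GetModuleHandle" and e.arg.lower() == "sandbox_agent.dll"),
    ("disables a security service", 4,
     lambda e: e.api == "ControlService" and e.arg.startswith("ExampleAV") and "STOP" in e.arg),
    ("loads an unsigned kernel driver", 5,
     lambda e: e.api == "NtLoadDriver" and "unsigned" in e.arg),
    ("registers for auto start", 3,
     lambda e: e.api == "RegSetValueEx" and "\\CurrentVersion\\Run\\" in e.arg),
]
THRESHOLD = 5   # a single auto-start entry alone is not enough to convict

def signature_verdict(content: bytes) -> bool:
    """Static exact-match check: only objects already in the DB are flagged."""
    return hashlib.sha256(content).hexdigest() in SIGNATURE_DB

def behavior_verdict(trace):
    """Dynamic check: score the actions the object actually performed."""
    hits = [desc for desc, _w, pred in RULES if any(pred(e) for e in trace)]
    score = sum(w for desc, w, _p in RULES if desc in hits)
    return score >= THRESHOLD, score, hits

def analyze(content: bytes, trace):
    by_sig = signature_verdict(content)
    by_beh, score, hits = behavior_verdict(trace)
    return {"signature": by_sig, "behavior": by_beh, "score": score, "hits": hits}

# Constructed sandbox traces (not real sandbox output).
DROPPER_TRACE = [
    Event("GetModuleHandle", "sandbox_agent.dll"),
    Event("ControlService", "ExampleAV: SERVICE_CONTROL_STOP"),
    Event("RegSetValueEx", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
]
# Same behavior, but with garbage bytes appended: the hash no longer matches.
VARIANT = KNOWN_BAD + b"\x90" * 16
# A benign installer that only adds an auto-start entry stays below the threshold.
INSTALLER_TRACE = [Event("RegSetValueEx", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater")]
```

Running `analyze(VARIANT, DROPPER_TRACE)` reports `signature: False` but `behavior: True`, which is the gap the transformation techniques above exploit.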

Although there is no perfect solution, behavior based endpoint protection is the most advanced option among its competitors. It reveals new and unknown threats in near real time.

Some examples of the core functions of behavior based solutions:

  • Defending against new and previously unimagined malware threats
  • Identifying a single case of malware that has been aimed at a specific person or organization
  • Recognizing what the malware does when files are opened in a certain environment
  • Getting detailed information on the malware

Note, however, that analyzing the behavior of objects takes time. Static analysis can be carried out in real time, but dynamic analysis introduces latency while the object is being assessed.

Not All Behavior Based Technologies Are Similar

Traditional sandbox systems have limited visibility: they can only observe how an object interacts with the operating system. A solution that observes a malicious object’s actions completely lets Chief Security Officers (CSOs) evaluate both the malware’s interactions with the OS and the instructions the CPU executes on its behalf, even when the malware has delegated those actions to the operating system or to other programs.

Understanding the Workings of Behavior Based Solutions

Advanced malware detection solutions examine and evaluate every instruction executed by the malware. Every request for access to files, processes, connections, or services is analyzed. This includes all instructions performed at the operating system level, any other programs that have been invoked, and low-level code hidden by rootkits.

The technology identifies each malicious activity, and collectively these make it clear that a file is harmful before it is released onto the network.

Organizations that handle sensitive data or critical operations should protect their system with behavior based endpoint protection.

To augment the abilities of your existing security tools, you can use behavior-based solutions like Comodo. It intercepts all the files executed in your network and assesses their safety before allowing them to run. Contact us today for more information.
