Malware Protection - Bitdefender TechZone

Antimalware modules prevent new malware threats from entering the system by scanning local and network files when they are accessed (opened, moved, copied, written, or executed), boot sectors and potentially unwanted applications (PUA).

Malware protection behaves differently depending on how the security agent installed on endpoints is set up to run:

Malware protection can be customized across various tiers. Within the Policies configuration, administrators can set it up in both the On-Access and On-Demand scanning sections.

Depending on the chosen scanning option, administrators have the flexibility to select from three predefined profiles, each offering varying levels of protection. Alternatively, they can create a custom policy and fine-tune the configuration to their specific requirements. These profiles define the trade-off between security and system performance, allowing for tailored security measures.

The Permissive Profile selectively scans newly modified or updated local and remote files, as well as Potentially Unwanted Applications (PUAs). This profile can be beneficial for systems with lower processing power or older hardware, although it is important to note that it is not the recommended choice for optimal security.

In contrast, Aggressive Profile offers the highest level of protection by thoroughly scanning all types of malwares. In addition to what the Permissive Profile scans, it also includes the scanning of archives, boot sectors, and keyloggers, providing a comprehensive defence against potential threats.

The administrator faces the challenge of striking a balance between system protection and performance optimization when configuring their settings. There is no one-size-fits-all recommendation, as it depends on the specific needs and capabilities of the system.

For instance, consider the functionality of scanning inside archives, which is known for being a slow and resource-intensive process. Archives containing infected files may not pose an immediate threat to system security; their impact is only realized if the infected files are extracted and executed. The primary configuration mechanism designed for detecting Keyloggers possesses the ability to both recognize and prevent any endeavours to capture keystrokes and transmit them to a malicious operator over the Internet. Thanks to the robust, multilayered security approach and the presence of overlapping protective measures, even if this parameter is deactivated, other protection modules will continue safeguarding the system. Additionally, rootkits are a category of software that can potentially provide an attacker with elevated, administrator-level access to the system. These various factors must be carefully weighed and configured according to the unique security and performance requirements of the system in question.

It is important to emphasize in this section that the Ransomware vaccine parameter provides immunity to machines against known ransomware, effectively thwarting the encryption process, even in cases where the computer is already infected. By default, the Ransomware vaccine feature remains deactivated. Bitdefender Labs continuously assesses the behaviour of prevalent ransomware strains, and with each security content update, new signatures are delivered to counter the most recent threats.

Detailed information about Malware Protection configurations can be found at our Bitdefender Support Center here.

The Malware protection features within Bitdefender GravityZone can be divided into two primary components: core functionality and Hyper Detect. In this in-depth section, we will offer an overview of both elements.

Hyper Detect

Hyper Detect is our tunable Machine Learning functionality that can be configured via the Policies configuration.

Within the configuration settings, administrators have the flexibility to fine-tune five distinct protections by levels ranging from Permissive to Normal and Aggressive heuristics detection. A higher level of aggressiveness in detection is inclined to identify new and previously unseen malware, albeit it may occasionally trigger false positives. Conversely, a more Permissive heuristic engine tends to yield a lower false positive rate but may result in reduced detection capabilities.

Detailed information about Hyper Detect configurations can be found at our Bitdefender Support Center here.

Functionality Deep-dive

Hyper Detect technology constitutes a specialized segment within the core components, featuring heightened heuristics detection capabilities aimed at identifying advanced attacks and suspicious activities during the pre-execution phase. It excels at recognizing a wide array of abusing legitimate tools, such as Rclone, Gsudo, TacticalRMM or Sysinternals suite. It is important to note that this detection is critical for maintaining the security and integrity of systems, as it helps identify potential misuse or malicious activities that could compromise data and networks. Effective detection of legitimate tools being abused allows organizations to defend against advanced threats.

From a file-centric standpoint, it is of utmost importance to identify files that have been packed with an unfamiliar packer or those utilizing a packer commonly associated with malicious intent. Additionally, discerning files compiled with well-known compilers such as Visual Studio or Delphi is equally crucial. This proactive approach helps to flag potential threats and suspicious files.

Furthermore, the capability to discern unconventional paths and names for executable files, as well as detect unusual process correlations, plays a pivotal role in comprehensive security. This includes identifying executable files with atypical directory locations and file names and recognizing processes that show abnormal parent-child relationships.

To learn more about the technologies behind the Protection layer, we recommend reading the next article Process Protection.

GravityZone Security Products official website: GravityZone Security Products