Knowing all this helps you yet again form threat models and crack down on the source instead of trying to catch up by flagging phishing addresses one by one. You need to know how the user got to the phishing website, what website he was visiting prior, how the transfer to the phishing website happened: was it a script, was it a manual user click, was it from an e-mail or from another webpage, etc. Just knowing "oh, the user landed on a phishing webpage" is not enough. You need to know where the sample came from (was it a known browser, a 3rd party binary (EXE), what was the URL it came from, etc.), and you need to know what the sample is trying to contact and what protocols are used; the same applies to phishing site detection. And to make this efficient, just feeding samples is not enough.
The verdict is sent back to the user, and the client-side antivirus flags the sample as malicious or allows it to execute. If no match is found this way, your system sends the sample to the data center, where the above-mentioned automated systems probe it and instantly classify it.
Cloud systems compare samples you've obtained to the huge databases they have on servers and instantly give a response. And those gaps in between could lead to infections and missed samples. Back in the day you downloaded detection signatures once a day, every 6 hours, every hour, etc., depending on antivirus design. And all this data processed in data centers is then fed back to users via cloud systems that basically all antiviruses use. Everything that is inconclusive goes to a separate feed that is checked by actual humans, who analyze the samples and fine-tune the systems to deal with them automatically in the future. These days security companies run huge data centers that hoard samples automatically, feed them to these data centers and sort them automatically, and form threat models using mathematical algorithms so every sample that arrives at the data center next can easily be flagged as either CLEAN or MALICIOUS. If back in the day it was about detecting binaries and hoping users would submit malicious or suspected samples to you, those days are long gone. AVAST Software is not really standing out, because ALL antivirus companies use similar methods in one way or another. I may not agree with them selling data anyway, anonymized or not, but I know the inner workings of their malware protection side and what all is required to be efficient.
People need to learn how security software even works today and they'll understand. There is A LOT of misinformation circulating around and people just don't understand half of it.