Skip Navigation
BlackBerry Blog

When ‘Signatureless AV’ Simply Means More Signatures

NEWS / 03.13.17 / The Cylance Team

With the dramatic decline in the efficacy of signature-based antivirus (AV), many vendors are attempting to confuse the marketplace by coopting terminology in their marketing campaigns that differentiates more superior emerging technologies.

They are misusing these terms in an effort to try to keep pace with more innovative solutions that are disrupting the marketplace and displacing the old AV technologies that have continuously failed to thwart crafty attackers – and now “signatureless” has become one of the most abused terms out there.

When most of these companies talk about a security tool being signatureless, they are really talking about the use of “generics,” which are basically still just signatures, and the “exceptions” they are dependent upon are merely signatures.

Behavioral and Heuristic Tools are Signature-Based Too

Applying generics and the long list of exceptions they often require leans more towards “behavioral” or “heuristic” approaches to combating malicious code, which previous versions of their products have already used to little effect.

Simply calling these products signatureless does not make them perform better against malware that has never been detected before, and it does not put them on par with truly signatureless solutions that leverage artificial intelligence (AI) and machine learning (ML) to prevent malicious code from ever executing.

Let’s take for example vendors who say their tools provide anti-exploitation protections. There are typically 23 classes of exploitation techniques they attempt to stop. And while it may be true that they don’t necessarily need to write a signature for each new exploit introduced in the wild, each of these classes represents a signature that was written by and needs to be updated by a human.

This is not any different than the traditional generics or heuristic approaches, but it is what is being pushed by vendors who falsely claim they offer a signatureless tool. Note also that this approach is very prone to false positives, and as such requires that they write a very aggressive generic signature and then pair that with a lot of exceptions to the generic rule.

Call them what you want, but the fact is these tools are still signature-based, and therefore ineffective against an adversary that has adapted their attack to circumvent these defenses.

It is no different with the so-called “behavioral” tools out there, which are basically the same thing as anti-exploitation tools, but for different elements. While anti-exploitation targets the behaviors used by an exploit, behavioral tools (sometimes called “anti-ransomware” because true behavioral is too hard to do) targets the actual behaviors commonly used by malware.

You can be sure that the classes of things they target are absolutely defined by signatures, regardless that they are not targeting one specific piece of malware. Why does this distinction matter? Like any signature, these generics have fixed bounds that limit their effectiveness to only those classes they have defined signatures for.

Why Signature-Based Tools Fail

Remember, with signature-based tools, the vendor must have known something about the exploit or the malware used in order to write the generics and exceptions (signatures) to make them effective. If the attack is sufficiently unique, as advanced attackers who understand signature-based defenses develop today, these defenses are practically useless.

This is because the signatures are expressed in the tool’s code, which means that any attacker can see them and write malicious code that avoids them. This leads the vendor in question to have to change their signatures – or worse yet, write even more signatures that will eventually be circumvented yet again.

Basically, this has been the logical progression for some thirty years for AV technologists who are only armed with a single tool; like the stereotypical man with a hammer, everything looks like a nail, but remember – ‘Hammer v2000’ is still just a hammer. A fancy hammer perhaps, but a hammer nonetheless. It still won’t help anyone if the right tool for the job is a saw or a drill.

For example, some behavioral approaches use certain “hooks” as the behavioral data on which they trigger their defenses. The thing is, hooks are not any different than any other behavioral signature; any skilled attacker can simply choose to avoid them at will.

This means that the capabilities of nearly every behavioral system are based on the hope that the attacker is simply too lazy or stupid to avoid them by disabling the hooks. Once the hooks are disabled, the protection is gone forever, and the techniques are easily sharable.

Of course, each new signature-based upgrade will yield a short window of protection, but only until the attackers figure out what’s going on and adjust their tactics to overcome the change, then it’s back to game on and the bad guys are running wild again.

Remember: Real Signatureless Solutions Don’t Use Signatures

As the customer of companies selling signature-based tools masquerading as signatureless solutions, your security is essentially hamstrung by the innately reactive nature of your vendor, and their ability (or inability) to understand new attack techniques and respond to them quickly enough that you are not compromised in the meantime.

Solutions that are truly signatureless, like those that leverage the power of AI and ML, require updates very infrequently, and the updates only improve the mathematical model used to determine if a file is benign or malicious.

Such solutions do not require the near-constant updates to signatures, generics or their associated exceptions, that traditional AV tools need to remain even marginally effective. Better still, they work against new attacks that have yet to be detected and reverse engineered to produce a new signature.

But you don’t need to take our word for it, and you don’t have to take the word of vendors pushing outmoded product offerings they claim to be signatureless. We suggest that you simply Test for Yourself. Thousands of customers have done so already and discovered the truth.

The Cylance Team

About The Cylance Team

Our mission: to protect every computer, user, and thing under the sun.

Cylance’s mission is to protect every computer, user, and thing under the sun. That's why we offer a variety of great tools and resources to help you make better-informed security decisions.