What types of malware does Deep Security protect against?
The Deep Security anti-malware module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, the anti-malware module checks files against a comprehensive threat database, portions of which are hosted on Trend Micro servers or kept locally as updatable patterns. The anti-malware module also checks files for certain characteristics, such as compression and known exploit code.
To address threats, the Deep Security anti-malware module selectively performs actions that contain and remove the threats while minimizing system impact. The anti-malware module can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.
The anti-malware module protects against all kinds of file-based threats, including the following:
Viruses (file infectors)
Viruses are able to infect normal files by inserting malicious code. Typically, whenever an infected file is opened, the malicious code automatically runs and delivers a payload in addition to infecting other files. Below are some of the more common types of viruses:
- COM and EXE infectors infect DOS and Windows executable files, which typically have COM and EXE extensions.
- Macro viruses infect Microsoft Office files by inserting malicious macros.
- Boot sector viruses infect the section of hard disk drives that contain operating system startup instructions
The anti-malware module uses different technologies to identify and clean infected files. The most traditional method is to detect the actual malicious code that is used to infect files and strip infected files of this code. Other methods include regulating changes to infectable files or backing up such files whenever suspicious modifications are applied to them.
Trojans and other non-infectors
Non-infectors are malware files that do not have the ability to infect other files. This large set includes the following malware types:
- Trojans: non-infecting executable malware files that do not have backdoor or worm capabilities.
- Backdoors: malicious applications that allow unauthorized remote users to access infected systems. Back doors are known to connect to communication servers through open port numbers.
- Worms: malware programs that can propagate from system to system are generally referred to as "worms". Worms are known to propagate by taking advantage of social engineering through attractively packaged email messages, instant messages, or shared files. They are also known to copy themselves to accessible network shares and spread to other computers by exploiting vulnerabilities.
- Network viruses: worms that are memory-only or packet-only programs (not file-based). Anti-malware is unable to detect or remove network viruses.
- Rootkits: file-based malware that manipulate calls to operating system components. Applications, including monitoring and security software, need to make such calls for very basic functions, such as listing files or identifying running processes. By manipulating these calls, rootkits are able to hide their presence or the presence of other malware.
Spyware/grayware comprises applications and components that collect information to be transmitted to a separate system or collected by another application. Spyware/grayware detections, although exhibiting potentially malicious behavior, may include applications used for legitimate purposes such as remote monitoring. Spyware/grayware applications that are inherently malicious, including those that are distributed through known malware channels, are typically detected as other Trojans.
Spyware/grayware applications are typically categorized as:
- Spyware: software installed on a computer to collect and transmit personal information.
- Dialers: malicious dialers are designed to connect through premium-rate numbers causing unexpected charges. Some dialers also transmit personal information and download malicious software.
- Hacking tools: programs or sets of programs designed to assist unauthorized access to computer systems.
- Adware (advertising-supported software): any software package that automatically plays, displays, or downloads advertising material.
- Cookies: text files stored by a Web browser. Cookies contain website-related data such as authentication information and site preferences. Cookies are not executable and cannot be infected; however, they can be used as spyware. Even cookies sent from legitimate websites can be used for malicious purposes.
- Keyloggers: software that logs user keystrokes to steal passwords and other private information. Some keyloggers transmit logs to remote systems.
What is grayware?
Although they exhibit what can be intrusive behavior, some spyware-like applications are considered legitimate. For example, some commercially available remote control and monitoring applications can track and collect system events and then send information about these events to another system. System administrators and other users may find themselves installing these legitimate applications. These applications are called "grayware".
To provide protection against the illegitimate use of grayware, the anti-malware module detects grayware but provides an option to "approve" detected applications and allow them to run.
Packers are compressed and/or encrypted executable programs. To evade detection, malware authors often pack existing malware under several layers of compression and encryption. <Malware protection> checks executable files for compression patterns associated with malware.
Files detected as probable malware are typically unknown malware components. By default, these detections are logged and files are anonymously sent back to Trend Micro for analysis.
"Other Threats" includes malware not categorized under any of the malware types. This category includes joke programs, which display false notifications or manipulate screen behavior but are generally harmless.