The Art Of Proactive Detection

In the latest Virus Bulletin comparative test of anti-malware products, it was extremely heartening to see Sophos earning a very respectable score in terms of proactive detection rates (see Graham Cluley’s blog post here).

But what is meant by proactive detection?

To put it in layman’s terms, it is a measure of how effectively Sophos AV, using only its current virus identities, detects both existing in-the-wild samples and future samples, without requiring an update.

To give people outside the AV industry a glimpse into the world of binary analysis and what it entails, take a look at the following three samples in IDA, viewed from their entry point (EP).

[Figure: entry-point disassembly of the three samples in IDA]

To the untrained eye, it might appear that these three samples are totally different; an experienced analyst, however, would instantly pick up on subtle clues shared among them. These files in fact belong to the same malware family, but have been deliberately obfuscated by a polymorphic generator.

From these files we then look for common ideas, identify common themes, formulate common detection strategies and turn them into identities.
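As an added illustration of that process (this is example code written for this page, not a Sophos identity or any SophosLabs tooling), the Python below normalises each sample’s entry-point listing so that register renaming, changed constants and inserted junk fall away, then matches the shape of the decryption loop that survives. The three listings and the benign program are constructed strings, not disassembly of the real samples; the benign case checks that the identity does not fire on an ordinary function prologue.

```python
import re
# Constructed entry-point listings (not the post's real samples): one decryption
# stub with registers renamed, constants changed and junk inserted; ";" separates.
SAMPLE_A = ("push ebp; mov ebp, esp; xor eax, eax; mov ecx, 0x1f3; top:; "
            "xor byte ptr [esi+eax], 0x5a; inc eax; dec ecx; jnz top; jmp esi")
SAMPLE_B = ("push ebp; mov ebp, esp; nop; xor ebx, ebx; mov edx, 0x2c7; nop; lbl:; "
            "xor byte ptr [edi+ebx], 0x91; inc ebx; dec edx; jnz lbl; jmp edi")
SAMPLE_C = ("push ebp; mov ebp, esp; mov ecx, ecx; xor edx, edx; mov eax, 0x0f8; "
            "again:; xor byte ptr [ebx+edx], 0x3c; mov ecx, ecx; inc edx; "
            "dec eax; jnz again; jmp ebx")
BENIGN = "push ebp; mov ebp, esp; sub esp, 0x40; xor eax, eax; call init; leave; ret"
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

def operand_shape(op):
    """Classify an operand as mem / imm / reg / sym, discarding its value."""
    if "[" in op:
        return "mem"
    if re.fullmatch(r"0x[0-9a-f]+|[0-9]+", op):
        return "imm"
    return "reg" if op in REGS else "sym"

def is_junk(mnemonic, operands):
    """Padding a generator may insert: nop, or a register moved onto itself."""
    return mnemonic == "nop" or (
        mnemonic == "mov" and len(operands) == 2 and operands[0] == operands[1])

def normalise(listing):
    """Reduce a listing to (mnemonic, operand-shape) pairs; drop labels and junk."""
    skeleton = []
    for line in listing.split(";"):
        line = line.strip().lower()
        if not line or line.endswith(":"):
            continue
        mnemonic, _, rest = line.partition(" ")
        operands = [o.strip() for o in rest.split(",")] if rest else []
        if not is_junk(mnemonic, operands):
            skeleton.append((mnemonic, ",".join(map(operand_shape, operands))))
    return skeleton

# The "identity": the shape of the decryption loop, "*" where the generator's
# choice does not matter. Constructed for this example, not a Sophos format.
IDENTITY = [("xor", "reg,reg"), ("mov", "reg,imm"), ("xor", "mem,imm"),
            ("inc", "reg"), ("dec", "reg"), ("jnz", "*"), ("jmp", "reg")]

def matches(listing, identity=IDENTITY):
    """True if the identity occurs as a contiguous run in the normalised listing."""
    skel, n = normalise(listing), len(identity)
    return any(all(s[0] == i[0] and i[1] in ("*", s[1])
                   for s, i in zip(skel[k:k + n], identity))
               for k in range(len(skel) - n + 1))
```

The mnemonic-plus-operand-shape skeleton is what lets one identity cover all three variants, while the operand shapes (a memory XOR with an immediate, a counter loaded from an immediate) are what keep it from matching the benign prologue.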

Such samples are part and parcel of a virus analyst’s life these days. I’ve come across code for these proactive detection identities written by various SophosLabs researchers from our different labs around the world. They can range from simple formulaic ideas to jaw-droppingly complex and abstract strategies that will test the limits of any analyst’s malware knowledge. There is no “one-size-fits-all” solution when it comes to creating proactive generic detection here at SophosLabs.

In addition, we take the greatest care to future-proof our identities, so that we do not create a detection strategy that would result in false positives.

The malware threat landscape is constantly changing, so a proactive detection that worked successfully in the past week is not likely to be as effective in the future. For proactive detection to maintain its relevance, SophosLabs needs to constantly find and adopt new techniques.

No analyst takes the issue of proactive detection lightly, as standing still and resting on our laurels is akin to waiting for death to come knocking.

When it comes to writing proactive detection, if a particular strategy begins to fail, we endeavour to develop a new one. Sometimes, a good idea may take a few weeks to come to fruition and other times, the turnaround time can be less than an hour. To outsiders, it may appear to be an infuriating process at times as we are, after all, trying to find new ways to fix what often looks like monstrous, abstract problems. But we live for this kind of maddening work.

IMHO, the result from such work is always very gratifying because we know that whenever we create a good proactive detection, we help to better protect the customer before they even realise it.