At Malwarebytes, we're all for precision, especially when it comes to two commonly confused cybersecurity concepts that are used interchangeably all the time—antivirus and anti-malware. Sure, they both refer to cybersecurity software, but what do these terms actually mean, how do they differ, and are they both still relevant in dealing with today's digital threats?
Let's unpack these terms one at a time and take a deep dive into the world of cybersecurity semantics.
What's the difference between antivirus and anti-malware?
For the most part, “antivirus” and “anti-malware” mean the same thing. Both refer to software designed to detect, protect against, and remove malicious software. Contrary to what the name suggests, antivirus software protects against more than viruses; it just uses a somewhat antiquated name to describe what it does. Anti-malware software protects against viruses too; it simply uses a more modern name that covers all kinds of malicious software, viruses included. Anti-malware can stop a viral infection from happening and remove infected files, but it isn't necessarily equipped to restore files that a virus has modified or replaced; for that you need backups. Both antivirus and anti-malware fall under the broader term “cybersecurity.”
What is cybersecurity?
Cybersecurity, or computer security, is a catchall term for any strategy for protecting a system from malicious attacks aimed at things like holding your computer hostage, stealing system resources (as in a botnet), recording your usernames and passwords, and a whole host of other bad things. Such attacks might arrive through your hardware (for example, a backdoor in a device or its firmware) or through your software (for example, an exploit for a vulnerable program).
Cybersecurity threats and their countermeasures are varied and nuanced nowadays, but the marketplace naturally strives for simplicity when communicating to consumers. This is why many people still see “viruses” as the biggest threat to their computer. In reality, computer viruses are just one type of cyberthreat that happened to be popular when computers were in their infancy. They're far from the most common threat today, but the name stuck. It's a bit like calling every disease a cold.
What is a computer virus?
A computer or PC virus is a piece of (usually) harmful software defined by two characteristics:
- It needs to be initiated by an unsuspecting user. Triggering a virus can be as simple as opening a malicious email attachment (malspam), launching an infected program, or visiting a malicious site. Once that happens, the virus tries to spread to other systems on the computer's network or to the user's list of contacts.
- It must be self-replicating. If the software doesn't self-replicate, it's not a virus. This process of self-replication can happen by modifying or completely replacing other files on the user's system. Either way, the resulting file must show the same behavior as the original virus.
Computer viruses have been around for decades. In theory, the origin of “self-reproducing automata” (i.e. viruses) dates back to an article published by mathematician and polymath John von Neumann in the late 1940s. Early viruses occurred on pre-personal computer platforms in the 1970s. However, the history of modern viruses begins with a program called Elk Cloner, which started infecting Apple II systems in 1982. Disseminated via infected floppy disks, the virus itself was harmless, but it spread to all disks attached to a system. It spread so quickly that most cybersecurity experts consider it the first large-scale computer virus outbreak in history.
Early viruses like Elk Cloner were mostly designed as pranks; their creators were in it for notoriety and bragging rights. By the early 1990s, however, adolescent mischief had evolved into harmful intent. PC users experienced an onslaught of viruses designed to destroy data, consume system resources, and log keystrokes (keyloggers). The need for countermeasures led to the development of the first antivirus programs.
Early antivirus programs were purely reactive: they could only detect infections after they had taken place. Moreover, the first antivirus programs identified viruses by the relatively primitive technique of matching signatures: a hash of a known malicious file, or a distinctive sequence of bytes found in it. If a scanner knew the signature of a virus nicknamed “PCdestroy,” it would stop any file that matched. However, if the attacker recompiled, repacked, or otherwise altered the file so that those bytes changed, the same scanner would no longer recognize it. Although early antivirus software could also match broader patterns, such as known harmful instruction sequences or code sequences in network traffic, it was always playing catch-up.
Early antivirus products using signature-based strategies could easily detect known viruses, but they could not detect new ones. Instead, a new virus had to be isolated and analyzed to determine its signature, which was then added to the list of known viruses. The antivirus user had to regularly download an ever-growing database of hundreds of thousands of signatures. Even so, new viruses that spread ahead of the database updates left a significant percentage of devices unprotected. The result was a constant race to keep up with the evolving threat landscape as new viruses were created and released into the wild.
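To make the catch-up problem concrete, here is an added example (not Malwarebytes code, and not from the original page) of a toy signature scanner in Python. The sample bytes, the family name “PCdestroy.A”, and the two signature formats are constructed for illustration: a hash signature matches one exact file, a byte-pattern signature survives changes elsewhere in the file, and neither survives the attacker obfuscating the matched bytes until an analyst isolates the new variant and adds an entry for it.

```python
"""Toy signature scanner: hash signatures and byte-pattern signatures,
and how small changes to a sample evade them. Added illustration only;
the samples are constructed stand-ins, not real malware."""
import hashlib
import re
from typing import Optional

# Constructed sample: a fake executable carrying a recognizable payload string.
HEADER = b"MZ\x90\x00" + b"\x00" * 60
PAYLOAD = b"PCdestroy payload: del *.* /q"
ORIGINAL_SAMPLE = HEADER + PAYLOAD + b"\x00" * 32

# Variant 1: one padding byte changed. The hash changes, the payload bytes do not.
PADDED_VARIANT = ORIGINAL_SAMPLE[:-1] + b"\x01"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest obfuscation that breaks a literal byte match."""
    return bytes(b ^ key for b in data)


# Variant 2: payload string XOR-obfuscated, so the literal pattern no longer appears.
OBFUSCATED_VARIANT = HEADER + xor_bytes(PAYLOAD, 0x41) + b"\x00" * 32

# The signature database an analyst builds after isolating the first sample.
hash_signatures = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "PCdestroy.A"}
pattern_signatures = {"PCdestroy.A": re.compile(re.escape(PAYLOAD))}


def scan_by_hash(sample: bytes) -> Optional[str]:
    """Exact-file match: changing any single byte defeats it."""
    return hash_signatures.get(hashlib.sha256(sample).hexdigest())


def scan_by_pattern(sample: bytes) -> Optional[str]:
    """Byte-pattern match: survives changes outside the matched bytes."""
    for name, pattern in pattern_signatures.items():
        if pattern.search(sample):
            return name
    return None


def scan(sample: bytes) -> Optional[str]:
    return scan_by_hash(sample) or scan_by_pattern(sample)


def add_signature(name: str, sample: bytes, pattern: bytes) -> None:
    """The analyst's side of the race: isolate the new variant, add its signature."""
    hash_signatures[hashlib.sha256(sample).hexdigest()] = name
    pattern_signatures[name] = re.compile(re.escape(pattern))


if __name__ == "__main__":
    print("original:", scan(ORIGINAL_SAMPLE))                       # PCdestroy.A
    print("padded, by hash:", scan_by_hash(PADDED_VARIANT))          # None
    print("padded, by pattern:", scan_by_pattern(PADDED_VARIANT))    # PCdestroy.A
    print("obfuscated:", scan(OBFUSCATED_VARIANT))                   # None: window of exposure
    add_signature("PCdestroy.B", OBFUSCATED_VARIANT, xor_bytes(PAYLOAD, 0x41))
    print("obfuscated after update:", scan(OBFUSCATED_VARIANT))      # PCdestroy.B
```

The gap between the obfuscated variant appearing and `add_signature` being called is exactly the window in which signature-only protection leaves users exposed; every new variant restarts it.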
Current status of computer viruses and antivirus programs
PC viruses today are more of a legacy threat than an ongoing risk to computer users. They've been around for decades and have not substantially changed.
So if computer viruses aren't really a thing anymore, why do people still call their threat protection software an antivirus program?
It boils down to entrenched name recognition. Viruses made sensational headlines in the 1990s, and security companies began using the word as shorthand for cyberthreats in general; thus the term “antivirus” was born. Decades later, many security firms still market their products as “antivirus.” It has become a vicious cycle: consumers assume viruses are synonymous with cyberthreats, so companies call their cybersecurity products “antivirus” software, which leads consumers to think viruses are still the problem.
But here's the thing: while “virus” and “antivirus” are not exactly anachronisms, modern cyberthreats are often much worse than their viral predecessors. They hide deeper in our computer systems and are more adept at evading detection. The quaint viruses of yesterday have given way to an entire rogues' gallery of advanced threats: spyware, rootkits, Trojans, exploits, and ransomware, to name a few.
As these new attack categories emerged and evolved beyond early viruses, antivirus companies continued their mission against the new threats. However, they were unsure how to categorize themselves. Should they continue to market their products as “antivirus” at the risk of sounding reductive? Should they adopt another “anti-threat” term such as “anti-spyware”? Or was it better to take an all-inclusive approach and combine everything in a single product line that addressed all threats? The answer depended on the company.
At Malwarebytes, cybersecurity is our highest-level catchall category. And that's why it makes sense to combine our anti-threat effort into a single term that covers more than just viruses. Accordingly, the term we use to cover most of what we do is “anti-malware,” which is short for “anti-malicious software.”
If viruses aren't as big of a threat anymore, why do I need cybersecurity?
Viruses are just one kind of malware. There are other forms of malware that are more common these days. Here are just a few.
- Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser, but sometimes within mobile apps as well. Typically, it either disguises itself as legitimate, or piggybacks on another program to trick you into installing it on your PC, tablet, or mobile device.
- Spyware is malware that secretly observes the computer user's activities, including browsing activity, downloads, payment information, and login credentials, then reports this information to the software's author. Spyware isn't just for cybercriminals. Legitimate companies sometimes use spyware to track employees.
- A keylogger, spyware's less sophisticated cousin, is malware that records all the user's keystrokes on the keyboard, typically storing the gathered information, and sending it to the attacker, who is seeking sensitive information like usernames and passwords, or credit card details.
- A computer virus is malware that attaches to another program and, when triggered, replicates itself by modifying other computer programs and infecting them with its own bits of code.
- Worms are a type of malware similar to viruses in that they self-replicate and spread, but they don't require user interaction to trigger; they typically propagate on their own across a network by exploiting vulnerabilities or weak credentials on other machines.
- A Trojan, or Trojan Horse, is more of a delivery method for infections rather than an infection itself. The Trojan presents itself as something useful in order to trick users into opening it. Trojan attacks can carry just about any form of malware, including viruses, spyware, and ransomware. Famously, the Emotet banking Trojan started out as an information stealer, targeting banks and large corporations. Later, Emotet operated purely as an infection vector for other forms of malware, usually ransomware.
- Ransomware is a form of malware that locks you out of your device and/or encrypts your files, then forces you to pay a ransom to get them back. Ransomware has been called the cybercriminal's weapon of choice, because it demands a profitable quick payment in hard-to-trace cryptocurrency. The cybercriminals behind the GandCrab ransomware claimed to have brought in over $2 billion in ransom payments over the course of a year and a half.
- A rootkit is malware that gives the attacker persistent administrator-level (root) access to the infected system and actively hides its presence from the normal computer user, from other software on the system, and even from the operating system itself, typically by tampering with the system calls or kernel data structures that would otherwise reveal it.
- Malicious cryptomining, also called drive-by mining or cryptojacking, is an increasingly prevalent form of malware or browser-based attack delivered through multiple methods, including malspam, drive-by downloads, and rogue apps and extensions. It lets someone else use your computer's CPU or GPU to mine cryptocurrency such as Bitcoin or Monero, with the mined coins going to the attacker's wallet rather than yours. In short, a malicious cryptominer steals your device's resources (and electricity) to make money for someone else.
- Exploits are code that takes advantage of bugs and vulnerabilities in a system in order to run attacker-chosen code or deliver malware. Common targets are browsers, browser plugins, and web applications; SQL injection, for instance, is one of the most frequently exploited classes of web application vulnerability.
- Malvertising is an attack that uses malicious ads on mostly legitimate websites to deliver malware. You needn't even click on the ad to be affected—the accompanying malware can install itself simply by loading and viewing the page in your browser. All you have to do is visit a good site on the wrong day.
- Spoofing occurs when a threat pretends to be something it's not in order to deceive victims into taking some action, like opening an infected email attachment or entering their username and password on a malicious site faked to look like a legitimate one.
- Phishing is a type of attack aimed at getting your login credentials, credit card numbers, and any other information the attackers find valuable. Phishing attacks often involve some form of spoofing, usually an email designed to look like it's coming from an individual or organization you trust. Many data breaches start with a phishing attack.
How does anti-malware work?
The old school method of signature-based threat detection is effective to a degree, but modern anti-malware also detects threats using newer methods that look for malicious behavior. To put it another way, signature-based detection is a bit like looking for a criminal's fingerprints. It's a great way to identify a threat, but only if you know what their fingerprints look like. Modern anti-malware takes detection a step further so it can identify threats it has never seen before. By analyzing a program's structure and behavior, it can detect suspicious activity. Keeping with the analogy, it's a bit like noticing that one person always hangs out in the same places as known criminals, and has a lock pick in his pocket.
This newer, more effective technology is called heuristic analysis. In this context, “heuristics” refers to a strategy that detects threats by analyzing a program's structure, its behavior, and other attributes, rather than matching it against a list of known samples.
Each time a heuristic anti-malware program scans an executable file, it scrutinizes the program's overall structure, programming logic, and data. All the while, it looks for things like unusual instructions or junk code. In this way, it assesses the likelihood that the program contains malware.
What's more, a big plus for heuristics is its ability to detect malware in files and boot records before the malware has a chance to run and infect your computer. In other words, heuristics-enabled anti-malware is proactive, not reactive. Some anti-malware products can also run the suspected malware in a sandbox, which is a controlled environment in which the security software can determine whether a program is safe to deploy or not. Running malware in a sandbox lets the anti-malware look at what the software does, the actions it performs, and whether it tries to hide itself or compromise your computer.
Another way heuristic analysis helps keep users safe is by analyzing web page characteristics to identify risky sites that might host exploits. If it recognizes something fishy, it blocks the site.
In brief, signature-based antivirus is like a bouncer at the nightclub door, carrying a thick book of mug shots and booting anyone that matches. Heuristic analysis is the bouncer who looks for suspicious behavior, pats people down, and sends home the ones carrying a weapon.
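Here is an added example (not Malwarebytes code, and not from the original page) in Python of the two ideas in the last few paragraphs: static heuristics over a file's bytes (entropy as a proxy for packing or encryption, suspicious API names, backup-destroying commands) and behaviour scoring over a trace of what the program did when run in a sandbox. The weights, thresholds, sample bytes and trace events are constructed assumptions chosen to illustrate the scoring, not a real engine's rules; the API and command names are real Windows ones.

```python
"""Toy heuristic engine: static heuristics on a file's bytes plus behaviour scoring
of a sandbox trace. Added illustration only; weights, thresholds and samples are
constructed assumptions, not any vendor's detection logic."""
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Plain code and text sit well below 7; packed or
    encrypted sections, which hide their logic from static analysis, sit above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Real Windows API names that appear together in process-injection code.
# Any one is common in legitimate software; all three together is a stronger signal.
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")


def static_score(sample: bytes) -> int:
    """Structure-and-content heuristics: nothing here needs a prior signature."""
    score = 0
    if shannon_entropy(sample) > 7.0:
        score += 2                      # probably packed or encrypted
    hits = sum(api in sample for api in INJECTION_APIS)
    score += 3 if hits == len(INJECTION_APIS) else (1 if hits else 0)
    if b"vssadmin" in sample and b"delete shadows" in sample:
        score += 3                      # deleting Volume Shadow Copies destroys the victim's backups
    return score


Event = Tuple[str, str]   # (operation, argument) as a sandbox would log it


def behaviour_score(trace: List[Event]) -> int:
    """What the program does when run in a sandbox, regardless of how its code looks."""
    score = 0
    written = {arg for op, arg in trace if op == "write"}
    # A user file deleted after a copy with an extra extension was written
    # (report.docx -> report.docx.locked) is the encrypt-then-remove pattern of ransomware.
    encrypted = [arg for op, arg in trace
                 if op == "delete" and any(w.startswith(arg + ".") for w in written)]
    if len(encrypted) >= 3:
        score += 4
    if any(op == "exec" and "vssadmin" in arg and "delete shadows" in arg for op, arg in trace):
        score += 3
    return score


def verdict(sample: bytes, trace: List[Event]) -> str:
    """Combine both signal sources; thresholds are illustrative assumptions."""
    total = static_score(sample) + behaviour_score(trace)
    return "malicious" if total >= 6 else "suspicious" if total >= 3 else "clean"


# Constructed samples ---------------------------------------------------------
rng = random.Random(1337)
PACKED_BLOB = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for a packed section
MALICIOUS_SAMPLE = (PACKED_BLOB + b"".join(INJECTION_APIS)
                    + b"vssadmin delete shadows /all /quiet")
BENIGN_SAMPLE = b"Quarterly report: revenue rose 4% year over year.\n" * 40

RANSOM_TRACE: List[Event] = [
    ("read", "C:/Users/alice/Documents/report.docx"),
    ("write", "C:/Users/alice/Documents/report.docx.locked"),
    ("delete", "C:/Users/alice/Documents/report.docx"),
    ("read", "C:/Users/alice/Documents/budget.xlsx"),
    ("write", "C:/Users/alice/Documents/budget.xlsx.locked"),
    ("delete", "C:/Users/alice/Documents/budget.xlsx"),
    ("read", "C:/Users/alice/Pictures/holiday.jpg"),
    ("write", "C:/Users/alice/Pictures/holiday.jpg.locked"),
    ("delete", "C:/Users/alice/Pictures/holiday.jpg"),
    ("exec", "vssadmin delete shadows /all /quiet"),
]
BENIGN_TRACE: List[Event] = [
    ("read", "C:/Users/alice/AppData/editor/settings.json"),
    ("write", "C:/Users/alice/AppData/editor/settings.json"),
    ("write", "C:/Users/alice/Documents/notes.txt"),
]

if __name__ == "__main__":
    print(verdict(MALICIOUS_SAMPLE, RANSOM_TRACE))   # malicious
    print(verdict(BENIGN_SAMPLE, BENIGN_TRACE))      # clean
```

Each static signal is weak on its own (legitimate installers are packed, debuggers call `WriteProcessMemory`, and administrators do run `vssadmin`), which is why the weights only add up to a verdict in combination, and why the behaviour trace matters: a sample whose code is fully obfuscated still has to touch the victim's files to do its job. A production engine uses hundreds of such features and tunes thresholds against a large clean corpus to keep false positives down.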
Advancements in cybersecurity programs
Two threat categories that rose to prominence relatively recently have helped drive the advancement of signature-less detection methods: exploits and ransomware. Though these threats are similar to others in many ways, they can be much harder to detect, and once a machine is infected they can be almost impossible to remove or, in the case of ransomware, to recover from without backups.
Exploits get their name because they literally exploit vulnerabilities in a system, software, or web browser in order to install malicious code in a variety of ways. Anti-exploit measures were developed as a shield against this method of attack, protecting against Flash exploits and browser weaknesses, including new exploits that have not been identified or vulnerabilities for which patches have not yet been created.
Ransomware emerged on the malware scene to spectacular effect in 2013. It made a name for itself by hijacking and encrypting computer data, then extorting payment while it held the data hostage, and even threatening to erase it if a deadline passed without payment.
Originally, both threats led to dedicated anti-exploit and anti-ransomware products. In December 2016, Malwarebytes folded anti-exploit and malicious website protection into the premium version of Malwarebytes for Windows, and has since added anti-ransomware for even more advanced anti-malware protection.
The future of cybersecurity programs (which is already here)
Artificial intelligence (AI) and machine learning (ML) are the latest stars in anti-malware technology.
AI allows machines to perform tasks for which they are not explicitly pre-programmed. Rather than blindly executing a fixed set of rules, an AI system analyzes a situation and takes action toward a given goal, such as identifying signs of ransomware activity.
ML is the branch of AI in which a program learns patterns from training data (for example, features of known-malicious and known-clean files) and uses them to classify new data it has never seen, without a human writing a rule for each case.
Put another way, AI focuses on building smart machines, while ML uses algorithms that allow the machines to learn from experience. Both these technologies are a perfect fit for cybersecurity, especially since the number and variety of threats coming in every day are too overwhelming for signature-based methods or other manual measures. Both AI and ML are still in developmental phases, but they hold immense promise.
In fact, at Malwarebytes, we already use a machine-learning component that detects malware that's never been seen before in the wild, also known as zero-days or zero-hours. Other components of our software perform behavior-based, heuristic detections—meaning they may not recognize a particular code as malicious, but they have determined that a file or website is acting in a way that it shouldn't. This tech is based on AI/ML and is available to our users both with real-time protection and on-demand scanning.
In the case of business IT professionals with multiple endpoints to secure, the heuristic approach is especially important. We never know what the next big malware threat will be. So heuristics plays an important role in Malwarebytes Endpoint Protection, as does AI and ML. Together, they create multiple layers of protection that address all stages of the attack chain for both known and unknown threats.
An ounce of prevention vs. a pound of cure
From desktops and laptops to tablets and smartphones, all our devices are vulnerable to malware. Given a choice, who wouldn't want to prevent an infection instead of dealing with the aftermath?
So what should you do to stay safe? What kind of cybersecurity software—antivirus or anti-malware—should one choose to address a threat landscape that consists of legacy viruses and emerging malware?
The fact is, traditional antivirus alone is not up to the task, as evidenced by the regular stream of newspaper headlines reporting yet another successful cyberattack. It is inadequate against emerging zero-day threats, allows ransomware to successfully hijack computers, and doesn't completely remove malware. What's needed is an advanced cybersecurity program that is flexible and smart enough to anticipate today's increasingly sophisticated threats.
Malwarebytes for Windows fulfills this need for advanced cybersecurity (along with Malwarebytes for Mac, Malwarebytes for Android, and Malwarebytes business solutions). Malwarebytes products protect against malware, hacks, viruses, ransomware, and other ever-evolving threats to help support a safe online experience. Our AI-enhanced, heuristics-based technology blocks threats that traditional antivirus isn't smart enough to stop.
For an additional layer of protection, consider Malwarebytes Browser Guard. It's the browser extension that stops annoying ads and trackers. Plus, it's the world's first browser extension that blocks tech support scams.
Industry watchers have cited Malwarebytes for Windows for its role in a layered protection approach, providing reliable protection without degrading system performance. It removes all traces of malware, blocks the latest threats, and performs scans fast.
Regardless of the cybersecurity you choose, your first line of defense is education. Stay up to date on the latest threats and protection by making the Malwarebytes Labs blog a regular read.