Vulnerability scanners are not that different from virus scanners. In both cases, the goal of the software is to find something out of the ordinary in the target. A virus scanner scans local resources and local storage of a computer to find potentially malicious software. A vulnerability scanner scans some kind of target to find potentially vulnerable software. Both use similar techniques to do so.
Signature-Based Scanning
In the case of signature-based scanning, the scanner looks for recognizable patterns, which are either prepared by the manufacturer of the scanner or taken from a public database. For example:
- A virus scanner looks for a certain chain of bytes that are present in a malicious executable file. If it finds that chain of bytes, it assumes that the malicious file has been found.
- A network scanner looks for a certain response from the server to recognize the exact version of the software that the server uses. It may be as simple as the software actually responding with version information or more complex, for example, recognizing certain typical behavior.
There are several advantages to signature-based scanning:
- It is usually quite fast because no operations need to be performed except comparing chains of bytes from the scanner library with chains of bytes received from the target.
- It is less intrusive and has nearly no side effects.
- It is very easy for the scanner manufacturer because there is no need to write custom code. There are also public domain signature databases, which can be used to build their own database.
Unfortunately, there are some major disadvantages to this type of scanning, too:
- It is not always very precise. The signature does not guarantee that the result found is malicious.
- There is absolutely no proof that the reported result is malicious. Since the scanner only compares signatures, it does not test whether its assumptions are true.
- Most scanners are limited to known signatures and are unable to recognize mutations (for example, a signature with one different byte), irregularities (for example, a differently configured server), or new threats.
Behavior-Based Scanning (Heuristic Scanning)
The other way to scan for malicious content is by actually analyzing the behavior of the target. This means that the scanner needs to understand the way that the target works, not just compare a signature. For example:
- When a heuristic virus scanner finds a potentially executable file, it may perform reverse engineering on it to check exactly what the code does (to check whether its actions are malicious). It may also try to execute the code in a safe environment to see the results.
- When a web vulnerability scanner finds an element that allows user input, it tries to “trick the target” by sending unexpected data. It then analyzes the response of the target to see whether it succeeded.
Heuristic scanning has some major advantages:
- Theoretically, it’s able to find any kind of a threat, even a custom one or a zero-day one. Obviously, that depends on how advanced is the software.
- It’s more precise because it actually checks whether its assumptions are correct. Sometimes, it can even provide proof.
Unfortunately, heuristic scanning has some disadvantages, too:
- You may find it much more resource-intensive than signature-based scanning. A heuristic scanner needs more time to find results and it may slow down the target more than a signature-based scanner.
- Building a good heuristic scanner is very difficult and requires top talent. Unlike with signature-based scanners, every new type of attack has to be programmed and simulated. A heuristic scanner library is not just a list of strings to compare – it requires actual custom software for every type of check.
Please contact us for more information and get a free assessment.
