Understanding Antimalware Protection In Cybersecurity

Antimalware Protection In Cybersecurity: Facts To Note


The term “endpoint” is defined in various ways. For the purpose of this course, we can define endpoints as hosts on the network that can access or be accessed by other hosts on the network. This obviously includes computers and servers; however, many other devices can also access the network. With the rapid growth of the Internet of Things (IoT), other types of devices are now endpoints on the network.


This includes networked security cameras, controllers, and even light bulbs and appliances. Each endpoint is potentially a way for malicious software to gain access to a network. In addition, new technologies, such as the cloud, expand the boundaries of enterprise networks to include locations on the internet for which enterprises are not responsible. This article discusses some of the facts that you need to know about antimalware protection in cybersecurity. 


Devices that remotely access networks through VPNs are also endpoints that need to be considered. These endpoints could inject malware into the VPN network from the public network.
The following points summarize some of the reasons why malware remains a major challenge:
  • According to research from Cybersecurity Ventures, by 2021 a new organization will fall victim to a ransomware attack every 11 seconds.
  • Ransomware attacks will cost the global economy $6 trillion annually by 2021.
  • In 2018, 8 million attempts to steal system resources using cryptojacking malware were observed.
  • From 2016 to early 2017, global spam volume increased dramatically. 8 to 10 percent of this spam can be considered to be malicious, as shown in the figure.
  • The average number of cyber attacks per macOS device is projected to rise from 4.8 in 2018 to 14.2 in 2020.
  • Several common types of malware have been found to significantly change features in less than 24 hours in order to evade detection.


Figure 1 shows emails sent per second from 2012 through 2016, rising from 0.5K in 2012 to over 3K in 2016. Figure 2 shows, based on Cisco security research, the percentage of total spam carrying malicious attachments, from close to 0 percent in January 2015 to the 2016 figures: almost 15 percent contains malicious .wsf files, 25 percent contains malicious .docm files, close to 40 percent contains malicious .zip files, almost 50 percent contains malicious .js files, almost 70 percent contains malicious .ht files, and over 70 percent contains malicious attachments overall.

Endpoint Security

News media commonly cover external network attacks on enterprise networks. These are some examples of such attacks:

  • DoS attacks on an organization’s network to degrade or even halt public access to it
  • Breach of an organization’s webserver to deface their web presence
  • Breach of an organization’s data servers and hosts to steal confidential information

Various network security devices are required to protect the network perimeter from outside access. As shown in the figure, these devices could include a hardened router that is providing VPN services, a next-generation firewall (ASA, in the figure), an IPS appliance, and an authentication, authorization, and accounting (AAA) services server (AAA Server, in the figure).


The figure depicts a campus area network. A cloud representing the Internet is connected to a router, labelled VPN. The VPN router is connected to an ASA firewall. The firewall has two additional connections; one to an IPS and another to a switch. The switch is connected to a DHCP server, email server, web server, and ESA/WSA.
The IPS is connected to a multilayer switch. The multilayer switch has a connection to an AAA server as well as to two layer 2 switches and to another multilayer switch. The second multilayer switch also has connections to the same layer 2 switches, creating redundancy. Below the layer 2 switches are three laptops and three PCs, which are labelled as hosts.
However, many attacks originate from inside the network. Therefore, securing an internal LAN is nearly as important as securing the outside network perimeter. Without a secure LAN, users within an organization are still susceptible to network threats and outages that can directly affect an organization’s productivity and profit margin. After an internal host is infiltrated, it can become a starting point for an attacker to gain access to critical system devices, such as servers and sensitive information.


Specifically, there are two internal LAN elements to secure:

  • Endpoints – Hosts commonly consist of laptops, desktops, printers, servers, and IP phones, all of which are susceptible to malware-related attacks.
  • Network infrastructure – LAN infrastructure devices interconnect endpoints and typically include switches, wireless devices, and IP telephony devices. Most of these devices are susceptible to LAN-related attacks including MAC address table overflow attacks, spoofing attacks, DHCP related attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.

Host-Based Malware Protection

The network perimeter is always expanding. People access corporate network resources with mobile devices that use remote access technologies such as VPN. These same devices are also used on unsecured or minimally secured public and home networks. Host-based antimalware/antivirus software and host-based firewalls are used to protect these devices.


Antivirus/Antimalware Software
This is software that is installed on a host to detect and mitigate viruses and malware. Examples are Windows Defender Virus & Threat Protection, Cisco AMP for Endpoints, Norton Security, McAfee, Trend Micro, and others. Antimalware programs may detect viruses using three different approaches:
  • Signature-based – This approach recognizes various characteristics of known malware files.
  • Heuristics-based – This approach recognizes general features shared by various types of malware.
  • Behaviour-based – This approach employs analysis of suspicious behaviour.

Many antivirus programs are able to provide real-time protection by analyzing data as it is used by the endpoint. These programs also scan for existing malware that may have entered the system prior to it being recognizable in real-time.
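The three approaches above in miniature, as an added example that is not part of the original article or any named product: a signature check (exact hash of known content), a heuristic score (traits shared across families: injection API strings, high entropy, double extensions), and a behaviour rule (a burst of renames to a new extension). The known-bad sample, feature list and thresholds are constructed for illustration.

```python
"""Toy scanner showing signature-, heuristic- and behaviour-based detection."""
import hashlib
import math
from collections import Counter

# Constructed "known malware" content (hypothetical); the signature DB holds only its SHA-256.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00CONSTRUCTED-SAMPLE-DROPPER"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

# Constructed heuristic features: API names commonly seen in process-injection code.
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"VirtualAllocEx", b"WriteProcessMemory"]


def shannon_entropy(data):
    """Bits per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def signature_match(data):
    """Signature-based: matches only files whose hash is already known."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


def heuristic_score(data, filename):
    """Heuristic-based: adds points for general traits, so unknown variants can still score."""
    score = sum(2 for s in SUSPICIOUS_STRINGS if s in data)
    if shannon_entropy(data) > 7.0:          # looks packed or encrypted
        score += 2
    if filename.count(".") >= 2 and filename.lower().endswith((".exe", ".js", ".wsf")):
        score += 3                           # double extension such as invoice.pdf.js
    return score


def behaviour_alert(events, threshold=20):
    """Behaviour-based: a process renaming many files to one new extension in a burst."""
    renames = [e for e in events if e.startswith("rename:") and e.endswith(".locked")]
    return len(renames) >= threshold


def scan(data, filename, events):
    """Return the list of approaches that flag this file and its observed activity."""
    verdicts = []
    if signature_match(data):
        verdicts.append("signature")
    if heuristic_score(data, filename) >= 5:
        verdicts.append("heuristic")
    if behaviour_alert(events):
        verdicts.append("behaviour")
    return verdicts
```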


Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every protected machine. Agentless antivirus protection performs scans on hosts from a centralized system. Agentless systems have become popular for virtualized environments in which multiple OS instances are running on a host simultaneously.
Agent-based antivirus running in each virtualized system can be a serious drain on system resources. Agentless antivirus for virtual hosts involves the use of a special security virtual appliance that performs optimized scanning tasks on the virtual hosts. An example of this is VMware’s vShield.


Host-based Firewall
This software is installed on a host. It restricts incoming and outgoing connections to connections initiated by that host only. Some firewall software can also prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts. This function is included in some operating systems. For example, Windows includes Windows Defender Firewall with Advanced Security as shown in the figure.
The figure shows the Windows Defender Firewall with Advanced Security window. An interior window shows the Domain Profile tab, with the firewall state as On (recommended), inbound connections: Block (default), outbound connections: Allow (default). Other options that can be customized include protected network connections, settings, and logging.
Other solutions are produced by other companies or organizations. The Linux iptables and TCP Wrappers tools are examples.
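The policy just described (inbound blocked by default, outbound allowed, replies to host-initiated connections admitted, drops logged), as an added model that is not code from the original article or from Windows Defender or iptables. Packets, addresses and the explicit inbound exception are constructed for illustration.

```python
"""Toy model of a stateful host-based firewall with Block-inbound / Allow-outbound defaults."""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport")
HOST_IP = "192.0.2.10"  # constructed; documentation address range


class HostFirewall:
    def __init__(self, inbound_allow=()):
        # Explicit inbound exceptions, e.g. {("tcp", 22)} for an admin SSH service.
        self.inbound_allow = set(inbound_allow)
        # Connection table of flows this host itself opened (like iptables conntrack
        # with an ESTABLISHED,RELATED accept rule in front of a default DROP policy).
        self.conntrack = set()
        self.log = []  # telemetry: every dropped packet is recorded for central analysis

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            # Outbound: Allow (default) and remember the flow so the reply can come back.
            self.conntrack.add(key)
            return "allow"
        # Inbound: only replies to tracked flows or explicit exceptions get through.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conntrack or (pkt.proto, pkt.dport) in self.inbound_allow:
            return "allow"
        self.log.append("DROP %s %s:%d -> %s:%d" % (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "drop"


def demo():
    """Replay a few constructed packets and return the verdicts plus drop log."""
    fw = HostFirewall(inbound_allow={("tcp", 22)})
    verdicts = [
        fw.filter(Packet("out", "tcp", HOST_IP, 51000, "203.0.113.5", 443)),   # host opens HTTPS
        fw.filter(Packet("in", "tcp", "203.0.113.5", 443, HOST_IP, 51000)),    # server reply
        fw.filter(Packet("in", "tcp", "198.51.100.7", 40000, HOST_IP, 445)),   # unsolicited SMB
        fw.filter(Packet("in", "tcp", "198.51.100.7", 40001, HOST_IP, 22)),    # allowed exception
    ]
    return verdicts, fw.log
```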
Host-based Security Suites
It is recommended to install a host-based suite of security products on home networks as well as business networks. These host-based security suites include antivirus, anti-phishing, safe browsing, a host-based intrusion prevention system (HIPS), and firewall capabilities. These various security measures provide a layered defence that will protect against the most common threats.


In addition to their protection functionality, host-based security products provide telemetry. Most host-based security software includes robust logging functionality that is essential to cybersecurity operations. Some host-based security programs will submit logs to a central location for analysis.


There are many host-based security programs and suites available to users and enterprises. The independent testing laboratory AV-TEST provides high-quality reviews of host-based protections, as well as information about many other security products.
Search the internet for the AVTest organization to learn more about AV-TEST.

Network-Based Malware Protection

The figure shows generic icons for the following sections: next-generation firewalls, intrusion prevention systems, network access control, gateway security, and endpoint security.
New security architectures for the borderless network address security challenges by having endpoints use network scanning elements. These devices provide many more layers of scanning than a single endpoint possibly could. Network-based malware prevention devices are also capable of sharing information among themselves to make better-informed decisions.
Protecting endpoints in a borderless network can be accomplished using network-based, as well as host-based techniques, as shown in the figure above. The following are examples of devices and techniques that implement host protections at the network level.
  • Advanced Malware Protection (AMP) – This provides endpoint protection from viruses and malware.
  • Email Security Appliance (ESA) – This provides filtering of spam and potentially malicious emails before they reach the endpoint. An example is the Cisco ESA.
  • Web Security Appliance (WSA) – This provides filtering of websites and blacklisting to prevent hosts from reaching dangerous locations on the web. The Cisco WSA provides control over how users access the internet and can enforce acceptable use policies, control access to specific sites and services, and scan for malware.
  • Network Admission Control (NAC) – This permits only authorized and compliant systems to connect to the network.


