Detecting Malware Across Operating Systems

I'm often asked if anti-malware engines designed for Windows can detect Linux and Android-based malware. These anti-malware products were developed specifically for different platforms over a period of 20+ years. Most anti-malware software vendors have solutions for both Windows and Linux-based platforms that were first developed in the 1990's or 2000's. Conversely, the first anti-malware product for Android was released around the second half of the 2000's, as the Android platform is relatively new from an anti-malware perspective.



Given the wide range of environments and disparate time periods in which these products were developed we were curious to see if detection capabilities were specific to the product's stated platform, or if they could have a broader use. Our question: Can an anti-malware product detect malware written for another platform?

Why is Cross-Platform Malware Detection Important?



It is common to find a mixture of different server and workstation operating systems in any IT environment, so the ability to detect malware across multiple platforms is essential to maintain the security of your network. For instance, let's take a look at what happens when an incoming email is sent from a Linux-based computer, but the enduser accesses his or her mailbox from a Windows computer.

Without any anti-malware products on its mail server, the Windows computer can easily be infected by Windows malware; the same issue could occur if the anti-malware product providing protection for the Linux-based mail server isn't able to recognize incoming Windows-based malware.

You may be thinking, "This is true, but why should I worry about this? I have an anti-malware product installed on my computer!" And it's true, installed anti-malware products are sometimes sufficient to catch malware and prevent infections. That being said, it is important to note the limitations of anti-malware products and recognize that there are more effective solutions out there. Here are a few important questions to ask around that topic:

Why should we rely on the scanning capabilities of a single anti-malware engine when multi-scanning technology is available?

Why should we rely on anti-malware products installed on our computer, when we know they can be difficult to manage and ensure that they are up to date?

Why should we trust networked computers in an environment where end users often have admin privileges that could expose the network to potential threats?

Therefore, in order to achieve adequate network protection, it is necessary for anti-malware engines to detect malware regardless of platform. In theory, we should be able to use Linux-based firewalls with content filtering, Linux-based email servers, and Linux-based web proxies to catch Windows malware before it attacks our network.

How do Scan Engines Work?



At the beginning of the antivirus era, scan engines used only simple pattern matching to recognize malware, compared to the techniques they now use to detect advanced threats. This is a cat-and-mouse game because malware writers are always working on new disguises to make detection harder, such as encryption, polymorphism, and rootkit, while anti-malware vendors are working to discover new approaches for detecting these threats. Modern scan engines use CPU emulation, operating system emulation, cryptanalysis, sandboxing, heuristic and many other complex methods to detect threats. By using one or more of these technologies, scan engines can achieve an optimal detection rate and speed, depending on the type of currently analyzed file.

In order to have the right expectations for scan engines, it is useful to know how anti-malware scan engines work. Each anti-malware engine consists of two main parts: the engine core or engine binary and a signature database. The engine core is the heart of the scan engine and contains the scan logic: how to analyze different files, how to extract archives, etc. In summary, the engine core can scan files for both known and unknown threats.

The signature database checks files against lists of known malware to speed the detection process. Currently, there are more than 300 million different malware samples out there. Many anti-malware vendors are proactively using generic detection technologies to reduce the size of signature databases and to provide protection against a lot of different malware types. Despite these efforts, signature databases are quite large. Most of them are 100-200 megabytes in size and are constantly growing as vendors release new updates.

Signature updates are usually released after thorough quality testing has been performed. These tests require time and a huge amount of resources, so anti-malware vendors usually use the same database for all supported platforms to cut down on costs. Not only is the database the same, but the actual functionality of the scan engine itself is nearly the same on each supported platform, indicating that the detection capabilities should not change through the platforms.

Revealing Test Results



We collected a variety of 3rd party test results where you can check detection capabilities of many anti-malware products. AV- Comparatives and AV-Test.org are independent anti-malware testing organizations focusing primarily on anti-malware product research and product testing. They test not only Windows-based products but they also provide test results for mobile protections, mainly for Android-based security products. Their mobile protection test results include detection rates for malicious Android applications.

VirusBulletin is a UK-based security information portal and testing company, focusing on the global threat landscape. They perform anti-malware product testing six times per year. Every test is based on a different platform, including many for both Windows versions and Linux platforms. Every test includes WildList samples and recent malware samples. They test proactive and reactive detection capabilities as well.

While these organizations provide a good sense for performance of anti-malware engines, they do not include many malware samples written for Linux platforms because the Windows OS is a much more popular target for attack. So we decided to do our own research! We collected scan results from our free multi-scanning tool, MetaDefender Cloud.

We were curious about cross-platform detection capability of scan engines, so we tested over 100 ELF binaries provided by one of our vendor partners. We focused on malware for Linux platforms, as most engines in MetaDefender Cloud were Windows-based.

Fig 1: Sample multi-scanning results for detection of Linux-based malware by MetaDefender Cloud.

View full anti-malware multi-scanning results for this file.

We examined the average detection rate of five different Windows-based products and found that an average of 95% of Linux-based malware was detected by the Windows anti-malware products. When combining the scan results of these different scan engines we found 100% of the Linux-based malware sample was detected by our multi-scanning solution.





Fig 2: Detection of Linux-based malware by five Windows AV Programs vs. multi-scanning

While APK files (Android program install packages) are not as likely to be found on a corporate network as other file types, we also checked the capabilities of Windows-based products to detect malware in this format. We tested over 60 malware samples written for Android, collected primarily from androidsandbox.net, using seven Windows anti-malware products from vendors who also have an Android-based product with a detection rate greater than 95% based on our results.

Fig 3: Sample multi-scanning results for detection of Android-based malware by MetaDefender Cloud.

View full anti-malware multi-scanning results for this file.

We concluded that the vendor's Windows-based products could also detect Android-based samples with approximately the same detection level as their mobile protection product, so we can assume that these vendors have processed Android samples in their laboratory.

Fig 4: Detection of Android-based malware by Windows AV Programs

When we checked the aggregated scan results of our multi-scanning solution MetaDefender Cloud, the detection rate was again 100%.

Android and Limited Resources



As you now know, malware scanning is a quite resource-intensive process in terms of the processor usage needed to run multiple detection technologies and the amount of memory/disk usage needed to keep signature database running effectively. Although modern Android-based mobile phones and tablets have improved processor capabilities and a greater amount of memory/disk space than desktop computers did 10-20 years ago, there are still many Android devices with very limited hardware capabilities. Is their lightweight hardware able to run anti-malware scan engines and store information from large signature databases? In most cases, the answer is no. Standard anti-malware engines would overload these devices, rendering them unusable.

After quick market research, we were able to conclude that most security applications made for Android-based platforms contained a lightweight scan engine and/or signature database for detecting malicious Android applications. Our findings indicated that these scan engines couldn't detect malware that was written for other types of platforms. A few security applications used vendor cloud services to check hashes of scanned files that could provide detection for non-Android threats, but they were in the minority.

Conclusion



While Windows-based anti-malware products do effectively detect Android-based malware, the resource limitations previously discussed limit an Android-based anti-malware program's ability to detect malware written for another platform. It is important to remember that antivirus programs for Android function differently than traditional engines. On Android, a sandbox technique ensures that an application may only access its own data. These products cannot monitor file system changes to scan all files, nor can they do a full file system scan to look for malicious programs. To partially remedy this issue, third-party security applications can rely on hooks that the Android operating system provides by default, which proves effective for scanning applications, but not for catching other types of malware, such as those stored on an SD card.

This should not be an issue if we use our mobile devices carefully. Every time we make a connection to a desktop PC to transfer files between a mobile device and a PC, or we move an SD card between our devices, we have to make sure that our desktop computer has up-to-date protection. Protection is important for Android devices and Android-based platforms because malicious programs can easily place or drop malware programs to our SD card and our PC to infect further devices.

As we have seen, detection capabilities for Linux malware by Windows-based anti-malware products is quite high, so users and network administrators can generally trust that malware written for Linux will be caught by their Windows-based anti-malware products, especially if a multi-scanning solution is in place.