Yeah, AV is pretty much useless against the new threats that are being released daily. Such is the nature of signature-based detection. Heuristic detection can be useless too, as the function is a normal computer function, just used in a malicious way.
Err, no. That would be true if signature-based detection were the only thing that antivirus suites do, but that's not the case. All antivirus suites are composed of several programmes (or modules). The scanner with signatures and a blacklist is only one of them. The actual modules in the product depend on the AV and the version (business vs. user, premium vs. normal, ...) that you use. Typical modules in an AV suite are:
- Software Updater/Patcher (to keep the programmes up-to-date)
- Exploit protection
- Behaviour blocker (potentially a very good module to prevent any kind of ransomware)
- Browser/Internet guard
- Email client protection
- Parental control
- Anti-Banker module
- Anti-Rootkit module
- Signature scanner
- Malware cleaning
Depending on the actual product there can be many more.
Also more and more AV vendors are building anti-ransomware specific modules into their products. That means the things that the free programmes like CryptoMonitor already provide have been or are being incorporated into the AV suites as well.
Ransomware is, due to its nature, so visible to everyone that it may seem like a threat no one can prevent. Malware has always been a problem, but often users did not notice it being on the system, because the malware tried to hide that it is there. And now you have this popular malware type that will knock on your door and shout in your face that it is there. For the same reason it gets a lot of publicity as well.
No, your antivirus suite is not useless, but it cannot protect a system from everything. As is the nature of things, the professionals who create malware test and modify their programmes against the antivirus suites until they can evade detection. Antivirus vendors respond to that as fast as they can. It is always and has always been an arms race of technologies and techniques between the antivirus vendors and the bad guys and gals. As a result, the AVs prevent a lot, but not everything. Those cases where the AV or the users fail go public. But you will never see someone in the news telling that a malware incident was prevented.
And just to be fair, although most infection vectors can be prevented by the user, sometimes it is not the user's fault. Sometimes the malware will use vulnerabilities that are not yet known to anyone to infect systems. That means the user had no chance to patch their software yet. Sometimes the emails used to spread malware are so well done that you cannot distinguish them from legitimate ones. That is especially the case with ransomware-delivery emails that target companies via fake applications. These are specifically written to match the job advertisement, and the people working in HR often use automated systems for the mass of applications they get. They cannot even see that there is an attachment with a .js extension.
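Added illustration (editor's example, not part of either poster's text) of the point about HR systems not seeing a .js attachment: a small check that walks the attachments of a raw e-mail and flags script extensions, including the "CV.pdf.js" double-extension trick. The message it parses is constructed inline, the extension list is an illustrative assumption rather than any vendor's blocklist, and the attachment body is an inert comment, not a real downloader.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows hands to the Windows Script Host or runs directly.
# Assumption: an illustrative list for this example, not a complete or vendor blocklist.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "cmd", "bat", "scr", "ps1"}


def risky_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment whose real (last) extension is a script type.

    A name like 'CV.pdf.js' is reported with double_extension=True, because the
    part a mail client or HR tool shows ('.pdf') is not the part Windows executes ('.js').
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append({
                "filename": name,
                "extension": ext,
                "double_extension": len(pieces) > 2,
                # The declared MIME type is attacker-controlled; record it, do not trust it.
                "declared_type": part.get_content_type(),
            })
    return findings


def build_sample_application() -> bytes:
    """Constructed sample: a plausible job application with one harmless and one script attachment."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "hr@example.com"
    msg["Subject"] = "Application for the Accountant position"
    msg.set_content("Dear HR team, please find my CV and cover letter attached.")
    msg.add_attachment(b"%PDF-1.4 constructed stand-in, not a real PDF",
                       maintype="application", subtype="pdf",
                       filename="Cover_Letter.pdf")
    # Inert placeholder body; only the filename matters for this demonstration.
    msg.add_attachment(b"// constructed stand-in for a script attachment; does nothing",
                       maintype="application", subtype="octet-stream",
                       filename="CV_John_Doe.pdf.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in risky_attachments(build_sample_application()):
        print(finding)
```

The check keys on the last extension only, which is the one Windows acts on; a mail gateway that looks at the declared MIME type or at the first extension would wave the same file through.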
I've learned that the most common form of delivery is an email attachment that downloads an executable - is there any chance that the executable changes its MD5 every time it's downloaded?
Not for every download, but this is often changed daily. Some malware delivery sites will even check first where the request is coming from, just to bring you the right kind of malware that will work for your system.
Note that you only need to change one bit to change the MD5 of a file. Often they change their whole protection scheme to look different from the outside. You can compare that to changing your clothing style and haircut from one day to another.
Edited by Curie, 16 April 2016 - 01:38 PM.
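Added worked example (editor's code, not from either poster) for the one-bit remark above: a constructed stand-in for a downloaded dropper, a "daily repack" that flips a single bit in trailing overlay bytes the program never reads, and a hash blocklist that misses the result. The byte layout, the overlay length and the per-day bit choice are assumptions made for the illustration, not a description of any real dropper.

```python
import hashlib

# Constructed stand-in for a downloaded dropper: a fixed "program" followed by
# 16 overlay bytes that the program never reads.  Not a real executable.
PROGRAM = b"MZ\x90\x00" + b"constructed fake code section, not real machine code" * 4
OVERLAY = bytes(16)
SAMPLE = PROGRAM + OVERLAY


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def bits_differing(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def is_blocked(data: bytes, blocklist: set[str]) -> bool:
    """Exact-hash blocklist lookup, the signature-scanner model the thread is discussing."""
    return md5_hex(data) in blocklist


def repack_daily(data: bytes, day: int) -> bytes:
    """Assumed 'daily' variant: flip one overlay bit chosen by the day number.

    The executable part is untouched, so behaviour is identical; only the hash moves.
    """
    overlay_bit = len(PROGRAM) * 8 + (day % (len(OVERLAY) * 8))
    return flip_bit(data, overlay_bit)


def program_hash(data: bytes) -> str:
    """Hash of the region that actually executes (assumes the overlay length is known)."""
    return md5_hex(data[:len(PROGRAM)])


if __name__ == "__main__":
    blocklist = {md5_hex(SAMPLE)}
    for day in range(1, 4):
        variant = repack_daily(SAMPLE, day)
        print(f"day {day}: md5={md5_hex(variant)} blocked={is_blocked(variant, blocklist)} "
              f"bits changed vs original={bits_differing(md5_hex(SAMPLE), md5_hex(variant))} "
              f"program_hash unchanged={program_hash(variant) == program_hash(SAMPLE)}")
```

Two things to take from running it: a single flipped bit changes roughly half of the 128 digest bits, so a whole-file MD5 carries no information about how similar two samples are, and a hash computed over only the part that executes still matches, which is the idea behind the structure-aware and fuzzy hashes that scanners use alongside plain file hashes.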