Daffodil International University Dept. of CSE Information Security

The document discusses personal device security, focusing on antivirus software and firewalls. It explains how antivirus software detects and removes malware using various detection techniques, while firewalls monitor and control network traffic based on security rules. Additionally, it outlines different types of firewalls and their functionalities, highlighting the importance of both antivirus and firewall in protecting devices from cyber threats.

Uploaded by Mominul Islam

Daffodil International University

Dept. of CSE
Information Security

Lecture 15
Personal Device Security (Antivirus and Firewall)
Personal Device Security

Device security refers to the protection of a device's hardware and the data that it holds. It can be implemented using antivirus software, passwords, encryption and firewalls, and by denying physical access to the computer's location.
What is Antivirus

❏ Antivirus is a type of computer program (software).
❏ It is designed to seek out and remove computer viruses, and malware more generally, that have infected your computer.
❏ It can also block your system from getting infected with new viruses.
❏ Antivirus software is also known as a virus scanner.
How Antivirus Works

❏ When you install antivirus software, it comes with a preloaded database of signatures (definitions) for known and widespread viruses and other malware.
❏ When you run a scan, the antivirus compares the files on your computer against that database. When there is a match, you are notified. You can then clean, quarantine or delete the affected files by choosing the corresponding option in the antivirus software.
❏ In addition, you can change the settings so that such malware is quarantined or deleted automatically in the future.
Features of Antivirus Software:

❏ Background scanning (on-access scanning): files are checked as they are opened, written or executed.
❏ Complete system scan: every file on the disk is checked on demand or on a schedule.
❏ Virus definitions: the signature database, which has to be updated regularly.
How does traditional antivirus work?

❏ Signature-based detection -
❏ This is the most basic technique in any traditional antivirus program.
❏ It is very effective against known viruses, because it detects everything whose signature is stored in the definition library. But since it works only on those stored definitions, it cannot detect a new virus (or any virus not yet in the library), so regular updates are required for such antivirus software.
❏ For example, if a program with signature 10235 is known to be a virus and 10235 is stored in the antivirus library as a virus signature, then when the scanner finds a program matching 10235 on the computer it treats it as a virus and alerts the user to choose the required action (remove, repair or no action).
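The signature lookup described above, as an added example that is not part of the lecture: a small Python scanner with two signature kinds, a whole-file SHA-256 hash (the constructed sample stands in for the lecture's "program 10235") and a byte pattern. The sample files, hashes and the Example.Backdoor names are constructed for this demonstration; the only real-world signature is the EICAR test string. The scan of the two variants shows why signature scanning needs constant updates: one changed byte defeats the hash signature, and changing the matched bytes defeats the pattern signature too.

```python
"""Signature-based file scanning (added teaching example, not the lecture's code).

Two signature kinds are shown: a whole-file SHA-256 hash and a byte pattern.
All sample "files" and all signatures except EICAR are constructed for the example.
"""
import hashlib
import re

# The 68-byte EICAR test pattern: a harmless standard string that real antivirus
# engines are expected to flag. It is the only real-world signature in this file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed "malware" sample: plays the role of the lecture's "program 10235".
SAMPLE_VIRUS = b"MZ\x90\x00" + b"PAYLOAD:open-backdoor-on-port-4444" + b"\x00" * 8

SIGNATURES = {
    # Hash signatures match exactly one file; any single-byte change evades them.
    "hash": {
        hashlib.sha256(SAMPLE_VIRUS).hexdigest(): "Example.Backdoor.A",
    },
    # Pattern signatures match a characteristic byte sequence anywhere in the file,
    # so they survive edits elsewhere in the file but not edits inside the pattern.
    "pattern": [
        (re.compile(re.escape(EICAR)), "EICAR-Test-File"),
        (re.compile(rb"open-backdoor-on-port-\d{2,5}"), "Example.Backdoor.Gen"),
    ],
}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature matching `data` (empty list = clean)."""
    hits = []
    name = SIGNATURES["hash"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in SIGNATURES["pattern"]:
        if pattern.search(data):
            hits.append(name)
    return hits


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content, mirroring an on-demand complete system scan."""
    return {path: scan_bytes(content) for path, content in files.items()}


def sample_filesystem() -> dict[str, bytes]:
    """Constructed 'disk': a clean file, the known sample, the EICAR file and two variants."""
    return {
        "/home/user/notes.txt": b"Lecture 15: antivirus and firewall\n",
        "/tmp/known.exe": SAMPLE_VIRUS,
        "/tmp/eicar.com": EICAR,
        # Variant 1: only the port number changed; hash no longer matches, pattern still does.
        "/tmp/variant1.exe": SAMPLE_VIRUS.replace(b"4444", b"5555"),
        # Variant 2: the matched bytes themselves changed; neither signature fires.
        "/tmp/variant2.exe": SAMPLE_VIRUS.replace(b"open-backdoor", b"open_backdoor"),
    }


if __name__ == "__main__":
    for path, verdict in scan_files(sample_filesystem()).items():
        print(f"{path}: {'CLEAN' if not verdict else ', '.join(verdict)}")
```

Run it as a script to see the per-file verdicts. In a real engine the database holds millions of entries and the pattern matching is done with a multi-pattern automaton rather than one regular expression per signature, but the decision logic is the same: no match in the library, no detection.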
❏ Heuristic-based detection -
❏ Heuristic detection looks for traits typical of malware (for example suspicious instruction sequences, self-modifying code or packed sections) rather than for an exact signature, so it can flag variants and previously unseen samples, at the cost of some false positives.
❏ Heuristic-based detection generally works better in combination with signature-based detection; combined, the two make the antivirus more effective.
❏ Heuristic-based detection is used in almost all antivirus software.
Behavioral-based recognition
❏ Behavioral-based recognition -
❏ This is also one of the main techniques for detecting malware.
❏ It is also called an intrusion detection mechanism.
❏ It detects malware by what it does while running, rather than by what its code looks like.
❏ It therefore only detects the malware once the malware is running and starts to act, for example when it tries to corrupt other files on your computer, so some damage may already have been done by the time of detection.
❏ For example, code that attempts to perform unauthorized or abnormal actions would indicate that the object is malicious, or at least suspicious. Some examples of behaviors that potentially signal danger include modifying or deleting large numbers of files, monitoring keystrokes, changing the settings of other programs and remotely connecting to computers.
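The behaviors listed above can be turned into a scoring rule set. The following is an added example, not the lecture's code: it replays a constructed process event trace (a text editor, a ransomware-like process, a keylogger and a backup job) and raises an alert when a process's accumulated score crosses a threshold. The event kinds, weights, window size and threshold are assumptions chosen for the demonstration; a real engine would receive such events from a kernel driver, ETW, eBPF or a sandbox rather than from a list.

```python
"""Behavior-based detection over a process event trace (added teaching example,
not the lecture's code). Events, weights and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since the trace started
    pid: int       # process that performed the action
    kind: str      # file_write | file_delete | keyboard_hook | modify_other_app | net_connect
    target: str    # path, application name or host:port


# Assumed scoring rules, one per suspicious behavior named in the lecture.
FILE_BURST_WINDOW = 5.0   # seconds
FILE_BURST_COUNT = 50     # file changes inside one window that count as "large numbers of files"
WEIGHTS = {"file_burst": 40, "keyboard_hook": 50, "modify_other_app": 30, "net_connect": 20}
ALERT_THRESHOLD = 60


def file_burst(events: list[Event]) -> bool:
    """True if any sliding window of FILE_BURST_WINDOW seconds holds >= FILE_BURST_COUNT file changes."""
    times = sorted(e.ts for e in events if e.kind in ("file_write", "file_delete"))
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > FILE_BURST_WINDOW:
            start += 1
        if end - start + 1 >= FILE_BURST_COUNT:
            return True
    return False


def score_process(events: list[Event]) -> tuple[int, list[str]]:
    """Return (score, reasons) for the events of a single process."""
    reasons = []
    if file_burst(events):
        reasons.append("file_burst")
    for kind in ("keyboard_hook", "modify_other_app", "net_connect"):
        if any(e.kind == kind for e in events):
            reasons.append(kind)
    return sum(WEIGHTS[r] for r in reasons), reasons


def analyse(trace: list[Event]) -> dict[int, dict]:
    """Group a trace by pid and return {pid: {"score", "reasons", "alert"}}."""
    by_pid: dict[int, list[Event]] = defaultdict(list)
    for e in trace:
        by_pid[e.pid].append(e)
    result = {}
    for pid, events in by_pid.items():
        score, reasons = score_process(events)
        result[pid] = {"score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD}
    return result


def make_trace() -> list[Event]:
    """Constructed trace: editor (100), ransomware-like process (200), keylogger (300), backup job (400)."""
    t = [Event(1.0 + i, 100, "file_write", f"/home/u/doc{i}.txt") for i in range(3)]
    t.append(Event(5.0, 100, "net_connect", "updates.example.com:443"))
    # 80 files rewritten in under four seconds, then a connection to an outside host.
    t += [Event(10.0 + i * 0.05, 200, "file_write", f"/home/u/photo{i}.jpg.locked") for i in range(80)]
    t.append(Event(14.5, 200, "net_connect", "203.0.113.7:8080"))
    t.append(Event(20.0, 300, "keyboard_hook", "global"))
    t.append(Event(21.0, 300, "net_connect", "198.51.100.9:443"))
    # 200 files written, but spread over a minute: never 50 inside a 5-second window.
    t += [Event(30.0 + i * 0.3, 400, "file_write", f"/backup/file{i}") for i in range(200)]
    return t


if __name__ == "__main__":
    for pid, r in analyse(make_trace()).items():
        print(f"pid {pid}: score={r['score']:3d} alert={r['alert']} reasons={r['reasons']}")
```

The ransomware-like process is flagged only after its 50th file write, which is the lecture's caveat in concrete form: behavioral detection acts after the malware has started to do damage. The backup job writes far more files but spread over time, which is why the rule counts changes inside a time window rather than in total; a raw count would flag every backup and every compiler run.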
Data mining techniques

❏ Data mining strategies - This is one of the most recent approaches to recognizing malware. Given a set of attributes (features) extracted from a program, a classifier trained on known clean and known malicious samples decides whether the file or application is malware.
How to Infect Systems Using a Fake Antivirus
Firewall
In computing, a Firewall is a network security system that monitors and controls
incoming and outgoing network traffic based on predetermined security rules.
A firewall typically establishes a barrier between a trusted network and an
untrusted network, such as the Internet.

Fig: Firewall allowing Good Traffic

Fig: Firewall blocking Bad Traffic


How Does a Firewall Work
Think of the firewall as a gatekeeper at your computer's entry point that only lets traffic from trusted sources (IP addresses, ports and protocols) into your network.

• Distinguishes between good and malicious traffic.
• Allows or blocks specific data packets based on pre-established security rules.
• Rules are based on several aspects of the packet, such as its source, destination, protocol, port and, for some firewall types, its content.
• Blocks traffic coming from suspicious sources to prevent cyberattacks.
Types of Firewall
Five types of firewall include the following:
● Packet filtering firewall
● Circuit-level gateway
● Application-level gateway (aka proxy firewall)
● Stateful inspection firewall
● Next-generation firewall (NGFW)
Packet filtering firewall

● A packet filtering firewall examines each packet's header fields (source and destination IP address, protocol, source and destination port) against a list of rules and allows or denies the packet accordingly.
● For example, it may be configured to allow only TCP traffic from IP 192.168.1.100 to IP 10.0.0.5 on port 80 (HTTP), while denying all other traffic. This type of firewall is fast and simple but lacks context awareness, as it does not inspect the actual content of packets or track connection states. It is commonly used in basic router firewalls and early-generation security systems.
● Some of the attacks that can be made on packet filtering routers are: IP address spoofing, source routing attacks and tiny fragment attacks.
● Advantages: Simplicity, transparency to users and high speed.
● Disadvantages: Rules are difficult to set up correctly, and there is no authentication of the communicating parties.
Circuit-level gateway
● Circuit-level gateways work at the session layer of the OSI model.
● A circuit-level firewall verifies TCP connections (and UDP sessions) between source and destination, for example by checking the TCP handshake, before data is exchanged.
● Only the header information is checked to ensure that the traffic meets the circuit-level gateway rules, while the content of data packets is skipped.
● So, if a packet contains malware, it would pass right through.
How does a circuit-level gateway work
● Circuit-level gateways are designed to control and monitor traffic flow based on the state of network connections.
● When a user initiates a connection to a remote host, the circuit-level gateway sets up a circuit (a virtual connection) between the user and the remote host.
● The circuit-level gateway then monitors the traffic flowing over this circuit, checking whether the traffic belongs to an established connection and allowing only authorized traffic to pass through.
● Validated TCP or UDP connections then interact with the destination server on behalf of the client. Otherwise the connection is rejected, terminating the session.
● Advantages: Hides private network data, doesn't need a separate proxy server for each application, simple to implement.
● Disadvantages: Doesn't filter individual packets (no payload inspection), so an attacker may take advantage after a connection has been established.
Application-level gateway
● A proxy firewall (application-level gateway) operates at the application layer (application-layer protocols such as HTTP, SMTP and FTP) to filter traffic between your network and the outside network.
● A proxy firewall is configured to allow only certain types of traffic to pass (for example, HTTP files, or web pages).
● A web application firewall (WAF) is a common special case: an application-level gateway that handles only HTTP(S) traffic to web applications.
● Like a security guard, it monitors incoming data. If no problem is detected, the data is allowed to enter.
● An ALG firewall provides an additional layer of security by filtering incoming traffic using a proxy to establish connections for remote users. The client relies on the proxy server to interact with the destination behind the firewall. This hides and secures the individual computers on the network behind the firewall.
● Two connections are in effect here: one between the client and the proxy server, and another between the proxy server and its destination. In this model, the proxy makes all packet-forwarding decisions. Incoming data packets are filtered at the application OSI layer.
● Within this session between the remote user and the proxy application, a separate sub-session is created between the proxy application and the internal server. The remote client sends a request to the proxy, which acts as an intermediary with the internal server. Finally, the result is returned to the remote user if the exchanged packets meet the set policies.
● Advantages: Higher security than packet filters; easy to log and audit all incoming traffic.
● Disadvantages: Requires significant memory and processor resources, and a separate proxy is needed for each application protocol.
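An application-level gateway for HTTP, as an added example that is not part of the lecture. It parses a request received on the client-side connection, applies checks that only an application-aware proxy can make (allowed methods and hosts, file types, path traversal, a Content-Length that agrees with the body) and, when the request passes, builds the request the proxy sends on its own second connection to the server with the client's hop-by-hop headers removed, which is how the proxy hides the internal client. The sample requests, the host allow list and the blocked extensions are constructed for this example; no network connections are made.

```python
"""Application-level gateway (proxy firewall) for HTTP: added teaching example,
not the lecture's code. Requests are constructed byte strings; no sockets are
opened. The gateway parses the client-side request and, if policy allows,
returns the request it would send on its own connection to the server."""
import posixpath
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy for the demonstration.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".bat"}   # "web pages only"
MAX_BODY = 64 * 1024
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "proxy-connection",
              "te", "trailer", "transfer-encoding", "upgrade"}


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, version, headers, body).
    Raises ValueError on a malformed request line; the gateway treats that as a block."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def filter_request(raw: bytes) -> tuple[str, str, Optional[bytes]]:
    """Return (verdict, reason, forwarded_request); forwarded_request is None when blocked."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError:
        return "block", "malformed request line", None
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "block", "unsupported protocol version", None
    if method not in ALLOWED_METHODS:
        return "block", "method not allowed", None
    if headers.get("host") not in ALLOWED_HOSTS:
        return "block", "host not in allow list", None
    path = urlsplit(target).path
    if ".." in path.split("/"):
        return "block", "path traversal", None
    if posixpath.splitext(path)[1].lower() in BLOCKED_EXTENSIONS:
        return "block", "file type not allowed", None
    if method == "POST":
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            return "block", "bad Content-Length", None
        if length != len(body) or length > MAX_BODY:
            return "block", "body length mismatch or too large", None
    # Second connection: only end-to-end headers travel on, so the server sees the proxy, not the client.
    kept = {k: v for k, v in headers.items() if k not in HOP_BY_HOP and k not in ("x-forwarded-for", "via")}
    head = f"{method} {target} {version}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in kept.items()) + "\r\n"
    return "allow", "policy ok", head.encode("iso-8859-1") + body


# Constructed sample requests, one per policy check.
SAMPLES = {
    "page":       b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\nUser-Agent: demo\r\n\r\n",
    "form_post":  b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nuser=demo",
    "bad_host":   b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
    "exe":        b"GET /downloads/tool.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal":  b"GET /../../etc/passwd HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    "tunnel":     b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "short_body": b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 100\r\n\r\nuser=demo",
    "garbage":    b"GET\r\n\r\n",
}


def run_samples() -> dict[str, str]:
    """Reason string per sample, as a proxy log would record it."""
    return {name: filter_request(raw)[1] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:11s} -> {reason}")
```

Everything the gateway rejects is rejected before a single byte reaches the server; the reverse direction, inspecting the server's response before relaying it to the client, follows the same pattern. The price is the one listed under disadvantages: the gateway has to parse every protocol it proxies, which costs CPU and memory and means one proxy implementation per protocol.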
Stateful inspection firewall
How does stateful inspection work
● Stateful inspection tracks communication packets over a period of time and examines both incoming and outgoing packets. The firewall follows outgoing packets that request specific kinds of incoming packets and authorizes those incoming packets to pass as long as they constitute a valid response. A stateful firewall monitors all sessions and verifies all packets, although the method it uses can vary depending on the firewall technology and the communication protocol being used.
● For example, when the protocol is TCP, the firewall captures a packet's state and context information and compares it to the existing session data. If a matching entry already exists, the packet is allowed through the firewall. If no match is found, the packet must undergo certain policy checks. If the packet meets the policy requirements, the firewall assumes that it belongs to a new connection and stores the session data in the appropriate tables. It then permits the packet to pass. If the packet does not match the policy conditions, the packet is rejected.
● Advantages: Offers enhanced security compared to packet filters, reduces the need for opening numerous ports (which lowers security risk), provides better protection against DoS attacks, and offers robust logging capabilities for tracking network activity.
● Disadvantages: Complex to configure, especially in larger environments; does not protect against application-layer attacks; requires more system resources, both memory and processing power, due to the need to maintain connection state tables.
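The stateless filter from the packet filtering section and the state-table logic just described, side by side, as an added example that is not part of the lecture. It models packets as 5-tuples plus arrival interface and TCP flags, applies the lecture's example rule (TCP from 192.168.1.100 to 10.0.0.5 port 80) in both designs, and runs the same four constructed packets through each: the request, the server's reply, an unsolicited SYN from the server's address to port 22, and a SYN arriving on the WAN interface with a spoofed LAN source. Addresses, interface names, rules and packets are all constructed; `ANTI_SPOOF` is the ingress rule that defeats the IP address spoofing attack listed under packet filtering.

```python
"""A stateless packet filter next to a stateful inspection firewall (added
teaching example, not the lecture's code). Packets, rules, addresses and the
state table are constructed; 192.168.1.0/24 plays the trusted LAN and 10.0.0.5
a web server reached over the untrusted side."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "lan" or "wan"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    iface: str = "*"    # "*" is a wildcard in every field below
    proto: str = "*"
    src: str = "*"
    sport: object = "*"
    dst: str = "*"
    dport: object = "*"


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every non-wildcard field equals the packet's header field."""
    pairs = ((rule.iface, pkt.iface), (rule.proto, pkt.proto), (rule.src, pkt.src),
             (rule.sport, pkt.sport), (rule.dst, pkt.dst), (rule.dport, pkt.dport))
    return all(r == "*" or r == p for r, p in pairs)


def stateless_filter(rules: list[Rule], pkt: Packet) -> str:
    """Packet filtering: first matching rule wins, default deny, no memory between packets."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: policy is consulted only for the packet that opens a flow;
    later packets pass if they belong to a flow recorded in the state table."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.table: set[tuple] = set()   # established flows as 5-tuples

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "allow"                      # belongs to a session we saw opened
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"                       # a new TCP flow must begin with a bare SYN
        if stateless_filter(self.rules, pkt) == "allow":
            self.table.add(fwd)                 # remember the session so its replies pass
            return "allow"
        return "deny"


# The lecture's example rule: TCP from 192.168.1.100 to 10.0.0.5 port 80, deny everything else.
POLICY = [Rule("allow", proto="tcp", src="192.168.1.100", dst="10.0.0.5", dport=80)]
# A stateless filter cannot recognise replies, so the administrator must open a return
# path for anything from 10.0.0.5:80, which is wider than the sessions actually in use.
NAIVE_STATELESS = POLICY + [Rule("allow", proto="tcp", src="10.0.0.5", sport=80, dst="192.168.1.100")]
# Anti-spoofing ingress rule: a packet arriving from the WAN cannot legitimately carry a LAN source.
ANTI_SPOOF = Rule("deny", iface="wan", src="192.168.1.100")

REQUEST     = Packet("lan", "tcp", "192.168.1.100", 40000, "10.0.0.5", 80, "S")
REPLY       = Packet("wan", "tcp", "10.0.0.5", 80, "192.168.1.100", 40000, "SA")
UNSOLICITED = Packet("wan", "tcp", "10.0.0.5", 80, "192.168.1.100", 22, "S")    # probe of SSH from the server's address
SPOOFED     = Packet("wan", "tcp", "192.168.1.100", 40001, "10.0.0.5", 80, "S")  # IP address spoofing from outside


def compare() -> dict[str, tuple[str, str]]:
    """Run the same packets, in order, through both designs: values are (stateless, stateful) verdicts."""
    stateless_rules = [ANTI_SPOOF] + NAIVE_STATELESS
    fw = StatefulFirewall([ANTI_SPOOF] + POLICY)
    out = {}
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("unsolicited", UNSOLICITED), ("spoofed", SPOOFED)):
        out[name] = (stateless_filter(stateless_rules, pkt), fw.process(pkt))
    return out


def spoofed_verdicts() -> tuple[str, str]:
    """The spoofed SYN against the stateless rules without and with the ingress anti-spoof rule."""
    return stateless_filter(NAIVE_STATELESS, SPOOFED), stateless_filter([ANTI_SPOOF] + NAIVE_STATELESS, SPOOFED)


if __name__ == "__main__":
    for name, (sl, sf) in compare().items():
        print(f"{name:12s} stateless={sl:5s} stateful={sf}")
    print("spoofed SYN, stateless without/with anti-spoof rule:", spoofed_verdicts())
```

The stateless design needs the extra reply rule so the web server can answer, and that same rule lets the unsolicited SYN to port 22 through; the stateful design opens nothing for replies and still admits the real reply, because the outgoing SYN created a table entry. Real firewalls additionally age entries out of the table and check TCP sequence numbers, which this model leaves out.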
Next-generation Firewall

■ Next-generation firewalls evolved to block modern threats such as advanced malware and application-layer attacks.
■ They have the capabilities of traditional firewalls but also have some additional features:
● Deep packet inspection allows the firewall to inspect packet payloads and identify the application the packets belong to.
● Application awareness: Enables the firewall to check which applications are running and which ports are open, and to write rules per application rather than per port.
● Encrypted traffic inspection: NGFWs can decrypt TLS traffic, inspect it for threats and re-encrypt it. This works only where the firewall can terminate the connection, typically because the clients trust a CA certificate with which the firewall re-signs server certificates; it cannot decrypt arbitrary encrypted traffic.
● Intrusion prevention systems automatically stop attacks against your network.
● Advantages: NGFWs enhance security by improving network segmentation, offering real-time monitoring and providing detailed reporting, helping teams detect and respond to threats quickly. They also include features like traffic shaping and content filtering for better control.
● Disadvantages: NGFWs can be costly, complex to configure and resource-intensive, which may impact network performance. They can also generate false positives, requiring manual intervention, and need continuous updates to stay effective against evolving threats.
Differences between Anti-virus and Firewall
Thank You
