Central to new updates to BullGuard Internet Security, Antivirus and Premium Protection is a new, next generation, anti-malware behavioural engine.

That’s a bit of a mouthful to digest so in simple terms this is what it means:
  • It recognises trusted websites and applications, that is sites and applications that are known to be safe and not be secretly loaded with malware
  • It continually scans for code anomalies that are typically identifiers of malware
  • Malware that is detected is locked down in quarantine and neutralised before it can cause any damage

You might reasonably ask how this differs from the previous behavioural engine.
It still fuses signature-based protection with behavioural based protection.
  • Known viruses have signatures so as soon as antivirus software detects one of these signatures it blocks it
  • Behavioural-based protection identifies malware based on how it behaves. Every piece of software has a known and predictable way of behaving. If the code behaves in a ‘strange’ way it’s often malware.

The new next-generation adds a vital component to these identification tools.
  • When the behavioural patterns of new malware are detected they are flagged up and quarantined. However, these ‘patterns’ are then added into a cloud-based malware database.
  • This means that as soon as a behavioural aberration is detected and blocked on one computer rather than the protection being limited to that computer, it is applied to all devices using BullGuard.
  • The cloud-based malware database captures the behavioural anomaly ensuring all devices protected by BullGuard are aware of it.
  • This ensures instant response capabilities for the newest, unknown malware

BullGuard protects your devices from spies, hackers and malware


In the real world

To see how this works in reality lets imagine that two cyber fraudsters, Pavel and Sergey, hatching a plot to launch a new ransomware attack.

This is a very typical scenario and is not only plausible but drawn from real world actions reflecting the nature of many current ransomware attacks.

Pavel and Sergey have a decent knowledge of how to launch phishing campaigns and recently bought up 500,000 email address that were for sale on the dark web. But that said they’re not malware coding experts.

Dark web contract

But this doesn’t bother Pavel and Sergey. They have a contact on a dark web forum who is selling ransomware-as-a-service. The contact goes by the name of Bullet, a typical hacker name, who is also offering a botnet for rent to launch attacks from.

Now rather than charge Pavel and Sergey a small fortune for their ransomware Bullet is a reasonably astute businessman. As such he offers his wares in return for a percentage of each successful ransomware attack.
Pavel and Sergey are keen but they’re hanging back from committing because they know that the ransomware offered by Bullet has been used in previous attacks. This means that its signature is known and antivirus cyber defences will block the attack.

Preparing the attack

Bullet reassures them that the ransomware code is regularly tweaked so it can slip past antivirus defences. He explains that it only requires a few changes in the code to become unrecognizable to cyber defences.

Pavel and Sergey launch an ambitious attack by sending out mails to the 500,000 email addresses they snapped up from a dark forum.

The mails include an attachment that purports to be an unpaid invoice that needs verifying by the recipient. However, if the attachment is opened it releases the ransomware which they have set at €500.

Making millions

The pair understand that many of the email addresses might be invalid but estimate that even if they get 10,000 positive hits they stand to collect €5 million. After they have paid Bullet they could recoup over €3 million and in a worse-case scenario anticipate at least €500,000 in paid ransoms.

The emails begin to hit inboxes all over Western Europe, mainly the UK. But a large proportion is targeted at Germany and Scandinavian countries. Emails land in the inboxes of a few BullGuard users.

Instant protection

The BullGuard next generation anti-malware engine immediately identifies the code as not matching known patterns. As a result it quarantines the code and sends the signature to the cloud-based virus signature. This ensures all BullGuard users are instantly protected from this ‘new’ ransomware campaign.


Unfortunately, there are lots of people who fall for the phishing campaign and are not protected. In the wake of the attack researchers monitor the Bitcoin ‘addresses that the ransoms are sent to. They have no way of tying a physical location to the addresses but can see that the Bitcoins are being cashed out.

Pavel and Sergey kick back, count their money and plan a lavish holiday to nail down the details of their next attack. BullGuard users were safe, none of them became victims. All they know of the attack is learnt from the extensive media coverage it received, given that high-profile corporates and government organisations were victims of the attack.