Agent and Malware: What is the difference?
Malware is malicious software: “mal” stands for malicious and “ware” for software. Yet the word we most often hear in the news, in articles, and in conference talks is “agent.” So what is the real difference between an agent and malware? Why does “agent” sound legitimate and trustworthy while “malware” does not?
In this article I will answer these questions, with the malware research community in mind. Future articles may cover implants, droppers, and other terms malware researchers use.
First of all, the perception of an agent as “legitimate” and of malware as “disgusting” depends largely on the intent, motivation, and functionality of the software installed on a target computer, and on whether it was installed in an authorized or an unauthorized manner.
Functionally, an agent differs little from malware. A typical agent monitors the computer from user mode down to kernel mode, that is, from Ring 3 to Ring 0, and it can observe files, the registry, network activity, processes, services, and many other components that remain hidden from the user.
Antivirus naming conventions reflect this overlap: detections such as Trojan:Agent are common, where “Agent” is the generic family name many vendors assign to trojans that do not fit a more specific family. From this classification we can see that an agent can be a trojan and, conversely, that a trojan can be considered an agent.
To be honest, based on my investigations into malware, spyware, and the other varieties of malicious software, I can say with full confidence that the differences between agents and trojans come down to the following points:
- Agent: can monitor files, networks, processes, and services.
- Trojan: can monitor files, networks, processes, and services.
- Agent: can access the camera or microphone (if programmed to).
- Trojan: can access the camera or microphone (already programmed to).
- Agent: can execute external scripts such as PowerShell or batch scripts (if programmed to).
- Trojan: can execute external scripts such as PowerShell or batch scripts (already programmed to).
So where is the difference? Clearly the only real difference is intent: an agent’s actions are controlled and purposeful, whereas a trojan’s actions are malicious by design.
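The comparison above has a practical consequence for anyone writing detections: a rule that looks only at capabilities cannot separate an EDR sensor from a trojan, because both do the same things. What does separate them is provenance, such as the code signer, the expected install path, and whether the organisation actually authorised the deployment. The following is an added example, not code from the original article: a toy classifier over constructed endpoint events. The vendor name “ExampleEDR Inc.”, every path, and every process are made up for illustration.

```python
"""Behaviour vs provenance: a toy classifier over constructed endpoint events.

Added example, not code from the original article. All vendor names, paths
and processes are constructed; the only real-world detail is that legitimate
agents are code-signed and deployed through a managed channel, while a trojan
normally is not.
"""
from dataclasses import dataclass, field
from typing import Optional

# The capabilities from the article's comparison list; both columns are identical.
CAPABILITIES = {
    "monitor_files", "monitor_network", "monitor_processes", "monitor_services",
    "camera", "microphone", "run_powershell",
}


@dataclass
class Process:
    name: str
    path: str
    signer: Optional[str]               # Authenticode publisher, None if unsigned
    behaviours: set = field(default_factory=set)


# Constructed deployment record: the (signer, path) pairs the organisation approved.
AUTHORISED_AGENTS = {
    ("ExampleEDR Inc.", r"C:\Program Files\ExampleEDR\sensor.exe"),
}


def by_behaviour(p: Process) -> str:
    """Capability-only verdict: anything that monitors, records or runs scripts is flagged.

    This is the rule the article's comparison list implies, and it flags the
    legitimate agent and the trojan alike.
    """
    return "suspicious" if p.behaviours & CAPABILITIES else "benign"


def by_provenance(p: Process) -> str:
    """Verdict that adds intent proxies: signer, expected path, and authorisation.

    A valid signature alone is not enough (signed binaries get copied and abused,
    and certificates get stolen), so the path must match the approved deployment too.
    """
    if not (p.behaviours & CAPABILITIES):
        return "benign"
    if p.signer and (p.signer, p.path) in AUTHORISED_AGENTS:
        return "authorised agent"
    return "unauthorised (treat as malware)"


# Constructed sample telemetry. Note that the first two rows share behaviours.
SAMPLE = [
    Process("sensor.exe", r"C:\Program Files\ExampleEDR\sensor.exe", "ExampleEDR Inc.",
            {"monitor_files", "monitor_processes", "monitor_network", "run_powershell"}),
    Process("svch0st.exe", r"C:\Users\Public\svch0st.exe", None,
            {"monitor_files", "monitor_processes", "monitor_network", "run_powershell", "camera"}),
    # Correct signer but copied to an unexpected path: not the approved deployment.
    Process("sensor.exe", r"C:\Users\Public\sensor.exe", "ExampleEDR Inc.",
            {"monitor_processes"}),
    Process("notepad.exe", r"C:\Windows\System32\notepad.exe", "Microsoft Windows", set()),
]


def classify_all(procs=SAMPLE):
    """Return (name, behaviour-only verdict, provenance verdict) for each process."""
    return [(p.name, by_behaviour(p), by_provenance(p)) for p in procs]


if __name__ == "__main__":
    for name, behaviour, provenance in classify_all():
        print(f"{name:12} behaviour={behaviour:10} provenance={provenance}")
```

Running it shows the legitimate sensor and the trojan receiving the same behaviour-only verdict, while the provenance check separates them and also catches the signed binary that turned up outside its approved path. In a real deployment the authorisation table would come from the management console or asset inventory, not a hard-coded set.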
Many Endpoint Detection and Response (EDR) products, such as SentinelOne, Sophos, and CrowdStrike Falcon, are built around agents with exactly these capabilities. They are deployed for legitimate purposes and with a different intent. Even so, these agents can cause unintended damage, as the July 2024 CrowdStrike Falcon content update that crashed Windows hosts worldwide showed.
So far we have established that it all depends on intent and motive. But what about the names? Why do agent names sound trustworthy while trojan names sound malicious?
A simple example illustrates the point: the difference between “steal” and “take.” “Steal” usually describes taking something from an innocent person, although there are contexts in which the item is recovered or “stolen back” and the act is understandable. Either way, the word carries a negative connotation.

Now consider “take.” Saying that someone “takes” something sounds neutral and natural, even when the action is technically the same as stealing, because of how it is framed. In the same way, an “agent” can perform the same functions as malware or a trojan, yet its name conveys legitimacy and trustworthiness, while “trojan” immediately signals danger.
Finally, something that sounds untrustworthy is not necessarily bad, and something that sounds trustworthy is not necessarily good. We need to think critically, look beyond appearances, and carefully analyze software, whether it seems good or bad, in order to make well-informed decisions and gain a broader perspective.