Firecat
July 14th, 2007, 07:48 PM
These comments have existed on the Internet for more than a month now; I was foolish to have missed them. Anyway, there is some interesting nostalgia about the 5.0 version engine of Authentium technology on John C. Sharp's blog. You can read it here:
http://authentium.blogspot.com/2007/05/version-v50-release.html
Some interesting tidbits:
{QUOTE-> Our heuristics have been significantly improved to the point where they now beat most zero-day approaches in market. The advantage of having good heuristics is that whole species of threats can be caught on the fly - without the need for definition files, or prior to triggering a lookup request. This improves response times, and provides additional options with respect to event chains and service levels. <-QUOTE}
{QUOTE-> The other improvements in the areas of heuristics that we're working on involve dealing with black and gray-listed "packers" - otherwise known as "Russian Dolls". This threat takes the form of a piece of malware wrapped in multiple layers of encrypted code, each of which looks to a normal scanner like a new threat. Typical approaches involve infinite "peeling back" of these layers and this can slow down devices significantly. <-QUOTE}
Does this mean a better/faster unpack engine, or packer specific detections in the heuristic engine? I'd say the latter, but the article isn't entirely clear on that.
Of course, there's also a healthy signature detection improvement:
{QUOTE-> In addition to the new heuristics, the new engine will feature more than 130,000 additional virus definitions. These are not generic definitions but absolute, bit-accurate virus definitions. <-QUOTE}
Whether all these signature detection and heuristic detection improvements come solely from the use of the F-Prot 4.x engine, or whether there is custom technology involved is uncertain (judging by the claims I'd say there is custom technology in at least the heuristics).
{QUOTE-> The addition of these def files will bring our on-demand scanner into line with real-time/DVP results and also bring our test scores into line with market (most currently published tests are of our older on-demand scanner and don't reflect our new analytic capabilities: for example, the most recent AV-Test results reference our 4.93 engine - a product that is nine months out of date). <-QUOTE}
I guess Authentium's rather average showing did put a bit of stress on the company. Calling something a "nine month old product" and saying that it is why the detection rates were "poor" is not an excuse; after all, this nine-month-old product was what was available in the market at the time of testing. But anyway...:)
{QUOTE-> We've spent a lot of time thinking about how we can improve ROIs in that space, and we've focused mainly on five areas consequential to operating MSSPs:
1. Detection rate
2. Speed of response
3. False positive rate
4. Speed of analysis (throughput)
5. Size of memory footprint <-QUOTE}
i.e. hopefully we can expect a pretty good product in the version 5.0 release from Authentium, and also it is possible that this time Authentium and F-Prot might differ in detection rates by more than just a few percent. Time will tell. :)
What do you guys think? :)
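A toy model of the layered-packer ("Russian Doll") problem and the two strategies Firecat asks about: recursive peeling bounded by a depth limit versus packer-specific black/grey-listing. This is an added example in Python, not Authentium or F-Prot code; the packer markers, the XOR "encryption", the lists and the signature are all constructed for illustration.

```python
# Toy model of the "Russian Doll" layered-packer problem (constructed; not a real packer format).
BLACKLIST = {b"BLK1"}             # constructed marker: packer only ever seen wrapping malware
GREYLIST = {b"GRY1"}              # constructed marker: packer used by both clean and bad files
KNOWN_BAD = {b"TOY-BAD-PAYLOAD"}  # constructed "bit-accurate" signature of the inner payload


def pack(payload: bytes, marker: bytes, key: int) -> bytes:
    """Wrap payload in one toy layer: 4-byte marker, 1-byte XOR key, XOR-encoded body."""
    return marker + bytes([key]) + bytes(b ^ key for b in payload)


def unpack_one(blob: bytes):
    """Peel one layer if a known packer marker is present and the layer is complete, else None."""
    if blob[:4] not in (BLACKLIST | GREYLIST) or len(blob) < 5:
        return None
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])


def scan(blob: bytes, max_depth: int = 3):
    """Return (verdict, layers_peeled).

    - an exact signature hit on the current layer wins immediately
    - a blacklisted packer is flagged without peeling (packer-specific heuristic)
    - greylisted layers are peeled, but only up to max_depth, which bounds the cost
      that the quoted post attributes to "infinite peeling back" of layers
    """
    depth = 0
    while True:
        if blob in KNOWN_BAD:
            return "malicious:signature", depth
        if blob[:4] in BLACKLIST:
            return "malicious:blacklisted-packer", depth
        if blob[:4] not in GREYLIST:
            return "clean", depth
        if depth >= max_depth:
            return "suspicious:nesting-depth", depth
        inner = unpack_one(blob)
        if inner is None:
            return "suspicious:truncated-layer", depth
        blob = inner
        depth += 1


def build_doll(payload: bytes, markers):
    """Wrap payload in the given packer markers, innermost first (constructed test input)."""
    for i, marker in enumerate(markers):
        payload = pack(payload, marker, 0x20 + i)
    return payload
```

Raising `max_depth` trades scan time for visibility into deeper nests; the blacklist check is what lets the scanner stop early without peeling at all.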