Regarding Cloud-Based Detection

SweX · #1 May 9th, 2011, 10:56 PM

I am requesting more detailed information about how the whole new
Cloud-based detection system works.

Regarding the Cloud-based detection, is it similar to Symantecs reputation detection "WS.1 Reputation" ? Or what will we see when the cloud detects something?

So basically, we really need more info on How it works?, What will the detections look like?. Is it behavior based?
Are the Cloud-Powered Reputation and Cloud-Based Detection systems connected? etc etc.....

Am I alone wondering this?

I got more Questions but let's start with these

Cheers!

Thankful · #2 May 9th, 2011, 11:34 PM

Not alone.
http://www.wilderssecurity.com/showthread.php?t=298882

Rompin Raider · #3 May 10th, 2011, 02:02 AM

More info is appreciated!

Marcos · #4 May 10th, 2011, 03:38 AM

The cloud system is subject to evolution. The principle behind any cloud system is collection of data that can be used to calculate the reputation of files. At this point it is not safe to flag files with low reputation as bad and we're yet to see if that will ever be possible as such detections would cause FPs on less common files.
Using cloud will reduce the number of scanned files and thus decrease scan times. It will also help ESET optimize existing or new detections for better malware variant coverage and improve scanning of files which take a lot of time to emulate.

SweX · #5 May 10th, 2011, 04:05 AM

Quote:

Originally Posted by Marcos

The cloud system is subject to evolution. The principle behind any cloud system is collection of data that can be used to calculate the reputation of files. At this point it is not safe to flag files with low reputation as bad and we're yet to see if that will ever be possible as such detections would cause FPs on less common files.
Using cloud will reduce the number of scanned files and thus decrease scan times. It will also help ESET optimize existing or new detections for better malware variant coverage and improve scanning of files which take a lot of time to emulate.

This was the particular feature that I was unsure of if you had starting to use or not. Yes I agree perhaps it will increase the FP's too much to actually be useful

. Time will tell I guess

Thanks a lot Marcos

Ego_Dekker · #6 May 10th, 2011, 09:08 AM

I really liked Cloud-based detection. I've launched malware that has been blocked by the clouds, but NOD32 was unable to clean or delete it. Is it a bug? A9ACA94F7DACE7BBCF534C7DC77C6B92 — caught by the clouds (a part of 5FB86DDC4E4C6781743805F4CB22C564), but after update all infiltrations were quarantined.

Quote:

Originally Posted by Ego_Dekker

Marcos is right, i'm wrong. Detection for that small BAT file was added long time ago, but i thought it was detected by the clouds.

cupez80 · #7 May 10th, 2011, 09:32 AM

Quote:

Originally Posted by Ego_Dekker

I really liked Cloud-based detection. I've launched malware that has been blocked by the clouds, but NOD32 was unable to clean or delete it. Is it a bug? A9ACA94F7DACE7BBCF534C7DC77C6B92 — caught by the clouds (a part of 5FB86DDC4E4C6781743805F4CB22C564), but after update all infiltrations were quarantined.

maybe by design to minimize FP. btw could you send me the sample i just wanna see the detection

Marcos · #8 May 10th, 2011, 09:49 AM

Quote:

Originally Posted by Ego_Dekker

I've launched malware that has been blocked by the clouds

That's impossible, see my previous post. There are no cloud/reputation detections, most likely it was that the detection for your malware was added in the last update.

toxinon12345 · #9 May 10th, 2011, 10:01 AM

Quote:

Originally Posted by Ego_Dekker

I've launched malware that has been blocked by the clouds

if you run an on-demand-scan on the file, is it detected?

Ego_Dekker · #10 May 10th, 2011, 10:33 AM

Marcos is right, i'm wrong. Detection for that small BAT file was added long time ago, but i thought it was detected by the clouds.

Geosoft · #11 May 10th, 2011, 10:55 AM

What are the chances that the Cloud service could be used to blacklist just added malware that isn't in the signature file yet, but will be released soon?

For example, a new Fake-AV was discovered and will be in the 6111 update (right now it's 6110 as of writing this) but the cloud service will come up with a prompt asking if we want to terminate the process.

Ego_Dekker · #12 May 10th, 2011, 10:59 AM

Incorrect cloud info?
Name: cloud_info.png
Views: 187
Size: 4.0 KB

B2DE3452DE03674C6CEC68B8C8CE7C78 (NTDETECT.COM) — clean file;
9E3C13B6556D5636B745D3E466D47467 (jeefo.a) — infected Microsoft file?

Quote:

Originally Posted by Geosoft

What are the chances that the Cloud service could be used to blacklist just added malware that isn't in the signature file yet, but will be released soon?

For example, a new Fake-AV was discovered and will be in the 6111 update (right now it's 6110 as of writing this) but the cloud service will come up with a prompt asking if we want to terminate the process.

I'd like to know too.

dorgane · #13 May 11th, 2011, 06:04 AM

Quote:

Originally Posted by Ego_Dekker

Incorrect cloud info?
Attachment 226953
B2DE3452DE03674C6CEC68B8C8CE7C78 (NTDETECT.COM) — clean file;
9E3C13B6556D5636B745D3E466D47467 (jeefo.a) — infected Microsoft file?

I'd like to know too.

infected : http://www.google.fr/search?sourceid...45D3E466D47467

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search