Cyberhawk???

I have read a bit about this program.I have 3 computers in my home.I'm running Kis6 and my 2 son's are using Bitdefender security10.Would this product benefit those security programs?Perhaps someone who runs the combos i've mentioned would share some facts on this.

 

While I currently don't use either KAV or BD, and since no one has yet to respond to your question, I figured I'd contribute a preliminary answer of sorts. Cyberhawk is a HIPS program, though perhaps it more accurately fits the characterstics of a behavior blocker. Regardless, behavior blockers and HIPS programs generally complement signature scanners such as the anti-virus programs you mentioned. One thing to consider is that KAV has a proactive defense module (PDM) that is essentially a behavior blocker, so there might be some overlap or conflict there. AFAIK BitDefender doesn't have this feature, so there shouldn't be any conflict or overlap there. Perhaps someone who has used either of these AVs with Cyberhawk could chime in and by all means correct me if I'm mistaken on any of this.

 

I agree with u.

 

TypicallyOffbeat <== What he said. Yes!

 

BD uses a heuristic engine (like NOD), in addition to using signatures. So since a heuristic engine is a 'behavior identifier' of sorts, CH is likely to be redundant to BD as well.

 

Well, file heuristics are different than behaviour identification so I don,t think that ur state is totally correct. I just rememeber that BD has some sort of behaves but I am not aware of their details. I still think CH addition here will add to the security.

 

You may be right, but tell me how heuristics are different than behavior id. ...just curious.

 

Heuristic analysis is done before the execution/read/write of a given file. Behaviour analysis is done in memory, i.e. the behavior blocker/analyzer watches how a file behaves after its execution.
Perhaps you are confused by the fact that current antivirus engines perform the so called dynamic heuristics/behaviour heuristics/code emulation. The AV engine creates a virtual machine and let the files execute inside it. Then, the AV engine does a behaviour analysis.
Both are done in memory and after execution, but in the case of the AV, it's made on a virtual machine before the real execution.
Do you see the difference?

 

I understand the distinction lucas, but now help me to understand how CH can prevent malware from harming my system if if doesn't examine the malware's behavior until after it has been allowed to execute.

 

The watchful eye of a behaviour blocker can terminate a file/process/thread which develops a suspicious activity
An example: You double-click a file which is analyzed by the resident AV using signature/generic signature/heuristics/code emulation and no malware is found. The behaviour blocker will keep an eye on this file. After a certain amount of time, that file tries to inject some code into explorer.exe and attempts to download some files from remote servers. The behavior blocker should prompt you about these highly suspicious activities.

 

After execution of malware, as soon as it tries a suspect behaviour/ action( say copying itself in multiple locations that is typical of worms) CH just kills the process.

Edit: Lucas explained it well.

 

Can you give an example of the type of file you are referring to? and how it would get on to your computer?

Do you have an example of such a file that waits before injecting code? How much time are you referring to? What triggers the code injection?

What types of files? Executables or data files?

thanks,

-rich

 

I was trying to demostrate some abilities of behaviour blockers.

Double-clicking a file (i.e. give it execution permissions) is a dangerous activity Obviously, that file was downloaded/arrived as a mail attachment/etc.

I was thinking in a time-bomb malware. Time-boms are not very frequent these days, but they serve as a fine example.

In most cases, executables

 

OK, thanks. I've been looking at threads about behavior blockers after receiving an email recently from an acquaintance at college - her first year. She was in a discussion about computers and the concensus of the group was that you needed a 'behavior blocker' to really be secure.

Most of the discussion was beyond her, so she asked me about it. Not knowing much myself, I started reading.

From what I've seen, it seems to me that these programs work on malware that has gotten onto your computer, as in the example you give about the attachment.

So, it's really detection after the fact, rather than prevention before the fact, if I understand correctly.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

You got it It's the same case as leaktests. They work after execution.
Some time ago, there was a discussion about proactive detection generated by AV-Comparatives' tests. Some people argued that Kaspersky had far better protection than NOD 32 because KAV's PDM (Proactive Defense Module, a behaviour analyzer/blocker) detected close to 99 % of malware against 53 % of NOD's heuristics. Obviously, people was comparing apples to oranges.