F-Prot version 4 -- any news?

Discussion in 'other anti-virus software' started by bellgamin, Oct 20, 2005.

Thread Status:
Not open for further replies.
  1. jim_k

    jim_k Registered Member

    Joined:
    Jan 24, 2004
    Posts:
    51
    It is now sounding more and more like it will happen very soon.

    Here's another sign: http://www.frisk.is/fpwini.html. I have no idea what most of the site says, but there are two things I noticed:
    • It is now called F-Prot Antivirus in Iceland (used to be Lykla-Pétur). It looks like they are trying to get people over there used to a new name (well, new for them). This seems like a strange thing to do if something new isn't real close to arriving.
    • Notice the new product logo? This has been used for the Exchange version of F-Prot on the U.S. site for a while, but this is the first time I have seen it used for the regular antivirus program.
    I really do hope it gets here soon.
     
  2. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Latest news on F-Prot 4 is as follows,

    soon.

    Private email removed except one word - Ron
     
    Last edited by a moderator: May 17, 2006
  3. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Hopefully, this "soon" will not be 2007.
     
    Last edited by a moderator: May 17, 2006
  4. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    No worries.
     
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I can confirm that. I mean the beta product I got was far more mature than any beta program I've tested so far. That's certainly a good sign. I can't tell for the engine part though (That's Inspector's playground hihi), but everything else was already very polished. All I can say is stay tuned and you'll see :cool:
     
  6. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Clouseau What about the Armadillo unpacker mentioned in your blog? DilloDie is far too slow and too unreliable to be implemented into an AV scanner. Is your unpacker so much faster?
     
  7. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    So nothing more can be disclosed at the moment because of the non-disclosure agreement for being a beta tester?

    Some say the next version will be F-PROT 4 while some say it is F-PROT 6. May I know if F-PROT 4 or 6 will include anti-spyware functionality? :p
     
  8. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    v6 with spyware detection..
     
  9. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, Inspector said it's engine version 4 and interface version 6.
    That's why the 6 in the program...

    Pretty similar with BitDefender. Their engine is version 7, but program is already at version 10.
     
  10. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    I hope F-Prot can catch up with the other top performers again. I'll keep an eye on it.
     
  11. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    yes it will
     
  12. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Sounds like the long-long wait is going to have a very good finish for the folks at Frisk..:thumb:
     
  13. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I can't wait to test it....it was a time when I used it and thought it was number one. Hope this version will make me reconsider it again as the best. :D
     
  14. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Inspector is working pretty hard according to his blog ;) Adding generics and stuff :D
     
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yeah...now I've read again its blog...seems promising. :)
     
  16. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    So you and Inspector were selected beta testers of internal builds of F-PROT?

    F-PROT, Norman Virus Control and Sophos had very good detection rates in the past, but they are somewhat lagging behind now. Some users in the Norman forum are also looking for Norman 6, but technical support replied that it is still not yet ready for beta.
     
  17. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Just me. He's part of FRISK team :p
     
  18. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967

    WOW!!! Inspector should put a thread here when F-PROT 6 is available. Want to have first hand information :D
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I read the Inspector's blog about his work on generic banker trojan detection. I had NO idea that developing a protection for only ONE threat could be such a time-consuming & highly skilled job.

    Since MANY new threats appear daily, how in the world do AV/AT outfits keep up? I am especially concerned about the capabilities of small outfits like BOClean. As far as that goes, I'm fairly certain that Frisk doesn't have hundreds of employees, either.

    Does anyone have an idea as to *about* how many folks the large outfits (like Symantec & Kaspersky) have on their staffs who are doing the same sort of job that the Inspector is doing for F-Prot?
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Of course you don't spend so much time on every single threat. You can usually add them via signature/CRC match, which means this sample would be just detected. If you write a generic detection for a special malware type (in this case the banker trojan family) you have to spend more time and effort on researching and developing, because you need to know "in advance" what new banker trojans will look like even if you do not have them yet as samples.
    But this makes sure that you can detect a huge amount of new variants from this malware family - even if the code seems to be completely rewritten. You have to deal here with special cases, such as that the code you are looking for could be on-the-fly encrypted/decrypted (has nothing to do with simply runtime packed, where the unpacking engine / emulator takes care of it) - I posted several pieces of complex banker reversing information already in the malware research forum. For instance, the strings it uses to watch bank connections are usually encrypted. Sometimes they are encrypted in such a way that you will not see them in plain text even if you make a memory dump, because they are "on-need" decrypted and later encrypted again. As I wrote already in my log, we have somewhat above 4 Gigabytes (even 2 Gigabytes more with samples which are close to the banker family but aren't really), so that also takes a huge amount of time for the viruslab to include these critters if you get several new samples every day. Besides, the generic way of detecting them is a better detection for the users, since a properly written generic dedicated special routine will tell you exactly that we have a new banker variant, regardless of what it would be packed with. (Some other vendors are flagging this as a variant if it's for instance just repacked - I do not mean just repacked here in this case)
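
The contrast drawn in the post above, between a signature/CRC match and a generic family routine, as an added example that is not part of the original thread and is not F-Prot code. Single-byte XOR stands in for the string encryption the post mentions; the marker strings, stub bytes and sample contents are all constructed for the demonstration.

```python
import zlib

# Hypothetical strings a banker-style sample might hide (constructed for this demo).
MARKERS = (b"bank", b"login", b"password")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def crc_match(sample: bytes, known_crcs: set) -> bool:
    """Signature-style check: hits only on a byte-identical sample."""
    return zlib.crc32(sample) in known_crcs

def generic_match(sample: bytes, min_hits: int = 2):
    """Family-style check: view the sample under every single-byte XOR key
    (key 0 is the plain view) and return the first key that exposes at
    least min_hits markers, or None."""
    for key in range(256):
        view = xor_bytes(sample, key)
        hits = [m for m in MARKERS if m in view]
        if len(hits) >= min_hits:
            return key, hits
    return None

# Constructed samples: same hidden string, different leading bytes and XOR key.
HIDDEN = b"https://bank.example/login"
VARIANT_A = b"\x55\x8b\xec\x83\xec\x10" + xor_bytes(HIDDEN, 0x5A)
VARIANT_B = b"\x60\x9c\x33\xc0\x90\x90" + xor_bytes(HIDDEN, 0x13)
BENIGN = b"hello world"
KNOWN_CRCS = {zlib.crc32(VARIANT_A)}  # the lab has only seen variant A

def scan(sample: bytes) -> str:
    if crc_match(sample, KNOWN_CRCS):
        return "known sample (crc)"
    found = generic_match(sample)
    if found:
        return "generic banker-like (xor key 0x%02x)" % found[0]
    return "clean"

if __name__ == "__main__":
    for name, s in (("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)):
        print(name, "->", scan(s))
```

Variant B never appears in the CRC set, yet the generic routine still reports it because it keys on what the family hides rather than on the file's exact bytes.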
     
  21. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Dear Inspector,

    With great respect for all your explanations, I am enjoying your Weblog for 500 %. Man, it must be great living in a beautiful country like Iceland. Great pictures, great stories. It's great to hear some inside information about working on a virus scanner, very interesting.
    But working on that and living like you do, I wouldn't mind swapping for a while.....!!!!
    Good luck with F-Prot and keep up the good work!
     
  22. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Just curious. Is Authentium involved in beta testing F-PROT 6? Just wonder if Authentium will continue to license the F-PROT version 4 engine in future versions of Command AntiVirus.
     
  23. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Mike

    Let me know when generic banker detection has been implemented. I would like to verify whether my various "investment bankers" are also detected ;-)

    hxxp://img85.imageshack.us/img85/6725/investmentbankers4ez.png
     

    Last edited by a moderator: May 21, 2006
  24. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Can you send this sample to me so that I can check if the emulator goes through this?
     
  25. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    I have already uploaded it to (your? and Derek's forum). See the unpacking section. (Regardless of whether it's detected or not I would be interested in your opinion on the relevance of the technique used.)
     