Recent evolution of proactive methods

Hi,

I'm trying to get a clear picture of recent evolution of proactive
methods used in anti-virus softwares. My feeling is that these
methods are more and more relying on the behavior of the analyzed
files (rather than on dead listing analysis).

I thus tried to summarize functionnalities offered by the most
recent versions of the most popular antiviruses in that matter.
However, I'm not familiar with all these applications, and could not
test/review it. I therefore rely on the information published on
AV company websites. The result is presented in the table below.

I'm sure I missed some AVs/functionnalities. Any correction/addition
will be greatly appreciated.

Code:

---------------------------------------------------------------------------------
    \     ||Behavior     |On execution  |Live       |ACLs on specific |Outbreak  |
AV   \    ||based        |behavioral    |reporting  |actions/API      |protection|
      \   ||heuristics   |detection     |of 0days   |calls            |(throttle)| 
=================================================================================
KAV       ||             |Proactive def.|           | Proactive def.  |          |
---------------------------------------------------------------------------------   
NOD32     ||Advanced heur|              |Threatsense|                 |          |
---------------------------------------------------------------------------------
Bitdef.   ||B-Have       |              |           |                 |          |
---------------------------------------------------------------------------------
Panda     ||             |Truprevent    |           |                 |          |
---------------------------------------------------------------------------------
F-Prot    ||Maximus ???  |              |           |                 |          |
---------------------------------------------------------------------------------
Sophos    ||Behav. Genot.|              |           |                 |          |
---------------------------------------------------------------------------------
Norman    ||Sandbox      |              |           |                 |          |
---------------------------------------------------------------------------------
F-Secure  ||DeepGuard    |DeepGuard     |           |DeepGuard        |          |
---------------------------------------------------------------------------------
Antivir   ||Heuristic v2?|              |           |                 |          |
---------------------------------------------------------------------------------
McAffeePro||             |              |           |Access protection|          |
---------------------------------------------------------------------------------
Norton    ||             |              |           |                 |Worm prot.|
---------------------------------------------------------------------------------
AVK       ||(B-Have)     |              |           |                 |OutbrkShld|
---------------------------------------------------------------------------------
CA-eTrust ||             |              |           |                 |          |
---------------------------------------------------------------------------------
AVG       ||             |              |           |                 |          |
---------------------------------------------------------------------------------
Avast!    ||             |              |           |                 |          |
---------------------------------------------------------------------------------

Applications:

I will only list applications whose primary purpose is to fight against
viruses (incl. parasitic) and malwares. This does not include dedicated
anti-trojans and anti-spywares. Moreover, only applications that
used to rely mostly on "signature scanning" are selected. This could
include beta-versions of some products.

Features:

Listed features are related to proactive/early detection (or blocking,
reporting) of malicious Win32 PE executables. Based on the behavior of
the malwares rather than on signatures/patterns.


* Behavior-based heuristics: Code of analyzed executables is emulated by the
antivirus. Suspicious actions are recorded and compared with heuristic rules.
Norman's Sandbox is the typical example.

* On execution behavioral detection: Similar to above, but the file is
actually executed on the real system, and it's actual actions are logged.
If the application is classified as malicious, its execution is stopped.
There may be some funcrtionnalites to mitigate the impact of actions already
performed by the malware.

* Live reporting of 0days: The application provides an utility to submit
automatically to the virus lab malwares that have been detected on a client's
computer using a proactive method.

* ACLs on specific actions/API calls: The application provides the ability
to block some specific actions that are commonly performed by some kind of
malwares (e.g. execute files from temp directory, alter some registry keys,
etc.). This includes typical HIPS functionnalities.

* Outbreak protection (throttle): The application is able to recognize an
abnormal behaviour of the system (such as sending mails at a high rate) and
take adequate measures to mitigate the risk due to this behavior. The
application may not identify what executable or script caused the abnormal
behaviour.

Note:
While making this table, I found a funny list on Sophos website:
http://www.sophos.com/security/analyses/index_st_malicious_behavior.html
Now, you can count the number of rules used by Sophos heuristics