Cyberhawk???

Discussion in 'other anti-malware software' started by rookieman, Apr 18, 2007.

Thread Status:
Not open for further replies.
  1. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    409
    I have read a bit about this program. I have 3 computers in my home. I'm running KIS6 and my 2 sons are using BitDefender Security 10. Would this product benefit those security programs? Perhaps someone who runs the combos I've mentioned would share some facts on this. :(
     
  2. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    While I currently don't use either KAV or BD, and since no one has yet responded to your question, I figured I'd contribute a preliminary answer of sorts. Cyberhawk is a HIPS program, though perhaps it more accurately fits the characteristics of a behavior blocker. Regardless, behavior blockers and HIPS programs generally complement signature scanners such as the anti-virus programs you mentioned. One thing to consider is that KAV has a proactive defense module (PDM) that is essentially a behavior blocker, so there might be some overlap or conflict there. AFAIK BitDefender doesn't have this feature, so there shouldn't be any conflict or overlap there. Perhaps someone who has used either of these AVs with Cyberhawk could chime in and by all means correct me if I'm mistaken on any of this.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree with you.
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    TypicallyOffbeat <== What he said. Yes! :)
     
  5. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,400
    Location:
    California - USA
    BD uses a heuristic engine (like NOD), in addition to using signatures. So since a heuristic engine is a 'behavior identifier' of sorts, CH is likely to be redundant to BD as well.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Well, file heuristics are different from behaviour identification, so I don't think that your statement is totally correct. I just remember that BD has some sort of behaves but I am not aware of their details. I still think CH addition here will add to the security.
     
  7. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,400
    Location:
    California - USA
    You may be right, but tell me how heuristics are different from behavior ID. o_O ...just curious. :doubt:
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Heuristic analysis is done before the execution/read/write of a given file. Behaviour analysis is done in memory, i.e. the behaviour blocker/analyzer watches how a file behaves after its execution.
    Perhaps you are confused by the fact that current antivirus engines perform the so-called dynamic heuristics/behaviour heuristics/code emulation. The AV engine creates a virtual machine and lets the files execute inside it. Then, the AV engine does a behaviour analysis.
    Both are done in memory and after execution, but in the case of the AV, it's done on a virtual machine before the real execution.
    Do you see the difference?
     
  9. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,400
    Location:
    California - USA
    I understand the distinction lucas, but now help me to understand how CH can prevent malware from harming my system if it doesn't examine the malware's behavior until after it has been allowed to execute. o_O
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The watchful eye of a behaviour blocker can terminate a file/process/thread which develops a suspicious activity :)
    An example: You double-click a file which is analyzed by the resident AV using signature/generic signature/heuristics/code emulation and no malware is found. The behaviour blocker will keep an eye on this file. After a certain amount of time, that file tries to inject some code into explorer.exe and attempts to download some files from remote servers. The behavior blocker should prompt you about these highly suspicious activities.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    After execution of malware, as soon as it tries a suspect behaviour/action (say copying itself to multiple locations, which is typical of worms) CH just kills the process.

    Edit: Lucas explained it well.
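    The two scenarios described in the previous posts (lucas1985's file that injects code into explorer.exe and then reaches out to remote servers, and aigle's worm that copies itself to multiple locations) can be turned into a small run-time monitor. The following block is an added illustration written for this thread; it is not Cyberhawk's, KAV PDM's or any product's actual logic. The event names (file_write, write_process_memory, create_remote_thread, connect), the process trace and all paths are constructed for the example. It shows the point lucas1985 makes about behaviour analysis: nothing is decided before execution, the verdict comes from correlating what the process does once it is running, and the process is stopped at the first rule hit rather than after the download has happened.

```python
import ntpath
from dataclasses import dataclass, field


@dataclass
class Event:
    """One observed action of a running process (constructed event model)."""
    pid: int
    image: str    # full path of the acting process's executable
    action: str   # file_write | write_process_memory | create_remote_thread | connect
    target: str   # file path, target process name, or host:port


# Constructed sample trace, in time order. Not a real malware log.
SAMPLE_TRACE = [
    # pid 1001: lucas1985's example, an "invoice" that injects into explorer.exe
    Event(1001, r"C:\Users\rich\Downloads\invoice.exe", "file_write", r"C:\Users\rich\Downloads\report.tmp"),
    Event(1001, r"C:\Users\rich\Downloads\invoice.exe", "write_process_memory", "explorer.exe"),
    Event(1001, r"C:\Users\rich\Downloads\invoice.exe", "create_remote_thread", "explorer.exe"),
    Event(1001, r"C:\Users\rich\Downloads\invoice.exe", "connect", "203.0.113.10:80"),
    # pid 1002: aigle's example, a worm copying itself to several locations
    Event(1002, r"C:\Users\rich\Downloads\photo.exe", "file_write", r"C:\Windows\System32\photo.exe"),
    Event(1002, r"C:\Users\rich\Downloads\photo.exe", "file_write", r"C:\Users\Public\photo.exe"),
    Event(1002, r"C:\Users\rich\Downloads\photo.exe", "file_write", r"D:\photo.exe"),
    # pid 1003: a benign program that writes a document and checks for updates
    Event(1003, r"C:\Program Files\Writer\writer.exe", "file_write", r"C:\Users\rich\Documents\essay.doc"),
    Event(1003, r"C:\Program Files\Writer\writer.exe", "connect", "203.0.113.20:443"),
]


@dataclass
class ProcessState:
    image: str
    memory_written: set = field(default_factory=set)  # foreign processes whose memory was written
    remote_peers: set = field(default_factory=set)
    self_copies: set = field(default_factory=set)
    verdict: str = "allow"
    reason: str = ""


class BehaviourBlocker:
    """Stateful monitor: correlates each process's actions and terminates it on a rule hit."""

    def __init__(self, self_copy_threshold=3):
        self.self_copy_threshold = self_copy_threshold
        self.procs = {}

    def observe(self, ev):
        st = self.procs.setdefault(ev.pid, ProcessState(ev.image))
        if st.verdict == "terminate":
            return st.verdict  # already killed; its later events never happen
        if ev.action == "write_process_memory":
            st.memory_written.add(ev.target)
        elif ev.action == "create_remote_thread" and ev.target in st.memory_written:
            # A memory write followed by a thread in the same foreign process is code injection.
            st.verdict, st.reason = "terminate", f"injected code into {ev.target}"
        elif ev.action == "connect":
            st.remote_peers.add(ev.target)  # recorded as context, not suspicious on its own
        elif ev.action == "file_write" and self._is_self_copy(st, ev.target):
            st.self_copies.add(ev.target)
            if len(st.self_copies) >= self.self_copy_threshold:
                st.verdict, st.reason = "terminate", f"copied itself to {len(st.self_copies)} locations"
        return st.verdict

    @staticmethod
    def _is_self_copy(st, path):
        # ntpath so the Windows-style sample paths parse the same on any OS
        same_name = ntpath.basename(path).lower() == ntpath.basename(st.image).lower()
        return same_name and path.lower() != st.image.lower()

    def verdicts(self):
        return {pid: st.verdict for pid, st in self.procs.items()}


def run_blocker(events, self_copy_threshold=3):
    """Feed a trace through the monitor and return it with per-process verdicts."""
    bb = BehaviourBlocker(self_copy_threshold)
    for ev in events:
        bb.observe(ev)
    return bb


if __name__ == "__main__":
    blocker = run_blocker(SAMPLE_TRACE)
    for pid, st in blocker.procs.items():
        print(pid, ntpath.basename(st.image), st.verdict, st.reason)
```

    Running it stops pid 1001 at the remote-thread event, before its connect event is ever seen, and stops pid 1002 on its third copy, while the benign writer.exe is left alone even though it also connects out. The threshold and the injection rule are deliberately simple; a real blocker would also have to handle legitimate injectors and installers that copy themselves, which is where the prompts and false positives discussed in threads like this come from.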
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you give an example of the type of file you are referring to? And how would it get onto your computer?

    Do you have an example of such a file that waits before injecting code? How much time are you referring to? What triggers the code injection?

    What types of files? Executables or data files?

    thanks,

    -rich
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I was trying to demonstrate some abilities of behaviour blockers.
    Double-clicking a file (i.e. giving it execution permissions) is a dangerous activity :D Obviously, that file was downloaded/arrived as a mail attachment/etc.
    I was thinking of a time-bomb malware. Time-bombs are not very frequent these days, but they serve as a fine example.
    In most cases, executables :D
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, thanks. I've been looking at threads about behavior blockers after receiving an email recently from an acquaintance at college - her first year. She was in a discussion about computers and the consensus of the group was that you needed a 'behavior blocker' to really be secure.

    Most of the discussion was beyond her, so she asked me about it. Not knowing much myself, I started reading.

    From what I've seen, it seems to me that these programs work on malware that has gotten onto your computer, as in the example you give about the attachment.

    So, it's really detection after the fact, rather than prevention before the fact, if I understand correctly.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You got it :) It's the same case as leaktests. They work after execution.
    Some time ago, there was a discussion about proactive detection generated by AV-Comparatives' tests. Some people argued that Kaspersky had far better protection than NOD32 because KAV's PDM (Proactive Defense Module, a behaviour analyzer/blocker) detected close to 99 % of malware against 53 % for NOD's heuristics. Obviously, people were comparing apples to oranges.
     