F Secure 2011

Does F-secure blocks files using the cloud reputation or just with the cloud blacklist?

Post the link where you found such answer.

 

They do since DeepGuard v3 (2011 products): "The biggest new feature from the lab's point of view is our "DeepGuard 3" technology which utilizes cloud based reputation systems, prevalence, source, age, et cetera."
http://www.f-secure.com/weblog/archives/00001969.html

Version 2012 will feature an updated version of DeepGuard again.

The concept of proactive malware detection is often loosely called HIPS or Host Based Intrusion Prevention System. F-Secure DeepGuard™ is a unique HIPS technology in the sense that it combines several proactive protection mechanisms together that work seamlessly with conventional definition-based scanning systems. We use techniques such as system monitoring, sandboxing, blocking of code injections, advanced heuristics and run-time behavioral blocking.
http://www.f-secure.com/en_US/products/technologies/deepguard/proactive-protection.html

More detailed on DeepGuard v2 (2010 and earlier): http://www.f-secure.com/system/fsgalleries/white-papers/f-secure_deepguard_2.0_whitepaper.pdf

It is not a coincidence F-Secure is consistent top-performer the last two years in dynamic tests. The reason why they consistently outperform Bitdefender is DeepGuard.

 

I know they collect reputation, but it is used for blocking threats?
They are saying: from the lab's point of view.

 

Are they using it (DeepGuard) in the tests at MRG? I'd assume not, judging from the results. For the record just in case anyone thinks I'm picking on F-Secure, my Av choice isn't doing so hot either.

 

I guess they will be using it, if they use default settings.
They are probably not using reputation data in the way Norton uses them, blocking everything unknown.

However, in my eyes you see with all behavior blocker type of products, that behavior blocking is not the best way for zero-day protection. I think a pure HIPS engine or sandboxing provides more potential than just behavior-based protection. Therefore in my eyes ESET made the right choice, by implementing a full HIPS engine. The challenge is just to make it user-friendly, which will take time. Also Webroot SecureAnywhere chose a near-perfect strategy (waiting for test results though). There are lots of examples of behavior-based solutions which became huge disapointments in my eyes, most notably Avira's ProActiv, but also avast's behavior shield.

 

The reputation is calculated in the server using risk information obtained from the clients as the file analysis and the users/hour .

F-Secure seems to be blocking only files in which they have confirmed the reputation (blacklisting).
When blacklisting is not available (just reputation or offline), the file can be blocked using local methods such as code and behavior analysis.


In the case of Norton, reputation-based protection can mean an increase in detection rates and false positives. Worst yet when the cloud reputation have a priority higher than local detection methods.