F-Secure's engines

Discussion in 'other anti-virus software' started by Firecat, Nov 12, 2007.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I know this is an old topic but I felt it to be worth discussion anyway. After using F-Secure IS 2008 for a few days and running it through a few samples I made the following observations:

    1) There are a small number (insignificant) of samples detected by KAV but not by F-Secure
    2) There are also a small number of samples detected by Kaspersky but F-Secure detects these under a name that matches the F-Prot naming scheme for the malware. I wonder why this is....
    3) Heuristic detections are slightly difficult to make head or tail of; besides, I have had only 2-3 detections based on heuristics from F-Secure, and the name only said "possibly infected with unknown virus", so the responsible engine cannot be directly pinpointed :)
    4) Ad-Aware technology in F-Secure hardly seems to detect anything at least on my PC :)
    5) The scan report only mentions four engines: KAV/AVP, Libra, Orion and Draco (Ad-Aware). Gemini and Pegasus (Norman Sandbox) are not mentioned for whatever reason. Do these 2 engines only work real-time?

    While any direct conclusion cannot be obtained from arbitrary observations such as the ones above, I think they do provide interesting food for thought. :)

    The most interesting is the F-Prot named detections; F-Secure detects quite a lot of malware under F-Prot's name. I do know that F-Secure has F-Prot's macro virus detections but the names I saw were of more than just macro viruses. So what I am wondering is whether F-Secure's Libra engine still is based on F-Prot and is a "branch" of the F-Prot engine rather than a completely designed home grown engine?

    If anyone knows anything about F-Secure's engines; then the info would be appreciated!
     
  2. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    5) The scan report only mentions four engines: KAV/AVP, Libra, Orion and Draco (Ad-Aware). Gemini and Pegasus (Norman Sandbox) are not mentioned for whatever reason. Do these 2 engines only work real-time?


    I THINK the 2 engines are a part of DeepGuard. So they would be real-time only.


    http://www.f-secure.com/f-secure/pressroom/protected/prot-3-2006/17-459-3669.shtml
     
  3. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Hello Firecat,

    After trying FSAV with its 14 processes :eek: running simultaneously, i would say that... yes.
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    F-Secure also uses the F-Prot engine, which accounts for the similar names on some detections. I forget which engine it is, but it is either the Libra or Orion engine.
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I noticed even more peculiarity with F-Secure today. I noticed that several detections based on the Ad-Aware engine showed up real time but never showed up in the on-demand scan. I wonder why the Ad-Aware engine is only working real-time; it is so strange....:doubt:

    BTW I think Libra is the engine based on F-Prot :)
     
  6. tiagozt

    tiagozt Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    331
    I tested some samples... When I send to VirusTotal and FS detects the sample, I scan it on my computer... If FS doesn't detect it, I execute it... I did it many times and the samples were detected on execution...
    (It's about heuristics and not about Ad-Aware detections)
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Gemini and Pegasus work on-execution....I was talking about on-*access* protection. I saw some alerts from F-Secure for "Trojan.Win32.MatrixHasYou" and "Trojan.Win32.Crypt", both of which are Ad-Aware names. And I didn't have to execute any file to get this detection; F-Secure reported it just as I accessed the folder.

    However, using a right click context menu scan (i.e. On-demand scan) results in F-Secure not detecting the samples. :doubt:
     
  8. s4u

    s4u Registered Member

    Joined:
    Oct 24, 2007
    Posts:
    441
    Isn't it the separate spyware scan that uses Ad-Aware?
     
  9. s4u

    s4u Registered Member

    Joined:
    Oct 24, 2007
    Posts:
    441
    Testing the latest technical preview at the moment, and it contains the new DeepGuard 2.0:

    - DeepGuard 2.0
    DeepGuard can now make a query over the network as part of the proactive protection, which helps to reduce the amount of user prompting. This also brings improvements in the speed we can respond to new outbreaks of suspicious items, and improved accuracy.
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    In my FSIS 2008 there is only an option for "quick spyware scan" and "quick rootkit scan". The other scans seem to report both spyware and malware but they do not seem to use the Ad-Aware engine.

    So does this "quick spyware scan" option use the Draco engine?
     
  11. s4u

    s4u Registered Member

    Joined:
    Oct 24, 2007
    Posts:
    441
    I think so. I will ask.
     