Proactive Protection Made Easy (by Kaspersky)

Discussion in 'other anti-virus software' started by izi, Sep 14, 2005.

Thread Status:
Not open for further replies.
  1. izi (Registered Member)
  2. RejZoR (Registered Member)

    Trend Micro uses a heuristic analyzer!? That's new...
    As far as I know TM is a signature-only AV.
     
  3. izi (Registered Member)
    PC-cillin 2003 protects users from malicious code with Trend Micro’s patented heuristic scanning technology which defends users from new, unknown script-based threats based on their actions rather than how they are written, as well as its dependable pattern based technology.

    Look here: http://www.trendmicro.com.au/aaa/newsroom/PR2002/PR021202_PCC2003.htm
     
  4. rdsu (Registered Member)
    Interesting read... ;)

    Thanks
     
  5. Az7 (Registered Member)

    BTW, Panda's TruPrevent protects against buffer overrun.

    In the PDF summary table they didn't mention that!

    Kaspersky 4/6 | Panda 3/6
    :D the correct one is 4/6.
     
  6. ---- (Guest)

    Look at this


    Based on this definition almost everything we call HIPS here are "prehistoric behavior blockers". :p

    Cannot agree more.

    Based on this definition, again, we don't have IDPS software for home use.

    Interesting article in general.
     
  7. Diver (Registered Member)
    Kaspersky's view is that heuristics will result in false positives. However, rapid response updates result in false positives because of insufficient testing. There is no free lunch.

    As for primitive means of blocking behavior, you only have to look at the firewall crew and their passion for leak tests. After all, legitimate programs connect out all the time.
     
  8. Vikorr (Registered Member)
    Interesting bit on heuristics...that they don't include NOD32 in their comparison.

    Also the article's stated heuristic detection rate of 25-30%...well, I suppose most AVs are around there, or less...but, in the last av-comparatives.org proactive test, NOD32 scored 70%, BitDefender 49%, and KAV 48%.

    Okay article from my viewpoint, but it didn't have terribly much new to say, and appeared to sell KAV a bit too much for my taste (even though I like the product).
     
  9. Pollmaster (Guest)

    Well is this a typical result? By this I mean are there other tests where NOD32 produces a 70% performance?

    Does the article state how they come by their figures? Perhaps they are using some other test?

    Yeah too bad, but when you know a lot, there doesn't seem to be anything new under the sun? LOL....

    It isn't meant to be a technical article obviously. Still, I think it's interesting to see how KAV thinks and defines various security concepts and ideas.
     
  10. Vikorr (Registered Member)
    Finding any tests on the web that give accurate results is difficult. I'm sure you know that. But the discrepancy exists.


    Now that's just being plain facetious. That there wasn't much new is fact. That it is an article that sells Kaspersky is fact. And you well know just how limited my knowledge is :D

    I would have found the article more interesting if they were honest in how they presented the article - ie Kaspersky announces the release of its new...it has many new protective features, including...which work by... etc etc etc (or something along those lines)...but that's just me.
     
    Last edited: Sep 16, 2005
  11. Pollmaster (Guest)

    Actually, what I meant is retrospective tests is not the only or even most accurate way to test heuristics.

    Whether something is new to them, depends a lot on who is reading, don't you agree?


    Let's be frank here, obviously, there is some agenda here to justify the new features they have added..

    Still it's an honest and neutral enough piece in that they don't claim that what they are doing is unique and innovative as some companies would do. Or do you prefer an advertising "rah rah" kind of blurb?

    There is even sizable coverage of what their competitors are doing (using their framework) and no hint at all that they think their own way is better.

    I read this as a piece trying to introduce the ideas of adding "proactive defense" to AVs for those not familiar with it. It's not really an in-depth piece covering their own technology, which at this stage might not be anything "new" to those familiar with it.

    As I said, what I find interesting is how they conceptualise the different approaches (there are other ways to do it), and what they think are the strengths and weaknesses of each, which gives a hint about the direction they are taking.

    And they seem honest and neutral enough; in the chart, you can see that their product doesn't cover all the approaches (based on their conception).

    And they don't particularly imply that those approaches they don't take are inferior either.
     
  12. Vikorr (Registered Member)
    Heh, as I said in my first post...from my viewpoint. Perhaps the English wasn't as clear as it should be, but I can't see how I could make it better. Others very obviously will have a different knowledge to me on any given subject...some more, some less, and vice versa on any number of subjects.

    Heh…damned, okay, I’ll give you the very long version of my first post…though I think the first post should have been enough - qualifying everything like below is just silly.

    I found the discrepancy in heuristics stats between the KAV stats and AV-comparatives stats interesting because they were so large. A 40% difference in heuristic detection rate is not a minor discrepancy, and is not easy to explain away, even by a different method of calculating heuristic detection rate…it just shouldn’t be so large a difference (or if they were going on the median detection rate, then a special mention should be made of exceptions…but…that would obviously undo all the ‘good work’ of the article…after all, IF some other AV does achieve a 70% heuristic rate…does the new KAV achieve that high a detection rate with all its extra gadgets?)

    It’s fair enough that the article can conceptualise different approaches, although that is not what makes it only an ‘okay’ article to me. The article is formed and worded to innocuously push people in the direction of KAV - without it being blatantly obvious as you read it. So you don’t get the idea that it may be a KAV promotional article until KAV is mentioned a number of times in comparison to other programs...and they don’t tell you it’s sourced from KAV until the very end (something it does with a hyperlink after the article finishes)…to me that’s dishonest, irritating, and throws a question mark over the whole article…therefore I find it only an ‘okay’ article (and irritating, but I didn’t bother throwing that in my first post).

    Because I was irritated with the article, I also added that there was nothing new in it - which there isn’t <shrugs>.

    Personally if someone is going to try and sell something to me, I like to be informed upfront. And I’d like them to tell me if there’s a comparable product…which in this case may have been purposely left out to make KAV seem better…so as I said – dishonest.
     
    Last edited: Sep 17, 2005
  13. Don Pelotas (Registered Member)
    Vikorr

    You are reading an article on Kaspersky's Viruslist.com and you're complaining that people are being pushed towards Kaspersky........dishonest, no........promotional, yes.

    Nod is the only one to have scored 70% in AV-comparatives; this is done with a small testbed. Could it be you wouldn't see anything like 70% if you tested against all malware, which is most likely why the 30% is listed, since Kaspersky themselves score 48% at AV-comparatives? Nod is not in the article btw.

    The article is about the pro's & con's as Kaspersky see's it 2005, you can't exactly be surprised that they think the route they are taking is the one most promising can you......be honest. :D

    As for your "question" about how Kaspersky 2006 would compare to the 70%, I actually think they would be disappointed with 70%, if heuristics, ProcessGuard and the registry guard couldn't catch more than that.
     
  14. Pollmaster (Guest)

    I really shouldn't need to repeat myself. But I don't think that one test result from one source should be seen as gospel. Until I see more evidence that even supports this figure vaguely, I don't think it's fair to say for sure that the correct figure is the high end figure rather than the low end figure and beat the article over it.

    And yes, discrepancies (even of such size) in such tests are expected; you don't need me to tell you that, even for straightforward on-demand tests, much less attempting to measure heuristics.

    Those more knowledgeable in this area can probably back me on this, that in general the figure has tended to be much lower than the one result you are quoting from. So it would be more conservative to state a lower figure than the 70% based on only one study, achieved by only one AV.

    Whether this figure holds up and is confirmed by future tests, or whether the difference is due to some testing conditions, is interesting, but just because the article doesn't go into it, doesn't mean it's a bad one.

    Secondly, the article is obviously talking about heuristics as a class , why would it need to mention "Median" ? So It just happens that *one* AV happens to have higher results, in just *one* test, so because of that the whole article is flawed? Come on...

    *One* AV, in *one* test under certain conditions. Sure they could have mentioned it, but until we can confirm for sure that this holds up in further tests and isn't merely a random fluctuation, why make a big deal about it?

    Huh? Say what?

    Hmm, did you miss the rather generous mentions of Trend, McAfee, BitDefender, Panda etc? Each had one whole paragraph devoted to it.

    Of course, I'm not going to deny that KAV is trying to promote their own products, but so what?

    I don't want to argue for the sake of arguing further really. But it seems to me you are bashing the article because it doesn't answer the questions you want (kind of hard to do for the writers unless they can read your mind), rather than judging it on its own merit.

    ****************************
    "StormFront, the first product in the new generation of commercial proactive protection systems based on behaviour blockers, was released by Okena, a company specializing in development of intrusion detection and protection systems. In January 2003 Okena was acquired by Cisco Systems, and StormFront was released as Cisco Security Agent. This product is a classical behaviour blocker designed for corporate customers. The product needs to be set up by a qualified administrator before it can be used.

    McAfee is actively developing proactive protection technologies incorporated into products in the McAfee Entercept family. These products are able to close a computer's vulnerabilities to a new threat before anti-virus database updates are released (IPS/IDS). This involves blocking ports, i.e. the possibility of infection penetrating into the computer and further reproducing, creating policies to limit access to directories or individual files, detecting a source of infection on the network and blocking further communication with it. In addition, these products are able to prevent buffer overruns for approximately 20 most common programs and Windows services, including Word, Excel, Internet Explorer, Outlook and SQL Server, which can also be regarded as proactive protection. Personal products use only WormStopper, an improved heuristic technology detecting Internet worms distributed via e-mail and blocking suspicious activity on a computer, such as sending a large number of unauthorized e-mails to people in the address book.

    Panda TruPrevent is comprised of three components: a process behaviour analyzer, which analyzes the behaviour of processes running on the system and detects suspicious actions, a heuristic analyzer and a set of IDS functions detecting malicious packets and protecting against buffer overrun. The product is positioned by Panda Software as the second line of defence against any unknown malicious software (a classical anti-virus solution should be used as the first line of defence) and is designed to detect unknown malware launched on the computer. The product is intended for end-users (not an administrator).
    The second-generation behaviour blocker has an important feature: “rollback” of actions performed by malicious code.

    In Symantec products, pro-active protection incorporates a built-in heuristic analyzer capable of detecting unknown virus modifications based on their characteristic actions on the system, as well as Norton Internet Worm Protection, a set of IPS/IDS (Intrusion Prevention/Detection System) components blocking the most common paths used by malware to penetrate into the system (Prevention) and detecting suspicious actions (Detection). Also, the company offers Outbreak Alert, a feature providing alerts on particularly hazardous internet threats (supplied as part of Norton Internet Security 2005). In addition, at the service level Symantec offers Early Warning Services (EWS), a service providing early alerts when vulnerabilities are identified. The service is now being integrated into a new system, Global Intelligence Services.

    Microsoft is also developing proactive methods of protection against malicious software. The details and time frame are unknown.

    Trend Micro's PC-cillin Internet Security 2005 incorporates a heuristic analyzer and an Outbreak Alert System providing proactive notification of new impending threats. Its corporate product, Trend Micro OfficeScan Corporate Edition 6.5, uses signatures with the Outbreak Prevention Service, which automatically configures protection rules to prevent infection from penetrating into the system even before anti-virus databases are updated. This functionality is not available in the personal product.

    In BitDefender products proactive protection means a behaviour analyzer blocking malicious programs based on analyzing their characteristic actions on the system (the application monitors system files, the system register and internet activity)."
     
  15. Vikorr (Registered Member)
    Keh, you’re taking just one part of the reason I find the article dishonest, ignoring my other reasons for finding the article dishonest, dismissing perhaps the only thorough independent tests on the net (which had a test bed of 8000 virus/etc), and then telling me that expressing any sort of irritation at the articles dishonesty is unjustified?

    As for other AV companies doing the same...so what? If I read an article that does the same thing from any company, then I'd have the same reaction. How does that change anything about why I found the article dishonest?

    As to the accuracy of the av-comparatives test. I've never claimed it's 100% accurate, but I doubt that, with an 8k test bed, it'd have more than, say, a 10-15% leeway in its accuracy. Besides, debating its accuracy is pointless, because there is no other evidence to base a qualitative argument on...so I haven't bothered responding to this particular 'concern' of yours before.

    I didn't miss these. However, explaining the deception of the article would require the article to be pulled apart, to show you the structure, sequence, and phrasing of the article; explain to you the effect of joining words/phrases; explain to you the effect of placing an argument first or last etc etc...but taking the time to pull it apart and explain it is not worth it to me.

    Hi Don

    Nowhere on the webpage does it say Kaspersky owns Viruslist…so any link taking a person there would take them there without that knowledge, unless Viruslist's ownership is personally known to them.

    That it is an article about KAV’s pro’s and con’s doesn’t bother me at all. That it is purposely written in a way to make that as unobvious as possible does.

    That would be great, I’ve been thinking of switching to KAV. I did trial it a bit back, but I think I’ll give it another trial when 2006 gets released <the article doesn’t faze me on KAV the product…my original post is simply my thoughts on the article itself>
     
    Last edited: Sep 18, 2005