Recent evolution of proactive methods

Discussion in 'other anti-virus software' started by Tweakie, Oct 18, 2006.

Thread Status:
Not open for further replies.
  1. Tweakie (Registered Member; joined Feb 28, 2004; 90 posts; location: E.U.)

    Hi,

    I'm trying to get a clear picture of the recent evolution of proactive
    methods used in anti-virus software. My feeling is that these
    methods are relying more and more on the behaviour of the analysed
    files (rather than on dead-listing analysis).

    I thus tried to summarize the functionalities offered by the most
    recent versions of the most popular antiviruses in that matter.
    However, I'm not familiar with all these applications and could not
    test/review them. I therefore rely on the information published on
    AV company websites. The result is presented in the table below.

    I'm sure I missed some AVs/functionalities. Any correction/addition
    will be greatly appreciated.

    Code:
    ---------------------------------------------------------------------------------
        \     ||Behavior     |On execution  |Live       |ACLs on specific |Outbreak  |
    AV   \    ||based        |behavioral    |reporting  |actions/API      |protection|
          \   ||heuristics   |detection     |of 0days   |calls            |(throttle)| 
    =================================================================================
    KAV       ||             |Proactive def.|           | Proactive def.  |          |
    ---------------------------------------------------------------------------------   
    NOD32     ||Advanced heur|              |Threatsense|                 |          |
    ---------------------------------------------------------------------------------
    Bitdef.   ||B-Have       |              |           |                 |          |
    ---------------------------------------------------------------------------------
    Panda     ||             |Truprevent    |           |                 |          |
    ---------------------------------------------------------------------------------
    F-Prot    ||Maximus ???  |              |           |                 |          |
    ---------------------------------------------------------------------------------
    Sophos    ||Behav. Genot.|              |           |                 |          |
    ---------------------------------------------------------------------------------
    Norman    ||Sandbox      |              |           |                 |          |
    ---------------------------------------------------------------------------------
    F-Secure  ||DeepGuard    |DeepGuard     |           |DeepGuard        |          |
    ---------------------------------------------------------------------------------
    Antivir   ||Heuristic v2?|              |           |                 |          |
    ---------------------------------------------------------------------------------
    McAfee Pro||             |              |           |Access protection|          |
    ---------------------------------------------------------------------------------
    Norton    ||             |              |           |                 |Worm prot.|
    ---------------------------------------------------------------------------------
    AVK       ||(B-Have)     |              |           |                 |OutbrkShld|
    ---------------------------------------------------------------------------------
    CA-eTrust ||             |              |           |                 |          |
    ---------------------------------------------------------------------------------
    AVG       ||             |              |           |                 |          |
    ---------------------------------------------------------------------------------
    Avast!    ||             |              |           |                 |          |
    ---------------------------------------------------------------------------------
    
    Applications:

    I will only list applications whose primary purpose is to fight
    viruses (incl. parasitic ones) and malware. This does not include dedicated
    anti-trojans and anti-spyware. Moreover, only applications that
    used to rely mostly on "signature scanning" are selected. This could
    include beta versions of some products.

    Features:

    Listed features are related to proactive/early detection (or blocking,
    reporting) of malicious Win32 PE executables, based on the behaviour of
    the malware rather than on signatures/patterns.


    * Behavior-based heuristics: The code of analysed executables is emulated by the
    antivirus. Suspicious actions are recorded and compared with heuristic rules.
    Norman's Sandbox is the typical example.

    * On execution behavioral detection: Similar to above, but the file is
    actually executed on the real system, and its actual actions are logged.
    If the application is classified as malicious, its execution is stopped.
    There may be some functionalities to mitigate the impact of actions already
    performed by the malware.

    * Live reporting of 0days: The application provides a utility to automatically
    submit to the virus lab malware that has been detected on a client's
    computer using a proactive method.

    * ACLs on specific actions/API calls: The application provides the ability
    to block some specific actions that are commonly performed by some kinds of
    malware (e.g. executing files from the temp directory, altering some registry
    keys, etc.). This includes typical HIPS functionalities.

    * Outbreak protection (throttle): The application is able to recognize
    abnormal behaviour of the system (such as sending mails at a high rate) and
    take adequate measures to mitigate the risk due to this behaviour. The
    application may not identify which executable or script caused the abnormal
    behaviour.

    Note:
    While making this table, I found a funny list on the Sophos website:
    http://www.sophos.com/security/analyses/index_st_malicious_behavior.html
    Now you can count the number of rules used by Sophos heuristics :p
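The three feature families the post distinguishes (behaviour-based heuristics over an emulated trace, on-execution detection combined with HIPS-style ACLs on specific actions, and a program-agnostic outbreak throttle) are easier to tell apart in code than in a table. The block below is an added example written for this page; it is not Tweakie's code and models no vendor's product. The rule names, weights, the threshold of 5, the ACL entries, the sample action trace and the SMTP event log are all constructed for illustration.

```python
"""Toy behaviour-based detection: heuristics over a recorded trace,
on-execution monitoring with an action ACL, and outbreak throttling.
All rules, weights, thresholds and sample data are constructed."""
from collections import deque

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

# (rule name, predicate over one recorded action, weight).  One action is a
# dict with an "op" (what was done) and an "arg" (target path/key/host).
HEURISTIC_RULES = [
    ("writes autorun registry key",
     lambda a: a["op"] == "reg_set" and a["arg"].lower().startswith(RUN_KEY), 3),
    ("drops executable into %WINDIR%",
     lambda a: a["op"] == "file_write"
     and a["arg"].lower().startswith("c:\\windows\\")
     and a["arg"].lower().endswith(".exe"), 3),
    ("kills a process by name", lambda a: a["op"] == "proc_kill", 2),
    ("reads the address book",
     lambda a: a["op"] == "file_read" and a["arg"].lower().endswith(".wab"), 2),
    ("opens an outbound SMTP connection",
     lambda a: a["op"] == "connect" and a["arg"].endswith(":25"), 2),
]
MALICIOUS_THRESHOLD = 5  # assumed cut-off for this toy scoring


def score_trace(trace):
    """Behaviour-based heuristics: score a complete trace (e.g. produced by
    an emulator/sandbox).  Each rule fires at most once per trace."""
    fired = [(name, w) for name, pred, w in HEURISTIC_RULES
             if any(pred(a) for a in trace)]
    return sum(w for _, w in fired), [name for name, _ in fired]


def classify(trace, threshold=MALICIOUS_THRESHOLD):
    score, names = score_trace(trace)
    return ("malicious" if score >= threshold else "clean"), score, names


# HIPS-style ACL: actions matching an entry are denied outright, before any
# scoring, no matter what else the program does.
DEFAULT_ACL = [
    ("exec", lambda arg: "\\temp\\" in arg.lower()),             # run from %TEMP%
    ("reg_set", lambda arg: arg.lower().startswith(RUN_KEY)),   # autorun key
]


def monitor_execution(trace, acl=DEFAULT_ACL, threshold=MALICIOUS_THRESHOLD):
    """On-execution behavioural detection: actions are 'performed' one at a
    time.  ACL hits are blocked (not performed), the running score counts
    performed actions only, and execution stops at the first action that
    pushes the score to the threshold.  Returns (performed, blocked,
    index_of_terminating_action or None)."""
    performed, blocked = [], []
    for i, action in enumerate(trace):
        if any(action["op"] == op and match(action["arg"]) for op, match in acl):
            blocked.append(action)
            continue
        performed.append(action)
        score, _ = score_trace(performed)
        if score >= threshold:
            return performed, blocked, i
    return performed, blocked, None


def smtp_throttle(events, max_conns=20, window_s=60.0):
    """Outbreak throttle: system-wide and program-agnostic.  `events` are
    (timestamp, op, arg) tuples from any process; returns the timestamp at
    which more than `max_conns` SMTP connections fell inside a sliding
    `window_s`-second window, or None if the rate never exceeded it."""
    recent = deque()
    for ts, op, arg in sorted(events):
        if op != "connect" or not arg.endswith(":25"):
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) > max_conns:
            return ts
    return None


# Constructed trace of a mass-mailer-like sample (not a real malware log).
SAMPLE_TRACE = [
    {"op": "file_write", "arg": r"C:\WINDOWS\svhost32.exe"},
    {"op": "reg_set", "arg": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svhost32"},
    {"op": "file_read", "arg": r"C:\Documents and Settings\user\Application Data\user.wab"},
    {"op": "exec", "arg": r"C:\DOCUME~1\user\LOCALS~1\Temp\drop.exe"},
    {"op": "connect", "arg": "mx.example.net:25"},
    {"op": "connect", "arg": "mx2.example.net:25"},
]
# Constructed system-wide log: 30 SMTP connections within 15 seconds.
SAMPLE_EVENTS = [(1000.0 + 0.5 * i, "connect", f"mx{i}.example.net:25") for i in range(30)]

if __name__ == "__main__":
    print(classify(SAMPLE_TRACE))
    done, blocked, stopped = monitor_execution(SAMPLE_TRACE)
    print(len(done), "performed,", len(blocked), "blocked, stopped at index", stopped)
    print("throttle triggered at", smtp_throttle(SAMPLE_EVENTS))
```

Run against the constructed trace, the whole-trace heuristic scores 10 and flags it malicious, while the on-execution monitor blocks the autorun write via the ACL and terminates after the address-book read (score 5), so the temp-directory exec and the SMTP connections never happen. The throttle fires on the 21st connection regardless of which program opened it, which is exactly the "may not identify what executable caused it" property the post describes.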
     