ThreatSense®

Detecting Unknown Malicious Software

Viruses, worms, spyware and other forms of malicious software (malware) are constantly evolving as malware writers try to evade detection by security software. In this sense, every new virus and variant of a malicious program is a "zero day attack" - malicious code that hasn't yet been analyzed in a lab. Malicious code that has been analyzed and classified as such contains a signature. Traditional signature-based anti-malware products are purely reactive - focusing on detecting such already-known malware.

Instead of trying to play catch-up with the onslaught of brand new threats and threat variants, ThreatSense® keeps ESET scanning software ahead of malware authors. The ThreatSense engine combines sophisticated heuristic detection of unknown malware with effective signature detection of known malware, providing the best possible detection without compromising scanning speed.

ThreatSense® Engine

ThreatSense detects known malware quickly and efficiently, but can also utilize generic signatures for the speedy detection of known malware families and new variants. Traditional signatures detect malware that has already been analyzed. But the more adaptive approach of creating a generic signature enables ThreatSense to detect variants that have not yet been reported and analyzed.

ThreatSense also uses an advanced heuristics engine to dramatically extend detection capabilities - far beyond those of conventional signatures. It actually decodes and analyzes executable code in a protected virtual environment. Doing so allows it to identify the intended behavior of today's continually evolving threats - not just viruses and worms, but bots, rootkits, and other trojans. This finely tuned engine catches an outstandingly high proportion of new malware missed by vendors relying on signature updates and less advanced proactive detection.

You can learn more about heuristics and other detection techniques from this ESET white paper.

Run-time packing is a technique malware writers employ to evade signature-based detection by disguising known malicious code with a layer of compression and obfuscation (a "wrapper"), so existing signatures cannot recognize it. ThreatSense includes technology to unpack such malware in the same protected environment, thereby "unwrapping" and exposing it.

This blended approach to detection combines the benefits of conventional signatures, generic signatures, and advanced heuristic analysis, making ESET security products the fastest, most accurate, and lowest impact solutions in the industry.

An Early Warning System

ThreatSense.Net® extends the analytical power of ThreatSense to act as an early warning system on a global scale. It enables customers to close the window of vulnerability to new threats by automatically (or manually) submitting samples of new suspected malware to threat lab researchers for analysis.

SONAR

Called the Symantec Online Network for Advanced Response (SONAR), the new security software will look at the behavior of programs running on the computer in order to decide whether they are malicious. This is a departure from Symantec's traditional signature-based antivirus protection techniques, which compare the program's code to a database of known malware.

SONAR will be a free add-on to Symantec's Norton AntiVirus 2007 and Norton Internet Security 2007 products, said Ed Kim, director of product management with Symantec's consumer business unit.

"We're very excited about the release of SONAR," Kim said. "It's zero-day protection that doesn't rely on threat signatures."

Zero-day attacks are based on flaws that are unknown, or have not yet been patched by the vendor, and they are particularly effective against signature-based antivirus protection.

SONAR uses an algorithm to evaluate hundreds of attributes relating to software that is running on the computer, so it can spot malicious software, whether it's already been identified by Symantec researchers or not. SONAR makes its determination based on whether the software does things such as add a shortcut on the desktop or insert itself into the Windows Add/Remove programs list, both of which indicate it probably isn't malware, Kim said.

The software is built on technology that Symantec acquired in its 2005 purchase of WholeSecurity.

Symantec already sells a similar behavior-based security product to enterprise users, called Critical System Protection, but with SONAR, Symantec is finally saying that its behavior-based techniques are ready for the consumer desktop market, said Andrew Jaquith, senior analyst with Yankee Group Research.

The software comes not a moment too soon, he added. "Signature-based technologies for viruses and spyware certainly work, but their coverage is increasingly thin. So you need to bolster signature-based approaches with behavior-based approaches."