This post was last edited by 360Tencent on 2012-5-30 09:07
Disclaimer: this is an unconfirmed rumour; I have not seen any related information on the official forum or blog, so believe it or not as you like.
http://www.csoonline.com/article ... ws-mac-is-effective
All of this will change in June 2012 with the release of avast! AutoSandbox 7.3 (which is also in the free avast! for Home). This is the most impressive advancement in antivirus in years. Gone is the prompt asking to run in sandbox. The addition of the cloud services module adds a highly mature white listing / black listing database that now includes tens of millions of files. AutoSandbox learns from every user, everyday! With 180 million users, this database is the most extensive of its type in the world. After white listing, unknown code is analyzed for other variables, including file reputation, file origin, URL source, file signature, and code analysis. If at any stage the file is deemed safe, it is automatically executed. Polymorphic code is many times impossible to detect in these 1st stages. The file packer is embedded at the end of the code. So the initial scan had nothing to go on until this point. If the packer is known, then the Sandbox will now decrypt the file using the appropriate decompression algorithm. If the file is still not judged safe, or it uses an unknown packer (many virus writers will author their own packers) then the file is executed in the sandbox. As this code executes, it is halted at multiple intervals for structural checks, undergoing analysis for viral characteristics and behavior i.e. "start, run" or writing to the registry. At any time the code is confirmed as malicious, it is moved directly to the virus chest. Under full analysis, the user will see "This code is being analyzed" for a maximum of 15 seconds. If at any time the code is deemed safe, it is allowed to fully execute. This type of code analysis will change antivirus software as we know it!
In brief: rumour has it that in June avast's AutoSandbox (the free edition has it too) will get a fairly major upgrade, as follows (Google Translate plus my own edits)
This is the most impressive advancement in years. The prompt asking whether to run in the sandbox will be gone. The cloud services module adds a highly mature whitelist/blacklist database containing tens of millions of files, and AutoSandbox will also learn from every user every day. Apart from the whitelist, unknown code will be analyzed using other variables, including file reputation, file origin, source URL, file signature and code analysis. If at any stage the file is confirmed safe, it is executed automatically. Polymorphic code cannot be detected in this first stage, because the file packer is embedded at the end of the code. Next comes the second stage of analysis: if the packer is known, the software decrypts the file in the sandbox using the corresponding decompression algorithm. If the file still cannot be judged safe, or it uses an unknown packer (many virus writers write their own packers), the file is executed automatically in the sandbox. As this code executes, it is halted at multiple intervals for structural checks, analyzing viral characteristics and behaviour, e.g. "start, run" or writing to the registry. At any time, if it is confirmed as malicious code, it is moved directly to quarantine. Analysis lasts at most 15 seconds. Conversely, if the code is deemed safe, it is allowed to execute fully. This type of code analysis will change antivirus software as we know it!