[Discussion] Webroot Bulletin Regarding AV-Comparatives Results

寒山竹语
Posted 2012-7-21 11:14:12
By Grayson Milbourne and Joe Jaroch

If there is one thing that can be observed about the AV industry, it is that no solution is ever 100% effective at blocking malware. With this in mind, Webroot SecureAnywhere (WSA) was designed to protect users even in cases where undetected malicious software has made it onto the system.

AV-Comparatives recently published results for June’s “Real World” Protection Test. This test aims to replicate a real world experience for how malware would infect a PC. The scores indicate how many threats were detected vs. missed.


In June’s test, Webroot SecureAnywhere detected 93.4% of samples while 6.4% were able to “compromise” the test PC. I put compromise in quotes because WSA functions very differently from the other products in this test. The key difference is in how WSA protects its users when a malicious piece of software slips by. Unfortunately, this test doesn’t demonstrate how well a user is protected in the event of an infection, or how long it takes before an unidentified infection is detected and removed. These are two very important factors which should be considered when judging WSA’s efficacy. Because of these layers and because of how our threat research process works, we’re constantly aware of how effective our solution is for our users. Since the release of SecureAnywhere, we’ve seen a massive improvement in user security based on the dramatic decrease in the number of threats we’ve had to manually remove from user systems. In addition, our support cases have decreased while our satisfaction scores have climbed well above others in the industry.

To better understand how WSA provides protection in these areas it is first necessary to take a step back and understand how WSA is fundamentally different from a traditional definition-based antivirus solution. One primary difference is WSA uses a cloud-based architecture which is populated in real time with files seen by all WSA endpoints around the globe. A major benefit of this approach is there are no definition updates to burden the system, rather WSA checks in with the cloud whenever a new file is discovered. Another major benefit is that malware researchers are able to focus on and classify new files exclusively seen by our user base, also in real time. This ability is especially important because it drastically reduces the turnaround time from discovery of a new malicious application to the classification and protection of all WSA users.

After looking at the 68 misses from June’s AV-Comparatives test, we found 65 of the samples had been classified within a few hours of their test, with the remaining three being classified minutes after receiving the samples. Of the 68 misses, 34 of the files were seen for the very first time during the test; none of our users were ever affected by them and we had never encountered those components across our entire user base. The other 932 samples were blocked automatically during the test.

So this begs the question, how did WSA protect these infected endpoints while the infections were still unknown to the cloud user base? There are two pieces to this puzzle. The first piece focuses on ensuring WSA is able to reverse all system changes made by a new unknown file and to prevent any irreversible changes from taking place. For example, if a newly discovered program makes file system, disk, registry, or memory changes, these are recorded and analyzed in real time. WSA then checks frequently with the cloud while the program runs to see if an updated classification is available for the unknown files on a system. During this period, the program is able to change the system, but it is under a transparent sandbox where all of the changes taking place are not only being analyzed for behavior correlation, but are also being recorded to see the before-and-after view of every modification to the system. If at any point the cloud comes back and indicates a file is malicious, WSA will automatically remove the infection and restore the system perfectly to a pre-infection state. WSA effectively creates its own system imaging feature that works on a per-application basis, allowing it to generically and completely revert out any threat without needing humans to write signatures. Pretty neat, eh?

The other piece to protecting an infected system is to prevent sensitive data leakage. Most often, malware is after credentials to various websites, whether that is personal email, banking sites or social networking sites. To prevent this from happening, WSA has an innovative combination of security components that are used to create a safe browsing environment which works without any requirement of user interaction. This is done by blocking the various methods used to lift keystrokes from secured browser sessions as well as the numerous new methods that threats are using today: information stealing attacks running in the browser, screen-grabber threats, man-in-the-middle attacks, and various other forms of covert information gathering.

With this layer of protection, WSA will block threats even if it doesn’t know that a file is malicious. While it is definitely best to remove any threats from your system for performance reasons, with WSA enabled, you could install an undetected, zero-day Zeus infection and continue safely banking online even with it active on your system. This layered defense allows WSA to close the gap from what it finds with pure signatures to what it is able to actually protect the user against. While detection is certainly very important, actually blocking the vectors of attack used by malware is what the goal of security software should really be.

Currently most “Real World” tests rely on automation and AV scanners are only given a single chance at detection before the test system is reverted for the next round of testing. Unfortunately this testing model doesn’t give WSA a chance to leverage our unique cloud approach as it has a very static view of the files being tested. If another scan had taken place a short amount of time later, nearly all samples would have been detected from background rules running in our cloud and all system changes would have been reversed automatically.

Webroot continues to drive innovation in our products, though this isn’t always met with equal innovation in the testing process. We are actively working with various third-party testers to build better real world testing environments which gauge how well security software is able to mitigate the risks of infected systems along with how rapidly vendors are able to update protection to their user base after the discovery of a new malicious threat.
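The mechanism the bulletin describes (journal an unknown program's file and registry changes with their before-state, keep polling the cloud, revert everything if a "bad" verdict arrives later, and refuse the changes that cannot be undone) sketched as a runnable Python example. This is an added illustration written for this page, not Webroot's code, and the toy file system, registry, pid, sample hash and hostname are all constructed. It also shows the two points the thread argues over: a single poll before the verdict exists sees nothing (the "one chance" testing model), and data already sent off the host is the one change no rollback can restore, which is why the bulletin needs a separate layer for it.

```python
# Illustrative per-process change journal with a deferred cloud verdict
# (example code, not Webroot's). Host state, hash and hostname are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

FS: Dict[str, bytes] = {"C:/docs/report.txt": b"quarterly numbers"}  # toy file system
REG: Dict[str, str] = {"HKCU/Run/Update": "updater.exe"}             # toy registry


@dataclass
class Journal:
    """Before-images of every location one unknown process has touched."""
    pid: int
    sha256: str
    fs_before: Dict[str, Optional[bytes]] = field(default_factory=dict)
    reg_before: Dict[str, Optional[str]] = field(default_factory=dict)
    blocked: List[str] = field(default_factory=list)


class Monitor:
    def __init__(self, cloud: Callable[[str], Optional[str]]):
        self.cloud = cloud                  # sha256 -> "good" | "bad" | None
        self.journals: Dict[int, Journal] = {}

    def start(self, pid: int, sha256: str) -> None:
        self.journals[pid] = Journal(pid, sha256)

    # Only the first touch of a location is recorded, so the journal keeps the
    # pre-infection state no matter how many times the sample rewrites it.
    def write_file(self, pid: int, path: str, data: bytes) -> None:
        self.journals[pid].fs_before.setdefault(path, FS.get(path))
        FS[path] = data

    def delete_file(self, pid: int, path: str) -> None:
        self.journals[pid].fs_before.setdefault(path, FS.get(path))
        FS.pop(path, None)

    def set_reg(self, pid: int, key: str, value: str) -> None:
        self.journals[pid].reg_before.setdefault(key, REG.get(key))
        REG[key] = value

    def send_network(self, pid: int, host: str, payload: bytes) -> bool:
        """Bytes that leave the host cannot be rolled back, so an unknown or
        known-bad process is not allowed to send them at all."""
        j = self.journals[pid]
        if self.cloud(j.sha256) == "good":
            return True
        j.blocked.append(f"{host}:{len(payload)}B")
        return False

    def poll(self, pid: int) -> str:
        """Re-ask the cloud; a 'bad' verdict triggers the revert."""
        j = self.journals[pid]
        verdict = self.cloud(j.sha256)
        if verdict == "bad":
            self.revert(pid)
        return verdict or "unknown"

    def revert(self, pid: int) -> None:
        j = self.journals.pop(pid)
        for path, before in j.fs_before.items():
            if before is None:
                FS.pop(path, None)          # did not exist before: remove
            else:
                FS[path] = before           # restore original bytes
        for key, before in j.reg_before.items():
            if before is None:
                REG.pop(key, None)
            else:
                REG[key] = before


def scenario() -> dict:
    """Unknown sample runs; exfil is refused; the verdict arrives only on the
    second poll, the 'second look' a single-shot test never takes."""
    verdicts: Dict[str, str] = {}                   # cloud database, empty at first
    mon = Monitor(lambda h: verdicts.get(h))
    pid, h = 1234, "9f" * 32                        # constructed pid and hash
    mon.start(pid, h)
    mon.write_file(pid, "C:/docs/report.txt", b"encrypted junk")
    mon.delete_file(pid, "C:/docs/report.txt")
    mon.write_file(pid, "C:/Windows/Temp/drop.exe", b"MZ...")
    mon.set_reg(pid, "HKCU/Run/Update", "drop.exe")  # hijack an existing key
    mon.set_reg(pid, "HKCU/Run/Persist", "drop.exe") # add a new key
    exfil_allowed = mon.send_network(pid, "c2.example", b"quarterly numbers")
    first_poll = mon.poll(pid)                      # still unknown: nothing happens
    blocked = list(mon.journals[pid].blocked)
    verdicts[h] = "bad"                             # classified hours later
    second_poll = mon.poll(pid)                     # revert fires here
    return {"exfil_allowed": exfil_allowed, "first_poll": first_poll,
            "second_poll": second_poll, "blocked": blocked,
            "fs": dict(FS), "reg": dict(REG)}


if __name__ == "__main__":
    print(scenario())
```

Two details carry the argument. `setdefault` records only the first touch of each path or key, so the overwrite-then-delete of report.txt still reverts to the original bytes rather than to the encrypted copy. And `send_network` is the caveat the sceptics in this thread raise: the journal can restore files and keys it has before-images of, but it has no before-image for bytes that already reached another host, so the only "rollback" for exfiltration is refusing the send while the file is still unclassified.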
yaofang1989
Posted 2012-7-21 11:43:16
Had a look at the dynamic test results; turns out they came in dead last, so of course they had to say something... I really doubt that rollback actually does anything, and is this thing sure it can stop the account-stealing trojans from over here in China?...
寒山竹语 (OP)
Posted 2012-7-21 11:47:58
yaofang1989 posted on 2012-7-21 11:43:
Had a look at the dynamic test results; turns out they came in dead last, so of course they had to say something... I really doubt that rollback actually does anything, and is this thing sure ...

What they're hung up on is that the test methodology doesn't give them a chance.
yaofang1989
Posted 2012-7-21 11:48:58
寒山竹语 posted on 2012-7-21 11:47:
What they're hung up on is that the test methodology doesn't give them a chance.

The test methodology they want asks too much; at least as I see it, it's very hard to do at the moment....
寒山竹语 (OP)
Posted 2012-7-21 11:55:45
yaofang1989 posted on 2012-7-21 11:48:
The test methodology they want asks too much; at least as I see it, it's very hard to do at the moment....

The philosophies are simply different. It's like judging a beauty contest: whatever you do, it's wrong.
yaofang1989
Posted 2012-7-21 11:59:47
寒山竹语 posted on 2012-7-21 11:55:
The philosophies are simply different. It's like judging a beauty contest: whatever you do, it's wrong.

Took another look at the test report; of the three cloud-security products, Panda ranked best. Trend Micro needs to think of a countermeasure...
schweik60
Posted 2012-7-21 12:10:11
Why does this look so much like Kingsoft complaining back in the day that they weren't given a second scan...
360Tencent
Posted 2012-7-21 12:12:46
Last edited by 360Tencent on 2012-7-21 12:14

If at any point the cloud comes back and indicates a file is malicious, WSA will automatically remove the infection and restore the system perfectly to a pre-infection state.

The other piece to protecting an infected system is to prevent sensitive data leakage
If another scan had taken place a short amount of time later, nearly all samples would have been detected from background rules running in our cloud and all system changes would have been reversed automatically.

Unfortunately this testing model doesn’t give WSA a chance to leverage our unique cloud approach as it has a very static view of the files being tested. If another scan had taken place a short amount of time later, nearly all samples would have been detected from background rules running in our cloud and all system changes would have been reversed automatically.


Three points: rollback (费尔 (Filseclab) v8 seems to have mentioned something like this, and Kingsoft's system file repair too?)

Identity protection (anti-screenshot, anti-leakage, anti-...)

Second scan (nicknamed "二嫂", the "second sister-in-law" pun on 二扫, "second scan")



I'm a fairly down-to-earth person. Of the three points the blog makes, the first one being described as "perfect" is something I won't believe even if you beat me to death.

No comment on the second point.

As for the third point, the "second scan", I'd suggest the vendor get in touch with Kingsoft and see who does it better. I'm not interested in second scans or cloud verdicts.





bbs2811125
Posted 2012-7-21 12:15:47
360Tencent posted on 2012-7-21 12:12:
If at any point the cloud comes back and indicates a file is malicious, WSA will automatically remo ...

I'm not interested in second scans either; once you've been hit, you've been hit, who cares about your second scan. Though people chasing test-pack scores might want to pay attention to it.
wangyunxi80
Posted 2012-7-21 12:28:44
Not even interested in scans anymore,
let alone a second scan?