Views: 11455 | Replies: 21

[Discussion] [Repost] NOD32 and Kaspersky are going head-to-head BY alphabeta

起点
Posted 2006-11-11 03:24:10
NOD32 and Kaspersky are going head-to-head

Kaspersky's blog has a piece comparing heuristics and behavior analysis
that lays out the advantages of behavior analysis over heuristics.

Then a few days ago NOD32 published a piece on its own blog
explaining the advantages of heuristics over behavior analysis.

Both are in English; you can translate them with the language tool at www.google.com.

The Kaspersky one:

Virus attacks have firmly established themselves as the leading IT security threat. Not only do they result in financial losses, but they also serve as a vehicle for many other security threats, such as the theft of confidential information and unauthorized access to sensitive data. The antivirus industry has responded by coming up with a number of new approaches to protecting IT infrastructures - to name a few, these include proactive technologies, emergency updates during outbreaks, significantly more frequent antivirus database updates, etc. This paper is the first in a series of articles that will provide more information on the newest technologies used by antivirus companies and help users to judge the effectiveness of these technologies more objectively. In this article, we will focus on proactive technologies.

Virus attacks cause enormous damage and, equally important, the number of types of malicious code is growing at an increasing rate. In 2005, growth in the number of malicious programs exploded: according to Kaspersky Lab, the average number of viruses detected monthly reached 6,368 by the end of the year. Overall growth for the year reached 117% compared with 93% for the previous year.

Likewise, the nature of the threat itself has changed. Malicious programs are not only much more numerous, but also significantly more dangerous than ever before. The antivirus industry has responded to the challenge with a number of new approaches to antivirus protection, including proactive technologies, shorter response times to new threats that can cause outbreaks, as well as more frequent antivirus database updates. This article provides a detailed analysis of the proactive protection, often promoted by vendors as a panacea for all existing and even all possible viruses.

An Introduction to Proactive Technologies

Contemporary antivirus products use two main approaches to detect malicious code - signature-based and proactive/heuristic analysis. The first method is sufficiently simple: objects on the user's computer are compared to templates (e.g., signatures) of known viruses. This technology involves continually tracking new malicious programs, and creating their descriptions, which are then included in the signature database. Therefore, an antivirus company should have an effective service for tracking and analyzing malicious code (that is, antivirus lab). The main criteria used to evaluate how effectively the signature-based approach is implemented include new threat response times, frequency of updates and detection rates.

The signature-based method has a number of obvious shortcomings. The primary disadvantage is the delayed response time to new threats. There is always a time lag between the appearance of a virus and the release of its signature. Contemporary viruses are capable of infecting millions of computers in a very short time.

Thus, proactive/heuristic methods of virus detection are becoming increasingly popular. The proactive approach does not involve releasing signatures. Instead, the antivirus program analyzes the code of objects scanned and/or the behavior of the applications launched and decides whether the software is malicious based on a predefined set of rules.

In principle, this technology can be used to detect malicious programs that are as yet unknown, which is why many antivirus software developers were quick to advertise proactive methods as a panacea for the rising wave of new malware. However, this is not the case. To judge the effectiveness of the proactive approach and whether it can be used independently from signature-based methods, one must understand the principles upon which proactive technologies are based.

There are several approaches which provide proactive protection. We will look at the two which are the most popular: heuristic analyzers and behavior blockers.

Heuristic Analysis

A heuristic analyzer (or simply, a heuristic) is a program that analyzes the code of an object and uses indirect methods of determining whether it is malicious. Unlike the signature-based method, a heuristic can detect both known and unknown viruses (i.e., those created later than the heuristic).

An analyzer usually begins by scanning the code for suspicious attributes (commands) characteristic of malicious programs. This method is called static analysis. For example, many malicious programs search for executable programs, open the files found and modify them. A heuristic examines an application's code and increases its "suspiciousness counter" for that application if it encounters a suspicious command. If the value of the counter after examining the entire code of the application exceeds a predefined threshold, the object is considered suspicious.

The advantages of this method include ease of implementation and high performance. However, the detection rate for new malicious code is low, while the false positive rate is high.

Thus, in today's antivirus programs, static analysis is used in combination with dynamic analysis. The idea behind this combined approach is to emulate the execution of an application in a secure virtual environment (which is also called an emulation buffer or "sandbox") before it actually runs on a user's computer. In their marketing materials, vendors also use another term - "virtual PC emulation".

A dynamic heuristic analyzer copies part of an application's code into the emulation buffer of the antivirus program and uses special "tricks" to emulate its execution. If any suspicious actions are detected during this "quasi-execution", the object is considered malicious and its execution on the computer is blocked.

The dynamic method requires significantly more system resources than the static method, because analysis based on this method involves using a protected virtual environment, with execution of applications on the computer delayed according to the amount of time required to complete the analysis. At the same time, the dynamic method offers much higher malware detection rates than the static method, with much lower false positive rates.

The first heuristic analyzers became available in antivirus products sufficiently long ago, and all antivirus solutions now take advantage of more or less advanced heuristics.

Behavior Blockers

A behavior blocker is a program that analyzes the behavior of applications executed and blocks any dangerous activity. Unlike heuristic analyzers, where suspicious actions are tracked in emulation mode (dynamic heuristics), behavior blockers work in real-life conditions.

First-generation behavior blockers were not very sophisticated. Whenever a potentially dangerous action was detected, the user was prompted to allow or block the action. Although this approach worked in many situations, "suspicious" actions were sometimes performed by legitimate programs (including the operating system) and users who didn't necessarily understand the process were often unable to understand the system's prompts.

New-generation behavior blockers analyze sequences of operations rather than individual actions. This means that determining whether the behavior of applications is dangerous relies on more sophisticated analysis. This helps to significantly reduce the number of situations in which the user is prompted by the system and increases the reliability of malware detection.

Today's behavior blockers are able to monitor a wide range of events in the system. Their primary purpose is to control dangerous activity - that is, analyze the behavior of all processes running in the system and save information about all changes made to the file system and the registry. If an application performs dangerous actions, the user is alerted that the process is dangerous. The blocker can also intercept any attempts to inject code into other processes. Moreover, blockers can detect rootkits - i.e., programs that conceal the access of malicious code to files, folders and registry keys, as well as make programs, system services, drivers and network connections invisible to the user.

Another feature of behavior blockers that is particularly worth mentioning is their ability to control the integrity of applications and the Microsoft Windows system registry. In the latter case, a blocker monitors changes made to registry keys and can be used to define access rules to them for different applications. This makes it possible to roll back changes after detecting dangerous activity in the system in order to recover the system and return it to its state before infection, even after unknown programs have performed malicious activity.

Unlike heuristics, which are used in nearly all contemporary antivirus programs, behavior blockers are much less common. One example of an effective new-generation behavior blocker is the Proactive Defence Module included in Kaspersky Lab products.

The module includes all of the features mentioned above and also, importantly, a convenient system that informs the user of the dangers associated with any suspicious actions detected. Any behavior blocker requires input from the user at some point; so the user must be sufficiently competent. In practice, users often do not have the knowledge required, and information support (in effect, decision-making support) is an essential part of any contemporary antivirus solution.

To summarize, a behavior blocker can prevent both known and unknown (i.e., written after the blocker was developed) viruses from spreading, which is an undisputed advantage of this approach to protection. On the other hand, even the latest generation of behavior blockers has an important shortcoming: actions of some legitimate programs can be identified as suspicious. Furthermore, user input is required for a final verdict regarding whether an application is malicious, which means that the user needs to be sufficiently knowledgeable.

Proactive Protection & Software Flaws

Some antivirus vendors include statements in their advertising and marketing materials that proactive/heuristic protection is a panacea for new threats, which does not require updating and therefore is always ready to block attacks, even for those viruses that do not as yet exist. Moreover, brochures and datasheets often apply this not only to threats that use known vulnerabilities, but to so-called "zero-day" exploits as well. In other words, according to these vendors, their proactive technologies are capable of blocking even malicious code which uses unknown flaws in applications (those for which patches are not yet available).

Unfortunately, either the authors of these materials are insincere or they don't quite understand the technology well enough. Specifically, combating malicious code is described as a fight between virus writers and automatic methods (proactive/heuristic). In reality, the fight is between people - virus writers versus antivirus experts.

The proactive protection methods described above (heuristics and behavior blockers) are based on "knowledge" about suspicious actions characteristic of malicious programs. However, this "knowledge" (i.e., a set of behavior-related rules) is input into the program by antivirus experts and is obtained by analyzing the behavior of known viruses. Thus, proactive technologies are powerless against malicious code that uses completely new methods for penetrating and infecting computer systems, which appeared after the rules were developed - this is what zero-day threats are all about. Additionally, virus writers work hard to find new ways of evading behavior rules used by existing antivirus systems, which in turn significantly reduces the effectiveness of proactive methods.

Antivirus developers have no choice but to update their set of behavior rules and upgrade their heuristics in response to the emergence of new threats. These types of updates are certainly less frequent than in the case of virus signatures (code templates), but still need to be performed regularly. As the number of new threats increases, the frequency of such updates will inevitably rise as well. As a result, proactive protection will evolve into a variant of the signature method, albeit based on "behavior" rather than code patterns.

By concealing the need to update proactive protection from users, some antivirus vendors in effect deceive both their corporate and personal clients and the press. As a result, the public has a somewhat erroneous idea of the capabilities of proactive protection.

Proactive vs. Signature-Based Methods

Despite their shortcomings, proactive methods do detect some threats before the relevant signatures are released. An example of this can be seen in the response of antivirus solutions to a worm called Email-Worm.Win32.Nyxem.e (Nyxem).

The Nyxem worm (also known as Blackmal, BlackWorm, MyWife, Kama Sutra, Grew and CME-24) can penetrate a computer when a user opens an email attachment containing links to pornographic and erotic sites or a file on open network resources. It takes the virus very little time to delete information on the hard drive. Up to 11 different file formats are affected (including Microsoft Word, Excel, PowerPoint, Access, Adobe Acrobat). The virus overwrites all useful information with a meaningless set of characters. Another distinctive characteristic of Nyxem is that it only becomes active on the third of each month.

A research group from Magdeburg University (AV-Test.org) carried out an independent study to assess the time it took different developers to respond once Nyxem emerged. It turned out that several antivirus products were able to detect the worm using proactive technologies, i.e. before the signatures were released:

Proactive detection of Nyxem by behavior blockers

    Kaspersky Internet Security 2006 (Beta 2)     DETECTED
    Internet Security Systems: Proventia-VPS       DETECTED
    Panda Software: TruPrevent Personal            DETECTED

Proactive detection of Nyxem by heuristics

    eSafe       Trojan/Worm [101] (suspicious)
    Fortinet    Suspicious
    McAfee      W32/Generic.worm!p2p
    Nod32       NewHeur_PE (probably unknown virus)
    Panda       Suspicious file

Time of release of signatures to detect Nyxem

    BitDefender     2006-01-16 11:13    Win32.Worm.P2P.ABM
    Kaspersky Lab   2006-01-16 11:44    Email-Worm.Win32.VB.bi
    AntiVir         2006-01-16 13:52    TR/KillAV.GR
    Dr Web          2006-01-16 14:56    Win32.HLLM.Generic.391
    F-Secure        2006-01-16 15:03    Email-Worm.Win32.VB.bi
    VirusBuster     2006-01-16 15:25    Worm.P2P.VB.CIL
    F-Prot          2006-01-16 15:31    W32/Kapser.A@mm (exact)
    Command         2006-01-16 16:04    W32/Kapser.A@mm (exact)
    AVG             2006-01-16 16:05    Worm/Generic.FX
    Sophos          2006-01-16 16:25    W32/Nyxem-D
    Trend Micro     2006-01-17 03:16    WORM_GREW.A
    eTrust-VET      2006-01-17 06:39    Win32/Blackmal.F
    Norman          2006-01-17 07:49    W32/Small.KI
    ClamAV          2006-01-17 08:47    Worm.VB-8
    Avast!          2006-01-17 15:31    Win32:VB-CD [Wrm]
    eTrust-INO      2006-01-17 16:52    Win32/Cabinet!Worm
    Symantec        2006-01-17 17:03    W32.Blackmal.E@mm

Source: Security Watch: Blackworm Blows Up On Friday (PC Magazine, AV-Test.org)

Overall, eight antivirus products detected Nyxem using proactive methods. Does this, however, mean that proactive technologies can replace the "classical" signature-based approach? Certainly not. To be valid, analysis of the effectiveness of proactive protection should be based on tests involving large virus collections, not individual viruses, however notorious.

One of the few widely acknowledged independent researchers who analyze proactive methods used by antivirus products on large virus collections is Andreas Clementi (http://www.av-comparatives.org/). To find out which antivirus programs are capable of detecting threats that do not as yet exist, solutions can be tested on viruses that appeared recently, e.g., within the past three months. Naturally, antivirus programs are run with signature databases released three months ago, so that they are confronted with threats that were then "unknown" to them. Andreas Clementi's focus is on the results of this type of testing.

Based on the results of testing conducted in 2005, the heuristics used in the Eset, Kaspersky Anti-Virus and Bitdefender solutions were the most effective.

The test used a collection that included 8,259 viruses. From the results above, we see that the highest detection rate in the test was about 70%. This means that each of the solutions tested missed at least 2,475 viruses, hardly an insignificant figure.

In another test of the effectiveness of heuristic analyzers conducted by experts from Magdeburg University (AV-Test.org) in March 2006 for PC World magazine, detection rates achieved by leaders of the test did not exceed 60%. Testing was conducted using one-month old and two-month old signatures.

It should be noted that the high detection rates demonstrated by heuristic analyzers have a downside: their false positive rates are also very high. To operate normally, an antivirus program should strike a balance between detection rates and false positive rates. This is also true of behavior blockers.

The results of the analyses conducted by AV-comparatives.org and AV-Test.org provide a solid illustration of the fact that proactive methods alone are incapable of providing the necessary detection rates. Antivirus vendors are perfectly aware of this and, for all their rhetoric on proactive technologies, continue to use classical signature-based detection methods in their solutions. Tellingly, developers of purely proactive solutions (Finjan, StarForce Safe'n'Sec) must purchase licenses for "classical" signature-based technologies from third parties to use in their products.

Naturally, signature-based methods have shortcomings as well, but so far, the antivirus industry has been unable to come up with anything capable of replacing this classic approach. Consequently, the primary criteria to measure the effectiveness of antivirus solutions will continue to include not only the quality of proactive protection, but response time to new virus threats (the time it takes to add the relevant signature to the database and deliver the update to users) as well.

Below is information on average response times demonstrated by leading antivirus vendors for major antivirus threats during 2005. The Magdeburg University research group (AV-Test.org) analyzed the time it took developers to release updates containing the relevant signatures. The analysis covered different variants of 16 worms that were most common in 2005, including Bagle, Bobax, Bropia, Fatso, Kelvir, Mydoom, Mytob, Sober and Wurmark.

Average response time 2005

    0 to 2 hours      Kaspersky Lab
    2 to 4 hours      BitDefender, Dr. Web, F-Secure, Norman, Sophos
    4 to 6 hours      AntiVir, Command, Ikarus, Trend Micro
    6 to 8 hours      F-Prot, Panda Software
    8 to 10 hours     AVG, Avast, CA eTrust-InocuLAN, McAfee, VirusBuster
    10 to 12 hours    Symantec
    12 to 14 hours    -
    14 to 16 hours    -
    16 to 18 hours    -
    18 to 20 hours    CA eTrust-VET

Source: Ranking Response Times for Anti-Virus Programs (Andreas Marx of AV-Test.org).

Conclusions

In summary, a number of important conclusions can be made from the above. First of all, the proactive approach to combating malicious programs is the antivirus industry's response to the ever-growing stream of new malware and increasing rates at which it spreads. Existing proactive methods are indeed helpful in combating many new threats, but the idea that proactive technologies can replace regular updates to antivirus protection is a fallacy. In reality, proactive methods require updating as much as signature-based methods.

Existing proactive techniques alone can not ensure high malicious program detection rates. Furthermore, higher detection rates are in this case accompanied by higher false positive rates. In this situation, the new threat response time remains a solid measure of antivirus program effectiveness.

For optimal antivirus protection, proactive and signature-based methods should be used together, given that top detection rates can be achieved only by combining these two approaches. The figure below shows results of testing conducted by Andreas Clementi (www.av-comparatives.org) to determine the overall (signature-based + heuristic) malicious program detection levels. It may seem that the differences between programs that performed well in tests are small. Yet, it should be kept in mind that the test was performed on a collection of over 240,000 viruses and a difference of 1% accounts for about 2,400 missed viruses.

Users of antivirus solutions should not place too much trust in the information they find in vendor marketing materials. Independent tests that compare the overall capabilities of products are best suited to assessing the effectiveness of solutions available on the marketplace.


The NOD32 one:

OK, so I told you I would blog about the Spycar test file - I will, but first you need to understand behavior blocking technology for anything about Spycar to make sense.

Scanners and behavior blockers both attempt to stop viruses, spyware and other bad programs. The approaches used by scanners and behavior blockers are complementary when a skilled user applies them.

Traditional anti-virus products offer protection by blocking bad programs from running. There is virtually no level of expertise required by the user, the scanner recognizes a bad program and will not let it run. You might call this an intelligent approach. Good programs run without the scanner bugging you and bad programs are blocked, regardless of whether you are an expert or a novice.

Behavior blockers do not care what the motive of the program is, they stop certain things from happening. Airport security is a lot like a behavior blocker. It doesn't matter if a person is the best surgeon in the world, the doctor cannot take a knife onto an airplane. Behavior blockers do not generally care what the program is, if it tries to perform a specific action the behavior blocker will stop it. If the behavior blocker is set to stop programs from writing to the registry then many bad programs will fail to work and many good programs will be completely unusable as well.

If you wish to use a behavior blocker effectively it generally requires that you understand a lot about computers. You have to know when to tell the blocker an action is ok and when to say no. If you say no all of the time you will not be able to use much software. If you say yes all of the time a behavior blocker will not help you and it will probably annoy you so much that you remove it.

Microsoft Office introduced a behavior blocker in Word 97. The blocker was macro protection. If you turned on macro protection then every time you opened a document that contained macros it would ask you if you wished to let macros run. If you knew when to choose no and when to choose yes then this behavior blocker could very effectively protect you against macro viruses. Most people just clicked yes and so the behavior blocker was mostly ineffective.

Is a behavior blocker right for you? It depends on how much you know and what your tolerance is for interruption. If you know what it means to write to the hosts file, the start menu, HKCU run, HKLM RunOnce, and so on then you may be able to use a behavior blocker effectively. If you do not understand when these actions are or are not ok then a behavior blocker is probably not the right security approach for you. If you try to install a networked printer a good behavior blocker will probably warn you. Will you know that it is your printer installation program that is changing your hosts file, why it is changing it, and if it is ok? Is it ok for a chat program to modify the hosts file?

Spycar does not test products to see how well they detect bad programs, Spycar allows knowledgeable users to test behavior blocking programs to see what actions they block - regardless of whether the action is good or bad. It is up to you to determine when the behavior is good or bad.

Here is a real life scenario for you. Some Internet browser toolbars are ok. Some toolbars install spyware or adware. When you install a toolbar it will make some changes that a good behavior blocker will detect and warn you about. The behavior blocker will not tell you which toolbar is good and which one is bad, only that the toolbar is trying to do something. If you are like most people, if the toolbar with spyware looks like something really cool you will tell the behavior blocker to let you install it and your computer will become infected. If you go to install the good toolbar, but think it might be bad because the behavior blocker told you the program is doing something, you will block it and then be denied the benefits of the good toolbar.

Behavior blockers are tools that indicate activities, not programs that detect spyware, viruses or anything else - determining whether or not the action is good or bad is your job when you use a behavior blocker.
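As an added illustration (not code from either blog post, and not any vendor's engine), here is a toy Python version of the two mechanisms the Kaspersky article describes and the NOD32 post criticises: a static heuristic that raises a "suspiciousness counter" for each suspicious API import and compares it with a threshold, and a behavior blocker in both generations, one that prompts on every individual dangerous action and one that only fires on an ordered chain of actions by the same process. The import weights, the threshold, the dangerous-action sets, the dangerous-sequence rules and the event logs are all constructed for the example; none of them is a real product's rule set or a real sample's behavior.

```python
"""Toy proactive-detection logic: a static heuristic scorer plus two generations
of behavior blocker. Added illustration; all rules and samples are constructed."""
from typing import Dict, Iterable, List, Sequence, Tuple

# ---- 1. Static heuristic: a "suspiciousness counter" over imported API names ----
# Weights are assumptions chosen for illustration; a real engine has hundreds of
# rules and combines this with emulation (the "dynamic" heuristic in the article).
SUSPICIOUS_IMPORTS: Dict[str, int] = {
    "FindFirstFileA": 1,       # enumerate files (looking for executables to infect)
    "WriteFile": 1,            # modify the files found
    "RegSetValueExA": 1,       # persistence via the registry
    "IsDebuggerPresent": 1,    # anti-analysis
    "URLDownloadToFileA": 2,   # fetch a second stage
    "SetWindowsHookExA": 2,    # keylogging hook
    "WriteProcessMemory": 3,   # code injection
    "CreateRemoteThread": 3,   # code injection
}
THRESHOLD = 5  # assumed cut-off above which an object is "suspicious"


def heuristic_score(imports: Iterable[str]) -> int:
    """Sum the weights of every suspicious import; unknown names add nothing."""
    return sum(SUSPICIOUS_IMPORTS.get(name, 0) for name in imports)


def static_verdict(imports: Sequence[str]) -> str:
    return "suspicious" if heuristic_score(imports) >= THRESHOLD else "clean"


# ---- 2. Behavior blockers over an event stream of (process, action, target) ----
Event = Tuple[str, str, str]

# First generation: any single action from this set triggers a user prompt.
DANGEROUS_ACTIONS = {"file_write_exe", "reg_run_key", "hosts_modify", "process_inject"}

# Second generation: only an ordered chain of actions by one process is a verdict.
DANGEROUS_SEQUENCES: List[Tuple[str, ...]] = [
    ("file_write_exe", "reg_run_key", "process_inject"),  # drop, persist, inject
    ("file_write_exe", "reg_run_key", "hosts_modify"),    # drop, persist, block update sites
]


def first_gen_prompts(events: Sequence[Event]) -> List[Event]:
    """Every individual dangerous action becomes a prompt the user must answer."""
    return [e for e in events if e[1] in DANGEROUS_ACTIONS]


def _is_subsequence(pattern: Tuple[str, ...], actions: List[str]) -> bool:
    """True if the pattern's actions occur in order (not necessarily adjacent)."""
    it = iter(actions)
    return all(any(a == wanted for a in it) for wanted in pattern)


def sequence_verdicts(events: Sequence[Event]) -> Dict[str, List[Tuple[str, ...]]]:
    """Group actions per process and report which dangerous chains each completed."""
    per_process: Dict[str, List[str]] = {}
    for proc, action, _target in events:
        per_process.setdefault(proc, []).append(action)
    return {proc: [p for p in DANGEROUS_SEQUENCES if _is_subsequence(p, acts)]
            for proc, acts in per_process.items()}


# ---- Constructed samples (not real malware, not real products) ----
WORM_IMPORTS = ["FindFirstFileA", "WriteFile", "RegSetValueExA",
                "WriteProcessMemory", "CreateRemoteThread"]              # 1+1+1+3+3 = 9
BACKUP_TOOL_IMPORTS = ["FindFirstFileA", "WriteFile", "RegSetValueExA", "CloseHandle"]  # 3
DEBUGGER_IMPORTS = ["IsDebuggerPresent", "WriteProcessMemory", "CreateRemoteThread"]    # 7, a false positive

PRINTER_INSTALL: List[Event] = [   # the legitimate installer from the NOD32 post's example
    ("prnsetup.exe", "file_write_dll", r"C:\Windows\System32\spool\drivers\mon.dll"),
    ("prnsetup.exe", "hosts_modify", "printserver.corp.example"),
    ("prnsetup.exe", "reg_run_key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PrinterMonitor"),
]
DROPPER: List[Event] = [           # drop, persist, inject: completes a dangerous chain
    ("dropper.exe", "file_write_exe", r"C:\Windows\System32\svchosts.exe"),
    ("dropper.exe", "reg_run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"),
    ("dropper.exe", "process_inject", "explorer.exe"),
]

if __name__ == "__main__":
    for name, imps in [("worm", WORM_IMPORTS), ("backup tool", BACKUP_TOOL_IMPORTS),
                       ("debugger", DEBUGGER_IMPORTS)]:
        print(f"static heuristic: {name:12s} score={heuristic_score(imps)} -> {static_verdict(imps)}")
    for name, log in [("printer install", PRINTER_INSTALL), ("dropper", DROPPER)]:
        print(f"{name}: first-gen prompts={len(first_gen_prompts(log))}, "
              f"sequence verdicts={sequence_verdicts(log)}")
```

The debugger sample shows the static heuristic's false-positive problem: a legitimate debugger imports the same injection APIs as the worm and crosses the threshold. The printer-installer log shows the difference between the two blocker generations: the first-generation blocker prompts twice (hosts file, Run key) and leaves the decision to the user, exactly the situation the NOD32 post describes, while the sequence blocker stays quiet because no "drop executable" step precedes those actions. Both mechanisms are still driven by rule sets written from the behavior of known malware, which is the update dependency the Kaspersky article stresses.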
tracydk
Posted 2006-11-11 07:39:52
I can't follow it, what does it all say???
Oceanzd
Posted 2006-11-11 08:31:33
Haha, each side says its own approach is better. Interesting.
hzq277284
Posted 2006-11-11 09:07:41
So long.
As long as Kaspersky's behavior analysis is roughly on par with NOD32's heuristics, I'd definitely pick Kaspersky, because the gap in virus databases is too big.
银雕
Posted 2006-11-11 12:48:55
I use both.
pmj_sh
Posted 2006-11-11 13:02:59
If NOD32's virus database were small it couldn't have passed VB100% 42 times.
The base test set each time is 170,000 viruses.
That its heuristic results fall below behavior analysis is true, though.
哪吒
Posted 2006-11-11 21:15:11
Ugh~
It's all in English~~
Honestly, never mind how many times NOD32 has passed VB,
I was still pretty disappointed with it back when I used it~
起点
Original poster | Posted 2006-11-11 21:23:51
It's also possible NOD32 defines variants differently from other vendors.
For example, two variants with only tiny differences get the same virus name (pure guesswork).
I feel that counting how many distinct viruses can be detected is more meaningful.
AVG's virus database is big enough, but its results are still mediocre.
caglian
Posted 2006-11-11 21:33:00
Black cat or white cat, whichever catches mice is a good cat.

PS: personally I lean toward a blend of behavior analysis and heuristics.
caglian
Posted 2006-11-11 21:42:24
The Kaspersky one:

[Machine translation into Chinese of the Kaspersky article quoted in the first post; omitted here as a garbled duplicate.]


The NOD32 article

OK, let me tell you what I think of the Spycar test files on the blog, but first you need to understand what behaviour blocking technology is and what Spycar does.

Scanners and behaviour blockers both try to stop viruses, spyware and other unwanted programs. The scanner approach and behaviour blocking technology complement each other when a user applies them properly.

Traditional antivirus products protect you by stopping bad programs from getting in. No expertise is required from the user: the scanner identifies the bad program and does not let it run. You might call this the intelligent approach. Good programs run, bad programs do not, and the scanner does not care whether you are an expert or a novice.

Behaviour blockers do not care about a program's intentions; they stop certain things from happening. Airport security behaves a lot like a behaviour blocker. No matter whether a person is the best surgeon in the world, the doctor cannot take a scalpel onto the plane. A behaviour blocker generally does not care what a program is; if the program tries to perform a specific action, the behaviour blocker will stop it. If a behaviour blocker is set to stop programs writing files, then many bad programs will fail, and many good programs will become completely unusable.

If you want to use a product containing a behaviour blocker effectively, it usually requires you to know a lot about computers. You need to know when to tell the blocker an action is fine and when to say no. If you say no all the time, you will not be able to use a lot of software. If you say yes all the time, the behaviour blocker will not help you; it may annoy you so much that you remove it.

Microsoft introduced a behaviour blocker in Office/Word 97: it was called macro protection. If you turned macro protection on, every time you opened a file containing macros it asked whether you wanted to let the macros run. If you knew which choice to make, choosing well made macro protection a very effective defence against macro viruses. Most people simply clicked OK, so this behaviour blocker was largely ineffective.

Is a behaviour blocker right for you? Only you know how much interruption you are willing to tolerate. If you know what it means to write to the hosts file, the Start menu, HKCU Run, HKLM RunOnce and so on, then you can use a behaviour blocker effectively. If you do not know when such actions are or are not fine, then a behaviour blocker is probably not the right security approach for you. If you install a network printer, a good behaviour blocker may well warn you. Do you know whether it is your printer installer that is modifying the hosts file so it cannot be changed, and whether that is a good thing? Is it fine for a chat program to change the hosts file?

Spycar does not test products to see whether they detect bad programs. It lets users test their behaviour blocking program to see which actions it catches, whether those actions are good or bad. It is up to you to decide whether the action is good or bad.

Here is a real-life scenario. Some Internet browser toolbars are fine. Some toolbars install spyware, or are spyware. When you install a toolbar it makes some changes, and a good behaviour blocker will notice and warn you. The behaviour blocker will not tell you which toolbar is good and which is bad, only that a toolbar is trying to make a change. If you like a toolbar that is really spyware and you tell the behaviour blocker to allow it, your computer becomes infected. If you want to install a good toolbar but, because the behaviour blocker told you what the program was doing, you think it might be bad, you will block it and lose the benefit of the good toolbar.

A behaviour blocking tool shows activity; it does not detect spyware, viruses or anything else. Determining whether an action is good or bad is your responsibility when you use a behaviour blocker.
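The two articles above describe the same mechanism from two sides: the Kaspersky piece explains why a new-generation blocker judges a chain of actions by one process (fewer prompts, a verdict it can act on, a registry journal it can roll back), while the NOD32 piece explains why a per-action blocker of the Spycar kind pushes the decision onto the user. The following is an added example, written for this discussion and not code from either vendor or from Spycar, that puts the two side by side. The event format, the rule names ("drop-persist-inject", "hosts-hijack-listener"), the file and registry paths in the rules and the two constructed event streams (a printer installer and a dropper) are all assumptions for illustration; no real product uses these exact rules.

```python
"""Toy behaviour blocker: per-action rules versus action-sequence rules,
plus a registry change journal with rollback.

Added example for this thread; not Kaspersky's, ESET's or Spycar's code.
The event format, rules and sample event streams are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One monitored system action (constructed format)."""
    pid: int
    action: str                      # "file_write", "reg_set", "inject", "net_listen"
    target: str                      # file path, registry key or target process name
    old_value: Optional[str] = None  # previous registry value (reg_set only)
    new_value: Optional[str] = None  # new registry value (reg_set only)


HOSTS = r"c:\windows\system32\drivers\etc\hosts"
HKCU_RUN = r"hkcu\software\microsoft\windows\currentversion\run\*"
HKLM_RUNONCE = r"hklm\software\microsoft\windows\currentversion\runonce\*"
SYSTEM32_EXE = r"c:\windows\system32\*.exe"


def _hit(ev: Event, action: str, pattern: str) -> bool:
    """Case-insensitive glob match of one event against one (action, target) rule."""
    return ev.action == action and fnmatchcase(ev.target.lower(), pattern.lower())


# Per-action (first-generation / Spycar style) rules: each one alone is "suspicious",
# so each hit becomes a prompt that the user has to answer.
SINGLE_ACTION_RULES: List[Tuple[str, str]] = [
    ("file_write", HOSTS),
    ("file_write", SYSTEM32_EXE),
    ("reg_set", HKCU_RUN),
    ("reg_set", HKLM_RUNONCE),
    ("inject", "*"),
]

# Sequence (new-generation) rules: an ordered chain of actions by ONE process.
# Only a completed chain produces a verdict; isolated actions never do.
SEQUENCE_RULES: Dict[str, List[Tuple[str, str]]] = {
    "drop-persist-inject": [("file_write", SYSTEM32_EXE), ("reg_set", HKCU_RUN), ("inject", "*")],
    "hosts-hijack-listener": [("file_write", HOSTS), ("net_listen", "*")],
}


def first_gen_prompts(events: List[Event]) -> List[Event]:
    """Events a per-action blocker would ask the user about (the user decides)."""
    return [ev for ev in events if any(_hit(ev, a, p) for a, p in SINGLE_ACTION_RULES)]


class SequenceBlocker:
    """Tracks, per (pid, rule), how far along the chain the process has got."""

    def __init__(self) -> None:
        self.progress: Dict[Tuple[int, str], int] = {}

    def observe(self, ev: Event) -> Optional[str]:
        """Return the rule name if ev completes a chain for ev.pid, else None."""
        for name, chain in SEQUENCE_RULES.items():
            key = (ev.pid, name)
            idx = self.progress.get(key, 0)
            if idx < len(chain) and _hit(ev, *chain[idx]):
                idx += 1
                self.progress[key] = idx
                if idx == len(chain):
                    return name
        return None


class RegistryJournal:
    """Records (key, previous value) per process so its changes can be undone."""

    def __init__(self) -> None:
        self.entries: Dict[int, List[Tuple[str, Optional[str]]]] = {}

    def record(self, ev: Event) -> None:
        if ev.action == "reg_set":
            self.entries.setdefault(ev.pid, []).append((ev.target, ev.old_value))

    def rollback(self, pid: int) -> Dict[str, Optional[str]]:
        """Undo newest-first; the earliest recorded value for a key wins (None = key absent)."""
        restored: Dict[str, Optional[str]] = {}
        for key, old in reversed(self.entries.pop(pid, [])):
            restored[key] = old
        return restored


def run_blocker(events: List[Event]):
    """Feed events through the sequence blocker; on a completed chain, terminate the
    process and roll back its registry changes.  Returns (blocked, rolled_back)."""
    seq, journal = SequenceBlocker(), RegistryJournal()
    blocked: Dict[int, str] = {}
    rolled_back: Dict[int, Dict[str, Optional[str]]] = {}
    for ev in events:
        if ev.pid in blocked:       # a terminated process performs no further actions
            continue
        journal.record(ev)
        rule = seq.observe(ev)
        if rule:
            blocked[ev.pid] = rule
            rolled_back[ev.pid] = journal.rollback(ev.pid)
    return blocked, rolled_back


# Constructed event streams.  A legitimate printer installer that touches the hosts
# file and a RunOnce key, and a dropper that writes a PE into system32, persists
# via HKCU Run, injects into explorer.exe and opens a listener.
PRINTER_INSTALLER = [
    Event(100, "file_write", r"c:\program files\acmeprint\setup.log"),
    Event(100, "file_write", HOSTS),
    Event(100, "reg_set", r"hklm\software\microsoft\windows\currentversion\runonce\acmeprint", None, "finish.exe"),
]
DROPPER = [
    Event(200, "file_write", r"c:\windows\system32\svchost32.exe"),
    Event(200, "reg_set", r"hkcu\software\microsoft\windows\currentversion\run\svchost32", None, r"c:\windows\system32\svchost32.exe"),
    Event(200, "inject", "explorer.exe"),
    Event(200, "net_listen", "0.0.0.0:4444"),
]

if __name__ == "__main__":
    print("per-action prompts, printer installer:", len(first_gen_prompts(PRINTER_INSTALLER)))
    print("per-action prompts, dropper:", len(first_gen_prompts(DROPPER)))
    print("sequence blocker verdicts:", run_blocker(PRINTER_INSTALLER + DROPPER))
```

The per-action blocker asks the user two questions about the printer installer and three about the dropper, and in both cases the answer is left to the user, which is exactly the Spycar situation described above. The sequence blocker asks nothing about the installer (the hosts write never becomes a hijack because no listener follows), blocks the dropper only when the third link of the chain appears, and returns the registry state it restored. The price of the sequence approach is the one the Kaspersky article names: the chains are rules written from known malware, so a dropper that persists in a way the rules do not list is not caught.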