F-secure Deepguard 技术简要介绍——转译自官方白皮书——终于完结~

欧阳宣

https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf

个人在接触FS之前就对DG这种云地结合的防御技术充满了向往。它突破了以往BD系杀软与云联动不多的陋习，个人认为是云和本地两手抓两手硬的典范。

前几天逛论坛翻到了有人给出的DG技术白皮书，于是简单翻译一下，希望大家对各个杀软的特色技术都能有更加详细的了解，这对净化论坛的讨论氛围无疑是有帮助的。

每段的章节数均跟随原文：因为原文的篇幅比较长，因此只节选说明性和阐述类的文字翻译之，举例的话俺就偷懒啦。








1. The case for proactive behavioral analysis
主动行为分析的必要性

2. Multi-layered protection
多层防护

3. More about DeepGuard
DG更多细节

4. How DeepGuard works
DG的工作原理

5. Exploit interception
针对漏洞的防护

6. False positives prevention
对误报的预防

7. Conclusion
总结

附录：
THE ROAD TO DEEPGUARD
DG的演变

欧阳宣

1. The case for proactive behavioral analysis 主动行为分析的必要性

One of the most demanding challenges security programs have had to address in the last few years has been the increasing diversification of attack vectors through which malware can arrive onto a host machine, especially as more applications, networks and services become hosted on or accessible over the Internet. This has been of particular concern with the growing popularity of online-based attacks that exploit vulnerabilities in applications installed on a machine in order to run malicious code.
杀毒软件在过去几年所遇到的最重大的挑战之一无疑是病毒攻击的多样化：恶意软件如今可以进入宿主机器，正如很多其它程序，网络和服务都被转移到网络上一样。随着通过软件漏洞执行恶意代码的网络攻击变得越来越普遍，这样的担忧与日俱增。

Some of the difficulties involved in dealing with modern attacks stem from major changes in the threat landscape that have taken place in the last ten years or so, including:
最近几年来针对威胁趋势的变化作出应对遇到了许多困难，其中主要包括以下几点：

Exponential growth in malware
恶意软件的爆发式增长
Since the mid-2000s, when malware creation kits that automated the process of producing malicious programs first became widely available, the numbers of malware samples seen by antivirus labs have grown exponentially, with hundreds of thousands of new or variant strains being created and propagated every month. In addition to the overwhelming numbers, many of these variants are designed to live only for a short time, sometimes only days or hours, in a deliberate attempt to overwhelm antivirus programs by sheer volume.
从00年代中期开始，随着自动化批量生产恶意软件的工具包得到普及，病毒实验室每天所遇到的病毒样本便开始成指数级增长。每个月都有数十万个样本变种通过批量生产或是变异得来。除了数量上大大增加以外，其中的许多变种被设计为只在很短的时间内生效，有时只有几天甚至几小时。这么做的目的就在于希望通过数量来压制住杀软的检测。


Attacks move online
攻击转移到线上
The days when malware was most commonly distributed via e-mail attachments are long gone. Today, the most common attack vector is through a silent drive-by download during a visit to a compromised legitimate site or a malicious website that hijacks traffic from search engines or compromised sites. By moving distribution from direct delivery to the target machines to the nebulous online world, malware distributors and attackers not only increase their target audience but also make it much harder to prevent infections. Without a mechanism to identify the attack site and prevent users from visiting it, the user’s machine can be successfully exploited without any overt sign that an attack has occurred.
那种病毒还需要通过电子邮件附件来传播的日子早已不复存在了。如今最普遍的攻击方式是通过访客访问已中招的合法网站或者是暗中被劫持流量的搜索引擎结果和网站来执行静默下载。通过将分发恶意软件的方式从直接推送到各个机器变为通过互联网大量分发，病毒作者不仅拓宽了病毒的受众群体，也加大了检测的难度。如果没有一种机制来区分受攻击的站点并组织用户访问，那用户的机器即便在攻击发生后都感觉不到任何征兆。


Malware becomes a cybercrime tool
恶意软件变为网络犯罪的工具
The consequences of an infection have also changed as organized criminals increasingly engage in cybercrime. Data and identity theft and monetary fraud are all criminal activities that have in recent years been facilitated by malware, in some cases in staggering amounts. For example, the United States Federal Bureau of Investigation (FBI) reported in a 2012 Senate hearing [1] that $14 million in “illegal fees” were generated in the 2011 Ghost Click click-bot operation. With most real-world authorities lacking the resources or political will to prosecute cybercrimes, there is strong monetary incentive for cybercriminals to continue and improve their online activities.
感染发生之后的后果也随着有组织的罪犯参与进入网络犯罪而发生了变化。这几年恶意软件参与窃取数据，身份信息，参加涉及钱财的诈骗已是数见不鲜，有些情况下数额还特别巨大。例如美国联邦调查局在2012年的一次参议会听证会上报告指因为Ghost Click click-bot 攻击所引起的犯罪金额就超过了1400万美元。大多数现实中的政府机构都缺乏技术和决心来整治网络犯罪，而这也是罪犯不停改进和推进自己在线犯罪活动的主要动机。


Popular software is heavily targeted
常用软件被特别针对
Although almost any software can contain vulnerabilities, of particular interest to cybercriminals and other attackers are vulnerabilities in popular applications, such as Java Runtime Environment (JRE), Adobe Reader, Microsoft Office and web browsers. These programs typically have millions of users, making them prime targets for attack.
Many of these applications have multiple known vulnerabilities, and though most are fixed by security patches released from the vendors, the time needed to develop and deploy these fixes to all affected machines still leaves an interval in which the users are vulnerable. Additionally, new or zero-day vulnerabilities are periodically found for which no patches are yet available, leaving the users wide open for exploitation.
虽然几乎任何软件都可能存在漏洞，让罪犯尤其感兴趣的是在常用软件中的漏洞，比如Java运行环境，Adobe Reader，Office和网页浏览器。这些软件大多拥有超过百万的用户，这使得他们成为了主要的受攻击目标。
许多这类软件都有多个已知漏洞，虽然其中的大多数都被软件作者以补丁的方式进行了修复，但是补丁的编写和部署所需要的时间都让用户的机器有了受威胁的空档。此外，全新或者是零日的漏洞时常在毫无任何修复的情况下被发现，用户在面对这类攻击时可谓毫无防备。


Exploit kits make attacking easier
漏洞侦测包使得攻击成本降低
The advent of commercial-grade exploit kits such as BlackHole, Cool Exploit or Sweet Orange, which automate the process of scanning and exploiting a user’s machine within seconds of a visit to an attack website, have significantly lowered the level of technical expertise needed for cybercriminals to successfully infect new victims with malware.  
随着商业级的漏洞侦测包（BlackHole, Cool Exploit 和 Sweet Orange）的诞生，自动化扫描用户软件漏洞并开始攻击的过程在用户访问被攻击的网站后几秒钟内就可以开始。这无疑大大降低了漏洞类攻击的技术要求。

Exploit kits have transformed vulnerability exploitation from a niche activity into a common attack vector. The increasing number of malware being distributed using exploitbased methods have in turn led to a need for on-host security solutions that are able to identify and block attempts to exploit vulnerabilities in installed programs, before malware can be successfully dropped onto the machine.  
漏洞侦测包使得漏洞类攻击从以前的隐秘性行为变成了普遍的攻击方式。大量的漏洞类恶意软件开始广泛传播，这反过来要求hips能够识别并阻挡针对机器上软件的漏洞的攻击，即便在恶意软件能够成功释放到机器上之前。


Targeted attacks make detection harder
针对性的攻击加大了检测难度
More focused targeted attacks can involve more obscure exploits and delivery mechanisms. These attacks typically use document or executable files carefully crafted to fit the profile of the intended victim, taking into account their topics of interest, preferred operating system and any security programs they may be using. The highly specific nature of these attacks makes them particularly difficult to detect using traditional signaturebased detections.
更加具有针对性的攻击针对的是更加隐秘的漏洞和分发机制，这类攻击大多采用非常符合受害用户使用场景的文档和exe文件，充分照顾他们的关切，他们的操作系统，以及可能用到的防护软件（译者注：比如样本区超多的lnk木马，cf刷枪木马和对账单.exe）。这样针对性非常高的特点使得传统的特征库检测变得十分无力。

Identifying clean programs becomes more critical
识别白文件越发重要
The number of clean or non-malicious applications globally available today runs into the millions, far more than the normal user is likely to be familiar with at any one time. The abundance of programs, their easy accessibility over the Internet and the need to stay abreast of constant program updates all makes it cumbersome for security solutions to depend solely on local user-driven white- and black- listing to provide adequate protection.
The majority of programs seen on a typical machine are clean, so correctly identifying non-malicious software is a significant step towards pinpointing truly harmful programs for further attention. Eliminating false positives on clean files is also critical in optimizing a security program’s performance and of course, minimizing interference with the user’s experience.
每天全球产生的干净的文件有数百万之多，普通用户很难在很短的时间内完全熟悉它们。大量的软件在互联网上被分发，更新也十分频繁。这样的现状使得杀软要想完全依靠本地的判断来决定文件黑白变得艰难。
一台普通的机器上的大多数文件是干净的，所以准确识别白程序对进一步检测有害程序至关重要。从优化检测性能，减少对用户的干扰的方面来讲，消除误报同样是十分必要的。

Given the various challenges presented by today’s more complex computing realities and more fluid threat landscape, traditional signature-based scanning is now just one layer of a multi-tiered approach to endpoint security. Cloud-based file and web reputation checking, HIPS (Host-based Intrusion Prevention System) and behavior analysis have all become integral components of the modern proactive protection system.
如今的安全挑战越发复杂，威胁趋势也越发多变。传统的特征库检测只是端点防护众多层级中的一层。基于云端的文件信誉，网络信誉检测，HIPS与行为分析检测都应该是现代防护体系的有机组成部分。



2. Multi-layered protection 多层防护

F-Secure’s multi-layered approach to security is comprised of the following modules, each designed to address a particular aspect of the threat landscape and work together to provide a complete solution:
f-secure的多层防护由以下的模块组成，每一层都针对网络威胁的一个特定方面，而结合起来便是完整的解决方案。

As mentioned before, most attacks and malware downloads today take place online. Ideally, protection should begin even before the machine environment is reached, by preventing exposure to possible infection points - and so, enter Browsing Protection.
正如上面所提到的，大多数攻击和恶意软件的下载都发生在网络上。因此理想状态下防护应该在恶意软件开始到达机器前就开始生效，阻挡对可能的入口的攻击。——因此我们引入了浏览防护。
To prevent users from inadvertently visiting compromised legitimate or outrightly malicious sites, Browsing Protection provides critical assessment of a website’s security. If the site is known to be malicious, or contains features that render it suspect, the user is cautioned against entering it. To deal efficiently with the millions of sites available on the Internet and their constantly fluctuating changes in security, Browsing Protection’s functionality is based on lookup queries to F-Secure’s Security Cloud (see page 4), which includes a database of known safe and malicious files and websites. The entries are updated automatically in real-time based on rules maintained by response analysts.
为了防止用户无意识地进入已中招的合法网站和本来就不怀好意的网站，浏览防护承担了网页安全的重要组成部分。如果网站已知有害，或者包含可疑的特征，用户会在进入网站时收到警告。为了高效分类每天新上线的几百万个网站以及已有网站的各种变化，浏览防护的功能会连接F-Secure Security Cloud，它包含一个已知安全和恶意的网址库。库中的条目来自每天实时更新的规则，规则本身由响应分析师负责维护。

Though Browsing Protection is able to prevent most visits to known malicious sites, it’s always possible to stumble onto an unrated or newly compromised or malicious site, or for malware to be introduced onto the host machine some other way, perhaps on removable media. If a suspect file does successfully arrive on the machine, it is then subjected to multiple layers of security checks.
虽然浏览防护能够阻挡大多数对已知恶意网站的访问，但是你总会撞见未分级或者是新被感染的网站，或者恶意软件会通过其他途径到达机器，比如可移动存储。如果一个可疑文件到达了机器，辣么它需要经过我们提供的多层安全检测。
Whenever a file arrives on a machine, is installed or modified, it is first scanned using a traditional signature detection engine to determine if it is a known threat. The scanning engine uses custom, family, generic and heuristic detections, which respectively identify specific malware, families of malware with similar features, and broad ranges of malicious physical features and behavior patterns. If the file’s characteristics match those of previously seen malware, it is blocked.
当一个文件被写入到了机器，或者是被安装，被修改时，它会首先被我们的传统特征库检测，以确定是否为已知的威胁。扫描引擎采用了多分类，广谱，通用的启发检测方式，能够分别检测特定的恶意软件，包含相似特征的病毒家族，以及大量包含恶意特征或者是行为的样本。如果一个文件的特征对应了大多数这些已知的恶意特征，则它会被阻拦。
Though often overlooked in favor of more sophisticated technology, signature-based scanning is still an effective method of identifying and blocking the vast majority of malware seen to date, protecting users against lingering threats such as Downadup or Melissa, which debuted and peaked years ago but are still present in the wild, where they continue to infect new victims. The effectiveness of this check depends on keeping the signature database updated with the latest detections.  
虽然与更加复杂的技术相比容易被忽视，但是特征库检测仍然是检测当前大量恶意软件的有效方式。它能够阻拦一些久经沙场却仍然在造成恶劣影响的病毒家族，比如几年前即开始传播的Downadup 和 Melissa。这种检测技术的有效性依靠的是及时保持特征库为最新版本。

If the file isn’t identified as a known threat, a query is sent to F-Secure’s cloud infrastructure to gather the latest metadata available for the file. Analysis is subsequently handled by DeepGuard, which collectively handles all the behavioral analysis, process monitoring and exploit interception of suspect files, both at the point of application launch and during execution.  
如果文件没有被识别为已知威胁，那么f-secure的云端架构会收到一次上传，包含文件的一些最新的元数据。分析本身由DeepGuard操作，它将监控文件全程的行为，监控进程以及可疑文件对漏洞的利用。这种监视在程序的启动和执行过程中都在进行。

欧阳宣

3. More about DeepGuard DG更多细节

Put simply, DeepGuard observes an application’s behavior and prevents any potentially harmful action from successfully completing. The apparently simple nature of this task belies its importance however, as this proactive, onthe-fly monitoring and interception serves as the final and most critical line of defense against new threats, even those targeting previously unknown vulnerabilities.
简而言之，DG观察一个程序的行为，防止任何潜在有害的动作的发生。这个事情本身听起来十分自然，但是作为一项主动的实时监控技术，又是整个体系中针对未知新威胁的最后一道关卡，它的重要性不言而喻。

Behavior-based analysis addresses the Achilles’ heel of signature-based scanning: the need for analysts to have an actual sample of the malware in order to create the signature to identify it. Given the huge numbers of malware constantly being created and distributed, new threats will often be able to successfully infect at least one victim in the wild before most antivirus labs are able to acquire a sample, analyze it and issue a detection.
基于行为的分析检测主要弥补的是特征检测的阿喀琉斯之踵——分析师需要得到样本本身才能针对性编写签名。考虑到每天都有大量的样本产生和分发，每一个新样本在被捕捉到之前往往都能幸运地感染到一两个用户，然后再被分析，对应的检测才发布。

Behavior-based detection covers that crucial gap between the first appearance of new malware and the first signature detection being issued for the threat. By moving the focus from unique physical characteristics to patterns of malicious behavior, DeepGuard can identify and block programs performing harmful actions, even before an actual sample has been acquired and examined.
行为检测主要是弥补了从新病毒出现到首先被特征库检测中间的关键时间差。通过把注意力转移到检测恶意行为的特征上，Deepguard能够识别并阻挡程序的有害动作，即便在对应的样本被获取并分析之前。

For example, out of all Zeus crimeware infection attempts reported in April 2013, 80% involved previously unseen variants. In those cases, DeepGuard successfully prevented infection by recognizing the file’s malicious behavior and blocking the attack. Subsequently, signature databases were updated to identify these samples, but for users facing new threats, DeepGuard’s proactive analysis provides immediate protection against infection.
举个例子，在2013年四月份中间所有已探明的宙斯家族的攻击中，80%的样本都是以前未曾见过的。在这些情况下，DG通过识别恶意行为并阻挡攻击顺利预防了感染。紧接着，特征库的更新也新增了这类的检测，但是对用户来说，DG的前瞻性分析提供了提前的防护。

In 2011, an entirely rewritten DeepGuard engine was introduced that included (among numerous other improvements) a switch from using hard-coded scanning logic to an updateable detections database. Response Labs analysts constantly monitor the threat landscape and analyze the latest threats in order to determine the best way to identify malicious behavior. Being able to update the scanning engine with the results of this research keeps DeepGuard consistently effective against the latest threats.
在2011年，DG的引擎被完全重写，从原来的本地代码式的检测逻辑转向了一个不停更新的检测数据库。响应实验室的分析师不断观察威胁趋势并分析最新样本，并为检测恶意程序行为的最佳方式做出决策。这类研究的结果是扫描引擎的内容得以不断更新，从而对最新的威胁能够保证持续的效果。

Given the short-lived nature of most malware variants, signature detections tend to have narrow windows of effectiveness before the malware they detect ‘expire’. In contrast, DeepGuard detections  can effectively identify malware over a much longer time period, as malware behavior is much less mutable. For example, on 12 July 2012, DeepGuard was updated with one new detection, while the signature database received 600 new additions. Nine months on in March 2013, tests run using the same database set against a random collection of more recent malicious samples showed the DeepGuard detection blocking 12 times more infections of the newer malware than the ‘aged’ set of signature detections.
如今大部分的病毒变种持续时间都不长，特征库检测一般希望能够在这类样本失效之前保证足够的检测效率。但与此相反的是，DG对恶意软件的检测能够持续相当长的一段时间，因为病毒的行为所产生的变化一般很少。比如，在2012年6月12日，DG更新了1条新的检测定义，特征库则更新了600条。九个月后的2013年7月，再用同样的老特征库去检测当时最新的流行样本，结果表明DG即便在未更新的情况下所检测的流行样本也比未更新的特征库多出12倍。

The proactiveness and longevity of DeepGuard detections is illustrated in Chart 2 (above), which is based on detection statistics from F-Secure’s internal systems for Urausy ransomware variants. The DeepGuard detection was able to identify variants (and therefore block attempted infections) earlier and continued to do so for longer, while the equivalent signature detection peaked and then declined rapidly, as newer Urausy variants appeared. (The reason for the signature detection’s higher peak is due to it being a previous defense layer to DeepGuard. Had those signature detections been missed, it would have been DeepGuard with the high peak.)
DG检测的前瞻性和持久性在上面的图表上展现无遗：这是根据f-secure内部对Urausy勒索软件家族检测的统计结果。DG能够提前并且持续检测样本的变种并阻挡恶意行为，而同时对应的特征库检测率先大幅上升又在新变种出现后大幅下降。（每次特征库检测率飙升的原因是因为它是防御体系中相比DG更靠前的一层，每当这些特征失效后，DG的检测率就会上升。）

DeepGuard’s updateable detection logic is especially useful in countering attacks that exploit vulnerabilities in installed programs in order to run malware on a machine. In such cases, the dropped malware itself can be spotted and blocked by signature or behavior-based scanning. To halt the attack at an even earlier stage however - that is, at the point of exploitation - Response Labs analysts examine the exploit mechanism for tell-tale actions or behavior patterns, and then incorporate the research results into DeepGuard’s scanning engine. It is then able to pinpoint and block suspicious actions that bear the hallmarks of a vulnerability exploit attempt, preventing malware from being dropped on the machine at all.
DG可更新的检测机制在应对漏洞类攻击时特别有效。在这类情况下，被释放的恶意软件会被特征库杀掉，或者被行为分析阻挡。但是要想在阻拦这类攻击时更进一步——比如在漏洞第一次出现的时候的话，响应分析师需要分析漏洞出现的形式，特征，再将研究所得结合到DG的扫描引擎中。这样DG能够挑出并阻挡那些符合漏洞标准的行为，同时阻挡衍生物被释放到机器上。

By taking into account characteristic exploitation mechanisms as well as the features and behavior of malware being dropped on the system, DeepGuard can effectively identify and block threats on the fly, even when faced with totally new malware targeting zeroday vulnerabilities.
通过考量有固定特征的漏洞攻击的机制以及恶意软件释放的方式，DG能够实时识别并阻挡威胁，即便是面对完全新鲜的针对零日攻击的威胁。

4. How DeepGuard works DG的工作方式

DeepGuard’s behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyses it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while running.
DG的行为分析通过两种方式触发。当一个程序被首次启动，DG开始分析以决定是否安全。同时DG会在程序运行过程中持续监控程序。

4.1 Pre-launch analysis 启动前分析
When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks:
当程序首次运行时，无论它是通过什么方式被运行（直接运行，通过邮件附件，或者被其他程序调用），DG都将暂缓其运行并进行如下检查：

File reputation check 文件信誉检查
If an Internet connection is available, DeepGuard sends a query to the Security Cloud (see page 4) to check for the latest information on the program’s reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by Response Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once.
如果网络连接可用，DG会发送请求至Security Cloud，查看程序在白名单数据库中的信誉信息。数据库中则包含针对一个巨大的常见软件库的最新安全评估信息。数据库本身也是由分析师一直维护的。被分类为干净的程序被允许立即跳过其它检查，直接启动，但已知的危险文件则会被阻挡。

For the user, the clean file cloud lookup functionality offers a number of advantages. Being able to use the security verdict for a known file from the clean file database not only removes the burden of identifying unknown or unfamiliar programs as legitimate or malicious from the user, it also means unnecessary security checks on clean files can be avoided. At the same time, by reducing to a manageable level the volume of software that needs to be individually evaluated, the ability to still white- or black-list selected programs becomes more meaningful. And finally, even when the product’s signature databases are outdated or rarely updated, DeepGuard can still use the most up-to-date file reputation information to fine-tune its analysis.
对用户来说，白文件查询有很多好处。通过和已知白文件的数据库进行比对，用户不仅不再需要自己去识别未知或者是不熟悉的程序，对白文件所不需要的安全检查也被省掉了。同时，由于将需要单独分辨的软件数量降低到一个合理的范围，把程序拉白或者拉黑的行为也有了更多的意义。而且最终，即便特征库并不是最新或者很少更新，DG仍然能够通过最新的文件信誉库来调整对程序的分析。

Behavioral analysis 行为分析
If the program is flagged as suspicious during the file reputation check, or if Internet access is unavailable, DeepGuard executes it in a virtual environment and observes its behavior for malicious actions, such as attempting to self-replicate, edit or delete critical system files, and so on.  
如果程序在文件信誉中被判定为可疑，或者网络不可用时，DG将在虚拟环境中运行此程序，并观察其是否有恶意行为，比如尝试自我复制，编辑或者删除关键系统文件等。
Response Labs analysts continually research and update DeepGuard’s scanning logic with detections for the most effective behavior patterns needed to spot malware. These detections may identify specific malware families (which typically share similar features or behavior) or they may more generally identify suspect actions, such as attempting to hide from process enumeration programs, which are indicative of malicious intent. The analyst’s ability to tweak DeepGuard’s engine in this manner permits an element of human discretion and flexibility, to provide a more fine-grained and ultimately more accurate analysis.
响应实验室的分析师不停在研究和更新DG的扫描逻辑，确保DG包含针对恶意软件的最有效率的检测。这些检测可以识别特定的病毒家族（它们通常具有相似的特征或是行为），或者是识别更广谱的恶意行为，比如躲避进程列举软件，这也是一个恶意行为的常见标志。分析师不停优化DG的引擎，确保达到如同真人分析一样的细致性和可变性，提供更加完善而精准的分析效果。

Prevalence rate check 共用率检测
DeepGuard includes a module that focuses on a file’s prevalence rate. Clean files typically have thousands or millions of users, making them highly prevalent. In contrast, malware samples are comparatively rare. According to statistics generated from F-Secure’s internal systems monitoring known threats, in a random sample of malicious programs found in the first four months of 2013, 99.7% of the threats were rarely seen in our user base. Rare or new files are automatically considered more suspect and subjected to greater scrutiny during the subsequent process monitoring stage.
DG还包含一个检测文件共用率的模块。白文件往往拥有大量用户，这使得它们的共用率非常高。而恶意样本则相反，会显得很稀有。根据F-secure监测已知威胁的统计数据，在2013年前四个月的随机恶意样本中，有99.7%的威胁在我们的用户中都很少看到。稀有或者是新的文件会被自动看作更加可疑，在接下来的进程监控中会受到更大的关注。

Judgement on execution 运行时的决策
Based on the file’s reputation and behavior during emulation, DeepGuard makes one of four possible judgements:
根据文件信誉，以及模拟运行的结果，DG会做出以下四种判断：

a) The file is malicious and blocked -程序有害，拦截
b) The user is given the option to allow or deny the launch -用户会收到提示，并选择允许或阻止运行
c) The file is clean and allowed to execute -文件安全，允许运行
d) The file’s status as clean or malicious is still unknown -文件的状态仍然未知

If the file is blocked from launching, a notification message is displayed (see Image 1, previous page) providing additional details and an option to whitelist the program, if so desired.
如果程序被阻止运行，会显示一个通知。通知给出了阻挡操作的细节，以及将此程序加入白名单的选项。

If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.
如果文件的状态仍然未知，DG将允许文件运行，但会在接下来的运行过程中继续监控进程。

4.2 During application execution 程序运行中

Even after a program has successfully passed pre-launch analysis and is executed, DeepGuard continues to monitor its behavior as a precaution against delayed malicious routines, a common tactic used by malware to circumvent runtime checks. This form of quiet vigilance also allows DeepGuard to provide constant protection for the user without visibly intruding on their experience by displaying excessive prompts.
即便是程序突破了启动前分析，开始运行，DG将继续检测其行为，这是为了预防一些被恶意软件常常用到的延后策略。这种安静但警戒的方式还允许DG在不通过超多弹窗来打扰用户体验的同时确保持续的防护。

Process monitoring Applications are monitored for a number of suspicious actions, including (but not limited to):
程序进程监测会监控包含但不限于以下的可疑行为：
•        Modifying the Windows registry -修改注册表
•        Editing files in certain critical system directories -在关键系统目录编辑文件
•        Injecting code in another process’s space -在另一个进程的内存空间插入代码
•        Attempting to hide processes or replicate themselves -尝试隐藏自身，或复制自身

As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing.
由于安全程序也会多次执行这类操作，DG并非根据单次行为就直接对程序报警。只要可疑活动超过了一个关键阙值，DG就会阻拦程序继续进行。

If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this critical threshold. For example, DeepGuard treats files with a low-prevalence rating more aggressively by lowering the critical threshold of suspicious actions that can be performed before the file is blocked.
如果可能的话，文件信誉和共用率检测的结果都会纳入对这个关键阙值的确定过程。比如，对共用率较低的文件，DG就会在阻拦之前将阙值调低。

欧阳宣

5. Exploit interception
针对漏洞的防护
Starting in 2013, DeepGuard also employs two exploit interception methods that extend the dynamic protection of on-host behavioral analysis by focusing specifically on monitoring the processes of programs that are commonly targeted for exploitation and on document file types commonly used to deliver exploits.   
从2013年开始，DG加入了两种漏洞的侦测方式来拓展动态行为分析的范围：针对特定的，容易被针对的程序进程进行监控或者是针对容易被用来探测漏洞的文件类型。

5.1 Monitoring exploit-prone programs
监控容易发现漏洞的程序
The first method focuses on frequently exploited programs such as Java Runtime Environment (JRE), Adobe Reader, Microsoft Office and so on. These programs are kept under especially close watch and are blocked more aggressively if malicious behavior is detected.
第一个方法是重点关注经常被发现漏洞的程序，比如java运行环境，Adobe Reader, Microsoft Office等等。这些程序会受到格外的密切监控，如果检测到恶意行为，阻拦的标准也更加靠前。
Of course, which programs become favored targets is unlikely to stay fixed. For example, it was only in the last two years that JRE superseded Adobe Reader as the most exploited software; in the future, another program may assume that unenviable distinction. The specific programs chosen by DeepGuard for closer attention can be updated by Response Labs analysts when necessary, a responsive approach that allows DeepGuard to adapt to changes in the threat landscape.  
当然，这类程序的列表也不是固定的。比如java运行环境超越Adobe Reader成为最常被攻破的软件也就是这一两年的事。在将来，可能会有其他程序遭此厄运。被DG特殊关照的特定程序会在需要的时候由响应实验室的分析师进行更新，这是响应实验室根据网络威胁趋势做出应对的一种方式。
5.2 Monitoring for document exploits
监控文档漏洞
Some document types, such as Microsoft Word or Adobe PDF, are commonly used to deliver exploits. Thus, any software used to open these types of documents is also subject to greater attention by the second exploit interception method, which scrutinizes these programs closely for suspicious behavior caused by malicious document files.
This form of exploit interception addresses the most common form of targeted attacks, which involve sending carefully crafted, exploit-loaded documents to the intended victim or organization, such as occurred during the 2011 RSA breach and the early 2013 attacks reported as ‘Red October’ [4]. In these cases, booby-trapped Excel and Word files were used to exploit well-known vulnerabilities in these programs.
By focusing on detecting malicious actions originating from document files, this single method in DeepGuard is able to provide significant breadth of coverage against document-based exploits, regardless of the file’s physical features or the specific vulnerability being targeted.
某些文件类型，比如word文档和PDF，经常被用来发送漏洞攻击。因此任何一个想要打开这类文件的软件就会受到第二种漏洞侦测的监控，会被严密监视恶意文件的任何可疑行为。
这种漏洞侦测方式主要针对的是最为常见的目标性攻击，在这类攻击中样本呈现出精巧伪装，满载漏洞的姿态被发送到特定的受害人或者组织中。比如2011年RSA密钥丑闻以及2013年“红色十月”攻击。DG仅凭这一种方法就能对基于文档的漏洞攻击提供显著的防护，不管文档的特征为何，所利用的又是哪个漏洞。

6. False positives prevention
对误报的预防
A separate beta detections module that was added to DeepGuard in 2011 facilitated an understated but important improvement to the accuracy of the scanning engine’s performance.
Beta detections contain the full detection logic needed to identify and block exploit attempts, but are instead configured by response analysts to simply notify the Security Cloud each time the detection would have been triggered by a file being analyzed.
This beta-testing process provides response analysts with crucial information on the effectiveness of these detections, allowing them to fine-tune the logic to prevent potential false positives before actually releasing them for real-world use.
DG在2011年加入了一个独立的测试版模块，旨在为扫描引擎的精准度提供稳步的改进。
beta版检测过程包含检测和阻挡漏洞攻击的完整的流程，但是会在文件分析每一次需要阻挡一个文件时向Security Cloud发送告知。
这个测试版检测模块为响应分析师评估检测的效率提供了重要的信息，允许他们在正式发布某个检测定义之前进行优化。

7. Conclusion
总结
F-Secure’s security products use a multi-tiered approach comprised of multiple components that address challenges presented by threats seen in the real world. The behavioral analysis and process monitoring functions performed by DeepGuard are critical in identifying and blocking the most sophisticated malware prevalent today.
f-secure的安全产品采用多层防护的复合来应对真实世界中的复杂威胁。DG负责行为分析和进程监视，对识别和防御最最隐蔽的威胁至关重要。
DeepGuard provides immediate, proactive on-host protection against new and emerging threats by focusing on malicious application behavior, rather than through static identification of specific known threats. This shift in focus allows DeepGuard to identify and block even previously unseen malware based on their behavior alone, neatly providing protection until security researchers are able to analyze and issue a detection for that specific threat.
DG采用实时，主动的主机防御来应对恶意软件的行为本身，在分析师能够分析而且注意到这个威胁之前就提供充足的防护。
Through cloud lookups to F-Secure’s Security Cloud, DeepGuard is also able to use the latest file reputation information available for any previously encountered object to fine-tune its security evaluations, reducing the risk of false positives or redundant analyses that can interfere with the user’s experience.
通过调用Security Cloud分析，DG同样能够利用以往文件最新的文件信誉信息来调整安全评估，不仅降低了误报的风险，更免去了可能干扰用户使用体验的无谓检测。
DeepGuard’s on-host behavioral analysis also extends to intercepting attacks attempting to exploit vulnerabilities in popular programs in order to install malware onto the machine. DeepGuard is able to identify and block routines characteristic of an exploit attempt, preventing exploitation and in turn, infection. Exploit interception safeguards users from harm even when vulnerable programs are present on their machine.
DG基于主机的行为分析同样能拦截针对常见软件的漏洞攻击，防止恶意软件被释放到机器上。DG还能识别并阻拦嗅探未知漏洞的行为特征，从而拦截对应的感染。对漏洞的预防使得用户在已经存在漏洞的机器上依然能得到防护。
DeepGuard combines sophisticated scanning engine technology with the technical expertise of F-Secure Response Labs analysts to perform accurate, fine-grained on-host behavior- and reputationbased analysis that ultimately significantly improves the user’s security.
DG将精密复杂的扫描机制与f-secure响应分析师的优化结合起来，提供精准，最优的行为与信誉分析，为用户的安全提供终极的加持。



THE ROAD TO DEEPGUARD
DeepGuard的演化进程

2006
Heuristic analysis technology introduced -引入启发分析
DeepGuard 1.0 introduces behavioral analysis to complement existing signature-based detection technology. When a program is launched, DeepGuard performs two tests - a static check for features commonly found in malware and emulation of the program in a virtual sandbox to evaluate its behavior. Programs that show no features or behavior matching known malware are allowed to execute as normal; those with tell-tale characteristics or malicious routines are blocked from execution
DG 1.0引入了启发分析，用行为分析对特征库检测进行弥补。当一个程序开始运行时，DG会进行两个检测：一是针对恶意软件常见特征的静态检测，二是在虚拟沙箱中对行为的评估。正常和包含已知恶意特征的程序会按照通常的方式处理；而具有恶意行为或者是标志性特征的程序会被阻止运行。


2008
First AV product to incorporate cloud lookups -业界首先加入云鉴定的反病毒产品
In addition to signature scanning and emulation,  DeepGuard 2.0 queries the Security Cloud for an almost instantaneous check of a suspect file’s reputation. Response Labs analysts constantly monitor and update file reputation information, providing crucial human intelligence to the automated process.
除了特征检测和虚拟技术，DG2.0会对未知文件的信誉立刻询问Security Cloud。响应分析师持续监控和更新文件信誉信息，为自动化的过程添加了重要的人工调校。

2010
File metadata used in DeepGuard detection logic -文件元数据加入DG检测过程
In addition to signature detection and behavioral analysis layers, DeepGuard 3.0 includes a component that uses a file’s metadata - e.g., the file’s rarity, when it was first seen, related objects, and more - to gauge its threat potential. This feature allows malware to be identified using reputation-based factors such as whether the file was downloaded from a known malicious site, without needing further examination of its features or behavior
除了特征检测和行为分析层，DG3.0加入了利用文件元数据——比如文件的共用率，第一次出现的日期，相关组件等等来分析威胁性。这个功能允许通过信誉因素来确定一个病毒，比如它是否来自于恶意软件的下载，跳过了后续的更多检测。

2011 Prevalence logic increases effectiveness against rare files -针对稀有文件的补救机制
DeepGuard 4.0 revises the scanning engine to use updateable detections and beta detections for false alarms reduction. It also improves the prevalence logic used to identify files that are both rare and malicious, a feature that proves decisive in winning both AV-Comparative’s 2011 Product of the Year award and AV-Test’s 2012 Best Protection Award  [3]  
DG4.0采用了可更新的扫描引擎和beta版定义来减少误报。我们还加入了检测少见和恶意文件的通用逻辑，这个功能对我们拿下2011年AV-C年度产品奖和2012年AV-T最佳防护奖至关重要。

2013 Enhanced protection against exploit-based attacks 针对漏洞攻击的增强防护
Malware infections facilitated by exploits targeting  vulnerabilities in common applications have become a favored attack vector. DeepGuard 5.0 introduces enhanced behavior-based detection logic, including a module that monitors the runtime behavior of commonly targeted programs and potential attack files. This broad behavioral analysis approach allows DeepGuard to identify and intercept exploit-based attacks, regardless of the specific vulnerability targeted
针对常见程序中漏洞的攻击日趋增多。DG5.0引入了针对性的行为检测机制，包含专门检测容易受到攻击的程序和重点可疑文件类型的模块。这个广谱的检测方式让DG可以拦截并阻挡漏洞攻击，无论所针对的漏洞是什么。

水晶蓝

搶沙發啊！！！！！！
主要F安全在國內賣的太貴了！！
很多國外殺軟想要進入國內都需要面對的問題，就是價格太離譜。感覺100塊以內1年，偶爾有些優惠活動是最好的。
期待F安全更加本土化！

T.Yoshiyuki

支持！DG技术跟IDP差不多，表现在实际操作中都非常简洁（弹个框框），很有必要让大家了解其中技术！

nick20010117

看过文件，挺不错的，dg唯一缺点就是自保

呼啸风影

FS在任务管理器被终结了，就是后台服务不知还在不在了

ericdj

翻译辛苦了，必须要赞！

青春虎

强力顶上，这个白皮书好像是旧版的