[Discussion] A brief introduction to the proactive defense modules of some antivirus products

pkuyzy
Posted on 2016-4-6 17:22:39
Last edited by pkuyzy on 2016-4-6 17:57

These were all excerpted from the respective antivirus vendors' white papers.


DG
4. How DeepGuard works
DeepGuard's behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyses it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while running.

4.1 Pre-launch analysis
When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks:

File reputation check

If an Internet connection is available, DeepGuard sends a query to the Security Cloud to check for the latest information on the program's reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by Response Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once.

For the user, the clean file cloud lookup functionality offers a number of advantages. Being able to use the security verdict for a known file from the clean file database not only removes the burden of identifying unknown or unfamiliar programs as legitimate or malicious from the user, it also means unnecessary security checks on clean files can be avoided. At the same time, by reducing to a manageable level the volume of software that needs to be individually evaluated, the ability to still white- or black-list selected programs becomes more meaningful. And finally, even when the product's signature databases are outdated or rarely updated, DeepGuard can still use the most up-to-date file reputation information to fine-tune its analysis.

Behavioral analysis

If the program is flagged as suspicious during the file reputation check, or if Internet access is unavailable, DeepGuard executes it in a virtual environment and observes its behavior for malicious actions, such as attempting to self-replicate, edit or delete critical system files, and so on.

Response Labs analysts continually research and update DeepGuard's scanning logic with detections for the most effective behavior patterns needed to spot malware. These detections may identify specific malware families (which typically share similar features or behavior) or they may more generally identify suspect actions, such as attempting to hide from process enumeration programs, which are indicative of malicious intent. The analyst's ability to tweak DeepGuard's engine in this manner permits an element of human discretion and flexibility, to provide a more fine-grained and ultimately more accurate analysis.

Prevalence rate check

DeepGuard includes a module that focuses on a file's prevalence rate. Clean files typically have thousands or millions of users, making them highly prevalent. In contrast, malware samples are comparatively rare. According to statistics generated from F-Secure's internal systems monitoring known threats, in a random sample of malicious programs found in the first four months of 2013, 99.7% of the threats were rarely seen in our user base. Rare or new files are automatically considered more suspect and subjected to greater scrutiny during the subsequent process monitoring stage.

Judgement on execution

Based on the file's reputation and behavior during emulation, DeepGuard makes one of four possible judgements:

a) The file is malicious and blocked
b) The user is given the option to allow or deny the launch
c) The file is clean and allowed to execute
d) The file's status as clean or malicious is still unknown

If the file is blocked from launching, a notification message is displayed providing additional details and an option to whitelist the program, if so desired.

If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.

4.2 During application execution
Even after a program has successfully passed pre-launch analysis and is executed, DeepGuard continues to monitor its behavior as a precaution against delayed malicious routines, a common tactic used by malware to circumvent runtime checks. This form of quiet vigilance also allows DeepGuard to provide constant protection for the user without visibly intruding on their experience by displaying excessive prompts.

Process monitoring

Applications are monitored for a number of suspicious actions, including (but not limited to):

- Modifying the Windows registry
- Editing files in certain critical system directories
- Injecting code in another process's space
- Attempting to hide processes or replicate themselves

As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing.

If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this critical threshold. For example, DeepGuard treats files with a low-prevalence rating more aggressively by lowering the critical threshold of suspicious actions that can be performed before the file is blocked.


@root1605, if anything here is wrong, please point it out. Thanks.


pkuyzy
OP | Posted on 2016-4-6 17:22:58
Last edited by pkuyzy on 2016-4-6 17:56

APC
The Avira Protection Cloud process begins when a single APC-protected PC, located anywhere in the world, accesses an unrecognized file. When this occurs, the user receives an alert and the Avira Protection Cloud process automatically swings into action.

In mere split seconds after the unknown (not suspicious, simply unrecognized) file is accessed, a “fingerprint” of this unidentified file is instantly uploaded to the Avira Protection Cloud. Once received, the file’s fingerprint is compared to the millions and millions of safe and unsafe file definitions already stored in the Avira Protection Cloud. If the file corresponds to a previously recognized file that is known to be safe, the process is approved, the user accesses the file and life goes on as normal.

However, if the file cannot be identified, the APC will request the user to upload the complete file for a full analysis. After scanning, if this full file is found to include malware, the APC will instantly quarantine it and define it as “malicious”. The APC completes this process in a matter of seconds (of course, if the file is infected, the user will also receive an alert).

On the other hand, if the new file is determined to be malware free, the APC will label this file as “safe” and make that information available to all requesting APC users, preventing them from having to complete the same process.



In fact, Avira's APC also performs behavioral analysis in its cloud, which is why Avira is often called a cloud-based proactive defense.
As for how the analysis is actually done in the cloud... @诸葛亮, could you explain?
pkuyzy
OP | Posted on 2016-4-6 17:23:19
IDP
The third and final layer is unique to AVG 9 and keeps your data safe against new and unknown threats. It does this through co-operation between our Resident Shield, firewall, and identity protection modules, using cutting-edge technologies like behavioral analysis, in-the-cloud testing, and application whitelisting. This co-operation enables the modules to share malware information with each other, increasing our ability to detect and remove threats for which signatures have not yet been issued.
Now all the holes are overlapped and nothing can get past your PC protection.
“If it looks like a duck, quacks like a duck and waddles like a duck, then it probably is a duck”. While this saying may seem completely irrelevant to the subject of malware detection it is, in fact, anything but. In much the same way that a person can identify a duck by its waddle and quack, a security product can identify malware by its behavioral characteristics. The process is known as heuristic detection or heuristic analysis.

To be able to steal user data, malware must perform certain actions that would not normally be performed by a legitimate program. For example, a legitimate program would not normally attempt to conceal its presence on a computer, inject code into another program, log user keystrokes or access areas of the computer in which passwords are stored. By looking for such behaviors, heuristic security products are able to identify potentially malicious programs and block them before they can cause any harm.
The main advantage of this approach is that the window of opportunity – that is, the time between a new piece of malware being released and a signature for it being released – is completely eliminated. Accordingly, unlike signature-based products, heuristic products are able to protect against both known and unknown threats.

This is the approach taken by AVG Identity Protection. AVG’s behavioral analysis technology detects and deactivates any suspicious activity on your PC before it can cause damage. In addition, it all happens in the background, in real time, and with minimal impact on system performance.

Benefits of Identity Protection’s behavioral analysis include:

- Identity theft prevention through detection and blocking of new and unknown threats such as rootkits, Trojans, and keyloggers
- An instant layer of continuous proactive protection without the need for signatures or scanning
- A false positive rate that’s 10 times lower than other behavior-based products

In AVG 9, Identity Protection is further enhanced by the ability to track malware installs through hijacked processes, which significantly improves removal results, together with new behavior to detect malware that copies itself all over the machine.

Like LinkScanner, AVG Identity Protection does not require other AVG products to be installed and running. However, when run with other AVG products, the combination delivers a highly effective layered security approach.

© 2009 AVG Technologies CZ, s.r.o. All Rights Reserved. AVG is a registered trademark of AVG Technologies CZ, s.r.o. All other trademarks are the property of their respective owners.

@aboringman, AVG is the one I know the least about... there are many errors in the translation, please point them out.
pkuyzy
OP | Posted on 2016-4-6 17:24:44
Last edited by pkuyzy on 2016-4-6 17:55

ATC
Bitdefender Active Threat Control:
Heuristic detection advances to the next level


Starting with 100 heuristics in 2010, Active Threat Control has been developed to have more than 300 to date. They are constantly fine-tuned, updated, and improved by a dedicated team of security researchers and engineers from Bitdefender Labs. In order to provide maximum security, all Bitdefender products using Active Threat Control follow a four step scanning sequence:

Step 1: Each time a file is accessed, copied or downloaded via Web, Email or Instant Messenger, the file is intercepted by either the Bitdefender File System driver or the appropriate proxy and sent for scanning;

Step 2: The file is checked against the Bitdefender Signature Database (a database of malware “fingerprints”) that is updated on an hourly basis. If the file’s content matches one of the signatures, the product automatically tries to disinfect the threat. If this action fails, the file is moved into quarantine. If no signature is matched, the file is sent to B-HAVE to be checked.

Step 3: B-Have checks the file by running it in a virtual environment inside the Bitdefender Engine, designed to emulate the behavior of an actual computer. If the file exhibits suspicious, malware-like activity, B-Have reports the file as malicious. If not, the file is declared clean and the process is allowed to run;

Step 4: Active Threat Control monitors actions of specific processes as they are running in the OS. It looks for behavior specific to malware and assigns a score for each process based on its actions and the context in which those were done. When the overall score for a process reaches a given threshold, the process is reported as harmful. Depending on the user profile, it is either terminated to isolate and remediate the threat or the user is prompted to specify the action that is to be taken (depending on the settings profile of the Bitdefender product).
User profiles are product specific. Usage of user profiles may vary in products.

Active Threat Control continuously monitors all running applications and processes. To extend the flexibility and performance there are some exceptions:

- White-listed processes that are specifically excluded from monitoring by the user
- Validated system processes that have been tagged by Bitdefender Application Reputation to be clean.

Active applications and processes are continuously monitored for suspicious behaviors, like:

- Copying or moving files in System or Windows folders or limited access disk location
- Executing or injecting code in another processes’ space in order to run with higher privileges
- Running files that have been created with information stored in the binary file
- Self-replication
- Creating an auto-start entry in the registry, accessing or executing illegal operations on registry locations that require elevated privileges
- Dropping and registering drivers

As legitimate applications will sometimes perform one or more of these actions (such as creating an autostart entry), Active Threat Control does not determine a process to be malicious based on any single action; instead, it keeps a running score and only categorizes an application as malicious when a certain threshold is reached. This minimizes incidences of misidentification (false-positives) avoiding unnecessary intervention by the user.



There is one short passage of the translation that for some reason won't upload... the forum says it contains "inappropriate content".
@ccboxes, if there are any errors please point them out. Thanks.
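The running-score mechanism described in Step 4 of the ATC excerpt above, combined with the DeepGuard rule that a low cloud prevalence lowers the block threshold, as an added Python illustration that is not vendor code. The action names, weights, base threshold and prevalence cut-off are assumed values chosen only to show how a single action is tolerated while an accumulated score triggers a block.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"

# Assumed weights per suspicious action (hypothetical values, not vendor data).
ACTION_WEIGHTS = {
    "registry_autostart": 3,   # creating an auto-start entry
    "write_system_dir": 3,     # editing files in critical system directories
    "inject_code": 5,          # injecting code into another process's space
    "hide_process": 5,         # hiding from process enumeration
    "self_replicate": 6,       # copying itself around the machine
    "drop_driver": 4,          # dropping and registering drivers
}
BASE_THRESHOLD = 10  # assumed default score at which a process is blocked

def threshold_for(prevalence: Optional[int]) -> int:
    """Block threshold for a file; rare or unknown files get a lower one."""
    if prevalence is None:    # no cloud data (offline): somewhat stricter
        return BASE_THRESHOLD - 2
    if prevalence < 100:      # assumed cut-off for "low prevalence"
        return BASE_THRESHOLD // 2
    return BASE_THRESHOLD

@dataclass
class MonitoredProcess:
    name: str
    prevalence: Optional[int] = None   # users seen in the cloud, if known
    score: int = 0

    def observe(self, action: str) -> Verdict:
        """Record one action, update the running score, return a verdict."""
        self.score += ACTION_WEIGHTS.get(action, 0)  # unknown actions: neutral
        if self.score >= threshold_for(self.prevalence):
            return Verdict.BLOCK
        return Verdict.ALLOW

def run_trace(name: str, prevalence: Optional[int],
              actions: List[str]) -> Tuple[Verdict, int, int]:
    """Feed an action trace; return (verdict, score, actions seen at decision)."""
    proc = MonitoredProcess(name, prevalence)
    for i, action in enumerate(actions, 1):
        if proc.observe(action) is Verdict.BLOCK:
            return Verdict.BLOCK, proc.score, i
    return Verdict.ALLOW, proc.score, len(actions)

if __name__ == "__main__":
    # Constructed traces: a widely used installer and a rarely seen dropper.
    installer = ["registry_autostart", "write_system_dir"]
    dropper = ["write_system_dir", "inject_code", "self_replicate"]
    print(run_trace("setup.exe", 50_000, installer))  # (ALLOW, 6, 2)
    print(run_trace("setup.exe", 3, installer))       # (BLOCK, 6, 2)
    print(run_trace("x.exe", 50_000, dropper))        # (BLOCK, 14, 3)
```

The same two-action installer trace is allowed for a common file but blocked for a rare one, which is exactly the prevalence-adjusted threshold the DeepGuard text describes.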
pkuyzy
OP | Posted on 2016-4-6 17:29:47
Last edited by pkuyzy on 2016-7-19 10:51

This is the SONAR white paper:
http://www.symantec.com/content/ ... re%20Protection.pdf
lovelive10010
Posted on 2016-4-6 17:44:44
What is Kaspersky's proactive defense called? SW something?
cfhdrty
Posted on 2016-4-6 17:45:57
Don't judge by the advertising, judge by the results.


pkuyzy
OP | Posted on 2016-4-6 17:46:51
lovelive10010 posted on 2016-4-6 17:44:
What is Kaspersky's proactive defense called? SW something?

Well... I actually overlooked Kaspersky... I won't look it up for now... we'll see if I have time...
@pal家族, have you written an introduction to that before?
pkuyzy
OP | Posted on 2016-4-6 17:48:22
cfhdrty posted on 2016-4-6 17:45:
Don't judge by the advertising, judge by the results.

I've also been looking for solid technical material on this, but it seems hard to find. Is there somewhere I can read it?
Looking these up does at least give a basic understanding... and white papers aren't entirely advertising either.
cfhdrty
Posted on 2016-4-6 17:51:02
pkuyzy posted on 2016-4-6 17:48:
I've also been looking for solid technical material on this, but it seems hard to find. Is there somewhere I can read it?
Looking these up does at least give a basic understanding... ...

Actually I was just imitating Uncle Zhao's line; of course I'm not saying this is advertising. It's just that I care more about real results: plenty of people use antivirus software, but how many actually understand it?