This post was last edited by pal家族 on 2016-5-5 23:07.
Honestly, how embarrassing... Kaspersky's SW, Norton's SONAR and Trend Micro's 宙斯 (Aegis) are all rule-based...
What is the System Watcher component in Kaspersky PURE 2.0?
http://support.kaspersky.com/7587
The System Watcher component in Kaspersky PURE 2.0 collects data about the actions performed by applications on your computer and gives this information to other components for improved protection.
On the basis of the information collected, the System Watcher component allows you to roll back actions performed by malicious applications. In Kaspersky PURE 2.0, information about suspicious actions in the system is collected not only for the current session, but also for previous sessions. This makes it possible to roll back all actions performed by the application if the application is subsequently recognized as malicious.
Rolling back actions after malicious activity is detected in the system can be initiated either by the System Watcher component on the basis of patterns of dangerous behavior, or by Proactive Defense, or by running a virus scan task, or during the operations of File Anti-Virus.
Kaspersky PURE 2.0 includes support for updatable heuristics. Updatable heuristics are a regularly updated set of patterns of dangerous application behavior.
With this technology, when a new virus or a new modification of already known malware is detected, the whole System Watcher module is not updated; instead, a new pattern is added to the heuristics database, which is updated together with Kaspersky Lab's antivirus databases. This technology allows you to block other malicious software with similar behavior.
The operation mode of Kaspersky PURE 2.0 determines the way that this component reacts when an application's actions coincide with the patterns of dangerous behavior, and also determines whether to roll back a malicious application's actions. After detecting suspicious events in the system, the protection components of Kaspersky PURE 2.0 can request additional information from the System Watcher component.
In the interactive mode of Kaspersky PURE 2.0 you can view incident data collected by the System Watcher component in the form of a report on dangerous activity history, allowing you to make a decision about which action to take in the notification window. When the component detects a potentially dangerous application, a link to the System Watcher report is displayed in the upper part of the notification window with a request to take action.
Kaspersky PURE 2.0 includes the Applications Activity module, with which you can view information about installed applications and currently launched applications (such as information about an application's status and the level of trust attributed to it by Kaspersky PURE 2.0). You can find more detailed information about this in KB7936.
What the OP described is mostly used in the scanning component:
Heuristic analysis in Kaspersky Internet Security 2013
http://support.kaspersky.com/8936
A heuristic analyzer (or simply, a heuristic) is a technology for detecting viruses that cannot be detected by the anti-virus databases. It allows detecting objects suspected of being infected by unknown viruses or by new modifications of known viruses. Files found by the heuristic analyzer are considered to be probably infected.
An analyzer usually begins by scanning the code for suspicious attributes (commands) characteristic of malicious programs. This method is called static analysis. For example, many malicious programs search for executable programs, open the files found and modify them. A heuristic examines an application’s code and increases its “suspiciousness counter” for that application if it encounters a suspicious command. If the value of the counter after examining the entire code of the application exceeds a predefined threshold, the object is considered to be probably infected.
The advantages of this method include ease of implementation and high performance. However, the detection rate for new malicious code is low, while the false positive rate is high.
Thus, in today’s antivirus programs, static analysis is used in combination with dynamic analysis. The idea behind this combined approach is to emulate the execution of an application in a secure virtual environment before it actually runs on a user’s computer. In their marketing materials, vendors also use another term - “virtual PC emulation”.
A dynamic heuristic analyzer copies part of an application’s code into the emulation buffer of the antivirus program and uses special “tricks” to emulate its execution. If any suspicious actions are detected during this “quasi-execution”, the object is considered malicious and its execution on the computer is blocked.
The dynamic method requires significantly more system resources than the static method, because analysis based on this method involves using a protected virtual environment, with execution of applications on the computer delayed by the amount of time required to complete the analysis. At the same time, the dynamic method offers much higher malware detection rates than the static method, with much lower false positive rates.
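To make the "suspiciousness counter" from the KB8936 text concrete, here is an added toy static heuristic scanner. It is not Kaspersky's code and not from the original post: the indicator list, the weights, the combined "enumerate *.exe, open, write" rule and the threshold are all assumptions picked for the demo, and the three "binaries" are constructed byte strings standing in for extracted import names and strings. It also shows the false-positive problem the text mentions: a harmless installer that enumerates and writes .exe files trips the same rule as a file infector.

```python
"""Toy static heuristic analyzer in the style of the 'suspiciousness counter'
described above. Added illustration only; indicators, weights and threshold
are hypothetical, and the samples are constructed, not real binaries."""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical indicators a static analyzer might find among a PE's imported
# API names and strings, with hypothetical weights. Real engines tune these
# against large clean/malicious corpora; these numbers are for the demo only.
INDICATORS: dict[bytes, int] = {
    b"FindFirstFileA": 1,      # enumerating files ...
    b"FindNextFileA": 1,
    b"WriteFile": 1,           # ... and writing to them
    b"CreateRemoteThread": 3,  # code injection into another process
    b"WriteProcessMemory": 3,
    b"VirtualAllocEx": 2,
    b"URLDownloadToFileA": 2,  # downloader behaviour
    b"RegSetValueExA": 1,      # registry persistence
    b"IsDebuggerPresent": 2,   # anti-analysis
}

# Combined rule for the classic file-infector pattern from the text:
# search for executables, open the files found, modify them.
INFECTOR_PATTERN: tuple[bytes, ...] = (b"FindFirstFileA", b"*.exe", b"WriteFile")
INFECTOR_BONUS = 3

THRESHOLD = 5  # hypothetical: a score at or above this is "probably infected"


@dataclass
class Verdict:
    score: int = 0
    hits: list[str] = field(default_factory=list)

    @property
    def probably_infected(self) -> bool:
        return self.score >= THRESHOLD


def scan(code: bytes) -> Verdict:
    """Static pass: increment the counter for each suspicious indicator found."""
    v = Verdict()
    for needle, weight in INDICATORS.items():
        if needle in code:
            v.score += weight
            v.hits.append(needle.decode())
    # Sequence rule: all parts of the infector pattern present together.
    if all(part in code for part in INFECTOR_PATTERN):
        v.score += INFECTOR_BONUS
        v.hits.append("file-infector pattern")
    return v


# Constructed samples standing in for the import tables / strings of three files.
SAMPLES: dict[str, bytes] = {
    # Backup utility: enumerates and writes files, but only *.bak -> stays clean.
    "backup_tool": b"MZ\x90\x00FindFirstFileA\x00FindNextFileA\x00WriteFile\x00*.bak\x00",
    # Installer: enumerates *.exe and writes them -> trips the infector rule (false positive).
    "installer": b"MZ\x90\x00FindFirstFileA\x00WriteFile\x00setup.exe *.exe\x00",
    # File infector: same pattern plus anti-debugging -> well over threshold.
    "infector": (b"MZ\x90\x00FindFirstFileA\x00FindNextFileA\x00*.exe\x00"
                 b"WriteFile\x00IsDebuggerPresent\x00"),
}


def scan_all() -> dict[str, Verdict]:
    return {name: scan(code) for name, code in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        flag = "PROBABLY INFECTED" if verdict.probably_infected else "clean"
        print(f"{name:12s} score={verdict.score:2d} {flag:17s} hits={verdict.hits}")
```

The backup tool scores 3 and passes; the infector scores 8 and is flagged; but the installer also reaches exactly 5 and is flagged, which is the low-detection, high-false-positive trade-off the text attributes to pure static analysis and the reason engines pair it with emulation.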