I thought you were referring to Avira's Active Control on 32-bit systems.
Strictly speaking, APC doesn't count as proactive defense (主防)...
Proactive defense judges a program's behavior directly; APC uploads the file to the cloud for analysis. If the file has previously been judged to be a problem, it is killed outright; otherwise a full analysis is run, i.e. its behavior is executed in the cloud.
That is not the same thing as what we usually define as proactive defense, such as ATC, SW, sonar, dg, idp and so on.
The following is excerpted from Avira's whitepaper:
APC
The Avira Protection Cloud process begins when a single APC-protected PC, located anywhere in the world, accesses an unrecognized file. When this occurs, the user receives an alert and the Avira Protection Cloud process automatically swings into action.
In mere split seconds after the unknown (not suspicious, simply unrecognized) file is accessed, a “fingerprint” of this unidentified file is instantly uploaded to the Avira Protection Cloud. Once received, the file’s fingerprint is compared to the millions and millions of safe and unsafe file definitions already stored in the Avira Protection Cloud. If the file corresponds to a previously recognized file that is known to be safe, the process is approved, the user accesses the file and life goes on as normal.
However, if the file cannot be identified, the APC will request the user to upload the complete file for a full analysis. After scanning, if this full file is found to include malware, the APC will instantly quarantine it and define it as “malicious”. The APC completes this process in a matter of seconds (of course, if the file is infected, the user will also receive an alert).
On the other hand, if the new file is determined to be malware free, the APC will label this file as “safe” and make that information available to all requesting APC users, preventing them from having to complete the same process.
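As an added illustration, not Avira's code and not from the whitepaper, the following Python models the APC flow quoted above: a fingerprint lookup against cloud definitions, a full-file analysis only when the fingerprint is unrecognised, and sharing of the resulting verdict so later requesters skip the analysis. The `ProtectionCloud` class, the malware marker string and the sample files are constructed assumptions.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


class ProtectionCloud:
    """Constructed stand-in for the cloud side of the APC lookup flow."""

    def __init__(self):
        self.definitions = {}    # fingerprint -> Verdict.SAFE or Verdict.MALICIOUS
        self.full_analyses = 0   # how many complete files had to be analysed

    def lookup(self, fp):
        # Step 1: compare the fingerprint against known safe/unsafe definitions.
        return self.definitions.get(fp, Verdict.UNKNOWN)

    def analyze_full_file(self, fp, content):
        # Step 2: full analysis of an unrecognised file. The constructed marker
        # string stands in for a real detection; the whitepaper describes this
        # stage as a complete scan/behaviour run in the cloud.
        self.full_analyses += 1
        verdict = Verdict.MALICIOUS if b"CONSTRUCTED-MALWARE-MARKER" in content else Verdict.SAFE
        # Step 3: the verdict is stored so every other APC user gets it from the lookup.
        self.definitions[fp] = verdict
        return verdict


def fingerprint(content):
    """Client-side fingerprint of the file (SHA-256 assumed; the whitepaper does not name the hash)."""
    return hashlib.sha256(content).hexdigest()


def apc_access(cloud, content):
    """What happens when an APC-protected PC accesses a file."""
    fp = fingerprint(content)
    verdict = cloud.lookup(fp)
    if verdict is Verdict.UNKNOWN:
        verdict = cloud.analyze_full_file(fp, content)  # full upload only for unknown files
    return verdict


def demo():
    cloud = ProtectionCloud()
    clean = b"constructed clean document"
    bad = b"constructed sample with CONSTRUCTED-MALWARE-MARKER inside"
    first = apc_access(cloud, bad)    # unrecognised: full file analysed
    second = apc_access(cloud, bad)   # a second PC: fingerprint already known, no re-analysis
    third = apc_access(cloud, clean)  # unrecognised clean file: analysed once, labelled safe
    return first, second, third, cloud.full_analyses
```

Note that nothing here inspects what the file does on the local machine, which is the poster's point: the decision is a cloud reputation lookup plus cloud-side analysis, not a local behavior judgment.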