关于为什么部分KSN拉黑的样本扫描不出来的终审判决。

pal家族

省流：为了减少服务器开销与性能影响巴拉巴拉，内部不可说的机制会判断哪些文件在扫描时会触发KSN查询并返回检测结果verdict。
所以拉黑的文件扫描不报毒是正常的。
HIPS目前也同理。（这一点我本人认为不合理）
但是主防是100%必询问。
综上所述，该现象是特意设计如此的，不是bug导致忘记在扫描时查KSN了。





该问题不可能有官方解释，虽然该解释出资官方口中。
所以，以下是来自官方人员的非官方聊天。

we think it's normal situation that detection for "unpopular" threats can be missed in local bases, until some one report them (or it will be reported automatically)
so there is no bug in traditional way, we don't have file (or heuristics) for 'new' files, so don't detect them.
ksn bases and local are not connected in some direct way to sent data immedeatly

the main thing is we DON'T ask KSN EVERY time you scan an object. Million users have Billions files, so it will be ddos attack on our KSN to ask for every exe or another one. (especially during full scans). So you got this scenarios when file is marked by KSN but it cannot be scanned by local bases.
But EVERY time you launch any file we ask reputation. So it's detected by launch moment.

is it answer to your question, or i'm again missing point?

DON'T ask KSN EVERY time ----- we have special conditions to decide ask or not during scan, but I cannot give you any info about it. So some times you can see KSN request, and sometimes - not.

as we check reputation before file launch, we count this situation as "user is protected and have no risks" (but as you can understand it's minimal required protection, without wasting server resources)

HIPs has same mechanics.

第二段话，翻译就是，
目前有不可说的机制来判断是否一个文件在扫描时要查询KSN，每个都查询的话服务器就炸了。尤其是全盘扫描的时候。
目前是确保文件在运行的时候一定是会查询的。
在运行样本之前的时候，我们是为了降本增效并且不降低用户保护，认为没有运行就是安全的。
第一段话在说为啥有的拉黑样本迟迟不入库。




然后我请帮我问问题的迪米特老哥转达一个我的建议，那就是：

I can fully understand now. Just one request: Can you help me deliver a suggestion that when I run the file HIPS should always ask KSN and block untrusted file from running before PDM terminate process and rollback?

in my test, there are some times malicious file already do harm my system before PDM react. And PDM cannot always sucess rollback all changes by malware. Some malicious actions happens too fast. It is better if HIPS could block the malware firstly.

thanks a lot

HIPS应该是运行时必查询的，希望可以改一下。

然后迪米特老哥说了，会帮我转达下，万一有消息了会告诉你。

i just forwarded this info to colleagues.

I'll try to provide feedback as it will be. If i don't, feel free to remind me again

驭龙

居然是为了省流，减缓压力，看来卡巴的KSN抗压能力一般般啊

看来这问题是不能解决了，不过影响也不大，毕竟主防还是可以拦截的

pal家族

驭龙 发表于 2025-1-22 01:09
居然是为了省流，减缓压力，看来卡巴的KSN抗压能力一般般啊

看来这问题是不能解决了，不过影响也不大， ...

自由贸易的时候还不这样咧
与其说是减压，不如说是赚不到钱了。想办法一点点降本增效。

驭龙

pal家族 发表于 2025-1-22 01:11
自由贸易的时候还不这样咧
与其说是减压，不如说是赚不到钱了。想办法一点点降本增效。

哈哈，有道理，而且欧美那边的收入也没有了

Jirehlov1234

牢卡坚实的后盾：Bazon.a

pal家族

Jirehlov1234 发表于 2025-1-22 07:46
牢卡坚实的后盾：Bazon.a

一直不知道这个名字有啥含义。。。。

啊松

然鹅黑dll运行还是不会拦截，除非入本地库

kaba777

pal家族 发表于 2025-1-22 08:06
一直不知道这个名字有啥含义。。。。

Вазон就是花瓶，可能是兜底的意思，卡巴斯基省钱的做法可以理解

kaba777

啊松 发表于 2025-1-22 09:28
然鹅黑dll运行还是不会拦截，除非入本地库

扫描不拉黑，运行才拉黑，所以如果运行检查漏了就不会拦截了，没问题吧

hancool

当杀软价格再次抬高的时候 服务器的消耗就不是大问题了