Types of threats detected
- Adware
- RATs (remote access tools)
- Spyware
- Trojan horses
- Worms
- Rootkits
- Keyloggers
- Potentially dangerous applications
NOD32 virus detection technologies
- Traditional signatures
- Generic signatures
- Passive heuristics
- Active heuristics
Traditional Signatures
A specific threat has a specific set of bytes that uniquely identifies it. Searching for that exact pattern of bytes, an anti-threat tool can find and identify that specific threat.
Though well suited to exploit detection, signature scanning is reactive and based on the identification of a single object. Because of this, it has limitations against today's advanced threats.
Limitations of Signature-based Threat Scanning
- New threats are not detected until signatures are generated. PCs may be vulnerable for hours, days, or weeks.
- Malware writers use archiving and packing techniques to circumvent signature-based detection. Compressing files hides the malware from signature-based tools.
- Only some parts or forms of a complex virus may be detected initially. With a polymorphic (dynamically changing) virus, some infected files might remain undetected.
Pattern recognition techniques like signatures work effectively and efficiently for known threats, but are ineffective for protecting against new threats. Heuristic scanning is the solution to this problem.
Heuristics Explained
Heuristics is a method that uses rules to solve problems. For anti-threat software, heuristics are a set of rules used to detect malicious behavior without needing to uniquely identify the specific threat, as a classic signature-based "virus scanner" does.
Heuristics used by an anti-threat program might have rules to look for things like these:
- Something that tries to copy itself into other programs
- A program that decrypts itself when run
- Code that binds to a TCP/IP port and listens for instructions over a network connection
- A process attempting to manipulate (copy, delete, modify, rename, etc.) files required by the operating system or applications
The advantage of heuristics is that they can detect not just variants, or modified forms, of existing malicious programs, but also new, previously unknown malicious programs.
Generic Signatures
One way to use heuristics to improve signature-based detection is to use generic signatures. A generic signature is a scan pattern that matches more than one specific piece of malware, possibly an entire family or set of variants.
Generic signatures help an anti-threat system measure how similar something is to known malware. Does it look like anything we already know?
By looking for similarities, the anti-threat tool can spot malware it hasn't seen before, without requiring a definitive signature for that specific threat.
However, generic signatures may be too restrictive, catching only threats that differ from known malware in minor ways.
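The difference between a traditional (exact) signature and a generic (wildcard) signature, and the packing limitation described above, as an added example that is not ESET's code; all byte sequences are constructed and are not real malware:

```python
import re

# Traditional signature: one exact byte sequence from a single known sample (constructed).
EXACT_SIG = bytes.fromhex("e8000000005b81eb")
# Generic signature for the same family: '??' wildcards cover the bytes that vary
# between variants (here, the 4-byte call displacement).
GENERIC_SIG = "e8 ?? ?? ?? ?? 5b 81 eb"

def generic_to_regex(sig: str) -> re.Pattern:
    """Compile a wildcard hex pattern into a bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(sample: bytes) -> dict:
    """Report which signature technique flags the sample."""
    return {
        "traditional": EXACT_SIG in sample,
        "generic": generic_to_regex(GENERIC_SIG).search(sample) is not None,
    }

def pack(sample: bytes, key: int) -> bytes:
    """Simulated packer (constructed format): one-byte XOR key followed by the encoded body."""
    return bytes([key]) + bytes(b ^ key for b in sample)

def unpack(packed: bytes) -> bytes:
    """What the packer's own stub would do at run time: restore the original body."""
    key = packed[0]
    return bytes(b ^ key for b in packed[1:])

# Constructed samples: the known sample, a variant with a changed call offset, and a packed copy.
KNOWN   = b"\x90\x90" + bytes.fromhex("e8000000005b81eb") + b"\xc3"
VARIANT = b"\x90\x90" + bytes.fromhex("e8070000005b81eb") + b"\xc3"
PACKED  = pack(KNOWN, 0x5A)

if __name__ == "__main__":
    for name, sample in [("known", KNOWN), ("variant", VARIANT), ("packed", PACKED)]:
        print(name, scan(sample))          # packed: both False until unpacked
    print("packed, after unpacking", scan(unpack(PACKED)))
```

The packed sample defeats both static techniques; only after the body is restored (which is what active heuristics achieve by letting the unpacking stub run in a sandbox) do the signatures match again.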
Passive Heuristics
Passive heuristics analyze a program as it is scanned, tracing through the instructions in a program before passing the code to the processor for execution.
The idea is to analyze the suspicious code to see what it appears to be designed to do.
Passive heuristic rules look for patterns, routines, or program calls that indicate malicious behavior. This approach is sometimes called "code analysis."
Passive heuristics, though a useful tool, are very difficult to do well. There is no single action that a malicious program can perform that is not also allowed in a "good" program.
Active Heuristics
With active heuristics, the anti-threat system can execute the code to see what it actually does. Execution occurs in a controlled, protected environment to avoid real damage.
The engine lets the code run in a virtual environment and examines the behavior performed in, and the changes made to, that virtual environment.
Active heuristics are useful in defeating encryption, compression, and polymorphic threats. They force the malware to "show" what it is designed to do. This provides immediate protection, without relying on signatures of known threats for identification.
Since the code actually runs, it can't hide its malicious content.
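How the behavioral rules listed under "Heuristics Explained" can be scored against what a sandbox observed, as an added example that is not NOD32's engine; the event traces, event names, weights and threshold are all constructed assumptions. It also illustrates the point made under passive heuristics: a single action (here, an installer touching a system directory) is never enough on its own to convict.

```python
SYSTEM_DIRS = (r"c:\windows\system32", "/usr/bin", "/etc")   # assumed "OS files" locations

def touches_system_files(trace):
    """Rule: copy/delete/modify/rename of files the operating system depends on."""
    return any(ev in ("file_modify", "file_delete", "file_rename", "file_copy")
               and arg.lower().startswith(SYSTEM_DIRS) for ev, arg in trace)

# Each rule: (name from the page's list, assumed weight, predicate over the event trace).
RULES = [
    ("copies itself into other programs", 3,
     lambda t: any(ev == "self_copy" and arg.lower().endswith(".exe") for ev, arg in t)),
    ("decrypts itself when run", 3,
     lambda t: any(ev == "self_decrypt" for ev, _ in t)),
    ("binds a TCP port and listens", 2,
     lambda t: any(ev == "tcp_listen" for ev, _ in t)),
    ("manipulates OS or application files", 1, touches_system_files),
]
THRESHOLD = 4   # assumed cut-off: one weak indicator alone never reaches it

def evaluate(trace):
    """Return (score, names of triggered rules) for one sandbox event trace."""
    hits = [name for name, _, pred in RULES if pred(trace)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits

def is_malicious(trace):
    return evaluate(trace)[0] >= THRESHOLD

# Constructed traces in the shape a sandbox monitor might emit (not NOD32 output).
INSTALLER = [   # legitimate installer: drops a driver and its own program files
    ("file_modify", r"C:\Windows\System32\drivers\newdev.sys"),
    ("file_modify", r"C:\Program Files\Vendor\app.exe"),
]
WORM = [        # unpacks itself, infects another program, opens a listener, edits hosts
    ("self_decrypt", "section .text rewritten in memory before jump"),
    ("self_copy", r"C:\Users\Public\games\solitaire.exe"),
    ("tcp_listen", "0.0.0.0:6100"),
    ("file_modify", r"C:\Windows\System32\drivers\etc\hosts"),
]

if __name__ == "__main__":
    for label, trace in [("installer", INSTALLER), ("worm", WORM)]:
        print(label, evaluate(trace), "malicious" if is_malicious(trace) else "clean")
```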
ThreatSense® - Leveraging all detection methods
The best anti-threat solution is one that makes intelligent use of all viable detection methods. That's the idea behind NOD32's ThreatSense® technology.
Viruses, worms, and spyware are constantly evolving as malware writers try to circumvent security software. ThreatSense keeps NOD32 a few steps ahead.
The ThreatSense engine is a sophisticated, well-balanced system of advanced heuristics and malware signatures, providing the best detection without compromising speed.
For most existing threats, ThreatSense includes a traditional form of malware signatures. It also uses next-generation generic signatures to quickly detect known malware families and their future variants.
In addition to traditional and generic signatures, ThreatSense's advanced heuristics proactively decode and analyze executable code in a protected environment to identify increasingly sophisticated malicious behavior, characteristic of today's evolving threats.
What makes ThreatSense technology so accurate is its ability to perform all these types of detection in parallel, improving not only its detection but also the speed with which it operates. ThreatSense's blended approach to detection leverages the benefits of each technology and makes NOD32 the fastest, most accurate, and lowest-impact solution in the industry.