Analysis of the latest virus protection technology in ESET NOD32

Source: Internet
Author: User

We often hear promotional claims such as "anti-virus brand XX is superior to other brands" or "brand XX has won the highest rating from an authoritative testing institution". But what actually differentiates one anti-virus product from another? Few people can say. What technology does a good anti-virus product rely on to stand out in test after test, and what does that technology mean for the protection of our computers? In this article we take a closer look at ESET NOD32's patented ThreatSense® engine and its brand-new ThreatSense.Net system.


Introduction to the High-Performance Comprehensive Protection Architecture of ESET NOD32

Many users who have tried ESET NOD32 are surprised by how light and fast it is. One reason is its Integrated Protection architecture: a single ThreatSense® engine handles viruses, worms, adware, Trojans, spyware, phishing and other malicious programs, which greatly simplifies processing and improves execution efficiency.

Figure 1 Comprehensive Protection Architecture of ESET NOD32

Some anti-virus products use several independent components to handle different kinds of malicious program. The complete suite can be several hundred MB in size, which not only burdens the system but also makes the complex architecture hard to manage, and overlapping protection mechanisms can even open security holes. In contrast, Virus Bulletin tests show that the scanning speed of ESET NOD32's comprehensive protection architecture is usually two to five times that of other anti-virus software, a very strong result.

Introduction to the ThreatSense® engine used by ESET NOD32

(1) Genetic code (generic signature) detection technology

Until now, almost all anti-virus software has worked primarily by comparing the virus signature data in its database against the files being scanned in order to identify genuine viruses. Because new viruses or variants appear almost every day, vendors must constantly update their signatures and expand their virus databases so that the newest signature data is included as soon as possible.

This method seems simple and effective, but more than 70 thousand virus types have been found in the online world, and thousands of them are still active. If the virus database had to record every one of them in full, it would become very large, and comparing entries one by one during a system scan would be extremely time-consuming. Advanced anti-virus software such as ESET NOD32 has therefore gradually moved away from pure signature-based detection and adopted a new generation of genetic code (generic signature) detection technology. With genetic code technology, both the virus signatures themselves and the size of the virus database are simplified.

Simplifying virus signatures

The so-called genetic code refers to the characteristics shared by the different variants of one virus family, most of which contain the same virus features. Many viruses first appear as a single strain and are then modified or evolved by other virus authors until dozens of variants exist. With traditional signature detection, the virus database holds a separate signature for every variant. With genetic code detection, the characteristics common to the whole family are extracted from the variants, including some discontinuous program code.


Reducing the volume of the virus database

In this way a small amount of signature data can detect a large number of virus types, so signature comparison during a system scan takes far less time. At the same time, new variants derived from the same source can be identified even before the virus database is updated, as long as they match the generic signature conditions of the family. Updating the ESET NOD32 virus database therefore takes very little time: each update is usually no more than 20 KB to 50 KB, which never burdens the network or the hard disk.
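A toy model of the generic-signature idea described above, added here as an example (not ESET's code): a family signature is an ordered list of code fragments that may be separated by arbitrary bytes, so one entry covers every variant. The fragments, sample variants and family names are constructed for illustration.

```python
"""Generic (family) signature matching over constructed byte samples.

Added example, not ESET's code: one generic signature made of the
discontinuous fragments shared by a virus family matches every variant,
whereas exact signatures need one database entry per variant.
"""
import re

def compile_generic(fragments, max_gap=64):
    """Build a regex that matches the fragments in order, allowing up to
    max_gap arbitrary bytes between consecutive fragments (the
    "discontinuous program code" shared by a family)."""
    gap = b"(?:.{0,%d})" % max_gap
    return re.compile(gap.join(re.escape(f) for f in fragments), re.DOTALL)

def exact_match(sample, signatures):
    """Traditional detection: a hit needs the full contiguous byte string."""
    return [name for name, sig in signatures.items() if sig in sample]

def generic_match(sample, families):
    """Family detection: a hit needs the shared fragments, in order."""
    return [name for name, pat in families.items() if pat.search(sample)]

# Constructed samples: three "variants" of one hypothetical family share the
# same three fragments, but the bytes between the fragments differ.
FRAGMENTS = [b"\x55\x8b\xec", b"SMTP-REPL", b"\xcd\x21"]
VARIANTS = {
    "A": b"\x55\x8b\xec\x90\x90SMTP-REPL\x00\xcd\x21",
    "B": b"\x55\x8b\xec\xeb\x02\xc3\xc3SMTP-REPL\x33\xc0\xcd\x21",
    "C": b"\x55\x8b\xec" + b"\x90" * 30 + b"SMTP-REPL" + b"\x41" * 10 + b"\xcd\x21",
}
# Constructed benign file: shares the first and last fragment but not the
# middle one, so the ordered family signature must not fire on it.
BENIGN = b"\x55\x8b\xec\x33\xc0\xc3 hello world \xcd\x21"

EXACT_DB = {"Fam.A": VARIANTS["A"]}                # one entry per known variant
GENERIC_DB = {"Fam": compile_generic(FRAGMENTS)}   # one entry per family

def compare():
    """Return {sample name: (exact hits, generic hits)} for every sample."""
    samples = dict(VARIANTS, benign=BENIGN)
    return {name: (exact_match(data, EXACT_DB), generic_match(data, GENERIC_DB))
            for name, data in samples.items()}

if __name__ == "__main__":
    for name, hits in compare().items():
        print(name, "exact:", hits[0], "generic:", hits[1])
```

The exact database only knows variant A, so B and C are missed by it but caught by the single family entry; the benign sample is caught by neither.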

(2) Virtual machine technology

For complex threats such as polymorphic viruses and unknown viruses, a small number of anti-virus products use virtual machine technology, which gives good detection and removal of unknown viruses. The virtual machine is a controllable execution environment simulated in software, and the program under examination is run inside it. A virus may evade anti-virus software in many ways, but when it runs inside the virtual machine it does not know that all of its behaviour is being monitored; when it carries out its infection routine inside the virtual machine, it is exposed. Virtual machine technology can therefore find most polymorphic viruses and a large number of unknown viruses.

(3) Code analysis technology

To deal with constantly changing viruses and to study unknown ones, code analysis scanning methods have emerged. Code analysis scanning decides whether a file is infected with an unknown virus by analysing the sequence in which instructions occur, or standard features of common viruses such as specific instruction combinations. Because a virus is meant to infect and cause damage, its typical behaviour has recognisable characteristics, such as reading and writing sensitive files, self-deletion, self-replication, and obtaining low-level operating system privileges. Whether a program is a virus can therefore be judged by scanning for specific behaviours or for combinations of several behaviours.
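An added example (not ESET's code) of the behaviour-combination scoring described above: single suspicious actions get a weight, and combinations that rarely occur together in legitimate software get extra weight. The event format, category weights, threshold and the traces are all constructed assumptions for illustration.

```python
"""Behaviour-combination heuristic over constructed execution traces.

Added example, not ESET's code. Each trace is a list of (action, target)
events from a hypothetical monitor; weights and threshold are assumed.
"""

# Assumed weights for the behaviour categories named in the text.
WEIGHTS = {
    "write_sensitive": 2,   # writes under the Windows directory
    "self_replicate": 3,    # copies its own image to another location
    "self_delete": 2,       # deletes its original file after running
    "escalate": 3,          # requests low-level operating system access
    "autorun": 2,           # registers itself to start at boot
}
# Combinations that are worth more than the sum of their parts.
COMBOS = [({"self_replicate", "autorun"}, 3),
          ({"self_replicate", "self_delete"}, 2),
          ({"write_sensitive", "escalate"}, 2)]
THRESHOLD = 7

def classify(event, self_path):
    """Map a raw (action, target) event to a behaviour category or None."""
    action, target = event
    low = target.lower()
    if action == "write" and low.startswith("c:\\windows\\"):
        return "write_sensitive"
    if action == "copy_self":
        return "self_replicate"
    if action == "delete" and low == self_path.lower():
        return "self_delete"
    if action in ("load_driver", "open_physical_disk"):
        return "escalate"
    if action == "reg_set" and "\\currentversion\\run\\" in low:
        return "autorun"
    return None

def verdict(trace, self_path):
    """Return (label, score, sorted behaviour categories) for one trace."""
    seen = {c for c in (classify(e, self_path) for e in trace) if c}
    total = sum(WEIGHTS[c] for c in seen)
    total += sum(bonus for combo, bonus in COMBOS if combo <= seen)
    return ("suspicious" if total >= THRESHOLD else "clean", total, sorted(seen))

# Constructed traces: a worm-like program and an ordinary installer.
WORM_SELF = "C:\\Users\\u\\Downloads\\invoice.exe"
WORM_TRACE = [("copy_self", "C:\\Windows\\System32\\svchosts.exe"),
              ("reg_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
              ("delete", WORM_SELF)]
INSTALLER_TRACE = [("write", "C:\\Windows\\System32\\drivers\\vendor.sys"),
                   ("reg_set", "HKLM\\Software\\Vendor\\Settings")]
```

The installer trips only one category and stays below the threshold, while the worm trace scores 7 on single behaviours plus 5 from two combinations, illustrating why combinations carry more weight than isolated actions.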

ESET NOD32's brand-new ThreatSense.Net warning system

Figure 2 The new ThreatSense.Net warning system

To improve the accuracy and efficiency of the ThreatSense® engine, the latest version of ESET NOD32 adds a brand-new ThreatSense.Net warning system. This system extends the excellent virus analysis capability of ThreatSense® from the individual PC to global processing: whenever a client's ESET NOD32 encounters a file suspected of being a virus, the file can be compressed and encrypted, automatically or manually, and sent by e-mail to sample@eset.com, so that it quickly reaches the experts at ESET headquarters for analysis; once it is confirmed as a virus, ESET can respond rapidly.

Summary

The popularity of the Internet lets a new virus reach every corner of the world in a very short time. When malicious program writers create new viruses, worms and other malicious software, they also work hard to slip past anti-virus software, using various packing and junk-code insertion techniques to disguise their "masterpiece" so that it can intrude into the system and do great damage. Many anti-virus vendors emphasise how fast they update their virus databases in order to respond to a crisis more quickly. However, no matter how fast the update, there is always a gap between the first appearance of a virus and the user's successful database update, which may range from a few minutes to several days. ESET NOD32 uses industry-leading heuristic technologies such as genetic code (generic signature) detection, virtual machines and code analysis, so even when a virus is a new variant of a known virus with no corresponding signature data in the database, ESET NOD32 can still identify and remove it, leaving these new viruses nowhere to hide.

For example, the Win32/Bagle.DC and Win32/Bagle.DD worms spread by e-mail at a rate of 2000 messages per hour. They were designed to evade signature-based detection, and the vast majority of anti-virus products that rely on signature updates could not respond in real time. The ThreatSense® engine of ESET NOD32 detected the intrusion quickly, showing the importance of proactive, real-time protection. In fact, in an internationally authoritative proactive protection test, the ThreatSense® engine successfully blocked zero-day worm and virus attacks, delivering outstanding performance.
