Anti-Virus Software Technology: Heuristics and Active Defense

Source: Internet
Author: User
Tags: virtual environment

Today's malware is dominated by packed Trojans and worms. Virus authors no longer write them merely to show off their skill: stealing users' private information and opening backdoors into their systems now causes direct economic loss, and that is where the profit is.

Software vulnerabilities appear constantly, especially in Microsoft Windows and Office, and increasingly as zero-day vulnerabilities. Combined with weak user security awareness and the speed at which new viruses are produced, this is what drives today's epidemics. The anti-virus software fails to find or remove the virus, and users complain. The viruses appear too fast and are written too well: by the time the vendor has analysed a sample and added it to its signature database, and the user has updated, the virus often still cannot be cleaned from the running system, and the user is sent back to a DOS-based cleanup that even Microsoft seems unsure whether to keep supporting.

Anti-virus software is naturally seen by everyone as the most critical link. So how can this problem be solved?

The concept of heuristics was proposed and implemented several years ago, and it has since developed to a very powerful level: minimising false positives while discovering as many unknown viruses as possible. Every vendor implements it differently, but the basic idea is the same: the suspect program is run in a virtual environment (an emulator) and the verdict depends on how it behaves. This emulated run lasts only a very short time. Heuristics are essentially a mature technology abroad; NOD32, McAfee and Dr.Web are particularly strong. Their heuristic engines can accurately detect a new virus and stop it immediately, with a false-positive rate much lower than others. Kaspersky also has its own heuristic engine, which can report unknown viruses in some cases; its hit rate is naturally much lower than that of the products just mentioned, but for viruses written in certain specific languages Kaspersky can report unknown samples accurately

(Kaspersky Lab's signature extraction technology is second to none in the industry; it often turns out that a signature extracted from an earlier virus still matches later ones). The situation in China is not encouraging. Heuristics are not entirely absent from Chinese products, but it is hard to find the right words for the current state. Take the three major domestic vendors, Jiangmin, Rising and Kingsoft. Jiangmin's KV series has continued its "broad-spectrum detection and removal" technology, which is very effective against variants, especially macro viruses; occasionally you may see KV report a suspicious file as Win32.Type, which is a catch from the broad-spectrum technology (broad-spectrum detection is not the same thing as the heuristics discussed above). Rising's behaviour analysis technology seems more effective on Windows platforms; it judges the likelihood that a program is a virus from its behaviour. In practice Rising performs better than KV here, but only relatively: it does not seem to play a major role and rarely reports unknown viruses. As for Kingsoft Duba, a few years ago it used the Dr.Web engine, which does have heuristics; now that it has switched entirely to its own engine technology, at least I have not found any trace of heuristics in Kingsoft Duba.
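One common way to build a signature that "still applies to subsequent viruses" is a byte pattern with wildcard positions, so that the bytes a variant changes (an immediate operand, an encryption key, a string length) are masked out while the fixed skeleton is still matched. The following is an added example written for this page, not Jiangmin's, Kaspersky's or any vendor's code: the signature syntax (hex bytes, `??` for one arbitrary byte), the two "variants" and the benign sample are all constructed, and the stub they share (call $+5 / pop ebp / sub ebp, imm32) is only a stand-in for a family's common code.

```python
"""Added example: a wildcard ("broad-spectrum") byte-signature matcher.

Not vendor code. The signature syntax and all sample bytes are constructed
for this illustration; the samples are not real malware.
"""
import re


def compile_signature(sig: str) -> re.Pattern:
    """Turn 'E8 00 00 00 00 5D 81 ED ?? ?? ?? ??' into a compiled bytes regex.

    Each token is either two hex digits (one fixed byte) or '??' (any byte).
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")                       # wildcard: any single byte
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    # DOTALL so the wildcard also matches byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed samples: a tiny "MZ" header, the shared delta-offset stub
# (call $+5; pop ebp; sub ebp, imm32), and the bytes that differ per variant.
VARIANT_A = bytes.fromhex("4D 5A 90 00 90 90 E8 00 00 00 00 5D 81 ED 05 10 40 00 31 C0 C3")
VARIANT_B = bytes.fromhex("4D 5A 90 00 90 90 E8 00 00 00 00 5D 81 ED 78 56 34 12 31 C0 C3")
BENIGN    = bytes.fromhex("4D 5A 90 00 90 90 55 89 E5 83 EC 10 31 C0 C9 C3")

SIGNATURES = {
    # Exact pattern extracted from variant A, immediate operand included.
    "Variant.A.exact":  compile_signature("E8 00 00 00 00 5D 81 ED 05 10 40 00"),
    # Broad-spectrum pattern: the operand the variants change is masked out.
    "Variant.Generic":  compile_signature("E8 00 00 00 00 5D 81 ED ?? ?? ?? ??"),
}


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the sorted names of all signatures found anywhere in data."""
    return sorted(name for name, pat in signatures.items() if pat.search(data))


def detect_all() -> dict:
    """Scan the three constructed samples; the generic pattern catches both variants."""
    return {"A": scan(VARIANT_A), "B": scan(VARIANT_B), "benign": scan(BENIGN)}


if __name__ == "__main__":
    for name, hits in detect_all().items():
        print(f"{name}: {hits}")
```

The trade-off the text alludes to is visible here: every masked byte widens the pattern, so a generic signature has to keep enough fixed bytes (and, in a real engine, be anchored to a code region rather than searched over the whole file) to avoid false positives on legitimate programs that happen to contain the same instruction fragment.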

Active defense seems to have appeared only recently. Among Chinese anti-virus products the KV series seems to have been the first to use registry monitoring, so some people think that active defense simply means registry monitoring; that view is far too narrow.

What do today's viruses actually do? They drop programs, create their own startup entries, inject themselves into other processes, and use rootkit techniques to hide themselves...

When it comes to active defense I have to mention the software System Safety Monitor (SSM), which belongs to the category of host-based intrusion prevention systems (HIPS). It is neither anti-virus software nor a firewall, but it can protect the system from malicious programs at every level, from individual processes down to the underlying disk. Its features naturally include the most common ones: registry protection, file protection, disk protection and process-injection prevention; SSM's feature set is extremely powerful. Kaspersky introduced Proactive Defense in version 6. Its registry monitoring is not enabled by default, because the prompts are intrusive and may cause a lot of trouble for ordinary users, who do not understand what the registry monitor is asking them; Kaspersky Lab leaves it off out of consideration for such users. Its behaviour monitoring module, on the other hand, deserves praise for using built-in rules:

when a program tries to execute, behaviour monitoring compares its actions against the rules to decide whether it is a malicious program, and the accuracy is quite impressive. The latest version can detect essentially 100% of rootkits, and can intercept basically all Trojans, backdoors and worms. Although the reported name is always the same, Trojan.Generic, process injection, hidden data transmission and launching IE with parameters cannot escape its monitoring (its Proactive Defense makes up for its weaker heuristics); try it when you get the chance. At present Rising only has registry monitoring, which is too superficial to count as active defense, but it recently added a function to prevent programs being executed directly through the browser; this is commendable, because far too many users get infected through IE. Kingsoft Duba has no such feature. Jiangmin's KV series had registry monitoring in earlier versions and later developed it into a "Trojan sweep" module.

In its first version the Trojan sweep module included registry monitoring, process-injection protection and keylogger detection, a simple initial implementation of active defense. Probably because of its poor interaction it brought users as much trouble as security; they did not know what KV was prompting about. In KV2007 the Trojan sweep has been reduced to pure registry monitoring, and the other functions have been handed to a "System Monitor": network access control (mainly HTTP and email), process-injection protection, unauthorised program execution, direct memory access, file access control, file integrity protection and so on. It is not especially comprehensive, but it covers the vast majority of cases. This is a blessing for experienced users and a bit of a nuisance for novices; it would be best if the product directly told the user what the program probably is, which is something to improve later.

Of course, active defense has one disadvantage: it only takes effect when a program is actually executed, and it does nothing for static virus detection. A malicious file sitting on disk, or in an attachment that has not yet been opened, is invisible to it, so it complements signature and heuristic scanning rather than replacing them.

In heuristics and active defense, the domestic product KV is slightly ahead in development and application. We can only hope it gets better, and that Chinese users will support their own products.
