Sunday, March 7, 2010

How Immunet Detects Threats, In a Nutshell

I often get asked what makes Immunet’s approach to detecting threats different from that of the mainstream Anti-Virus companies. In a nutshell, our goal is to find threats that are present in small parts of our community, analyze them, and then protect the whole community from them as fast as possible, often in near real time.

We do not focus on obscure threats, or on threats that circulate outside of our community. We are not big fans of the 'boil the ocean' approach to Anti-Virus. It works well for reviewers (who test with everything under the sun), but it rarely helps your community much. There is a reason people are still getting viruses, and it's time we (the industry) rethink our approach to tackling this problem.

As to how we convict files: all of our current approaches entail communication back and forth with the cloud, so a decision is rarely made in 'decision support isolation'. This lets you work with the most current, up-to-the-minute information that we have. Here are some of the approaches we use:

  1. Generic detection of threats through broad hashing. We look for things that look 'like' threats we know of and try to further analyze them for conviction so we can protect the community. This can also be called a 'heuristic' engine if you like. Our generic engine is ETHOS; we have another planned for May, called SPERO.
  2. Context conviction: this is where we make decisions based on the data we receive about a file in the field. From community-collected data we can make assumptions about whether a file is a virus or not. For example, did our AV stop working after it was installed? Did the system start to see other viruses after it was installed? Questions like this often lead to answers that make us highly suspicious of a file.
  3. One-to-one conviction: this is where there is a known threat we've collected from the community, through collection trading, or gathered from web crawling. For each of these collected (and verified malicious) files we generate a signature. When users do file look-ups this signature is sent to us, and if it matches a known threat we convict the file as a virus.


There are a few other ways as well, and each of the approaches above could be a daylong chat on its own, but that's the mile-high view today (March 7, 2010).


Reader Comments (2)

I really like this blog post, it has some great info. Thank you and keep up good work.

March 13, 2010 | Unregistered Commenter: trading for a living

How will you convince me that you will not collaborate with corporations in the future?
I'll take the gaming industry as an example. People have original games, but use cracked versions to play the game without problems. If the game industry sends a cracked exe from multiple hosts, telling you that it contains a virus, will all the users in the cloud get the false-positive definitions and have their exe deleted?

How is your software going to work if a computer isn't connected to the web for some time?
It is still based on the virus definition method, not on a completely fresh detection system.

Panda already has a cloud antivirus. Would you dare to compare your solution with this?

Don't get me wrong, I'm just curious.

May 25, 2010 | Unregistered Commenter: Jay
