Immunet Blog

I often get asked what makes Immunet’s approach to detecting threats different than the mainstream Anti-Virus companies.  In a nutshell, our goal is to find threats which are in small parts of our community, analyze them and then protect the whole community from them as fast as possible, often in near real time.

We do not focus on obscure threats, or threats which circulate outside of our community. We are not big fans of the 'boil the ocean' approach to doing Anti-Virus. It works well for reviewers (who test with everything under the sun) but it rarely really helps your community. There is a reason people are still getting viruses and it's time we rethink our (the industry) approach to tackling this problem.

As to 'how' we convict files. All of our current approaches entail communication back and forth with the cloud so that rarely is a decision made in 'decision support isolation’. This allows you to work with the most current, up to the minute, information that we have. Here are some of the approaches we use:

1. Generic detection of threats through broad hashing. We look for things that look 'like' threats we know of and try to further analyze them for conviction so we can protect the community. This can also be called a 'heuristic' engine if you like.  Our generic engine is ETHOS; we have another planned for May, which is called SPERO.
2. Context conviction, this is where we make decisions based off the data we receive about a file in field. From community collected data we can make assumptions about whether a file is a virus or not. For example, did our AV stop working after it was installed? Did the system start to see other viruses after it was installed? Questions like this will often lead to answers, which make us highly suspicious of a file.  
3. One-to-One conviction, this is where there is a known threat we've collected from the community, through collection trading or gathered from web crawling. For each of these collected (and verified malicious files) we generate a signature. When users do file look-ups this signature is sent to us, if it matches a known threat we convict the file as a virus.

There are a few other ways as well and each of those approaches above could be a daylong chat on their own but that's the mile high view today (March 7, 2010).

Clif Sipe over at Techie Buzz just gave Immunet Protect 1.0.25 a very thorough review that is worth a read. You can find the review here. The upshot is that we recieved a 4/5 rating from Clif who has been watching the product for a few months now.

Immunet Protect Beta 1.0.24 was recently put through its paces by the folks over at Malware Research Group (MRG). MRG is doing a well thought out monthly review of 30 anti-malware products to see how well they detect fresh, real world, active Rogue Anti-Virus programs.  The report titled “Rogue Software Infection Prevention Test, January” showed Immunet Protect Beta performed quite handily. In fact, we beat out both Microsoft Security Essentials and Avira  at detecting these in-field threats. It’s great vindication for our community (and the development team of course..), particularly given we are in beta with some ways to go before all of our detection engines are deployed!

All,

The updater files for migration to 1.0.25 are now posted. The updaters will install the new product, uninstall old product if you have it and then load your new drivers. Migration can be done from any Immunet build from 1.0.14 up to current (1.0.24). You will be prompted for a reboot as we are replacing drivers with this install. Windows XP SP2 is not supported, only XP SP3 and up. Vista SP1 + and Windows 7 are also supported.

The primary changes in 1.0.25 are:

• Fixed an installer issue where some driver failures were occurring on non-native English OS installs.
• Fixed an 'Offline Mode' issue related to DNS under certain platforms.
• Increased efficacy of the ETHOS engine and reduced it's memory footprint.
• Fixed an issue with the local system cache which causes some look-ups to fail.

The Immunet Protect Beta 1.0.25 32 bit Updater is:Here
The Immunet Protect Beta 1.0.25 64 bit Updater is:Here

Our intention is for this to be our last update for the product until our April release.

All,

The updater files for migration to 1.0.24 are now posted. The updaters will install the new product, uninstall old product if you have it and then load your new drivers. Migration can be done from any Immunet build from 1.0.14 up to current (1.0.24). You will be prompted for a reboot as we are replacing drivers with this install. Windows XP SP2 is not supported, only XP SP3 and up. Vista SP1 + and Windows 7 are also supported.

The Immunet Protect Beta 1.0.24 32 bit Updater is: Here
The Immunet Protect Beta 1.0.24 64 bit Updater is: Here

Next week or the week after we will be shipping 1.0.25 which is purely a bug fix release. We will also ship updaters for this coming build.

Well, that’s a good question and not one that we have been clear enough about. This post will hopefully remedy that! Currently the Immunet Protect Beta has the ability to auto-update itself when it’s flagged from our cloud. We have not flagged an auto-update for the last 4 releases. If you are running Immunet Protect 1.0.18 or up there is no reason to manually upgrade at this point unless your trying to fix an issue and our Support group has asked you to upgrade. Our next release is 1.0.23, we’ll post and let you know our thoughts on that one as we get closer to it (it’s going into QA today). 

It’s important to remember that much of the functionality we build in (like our recent rollout of white listing) is driven from our cloud, not our desktop product. So often when we build new functionality you do not need to upgrade to take advantage of it. The same is true of many (but not all) of our virus detection technologies as well.

The reason we are not forcing people to upgrade (through our auto-update) feature is that we are trying to keep people in their builds as long as possible as long as they have no stability issues. This allows us to ‘persistence test’ over the beta period to watch how our software behaves in-field.

When we hit a point with our release schedule where we feel there is really protective (or stability related) benefit to people upgrading, we will perform an auto-update. This will certainly happen by April, quite possibly before. Once we pass out of beta (Immunet Protect 2.0) we will have fully scheduled update features, automated update etc. exposed in the product.

Cheers,

Al