About Qihoo's QVM AI Engine


tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Researchers at AV-Test Institute, AV-Comparatives, and Virus Bulletin confirmed independently that the version of Qihoo's antivirus submitted for testing differed significantly from that provided to consumers. In particular, the version for testing relied solely on an engine licensed from Bitdefender, while the consumer-facing version used only Qihoo's own internal QVM engine. Analysis revealed that the QVM-only version "would provide a considerably lower level of protection and a higher likelihood of false positives," according to the report.

Antivirus Company Qihoo Censured for Cheating in Lab Tests

Now can someone please prove that things have positively changed after this old incident? :)
 

Deleted member 2913

If I remember correctly, cruelsister too had shown in a video how Qihoo was detecting something due to just packing & not any analysis/malicious behaviour, or something like this.

It was something like, cruelsister showed a clean file not detected by any AV at VT, and cruelsister then converted the file to SFX & uploaded it to VT & only Qihoo detected the file (FP) just because of packing.

I don't remember correctly but it was something like mentioned above.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Researchers at AV-Test Institute, AV-Comparatives, and Virus Bulletin confirmed independently that the version of Qihoo's antivirus submitted for testing differed significantly from that provided to consumers. In particular, the version for testing relied solely on an engine licensed from Bitdefender, while the consumer-facing version used only Qihoo's own internal QVM engine. Analysis revealed that the QVM-only version "would provide a considerably lower level of protection and a higher likelihood of false positives," according to the report.

Yes, but can't both the Bitdefender and Avira engines be easily updated in the program for no charge?
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Khan- You have a very good memory! The previous Q engine did indeed have a bunch of FPs, mostly by picking up various packers that are used frequently and legitimately by some developers; then there was stuff like the SFX modification. They cleared up this issue with the new engine (this I privately tested by doing a number of mods to a legit application). Further, they no longer consider all custom scripts as malicious, but instead evaluate each on what it will do.

And a strong point of Q over a number of free and paid traditional AVs that I haven't seen brought up in this thread is that it is quite good at detecting and preventing the dropping of malicious DLLs. It amazes me how many other respected AV solutions are lacking in this area.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
BUT QVM II AI ENGINE. DON'T YOU GET IT?

^ Marketing in full effect. This thread is full of evidence that it works.

I honestly had no idea that anyone wanted to get rid of Qihoo. That's really what this sounds like, that the company should be banned from offering their security program anywhere. Not that it's wrong by any means, but I really didn't know.

For me, it was an uphill challenge for Qihoo from the beginning. The odds of this Chinese company ever being taken seriously as a security provider were slim to none. I wasn't using the program until I saw a video where one of the executives explained their partnership with Amazon to deliver the updates for the program. I guess that was sometime around 2012. At that point I tried the program, and I decided I liked the program better than avast and so stayed with it. They haven't done anything that has scared me off of the product.

On income, please read this:

Qihoo 360 - Wikipedia

Maybe the article validates your point for some of you. I don't find anything in the article that sways me from using the program. There isn't any proof of anything other than that they enabled an engine that can be enabled in 5 seconds in their consumer product for a test. The rest is just allegations, and those can come just as easily from the jealous as from the righteous.

I know I am not going to change my mind over the contents of this thread. It's a fair discussion, but on this one, I feel like I have said as much as I can about the company and the product. I am just going to slip out of the conversation here.
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
And a strong point of Q over a number of free and paid traditional AVs that I haven't seen brought up in this thread is that it is quite good at detecting and preventing the dropping of malicious DLLs. It amazes me how many other respected AV solutions are lacking in this area.

This is something I am very interested in. Could you elaborate further on this topic?
 

bayasdev

Level 19
Thread author
Verified
Top Poster
Well-known
Sep 10, 2015
901
This right here is a perfect example regarding FP detections. Hmm, yes, because your projects surely contain a malicious sequence of bytes, right?...

No, I coded it handmade

This does seem to me like a good place to hide malware, honestly. Each project contains executables, and it seems like an easy place to drop something. By default it all goes in the user Documents folder, and a phoney project could easily be dropped there without proper monitoring. I think the best posture on this software is the same posture applied to every other security software. Find what works for you. That's my angle on the whole thing.

Unless someone wants to come out and say that they have a problem other than FPs with Qihoo 360TS, I feel the above is the best approach to this issue. If it is something else, well, that would change the debate a great deal.

Surely not, because I keep my machine running MBAM every weekend and the projects are coded by myself; also, I uploaded the compiled executables to VT and Qihoo is the only vendor that detects them as malware.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Fleischmann- It's actually rather easy- the original malware does not actually do anything malicious itself, but will drop the payload DLL somewhere on the system (it can be anywhere)- this would be the payload. It will then command Windows' own rundll32 to run it, thus starting the malicious process. Many types of malware work this way, including RATs and ransomware. If you are interested, I published a RAT video on May 28 (Those Nasty RATS Part 1) that does a basic demonstration of this, and will be publishing a video on Dec 3 with a ransomware variant using the same technique.

Geminis- You bring up an excellent point! The issue of Scriptors of various types is a real concern in the Security space, especially in the Corporate area. As I'm sure you are aware scripts of various sorts are used commonly to automate various things, and as Corporate security solutions are also aware of this they tend to be permissive in allowing these scripts to proceed. The reason for this is that they, in the absence of a specific definition, can't differentiate between a legit script and a malicious one- this has led to major breaches like the Target and Home Depot affairs. Also the scriptor issue was the main reason why Microsoft initiated AMSI in Windows 10.

Qihoo has taken a different approach to prevent scriptors (normally worms). They tend to assume all are bad, the philosophy being that as Qihoo is a Home use product the vast majority of users aren't going to code their own scripts (unlike you and me), so an unknown script that can be even potentially malicious will be flagged. The upside of this is that stuff like worms will be stopped as well as the currently popular JScript and vbs ransomware vectors will be flagged. The obvious downside is that custom stuff written by you may also be stopped, but the (valid) assumption is that as you obviously know what you are doing this shouldn't be an issue. Just as a sidenote, Qihoo has gotten better recently as they formerly would flag even a batch file to restart the computer.

So yeah, Q is no doubt flagging your custom stuff. But for the majority of users this is a very good thing.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Do you mean that the program uses too many resources? I haven't noticed this. Presently, I have it installed on 4 PCs, even on an old Pentium 4 1.5 GHz computer with 1.125 GB of RAM. This is also with the Bitdefender and Avira engines enabled, btw. I replaced avast on two of the PCs, and it uses noticeably fewer processor resources. Haven't noticed anything unusual about memory usage to speak of to date.

Well, I'm not referring much to the stability of Qihoo; it's more about very slight issues on protection which are mentioned everywhere.

But Qihoo is fine to use on a daily basis.



A question for those that do trust Qihoo:
If I develop a security suite that has >50% false positives, it blocks the majority of bad files, but also the majority of good. Have I made a good security suite?

This is the biggest thing that peeves me about Qihoo's "detection rate". Sure it's great, but it's not hard to replicate if you add the majority of files to a blacklist (and the malware files of those that pay you off to a whitelist :eek::eek::eek:).

Yes, but it hurts usability, since stability holds the possibility of erroneous detection.

With the help of cloud and other whitelisting, the configuration must be saved and marked as trusted to skip on-access and real-time scanning.


My experience with 360TS was excellent, but it detected my Visual Basic 2015 projects as Trojans, so I need to change to another antivirus.

Simply because the source code we implemented is known to execute low-level behavior (critical access) which is equivalent to malicious ones; thus, without any valid reference to make it trusted, the AV marks it malicious instead by generic detection.

I don't know how Qihoo makes money & so I can't trust them.

Qihoo is not only an antivirus company but the same as Google, where advertising is the number one source of income.

Selling of information through different areas like gaming.
 

Sia-Dst

Level 1
Verified
Aug 31, 2016
18
Thank you for the answer - Anyway, I haven't used an antivirus for the last 5 years and don't have any problem that Qihoo can solve.
 

Deleted member 2913

Khan- You have a very good memory! The previous Q engine did indeed have a bunch of FPs, mostly by picking up various packers that are used frequently and legitimately by some developers; then there was stuff like the SFX modification. They cleared up this issue with the new engine (this I privately tested by doing a number of mods to a legit application). Further, they no longer consider all custom scripts as malicious, but instead evaluate each on what it will do.

And a strong point of Q over a number of free and paid traditional AVs that I haven't seen brought up in this thread is that it is quite good at detecting and preventing the dropping of malicious DLLs. It amazes me how many other respected AV solutions are lacking in this area.
I do have kind of an elephant memory ;) Thank you

It's good to know Qihoo cleared up the issue with the new engine.

Are malicious DLLs detected/prevented by Qihoo AV or HIPS?
 

Deleted member 2913

Off topic I know, but aside from the system cleanup and speedup components are there any real differences as regards protection between Q360TS and Q360TSE?
I think core protection should be the same.
It does seem to me that TS gets priority over TSE. New features, options, etc... are implemented first in TS & later in TSE.
I guess PUA protection option was first implemented in TS & later in TSE.
Some iOS virus or something protection option was first added in TS & later in TSE.

I think you can check the changelog/date on official site & compare.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
I think core protection should be the same.
It does seem to me that TS gets priority over TSE. New features, options, etc... are implemented first in TS & later in TSE.
I guess PUA protection option was first implemented in TS & later in TSE.
Some iOS virus or something protection option was first added in TS & later in TSE.

I think you can check the changelog/date on official site & compare.
Thank you Yash Khan, that makes sense. I do find the system cleaner in the TS version extremely thorough when I've used it, it reminds me of Advanced Systemcare.

Back on topic: Now CS has explained the reasons for the FP's in Q360 it does make a lot of sense. I think the key here is education on how specific security software actually operates.

Edit to add: It does make me wonder, however, if the regular everyday users are ready for such protection. I think we've reached a point, well, we're past the point where users, even just regular users, need a good solid understanding of security software, how it works and why; ultimately the user is THE protection.

Perhaps some of us could all chip in and start a series on basic computer security knowledge including the many different areas that fall under that umbrella, such as different security software, different kinds of infections, safe online and offline usage etc., and then have that series pinned on the forums. I think a good start would be teaching users how to secure their Windows OS using built-in tools such as SRP, standard user accounts, OS and software updates, so the user has a foundation knowledge of the actual OS security before they start adding X amount of security software and therefore increasing their attack surface before they even know how to lock down their systems using the tools in the OS.

I think it would be an excellent series, and we could vote on the areas to be covered in said series then choose the best people for each specific part of the series.

So, let's say part 1 of the series covers how to set up and use the OS security itself without adding any 3rd party software, and then once people have a solid understanding we/they can build from a rock solid foundation.
 

Wave

Are malicious DLLs detected/prevented by Qihoo AV or HIPS?
If the malicious DLL is detected by the static detection then of course it will be flagged. As for malicious DLLs being detected by HIPS, the Dynamic Link Library has to be loaded by a process to execute its code; therefore when the process loads this DLL, as long as the process is being monitored by Qihoo, the code will be intercepted by Qihoo to trigger the BB/HIPS as long as it does something to trigger it.

For example, let's say I have a program called launcher.exe which drops a DLL called test.dll into Documents. Launcher.exe then spawns a new process called hello.exe which then calls LoadLibraryA on test.dll. This DLL (test.dll) then becomes loaded into hello.exe and therefore the DllMain function is called (the entry point to the Win32 DLL). However, hello.exe is being monitored by Qihoo, therefore anything the DLL does is being monitored by Qihoo, since the code is executing from within hello.exe (when you load a DLL it becomes loaded into the address space of the executing process, and it'll get a new thread for its execution).

As long as Qihoo doesn't white-list the DLL which is being loaded or miss the new process spawn to monitor it as well (e.g. way of spawning a process without Qihoo being aware - maybe possible depending on the method it uses to detect process creation/via vulnerability in Windows) then it should be fine and should be monitored by the HIPS.

Regarding the Qihoo AV detection, the real-time protection should be notified of the DLL once it becomes dropped by the launcher.exe (from the example). The chances are, Qihoo will use a file system mini-filter device driver, and register callbacks to monitor things like file write operations (e.g. FltRegisterFilter).

There is no way for Qihoo to know if a DLL is malicious or not before code execution if it isn't picked up by the signatures/heuristics, but a good additional scanning sign could be monitoring when a DLL is being dropped to a sensitive location like the Windows folder. I am not sure if Qihoo does things like this.
 

Wave

I couldn't resist doing some internal checking, but I will provide very little information: they do utilise kernel-mode callbacks, it seems they perform their injection from kernel-mode and I think they put more effort into their products than vendors like AVG have (just based on the quick internal research).

Personally I do not trust Qihoo as much as other vendors like ESET, Kaspersky, Emsisoft, Avast,... However there is no denying that they do have a decent product out there for free; regardless of their practices being ethical or not, the point is that the product is actually fairly decent at the least and they do some pretty decent things.

Kernel-mode callbacks which are used at some point or another:
- PsSetCreateProcessNotifyRoutine
- FltRegisterFilter
- PsSetCreateThreadNotifyRoutine
- PsSetLoadImageNotifyRoutine
- (more but I didn’t check everything)

It seems they also auto-ignore system processes based on file path such as: lsass.exe; svchost.exe; services.exe; csrss.exe; smss.exe; winlogon.exe; explorer.exe; wininit.exe; lsm.exe.

I don't want to detail anything else because it's not my place since it's not my project. Although I've barely shared much, the project is very big... And there is no need for a full analysis.

The analysis was too quick due to lack of time, but I will end this post with that they do indeed have a pretty decent product (whether I like their marketing/trust them or not) and as long as you use their product wisely with alerts and watch what you are doing like with any other product, it can probably protect you well.

As an ending resort to this post, I would like to say that if you do not like Qihoo then just don't use it, and if you do like them/trust them then go for it. After some more testing than last time and proper internal checks I actually like Qihoo much more than before and rate it higher than other vendors like AVG and even Avira. And let's all agree to disagree if anything so we don't end up fighting.

Thanks for reading. :)
 
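As an added example (not code from this thread and not Qihoo's), here is the correlation that Wave's two posts and cruelsister's drop-then-rundll32 description imply: constructed events standing in for the FltRegisterFilter (file write), PsSetCreateProcessNotifyRoutine (process create) and PsSetLoadImageNotifyRoutine (image load) callbacks are replayed, and a DLL freshly written to a user-writable or sensitive location and then loaded by the writer or its child process is flagged. The event shape, the sample paths and the full-path system-process allowlist are assumptions made for the example.

```python
"""Replay constructed kernel-callback events and flag a dropped-then-loaded DLL."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed locations: user-writable (Documents, Downloads, ...) and sensitive (Windows dir).
USER_WRITABLE = ("c:\\users\\",)
SENSITIVE = ("c:\\windows\\",)

# The system processes Wave says get auto-ignored, keyed on FULL path rather than bare
# file name (assumed layout): a bare-name match would also skip a same-named file elsewhere.
SYSTEM_PROCESS_PATHS = {
    "c:\\windows\\system32\\" + n for n in (
        "lsass.exe", "svchost.exe", "services.exe", "csrss.exe", "smss.exe",
        "winlogon.exe", "wininit.exe", "lsm.exe")
} | {"c:\\windows\\explorer.exe"}  # explorer.exe lives in %SystemRoot% itself


@dataclass
class Event:
    kind: str         # "file_write" | "process_create" | "image_load" (assumed names)
    pid: int          # acting process
    image: str        # full path of the acting process
    target: str       # file written, image loaded, or child executable
    child_pid: int = 0


def is_trusted_system_process(image: str) -> bool:
    return image.lower() in SYSTEM_PROCESS_PATHS


def correlate(events: List[Event]) -> List[Tuple[int, str, str]]:
    written: Dict[str, int] = {}      # dll path -> pid that wrote it
    parent_of: Dict[int, int] = {}    # child pid -> parent pid
    alerts: List[Tuple[int, str, str]] = []
    for ev in events:
        if is_trusted_system_process(ev.image):
            continue                   # the path-based skip Wave observed
        t = ev.target.lower()
        if ev.kind == "file_write" and t.endswith(".dll"):
            written[t] = ev.pid
            if t.startswith(SENSITIVE):   # the extra sign Wave suggests watching
                alerts.append((ev.pid, "dll-write-to-sensitive-location", t))
        elif ev.kind == "process_create":
            parent_of[ev.child_pid] = ev.pid
        elif ev.kind == "image_load" and t in written:
            writer = written[t]
            related = writer == ev.pid or parent_of.get(ev.pid) == writer
            if related and t.startswith(USER_WRITABLE + SENSITIVE):
                alerts.append((ev.pid, "load-of-freshly-dropped-dll", t))
    return alerts


# Constructed sample mirroring Wave's launcher.exe -> test.dll -> hello.exe example.
SAMPLE_EVENTS = [
    Event("file_write", 1000, r"C:\Users\alice\Downloads\launcher.exe", r"C:\Users\alice\Documents\test.dll"),
    Event("process_create", 1000, r"C:\Users\alice\Downloads\launcher.exe", r"C:\Users\alice\Downloads\hello.exe", child_pid=1001),
    Event("image_load", 1001, r"C:\Users\alice\Downloads\hello.exe", r"C:\Users\alice\Documents\test.dll"),
    Event("image_load", 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll"),  # benign, skipped
]

if __name__ == "__main__":
    for pid, reason, path in correlate(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}: {path}")
```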