About Qihoo's QVM AI Engine

[tim one]

Researchers at AV-Test Institute, AV-Comparatives, and Virus Bulletin confirmed independently that the version of Qihoo's antivirus submitted for testing differed significantly from that provided to consumers. In particular, the version for testing relied solely on an engine licensed from Bitdefender, while the consumer-facing version used only Qihoo's own internal QVM engine. Analysis revealed that the QVM-only version "would provide a considerably lower level of protection and a higher likelihood of false positives," according to the report.

Antivirus Company Qihoo Censured for Cheating in Lab Tests

Now can someone please prove that things have positively changed after this old incident ?

 

[Sia-Dst]

Good Point "tim one"

 

[Deleted member 2913]

If I remember correctly, cruelsister too had shown in a video how Qihoo detecting something due to just packing & not any analysis/malicious or something like this.

It was something like, cruelsister showed a clean file not detected by any AV at VT And cruelsister then converted the file to SFX & uploaded to VT & only Qihoo detected the file (FP) just coz of packing.

I dont remember correctly but it was something like mentioned above.

 

[XIII]

Text that I didn't bother reading.

BUT QVM II AI ENGINE. DON'T YOU GET IT?

^ Marketing in full effect. This thread is full of evidence that it works.

 

[AtlBo]

Researchers at AV-Test Institute, AV-Comparatives, and Virus Bulletin confirmed independently that the version of Qihoo's antivirus submitted for testing differed significantly from that provided to consumers. In particular, the version for testing relied solely on an engine licensed from Bitdefender, while the consumer-facing version used only Qihoo's own internal QVM engine. Analysis revealed that the QVM-only version "would provide a considerably lower level of protection and a higher likelihood of false positives," according to the report.

Yes, but can't both the Bitdefender and Avira engines be easily update in the program for no charge?

 

[cruelsister]

Khan- You have a very good memory! The previous Q engine did indeed have a bunch of FP's, mostly by picking up various packers that are used frequently and legitimately by some developers; then there was stuff like the SFX modification. They cleared up this issue with the new engine (this I privately tested by doing a number of Mods to a legit application). Further they no longer consider all custom scripts as malicious, but instead evaluate each on what it will do.

And a strong point of Q over a number of free and paid traditional AV's that I haven't seen brought up in this thread it that it is quite good at detecting and preventing the dropping of malicious dll's. It amazes me how many other respected AV solutions are lacking in this area.

 

[AtlBo]

BUT QVM II AI ENGINE. DON'T YOU GET IT?

^ Marketing in full effect. This thread is full of evidence that it works.

I honestly had no idea that anyone wanted to get rid of Qihoo. That's really what this sounds like, that the company should be banned from offering their security program anywhere. Not that it's wrong by any means, but I really didn't know.

For me, it was an uphill challenge for Qihoo from the beginning. The odds of this Chinese company ever being taken seriously as a security provider were slim and none. I wasn't using the program until I saw a video where one of the executives explained their partnership with Amazon to deliver the updates for the program. I guess that was sometime around 2012. At that point I tried the program, and I decided I like the program better than avast and so stayed with it. They haven't done anything that has scared me off of the product.

On income, please read this:

Qihoo 360 - Wikipedia

Maybe the article validates your point for some of you. I don't find anything in the article that sways me from using the program. There isn't any proof of anything other than that they enabled an engine that can be enabled in 5 seconds in their consumer product for a test. The rest is just allegations, and those can come just as easily from the jealous as from the righteous.

I know I am not going to change my mind over the contents of this thread. It's a fair discussion, but on this one, I feel like I have said as much as I can about the company and the product. I am just going to slip out of the conversation here.

 

[FleischmannTV]

And a strong point of Q over a number of free and paid traditional AV's that I haven't seen brought up in this thread it that it is quite good at detecting and preventing the dropping of malicious dll's. It amazes me how many other respected AV solutions are lacking in this area.

This is something I am very interested in. Could you elaborate further on this topic?

 

[Azure]

I don't know how qihoo make money & so I can't trust them.

Why is Qihoo 360 Security free?
You can read the comments there. Hopefully that answers your question.

 

[mamamia]

I don't know how qihoo make money & so I can't trust them.

If you want to pay for Qihoo, here is the solution:

360 PREMIUM MEMBERSHIP | 360 TOTAL SECURITY :
_____
(...)
Best security at an affordable price=
Only €9.99 per year with 30-day money back guarantee.

 

[bayasdev]

This right here is a perfect example regarding FP detection's. Hmm, yes because your projects surely contain malicious sequence of bytes, right?...

No, I coded it handmade

This does seem to me like a good place to hide malware, honestly. Each project contains executables, and it seems like an easy place to drop something. By default it all goes in the user Documents folder, and a phoney project could easily be dropped there without proper monitoring. I think the best posture on this software is the same posture applied to every other security software. Find what works for you. That's my angle on the whole thing.

Unless someone wants to come out and say that they have a problem other than FPs with Qihoo 360TS, I feel the above is the best approach to this issue. If it is something else, well, that would change the debate a great deal.

Surely not because I keep my machine running MBAM every weekend and the projects are coded by myself, also I uploaded the compiled executables to VT and Qihoo is the only vendor that detects it as malware.

 

[cruelsister]

Fleischmann- It's actually rather easy- the original malware does not actually do anything malicious itself, but will drop the payload dll somewhere on the system (it can be anywhere)- this would be the payload. It will then command Windows own rundll32 to run it, thus starting the malicious process. Many types of malware work this way including RAT's and Ransomware. If you are interested I published a RAT video on may 28 (Those Nasty RATS Part 1) that does a basic demonstration of this, and will be publishing a video on Dec 3 with a ransomware variant using the same technique.

Geminis- You bring up an excellent point! The issue of Scriptors of various types is a real concern in the Security space, especially in the Corporate area. As I'm sure you are aware scripts of various sorts are used commonly to automate various things, and as Corporate security solutions are also aware of this they tend to be permissive in allowing these scripts to proceed. The reason for this is that they, in the absence of a specific definition, can't differentiate between a legit script and a malicious one- this has led to major breaches like the Target and Home Depot affairs. Also the scriptor issue was the main reason why Microsoft initiated AMSI in Windows 10.

Qihoo has taken a different approach to prevent scriptors (normally worms). They tend to assume all are bad, the philosophy being that as Qihoo is a Home use product the vast majority of users aren't going to code their own scripts (unlike you and me), so an unknown script that can be even potentially malicious will be flagged. The upside of this is that stuff like worms will be stopped as well as the currently popular JScript and vbs ransomware vectors will be flagged. The obvious downside is that custom stuff written by you may also be stopped, but the (valid) assumption is that as you obviously know what you are doing this shouldn't be an issue. Just as a sidenote, Qihoo has gotten better recently as they formerly would flag even a batch file to restart the computer.

So yeah, Q is no doubt flagging your custom stuff. But for the majority of users this is a very good thing.

 

[jamescv7]

Do you mean that the program uses too many resources? I haven't noticed this. Presently, I have it installed on 4 PCs, even on an old Pentium 4 1.5 GHz computer with 1.125 GB of RAM. This is also with the Bitdefender and Avira engines enabled btw. I replace avast on two of the PCs, and it uses noticibly less processor-wise resources. Haven't noticed anything unusual about memory usage to speak of to date.

Well I'm not referring much on stability of Qihoo, its more on very slight issues on protection which mentioned everywhere.

But Qihoo is fine to use for daily basis.

A question for those that do trust Qihoo:
If I develop a security suite that has >50% false positive, it blocks the majority of bad files, but also the majority of good. Have I made a good security suite?

This is the biggest thing that peeves me about Qihoo's "detection rate". Sure it's great, but it's not hard to replicate if you add the majority of files to a blacklist (and the malware files of those that pay you off to a whitelist ).

Yes but it hurts under of usability, since stability holds the possible of erroneous detection.

With the help of cloud and other whitelisting, the configuration must save and marked as trusted to skip for on-access and realtime.

My experience with 360TS was excellent but it detected my Visual Basic 2015 projects as Trojans I need to change to another antivirus.

Simply because, the source code we implemented are known to execute low-level behavior (critical access) which equivalent to malicious ones, thus without any valid reference to make it trusted so the AV mark malicious instead by generic detection.

I don't know how qihoo make money & so I can't trust them.

Qihoo is not only an Antivirus company but same like Google where advertising is t the number one source of income.

Selling of information through different areas like gaming.

 

[Sia-Dst]

Thank you for answer - Anyway I don't use Antivirus for last 5 year and don't have any problem that qihoo can solve.

 

[Deleted member 2913]

Khan- You have a very good memory! The previous Q engine did indeed have a bunch of FP's, mostly by picking up various packers that are used frequently and legitimately by some developers; then there was stuff like the SFX modification. They cleared up this issue with the new engine (this I privately tested by doing a number of Mods to a legit application). Further they no longer consider all custom scripts as malicious, but instead evaluate each on what it will do.

And a strong point of Q over a number of free and paid traditional AV's that I haven't seen brought up in this thread it that it is quite good at detecting and preventing the dropping of malicious dll's. It amazes me how many other respected AV solutions are lacking in this area.

I do have kinda Elephant Memory Thank You

Its good to know Qihoo cleared up the issue with the new engine.

Malicious dll's is detected/prevented by Qihoo AV or HIPS?

 

[ZeroDay]

Off topic I know, but aside from the system cleanup and speedup components are there any real differences as regards protection between Q360TS and Q360TSE?

 

[Deleted member 2913]

Off topic I know, but aside from the system cleanup and speedup components are there any real differences as regards protection between Q360TS and Q360TSE?

I think core protection should be the same.
It does seem to me that TS gets priority over TSE. New features, options, etc... are implemented first in TS & later in TSE.
I guess PUA protection option was first implemented in TS & later in TSE.
Some iOS virus or something protection option was first added in TS & later in TSE.

I think you can check the changelog/date on official site & compare.

 

[ZeroDay]

I think core protection should be the same.
It does seem to me that TS gets priority over TSE. New features, options, etc... are implemented first in TS & later in TSE.
I guess PUA protection option was first implemented in TS & later in TSE.
Some iOS virus or something protection option was first added in TS & later in TSE.

I think you can check the changelog/date on official site & compare.

Thank you Yash Khan, that makes sense. I do find the system cleaner in the TS version extremely thorough when I've used it, it reminds me of Advanced Systemcare.

Back on topic: Now CS has explained the reasons for the FP's in Q360 it does make a lot of sense. I think the key here is education on how specific security software actually operates.

Edit to add: It does make me wonder however if the regular everyday users are ready for such protection. I think we've reached a point, well We're passed the point where users, even just regular users need a good solid understanding of security software, how it works and why, ultimately the user is THE protection.

Perhaps some of us could all chip in and start a series on basic computer security knowledge including the many different areas that fall under that umbrella such as different security software, different kinds of infections, safe online and offline usage etc and then have that series pinned on the forums. I think a good start would be learning users how to secure their Windows OS using build in tools such as SRP, Standard user accounts, OS and software updates so the user has a foundation knowledge of the actual OS security before they start adding X amount of security software and therefore increasing their attack surface before they even know how to lock down their systems using the tools in the OS.

I think it would be an excellent series and we could vote on the areas to be covered in said series then choose the best people for each specific part of the series.

So, let's say part 1 of the series covers how to setup up and use the OS security It's self without adding any 3tf party software and then once people have a solid understanding we/they can build from a rock solid foundation.

 

[Wave]

Malicious dll's is detected/prevented by Qihoo AV or HIPS?

If the malicious DLL is detected by the static detection then of course it will be flagged. As for malicious DLLs being detected by HIPS, the Dyamic Link Library has to be loaded by a process to execute it's code; therefore when the process loads this DLL, as long as the process is being monitored by Qihoo, the code will be intercepted by Qihoo to trigger the BB/HIPS as long as it does something to trigger it.

For example, let's say I have a program called launcher.exe which drops a DLL called test.dll into Documents. Launcher.exe then spawns a new process called hello.exe which then calls LoadLibraryA on test.dll. This DLL (test.dll) then becomes loaded into hello.exe and therefore the DllMain function is called (the entry point to the Win32 DLL). However, hello.exe is being monitored by Qihoo, therefore anything the DLL does is being monitored by Qihoo, since the code is executing from within hello.exe (when you load a DLL it becomes loaded into the address space of the process executing, it'll get a new thread for it's execution).

As long as Qihoo doesn't white-list the DLL which is being loaded or miss the new process spawn to monitor it as well (e.g. way of spawning a process without Qihoo being aware - maybe possible depending on the method it uses to detect process creation/via vulnerability in Windows) then it should be fine and should be monitored by the HIPS.

Regarding the Qihoo AV detection, the real-time protection should be notified of the DLL once it becomes dropped by the launcher.exe (from the example). The chances are, Qihoo will use a file system mini-filter device driver, and register callbacks to monitor things like file write operations (e.g. FltRegisterFilter).

There is no way for Qihoo to know if a DLL is malicious or not before code execution if it isn't picked up by the signatures/heuristics, but a good additional scanning sign could be monitoring when a DLL is being dropped to a sensitive location like the Windows folder. I am not sure if Qihoo does things like this.

 

[Wave]

I couldn't resist doing some internal checking but the only information I will provide very little information: they do utilise kernel-mode callbacks, it seems they perform their injection from kernel-mode and I think they put more effort into their products than vendors like AVG has (just based on the quick internal research).

Personally I do not trust Qihoo as much as other vendors like ESET, Kaspersky, Emsisoft, Avast,... However there is no denying that they do have a decent product out there for free, regardless of their practises being ethical or not, the point is that the product is actually fairly decent at the least and they do some pretty decent things.

Kernel-mode callbacks which are used at some point or another:
- PsSetCreateProcessNotifyRoutine
- FltRegisterFilter
- PsSetCreateThreadNotifyRoutine
- PsSetLoadImageNotifyRoutine
- (more but I didn’t check everything)

It seems they also auto-ignore system processes based on file path such as: lsass.exe; svchost.exe; services.exe; csrss.exe; smss.exe; winlogon.exe; explorer.exe; wininit.exe; lsm.exe.

I don't want to detail anything else because it's not my place since it's not my project. Although I've barely shared much, the project is very big... And there is no need for a full analysis.

The analysis was too quick due to lack of time, but I will end this post with that they do indeed have a pretty decent product (whether I like their marketing/trust them or not) and as long as you use their product wisely with alerts and watch what you are doing like with any other product, it can probably protect you well.

As an ending resort to this post, I would like to say that if you do not like Qihoo then just don't use it, and if you do like them/trust them then go for it. After some more testing than last time and proper internal checks I actually like Qihoo much more than before and rate it higher than other vendors like AVG and even Avira. And let's all agree to disagree if anything so we don't end up fighting.

Thanks for reading.