CBAD Cloud Antimalware 2014

Will you support, review and share our software with other webpages?


  • Total voters
    44
Status
Not open for further replies.

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Personally I highly doubt that there would be people who would add to their machine by downloading additional .NET Frameworks...

The amount of downloads and actual usage of the program suggests otherwise.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
BIG UPDATE:

While I did not sleep for 19 hours now, I am proud to announce that we are very busy with a massive update to the program.
So the odds are that today there will be a new version which is MUCH MUCH better than this version.
I am not kidding... it's fireworks time.

Is the new version already out?
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Is the new version already out?

We are working on it as we speak, it will be ready when it's ready.
Look, the BETA was an early release, to please our MT fans and members and also to have a public test platform.
The next version needs to do better than that. Now I expect it to be ready soon, very soon, but if I need to invest a week in it then I will and you all just have to wait.

The standard is going to be only forward and not a step back.
And with that in mind our R&D team is working really hard, as it's the weekend and yet they are all sitting here with me.
That says something.

But thanks for asking man.
I will let you guys know.

PS: Can someone get a sample pack and just run the AV scan and see if the detection matches its removal?
I need to know if the program is consistent in detection vs actual removal.

Cheers
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
PS: Can someone get a sample pack and just run the AV scan and see if the detection matches its removal?
I need to know if the program is consistent in detection vs actual removal.

Cheers

Can this help - Click
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Can this help - Click

Well, it certainly does boost my confidence lol.
But that's not what I am asking. I mean, the program detects the malware, as you pointed out.
BUT does it also clean/delete them when you hit the clean button and follow the steps?
Because detection is different than removal.

Cheers
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
In this test I clicked Clean and it cleaned/deleted all :)
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
In this test I clicked Clean and it cleaned/deleted all :)

Alright, that's great.
Could you do that with a big sample pack and post me the log and scores?
From our end we see some weird things and we are trying to replicate some things which does not work in our test environment.
So could you try?
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Tomorrow, in the morning....OK?
 

nsm0220

Level 21
Verified
Sep 9, 2013
1,054
On-demand scan as advertised.

FMA Intel-Secure CBAD Cloud Antimalware 2014 will include Next-Generation technology to detect
and remove: Malware, Viruses, Exploits, Rootkits, Adware, Spyware, PUP, Rogue software and Zeroday
threats.


So it does not have RT scanning because that will be a premium feature.
What type of zero-day protection is it: a BB, HIPS or sandbox?
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
What type of zero-day protection is it: a BB, HIPS or sandbox?

The concept is totally different and I ask you to read the engine details as described in the intro, as it says it all.
We use an emulation technique that is close to virtualization yet is more advanced than sandbox or pure virtualization.
HIPS is not a factor here as HIPS is outdated and we do not use it.
So again, thanks for the question, but read the main topic in more detail and it will become clear how it works.

Cheers
 

Manzai

FMA website does not work :(

CHuH914.png
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Major update: BETA-2

After the storm yesterday, where so many of you tested our product with success, we have taken note of the little things that did not go as we planned, and as such we are releasing a massive update that will streamline the engine, our cloud and the way the engine responds.
As you all could see, the scanning is not the fastest in the world, yet as I said, performance and a slick-looking UI are not our priority.
Detection & Removal vs Stability is, and we have noticed that our BETA went like a charm on the surface, yet inside the server we did see some spikes in the data stream and how data was being processed.
And it might not look like much, given the very short amount of time our cloud is online; it did however perform very, very well.
As I said, we did have some spikes and little lag events, mainly because the "user" either has a crappy internet connection, or did have an overactive firewall, or has so many temp files and crap on the system that the host computer could not allocate enough resources to provide a steady upload and download speed towards our server.
Hence we did cap the detection capability to 10% to keep these spikes and lags from becoming uncontrollable.
If you take into account the very way we detect files (see intro main topic), then there are lots of variables and things that go wrong on both sides of the wire.

The servers have enough power to service thousands of people, yet the engine is in BETA and just needs to be tuned so it works smoothly from both sides (client vs server vs client). That said, the amount of data generated gave us enough to pinpoint direct problems and to come up with a solution.
Today, if everything works out, we will release an update which will include some new features (well, not new, we just enabled them and added them) and a more powerful engine which will run at the full 100% and will offer far superior capability in detection & removal & stability compared to the version that we released yesterday.
We fixed a bunch of bugs and to be honest I did not keep count, but we are talking triple digits here as we did have a pretty damn long list.
The engine will now use its advanced options, which were disabled in the first BETA, and so much more.

Now that does not mean everything will go smoothly, as there is just too much that I could list here that has changed, but yesterday you guys were playing around with a bare-bones engine; the update now will change that.
I do realize that it's early and I do realize that it is far from perfect, because we will do more updates as time passes.
Putting the program together is one thing, making it run as promised is another matter, and while we have tested the engine for many, many hours you have to keep in mind that a test system is just a test system. Nothing beats real-life data; only then do bugs and errors become visible.

That being said, we have high hopes, especially if we take yesterday as a benchmark to beat. And we will beat the bar set yesterday left, right and center, no doubt....
It's just that there is so much more to developing and getting it to run that we take things slow.
Slow is good, slow is nice... just the way we like it...

Anyway, I will announce it the moment the new version comes online.
Also I wanna thank everyone for the nice comments, and the time and effort to even run our program and see what it does.
You guys rock..

Cheers
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Here is the test with 416 malicious files in folder (malware is from this month).
Version: 1.0.0.1
Scanning finished in 24 min.
Score is: 373/416 = 89.66%
LOG: Pastebin
Is this OK for you Nico?

Clipboard00.png
Clipboard01.png
Clipboard02.png
Clipboard04.png
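
The check requested earlier in the thread (does what the scanner detected match what was actually removed?) can be made from file hashes taken before the scan and after "Clean". This is an added example, not part of any post and not FMA's code; the file names and the `detected` list are constructed, and the scanner's log format is not assumed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(folder):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(before, detected, after):
    """before/after: snapshot() taken before the scan and after "Clean".
    detected: relative paths the scanner flagged (copied from its log; the
    log format is not known from the thread, so none is assumed here)."""
    detected = set(detected) & set(before)
    gone = {p for p in before if p not in after}
    altered = {p for p in before if p in after and after[p] != before[p]}
    handled = gone | altered
    rate = round(100 * len(detected) / len(before), 2) if before else 0.0
    return {
        "samples": len(before),
        "detected": len(detected),
        "detection_rate": rate,
        "detected_still_present": sorted(detected - handled),  # removal failed
        "changed_not_detected": sorted(handled - detected),    # log disagrees with disk
        "cleaned_in_place": sorted(detected & altered),        # content rewritten
        "consistent": detected == handled,
    }


def demo():
    """Constructed run: four harmless placeholder files stand in for a sample pack."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("a.bin", "b.bin", "c.bin", "d.bin"):
            (root / name).write_text("placeholder " + name)
        before = snapshot(root)
        detected = ["a.bin", "b.bin", "c.bin"]      # constructed scanner result
        (root / "a.bin").unlink()                   # deleted by "Clean"
        (root / "b.bin").write_text("disinfected")  # cleaned in place
        # c.bin was reported but left untouched; d.bin was never detected
        return compare(before, detected, snapshot(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A non-empty `detected_still_present` list is the "detected but not removed" case; `changed_not_detected` shows files that changed on disk without appearing in the scan result.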
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
@Av Gurus

No, it's not OK, and yes, it is.
No, because the current engine did have some unexpected problems as outlined in the previous post; yes, because the detection of a simple sample pack with only 10% of its capability being 89%+ is fantastic.
The new engine is a whole different world in virtually everything, also our advancement in terms of cloud development is critical to the success of the engine itself and as such the capability will increase dramatically in both detection and removal.
Now with detection I mean false-positive wise, as the detection rate might even drop a tiny bit in favor of more accurate real detections.
After all, our engine is (see details in spoiler):

CBAD Dynamic analysis
A data file and its internal code are being analyzed and automatically evaluated based upon the visible
and hidden features within the code and the commands it tries to execute. When a suspicious action
is being found the file will be monitored by the CBAD Dynamic emulation.
CBAD Dynamic analysis will also validate software and processes in order to detect and remove fake,
rogue and PUP applications.

CBAD Dynamic emulation
A data file is encapsulated within a highly tuned and optimized environment that is designed to
emulate an operating system. The behavior and contents of the file and its internal code are being
monitored as it attempts to execute within the cloud-based virtual environment to discover known
and unknown threats.

CBAD Behavior & Anomaly analysis
During the behavior & anomaly analysis a data file is being monitored whenever sensitive or critical
data is about to be compromised by a malicious code.
All commands and codes that are being executed by a malicious file and its internal code while being
analyzed and monitored are being blocked and removed.
When the CBAD engine has blocked all active data streams, it will attempt to either clean or
completely remove the detected file and all of its malicious code. When a file is being cleaned or deleted, the CBAD engine will try to maintain the OS integrity and stability.
This will require a reboot, as the CBAD engine will only remove files from an inactive Windows in order to deny malicious code the chance to jump to other files and infect a new chain.

As I said, our engine is detecting files in a very different way, using Dynamic analysis, Dynamic emulation, Behavior & Anomaly analysis as you can read above. And that's a big deal, as the BETA did prove that this can be a game changer.
But that also shows that if a code is emulated in a wrong way then you get one massive FP wave through all our clients.
Because one scanner detecting a malicious code will tell the cloud and the cloud will tell all other scanner clients to look for this code.
And as such it will be added to the cloud's response. So next time the same code is being detected the engine does not have to go through the process of emulating a file that has previously been flagged as malicious, and the file is flagged by default.
It's kinda the same as a static signature database but then on steroids in a dynamic real-time way.
One could even say that it would be sort of a community effort, as every single scanner that is uploading to the cloud is also feeding the cloud part of the engine with data. So once a detection is made and it's proven that this was not a FP, then next time any of our scanners sees the same file it's bye bye file.
Obviously there is much more to it as this is just the easy part.

The reason I am writing this so long-winded is to explain why it's different and why we take it slow.
When the system works, and works in the way we programmed it to, then this is really something, as everyone could see that the engine in bare-bones mode does have something to offer, because as a first BETA it pretty much blew away my own expectations.
Now while the new engine will run at 100%, the full scan will still not be available and some other options will still be deactivated and not visible, and this is just because we want to be 100% sure that every single file detected is correctly handled by the cloud.
As the whole cloud system is based upon the feedback from all its child scanners, so to speak.

So yes, it's OK that you did this test, man, as it helps us understand the actual routine of the engine from a user POV rather than from a drawing-board prediction, and no, your tests also showed some weakness which I want to iron out.
So I cannot wait till we release the new version.

Cheers...

Damn what a long post... i should write a novel next time...
lol
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
I was thinking of doing a test with legit apps, maybe this evening or tomorrow.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Nico- I think that there may be a bit of an issue regarding the software and Internet access (Note that as I'm away from home now I was forced to do this on a laptop running Win 7 32 bit in a VM).

1). Software was installed and on multiple reboots worked properly at all times.
2). After booting into Safe Mode (or Safe Mode with Command Prompt) and attempting to run the program it was seen that the main executable renamed itself to Old.exe and would not run.
3). I set up a new VM, installed the application, then disabled Network access (this was in normal mode). Attempted to run the application with the same results as above (old.exe).

Would appreciate verification by any other member reading this.

(this issue is obviously semi-trivial as of course a Cloud application will always need network access in order to operate).
 

RmG152

Level 12
Verified
Jan 22, 2014
577
Downloaded 2 times and same error in 2 exes (translated from Spanish):

the server returns a reference
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Nico- I think that there may be a bit of an issue regarding the software and Internet access (Note that as I'm away from home now I was forced to do this on a laptop running Win 7 32 bit in a VM).

1). Software was installed and on multiple reboots worked properly at all times.
2). After booting into Safe Mode (or Safe Mode with Command Prompt) and attempting to run the program it was seen that the main executable renamed itself to Old.exe and would not run.
3). I set up a new VM, installed the application, then disabled Network access (this was in normal mode). Attempted to run the application with the same results as above (old.exe).

Would appreciate verification by any other member reading this.

(this issue is obviously semi-trivial as of course a Cloud application will always need network access in order to operate).

Within 20 minutes the new version is online. The reason the software did show old.exe is simple.
We remotely deactivated the scanner as our update function detected that the cloud has moved to a new version.
Which automatically disables the old version. This is not as we want it, but this is purely done because the cloud has not yet the ability to support multiple versions.
 