Probably the most useful video. I might come back with comments...after 15-20 min
Back. Useful video indeed. I would like to see more videos like this. Here is my attept to explain different kind of anti-malware technologies:
A signature can best be discribed as the fingerprint of a malicious file. Usually it needs to be created by a person analizyng the executable in a debugger and identifying intructions that are speciffic to it. In the case of an actual virus that attaches itself to files the signature also contains instructions on how to dosinfect that file. Therefore a good database of signatures is hard to obtain. The main advantage of signatures: they are the only thing that can remove infections. The main disadvantage: it takes time to obtain a signature and new malware (0-day) is created every day - antivirus authors can't keep up.
Heuristics: Malware authors can, for example, pack their executables or insert instructions that don't do anything to avoid being detected using a signature. The heuristics engine is able to say with a given certainty that a file resambles a specific piece of malware. Advantage: can detect new versions of older malware. Disadvantage: produces false-positives and most 0-day malware geets through.
HIPS: a more classic HIPS product monitors every activity a certain executable does on the system. When the executable performs certain actions the HIPS product alerts the user. Advantages: doesn't need signatures, it doesn't matter if the malware is old or new, it will trigger an alert. Disadvantage: Many alerts sometimes generated by good software, the user needs to know how to interpret them.
Behavior blocker: a classic HIPS will alert every action a software does, the user needs to approve or reject every one, the executable is allowed to continue running (if able). A behavior blocker will alert the user only once after the executable peformed several actions that are considered to be potentially malicious. The user decides if the executable will be stopped (completely) or if it will be allowed to run (the behavior blocker will no longer monitor it). Advantages: fewer pop-ups, can detect 0-day. Disadvantages: the user needs to know how to interpret the pop-up, since the executable is allowed te perform several actions untill a alert is displayed some minor changes to the system can ocur.
Modern HIPS products use multiple technologies to reduce the number of pop-ups and in most cases they present you with the opportunity to stop/allow an executable after it triggered some alerts (they can behave like a behavior blocker). Therefore they can be used by a wider range of users. Advanced users still have the option to edit a list of actions an executable can't perform while allowing it to run. For example you can prohibit a program to acess the internet but allow it to do exerything else, something you are not able to do with behavior blockers.
You was not wrong there, very informative indeed! I do agree with it would be nice to see more videos Bogdan but in my opinion there is only so much you can explain without repeating yourself too much. Thanks also for the additional writing material, even know I know the basics of what everything is about and how they work it's nice to have it to read in another format.
+1 to both fo you (oh and to the person who actually made the video of course) heh heh.