Demonstration: Different Kinds of Anti-Malware Solutions and How They Work...
<blockquote data-quote="bogdan" data-source="post: 1985" data-attributes="member: 2"><p>Probably the most useful video. I might come back with comments...after 15-20 min :)</p>
<p>Back. Useful video indeed. I would like to see more videos like this. Here is my attempt to explain different kinds of anti-malware technologies:</p>
<p><strong>A signature</strong> can best be described as the fingerprint of a malicious file. Usually it needs to be created by a person analyzing the executable in a debugger and identifying instructions that are specific to it. In the case of an actual virus that attaches itself to files, the signature also contains instructions on how to disinfect that file. Therefore a good database of signatures is hard to obtain. The main <strong>advantage</strong> of signatures: they are the only thing that can remove infections. The main <strong>disadvantage</strong>: it takes time to obtain a signature and new malware (0-day) is created every day - antivirus authors can't keep up.</p>
<p><strong>Heuristics</strong>: Malware authors can, for example, pack their executables or insert instructions that don't do anything to avoid being detected using a signature. The heuristics engine is able to say with a given certainty that a file resembles a specific piece of malware. <strong>Advantage</strong>: can detect new versions of older malware. <strong>Disadvantage</strong>: produces false positives and most 0-day malware gets through.</p>
<p><strong>HIPS</strong>: a more <em>classic</em> HIPS product monitors every activity a certain executable does on the system. When the executable performs certain actions the HIPS product alerts the user. <strong>Advantages</strong>: doesn't need signatures; it doesn't matter if the malware is old or new, it will trigger an alert. <strong>Disadvantage</strong>: many alerts, sometimes generated by good software; the user needs to know how to interpret them.</p>
<p><strong>Behavior blocker</strong>: a classic HIPS will alert on every action a piece of software does; the user needs to approve or reject every one, and the executable is allowed to continue running (if able). A behavior blocker will alert the user only once, after the executable has performed several actions that are considered to be potentially malicious. The user decides if the executable will be stopped (completely) or if it will be allowed to run (the behavior blocker will no longer monitor it). <strong>Advantages</strong>: fewer pop-ups, can detect 0-day. <strong>Disadvantages</strong>: the user needs to know how to interpret the pop-up, and since the executable is allowed to perform several actions until an alert is displayed, some minor changes to the system can occur.</p>
<p>Modern HIPS products use multiple technologies to reduce the number of pop-ups and in most cases they present you with the opportunity to stop/allow an executable after it has triggered some alerts (they can behave like a behavior blocker). Therefore they can be used by a wider range of users. Advanced users still have the option to edit a list of actions an executable can't perform while allowing it to run. For example, you can prohibit a program from accessing the internet but allow it to do everything else, something you are not able to do with behavior blockers.</p></blockquote>
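To make the four approaches in bogdan's post concrete, here is a toy model of each, written as an added example for this thread rather than anything from the video or from any real product. The "files" are constructed byte strings, the "programs" are constructed lists of action names, and every signature, threshold and risk weight is made up for illustration. It shows the trade-offs the post describes: the signature scanner names exactly what it knows and nothing else; the heuristic scorer flags a high-entropy (packed-looking) sample with do-nothing padding that carries no known fingerprint; the classic HIPS raises one alert per monitored action; and the behavior blocker stays quiet until accumulated risk crosses a threshold, so the actions performed before that point have already happened.

```python
"""Toy models of signature, heuristic, classic-HIPS and behavior-blocker detection.

Constructed sample data only: the 'files' are short byte strings and the
'programs' are lists of action names; nothing here touches a real system.
"""
import math
from collections import Counter

# --- Signatures: exact fingerprints of known samples (constructed values) ---
SIGNATURES = {
    b"EVIL-DROPPER-v1": "Trojan.Dropper.A",
    b"WORM-X-PAYLOAD": "Worm.X",
}


def signature_scan(data: bytes):
    """Return the malware name if a known fingerprint is present, else None."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


# --- Heuristics: judge a file by its traits, not by exact bytes ------------
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 means packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of 0x90 (x86 NOP) bytes: do-nothing padding."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def heuristic_score(data: bytes) -> float:
    """Confidence 0..1 that the file resembles malware (constructed weights)."""
    score = 0.0
    if shannon_entropy(data) > 7.0:      # near-random bytes: likely packed
        score += 0.4
    if longest_nop_run(data) >= 16:      # padding inserted to defeat signatures
        score += 0.3
    if b"SUSPICIOUS_MARKER" in data:     # stand-in for a suspicious string
        score += 0.3
    return min(score, 1.0)


# --- HIPS vs behavior blocker: judge what a program does, not what it is ---
ACTION_WEIGHTS = {                       # constructed risk weight per action
    "write_temp_file": 1,
    "open_network_connection": 2,
    "create_autorun_entry": 3,
    "modify_hosts_file": 3,
    "inject_into_process": 4,
}
BLOCK_THRESHOLD = 5


def classic_hips(actions):
    """Classic HIPS: one alert per monitored action, each answered by the user."""
    return [f"ALERT: {a}" for a in actions if a in ACTION_WEIGHTS]


def behavior_blocker(actions):
    """Behavior blocker: accumulate risk silently and alert once at the threshold.

    Returns (index_of_triggering_action_or_None, actions_already_performed);
    the second value is the post's caveat that some changes have already
    happened by the time the single pop-up appears.
    """
    score = 0
    for i, action in enumerate(actions):
        score += ACTION_WEIGHTS.get(action, 0)
        if score >= BLOCK_THRESHOLD:
            return i, actions[: i + 1]
    return None, list(actions)


if __name__ == "__main__":
    known = b"header EVIL-DROPPER-v1 trailer"            # constructed sample
    packed = bytes(range(256)) + b"\x90" * 16            # constructed sample
    benign = b"This is an ordinary text file with nothing special in it."
    print("signature:", signature_scan(known), signature_scan(packed))
    print("heuristic:", heuristic_score(packed), heuristic_score(benign))
    trace = ["write_temp_file", "open_network_connection",
             "create_autorun_entry", "inject_into_process"]   # constructed
    print("classic HIPS alerts:", len(classic_hips(trace)))
    print("behavior blocker:", behavior_blocker(trace))
```

The two behavioural functions take the same action trace, so the difference in user experience is visible directly: four separate prompts from the classic HIPS versus a single prompt from the behavior blocker after the third action, by which time a temp file, a network connection and an autorun entry have already been created.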