Advice Request Is this normal - definitions are old

Please provide comments and solutions that are helpful to the author of this topic.
N

ncage

Level 3
Thread author
Verified
Forum Veteran
May 20, 2017
115
361
167
IL
1588353383050.png


So i just started using kaspersky. I just noticed this morning that kaspersky definitions were quite old. You can see in the screenshot how old the definitions are and what time it is (sorry i cut off the date its 5/1). Kaspersky seems fine with how old they are:
1588353540439.png


Here is my update settings (default):
1588353585067.png


Sure i could click the "update" button but i should never have to do that.
 
  • Like
Reactions: oldschool, Protomartyr and harlan4096
This is how my Kaspersky behaves. The report log clearly shows it checks about once an hour but the actual sig database only gets updated maybe twice a day, a 11AM and a 5PM ish timestamp.

I suspect for zero day protection they are strongly relying on KSN / cloud signatures.


EDIT: Mine are 4/30/2020 9:29PM, still, even after a manual update. It fetched just 50KB or so and nothing changed. Meanwhile, I clicked around 5 of these zero days: CAPEv2 Sandbox and get detections for all of them via web scanning, so I'm pretty convinced that it's working.
 
  • Like
Reactions: oldschool, Protomartyr, harlan4096 and 1 other person
MacDefender said:
This is how my Kaspersky behaves. The report log clearly shows it checks about once an hour but the actual sig database only gets updated maybe twice a day, a 11AM and a 5PM ish timestamp.

I suspect for zero day protection they are strongly relying on KSN / cloud signatures.
Click to expand...

Thanks was just making sure something was messed up with my install....
 
  • Like
Reactions: oldschool, Protomartyr and stefanos
ncage said:
Thanks was just making sure something was messed up with my install....
Click to expand...
I'm pretty new to Kaspersky too so hopefully someone more experienced will chime in and confirm.

If it does work this way, it's honestly a little refreshing. I'm too used to BD engines where they update every hour or so and over the course of a day result in hundreds of megabytes of updates.
 
  • Like
Reactions: oldschool, Protomartyr and harlan4096
You can check also here:

1588354394862.png

I'm in Spain and my last signatures in this KTS2020 (just installed in a laptop with W10 Pro x64), from today 01/05/2020 06:29am, so from this early morning, currently 07:35pm, but as You probably are in a different time region, I think it's ok (We all have the same signatures), sometimes Kaspersky does not update for some hours main signatures (but may get other updates) but later will get probably a more or less big update :)
 
Last edited:
  • Like
  • +Reputation
Reactions: oldschool, fabiobr, Protomartyr and 4 others
Yeah, it depends of the malicious activity daily, sometimes You get new signatures almost every hour or every 2 hours (default schedule), and days as yesterday that thrre is no new signatures for hours... or maybe They were just running maintenance...
 
  • Like
  • +Reputation
Reactions: Behold Eck, oldschool, fabiobr and 3 others
harlan4096 said:
Yeah, it depends of the malicious activity daily, sometimes You get new signatures almost every hour or every 2 hours (default schedule), and days as yesterday that thrre is no new signatures for hours... or maybe They were just running maintenance...
Click to expand...

I think if they believe most of the zero-days that have happened since the last snapshot are covered by just sending hashes up to KSN, then this is reasonable to not update the database.

The doomsday would be something polymorphic/randomly generated (that can't be caught by hashes) but also can be caught by a good signature engine update, I suppose that would trigger a more frequent signature update.

Overall I haven't seen a lot of cases where Kaspersky with cloud signatures falls behind what a hourly updating engine accomplishes, so their approach seems to be working.
 
  • Like
Reactions: oldschool, fabiobr, Protomartyr and 1 other person
@harlan4096 @MacDefender

That is not the case, Kaspersky has been releasing hourly database definitions since 2004 without a break (it took years to this become a norm in the industry), the problem is while the definitions are being updated, the timestamp is not.

IMO this is just a lazy move from Kaspersky, but I think that the developers think that this kind of info is irrelevant in the world where signatures and relevant protection are delivered in less than a minute using the cloud.

Traditional antivirus solutions – are they effective against today’s threats? (2004 article)

In the past Kaspersky used to have a watch for database releases, but nowadays they simple dont care about this anymore, the close we get now is this:

cybermap.kaspersky.com

STATISTICS | Kaspersky Cyberthreat live map

Find out if you’re under cyber-attack here #CyberSecurityMap #CyberSecurity
cybermap.kaspersky.com cybermap.kaspersky.com

Ps: You can check the logs (and local files) and see that important files in the signature databases are updated while the timestamp itself doesnt change.
 
  • Like
  • +Reputation
Reactions: oldschool, Protomartyr, MacDefender and 2 others
The truth is that yeah Kaspersky almost every hour gets signatures, sometimes very small ones, and usually those ones are not related to main engine signature database, they can be for WebAV, for the Updater and/or other modules... only engine malware singnature change the time/date stamp...
 
  • Like
Reactions: oldschool, mlnevese, fabiobr and 6 others
Nightwalker said:
That is not the case, Kaspersky has been releasing hourly database definitions since 2004 without a break (it took years to this become a norm in the industry), the problem is while the definitions are being updated, the timestamp is not.
Click to expand...
That's good to know!

1588438051423.png


Indeed it downloads around 50-100kB multiple times a day but not all of these result in the version/timestamp that it shows advancing. It's not a big deal either way.
 
  • Like
Reactions: oldschool, fabiobr, Protomartyr and 1 other person
Another thing I have noticed is that Kaspersky sometimes don't create any local signature for some samples and those are always detected by their cloud UDS signature no matter how old they are. Maybe they do this for less important and rarely seen samples which probably are also covered by their behavior blocker. It's possible that they do this to reduce the size of signatures on your PC.
 
  • Like
Reactions: Behold Eck, oldschool, mlnevese and 5 others
harlan4096 said:
Yeah, it depends of the malicious activity daily, sometimes You get new signatures almost every hour or every 2 hours (default schedule), and days as yesterday that thrre is no new signatures for hours... or maybe They were just running maintenance...
Click to expand...
As far as I know, signatures depends a lot on human resources to analyze each UDS detection and verify if it is correct to update to database.

This depends on human (coronavirus) and malware activity.

As you said above, Kaspersky product always check for updates and the version of databases only changes if got big changes. I think they only add to the same database if there is no new malware or something.

You can check that software always download something every 2 hour, KB or MB, but databases doesn't change.

And I noticed the same thing as you: there is days with a lot of databases changes, and days with 2/3 new versions.
 
  • Like
Reactions: oldschool, Protomartyr and harlan4096
I've also noticed this when I used KSC. On this regard, Avast stream updates are a huge step forward.
At least with Windows Defender you can set a task to check for signature updates at wish (I set mine to check 3 minutes after login and then every hour)
 
  • Like
Reactions: oldschool and Protomartyr
imuade said:
I've also noticed this when I used KSC. On this regard, Avast stream updates are a huge step forward.
At least with Windows Defender you can set a task to check for signature updates at wish (I set mine to check 3 minutes after login and then every hour)
Click to expand...

Why does it really matter though? Offline signatures/scanning is something most people do not have to care about. Windows Defender, in particular, has extremely poor performance offline.

I have never seen a case where Kaspersky fails to detect something simply because the signatures need updating -- they just use KSN detections to cover emerging threats.

Even in a detection engine with good offline scanning, you still lose out on cloud based reputation lookups. I've not seen a single AV solution that has an offline cache of that.
 
  • Like
Reactions: fabiobr, SeriousHoax, oldschool and 2 others
MacDefender said:
Why does it really matter though? Offline signatures/scanning is something most people do not have to care about.
Click to expand...
Because the first thing, the malware does, is blocking AV from updating/connecting home, to prevent just that, an online detection.
New threats use years old malware, they just create new ways to bypass the detection, so they could easily download the main load.
AV companies do not like updating signatures, because it increases the load on the servers. Most have limited ones for free versions.
 
  • Like
  • +Reputation
Reactions: mlnevese, SeriousHoax, oldschool and 3 others

You may also like...