ncage

Level 2


So I just started using Kaspersky. I just noticed this morning that Kaspersky definitions were quite old. You can see in the screenshot how old the definitions are and what time it is (sorry I cut off the date, it's 5/1). Kaspersky seems fine with how old they are:


Here is my update settings (default):


Sure I could click the "update" button, but I should never have to do that.
 

MacDefender

Level 11
Verified
This is how my Kaspersky behaves. The report log clearly shows it checks about once an hour, but the actual sig database only gets updated maybe twice a day, at an 11AM and a 5PM-ish timestamp.

I suspect for zero day protection they are strongly relying on KSN / cloud signatures.


EDIT: Mine are 4/30/2020 9:29PM, still, even after a manual update. It fetched just 50KB or so and nothing changed. Meanwhile, I clicked around 5 of these zero days: CAPEv2 Sandbox and get detections for all of them via web scanning, so I'm pretty convinced that it's working.
 

MacDefender

Level 11
Verified
Thanks was just making sure something was messed up with my install....
I'm pretty new to Kaspersky too so hopefully someone more experienced will chime in and confirm.

If it does work this way, it's honestly a little refreshing. I'm too used to BD engines where they update every hour or so and over the course of a day result in hundreds of megabytes of updates.
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
You can check also here:


I'm in Spain and my last signatures in this KTS2020 (just installed on a laptop with W10 Pro x64) are from today, 01/05/2020 06:29am, so from this early morning; it's currently 07:35pm. But as you are probably in a different time region, I think it's ok (we all have the same signatures). Sometimes Kaspersky does not update the main signatures for some hours (but may get other updates), but later it will probably get a more or less big update :)
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Yeah, it depends on the daily malicious activity. Sometimes you get new signatures almost every hour or every 2 hours (default schedule), and on days like yesterday there are no new signatures for hours... or maybe they were just running maintenance...
 

MacDefender

Level 11
Verified
Yeah, it depends on the daily malicious activity. Sometimes you get new signatures almost every hour or every 2 hours (default schedule), and on days like yesterday there are no new signatures for hours... or maybe they were just running maintenance...
I think if they believe most of the zero-days that have happened since the last snapshot are covered by just sending hashes up to KSN, then this is reasonable to not update the database.

The doomsday would be something polymorphic/randomly generated (that can't be caught by hashes) but also can be caught by a good signature engine update, I suppose that would trigger a more frequent signature update.

Overall I haven't seen a lot of cases where Kaspersky with cloud signatures falls behind what an hourly updating engine accomplishes, so their approach seems to be working.
 

Nightwalker

Level 20
Verified
Trusted
Content Creator
@harlan4096 @MacDefender

That is not the case. Kaspersky has been releasing hourly database definitions since 2004 without a break (it took years for this to become the norm in the industry); the problem is that while the definitions are being updated, the timestamp is not.

IMO this is just a lazy move from Kaspersky, but I think that the developers think that this kind of info is irrelevant in the world where signatures and relevant protection are delivered in less than a minute using the cloud.

Traditional antivirus solutions – are they effective against today’s threats? (2004 article)

In the past Kaspersky used to have a watch for database releases, but nowadays they simply don't care about this anymore. The closest we get now is this:


PS: You can check the logs (and local files) and see that important files in the signature databases are updated while the timestamp itself doesn't change.
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
The truth is that yeah, Kaspersky gets signatures almost every hour, sometimes very small ones, and usually those are not related to the main engine signature database; they can be for WebAV, for the Updater and/or other modules... only engine malware signature changes update the time/date stamp...
 

MacDefender

Level 11
Verified
That is not the case. Kaspersky has been releasing hourly database definitions since 2004 without a break (it took years for this to become the norm in the industry); the problem is that while the definitions are being updated, the timestamp is not.
That's good to know!



Indeed it downloads around 50-100kB multiple times a day but not all of these result in the version/timestamp that it shows advancing. It's not a big deal either way.
 

SeriousHoax

Level 29
Verified
Malware Tester
Another thing I have noticed is that Kaspersky sometimes doesn't create any local signature for some samples, and those are always detected by their cloud UDS signature no matter how old they are. Maybe they do this for less important and rarely seen samples which are probably also covered by their behavior blocker. It's possible that they do this to reduce the size of signatures on your PC.
 

fabiobr

Level 9
Verified
Yeah, it depends on the daily malicious activity. Sometimes you get new signatures almost every hour or every 2 hours (default schedule), and on days like yesterday there are no new signatures for hours... or maybe they were just running maintenance...
As far as I know, signatures depend a lot on human resources to analyze each UDS detection and verify if it is correct to add it to the database.

This depends on human (coronavirus) and malware activity.

As you said above, the Kaspersky product always checks for updates, and the version of the databases only changes if it got big changes. I think they only add to the same database if there is no new malware or something.

You can check that the software always downloads something every 2 hours, KB or MB, but the databases don't change.

And I noticed the same thing as you: there are days with a lot of database changes, and days with 2/3 new versions.
 

imuade

Level 11
Verified
I've also noticed this when I used KSC. In this regard, Avast stream updates are a huge step forward.
At least with Windows Defender you can set a task to check for signature updates at will (I set mine to check 3 minutes after login and then every hour).
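The Defender schedule described in the post above, as an added example written for this thread and not imuade's own task: a PowerShell script that registers a scheduled task to pull signature updates 3 minutes after logon and then every hour. It assumes MpCmdRun.exe is at its default location under %ProgramFiles%\Windows Defender and is run from an elevated PowerShell session.

```powershell
# Added example: scheduled task that asks Microsoft Defender for signature
# updates 3 minutes after logon and then hourly. Run as administrator.
# Assumption: MpCmdRun.exe is under $env:ProgramFiles\Windows Defender.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# -SignatureUpdate is MpCmdRun's documented switch for fetching definitions.
$action = New-ScheduledTaskAction -Execute $mpCmdRun -Argument '-SignatureUpdate'

# Trigger 1: at logon of any user, delayed by 3 minutes (ISO 8601 duration).
$atLogon = New-ScheduledTaskTrigger -AtLogOn
$atLogon.Delay = 'PT3M'

# Trigger 2: every hour, indefinitely, starting now.
$hourly = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration ([TimeSpan]::MaxValue)

# Run as SYSTEM so the update does not depend on the logged-on user's rights.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Allow running on battery, catch up on a missed slot, and cap the run time
# so a stalled download cannot pile up overlapping instances.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

$taskName = 'Defender Signature Update (hourly)'
Register-ScheduledTask -TaskName $taskName -Action $action `
    -Trigger @($atLogon, $hourly) -Principal $principal -Settings $settings `
    -Force | Out-Null

# Verify the task exists and show the signature version Defender reports,
# so the "is it actually updating?" question can be answered from the host.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

Comparing AntivirusSignatureLastUpdated before and after a task run is the quickest way to confirm the schedule is doing something, which is exactly the check the thread is asking for.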
 

MacDefender

Level 11
Verified
I've also noticed this when I used KSC. In this regard, Avast stream updates are a huge step forward.
At least with Windows Defender you can set a task to check for signature updates at will (I set mine to check 3 minutes after login and then every hour).
Why does it really matter though? Offline signatures/scanning is something most people do not have to care about. Windows Defender, in particular, has extremely poor performance offline.

I have never seen a case where Kaspersky fails to detect something simply because the signatures need updating -- they just use KSN detections to cover emerging threats.

Even in a detection engine with good offline scanning, you still lose out on cloud based reputation lookups. I've not seen a single AV solution that has an offline cache of that.
 

TairikuOkami

Level 27
Verified
Content Creator
Why does it really matter though? Offline signatures/scanning is something most people do not have to care about.
Because the first thing the malware does is block the AV from updating/connecting home, to prevent just that: an online detection.
New threats use years-old malware; they just create new ways to bypass the detection, so they can easily download the main payload.
AV companies do not like updating signatures, because it increases the load on the servers. Most have limited ones for free versions.
 