Advice Request Is this normal - definitions are old


ncage

Level 3
Thread author
Verified
May 20, 2017
103
So I just started using Kaspersky. I just noticed this morning that the Kaspersky definitions were quite old. You can see in the screenshot how old the definitions are and what time it is (sorry, I cut off the date; it's 5/1). Kaspersky seems fine with how old they are:

Here are my update settings (default):

Sure, I could click the "Update" button, but I should never have to do that.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
This is how my Kaspersky behaves. The report log clearly shows it checks about once an hour, but the actual sig database only gets updated maybe twice a day, an 11 AM and a 5 PM-ish timestamp.

I suspect for zero day protection they are strongly relying on KSN / cloud signatures.


EDIT: Mine are 4/30/2020 9:29 PM, still, even after a manual update. It fetched just 50 KB or so and nothing changed. Meanwhile, I clicked around 5 of these zero days (CAPEv2 Sandbox) and got detections for all of them via web scanning, so I'm pretty convinced that it's working.
 

ncage

Level 3
Thread author
Verified
May 20, 2017
103
This is how my Kaspersky behaves. The report log clearly shows it checks about once an hour, but the actual sig database only gets updated maybe twice a day, an 11 AM and a 5 PM-ish timestamp.

I suspect for zero day protection they are strongly relying on KSN / cloud signatures.

Thanks, was just making sure nothing was messed up with my install....
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Thanks, was just making sure nothing was messed up with my install....
I'm pretty new to Kaspersky too, so hopefully someone more experienced will chime in and confirm.

If it does work this way, it's honestly a little refreshing. I'm too used to BD engines, which update every hour or so and, over the course of a day, result in hundreds of megabytes of updates.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
You can check also here:

I'm in Spain, and my last signatures in this KTS2020 (just installed on a laptop with W10 Pro x64) are from today, 01/05/2020 06:29 am, so from this early morning; it's currently 07:35 pm. As you are probably in a different time region, I think it's OK (we all have the same signatures). Sometimes Kaspersky does not update the main signatures for some hours (but may get other updates), but later it will probably get a more or less big update :)
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Yeah, it depends on the daily malicious activity; sometimes you get new signatures almost every hour or every 2 hours (default schedule), and on days like yesterday there are no new signatures for hours... or maybe they were just running maintenance...
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Yeah, it depends on the daily malicious activity; sometimes you get new signatures almost every hour or every 2 hours (default schedule), and on days like yesterday there are no new signatures for hours... or maybe they were just running maintenance...

I think if they believe most of the zero-days that have happened since the last snapshot are covered by just sending hashes up to KSN, then it is reasonable not to update the database.

The doomsday would be something polymorphic/randomly generated (that can't be caught by hashes) but that can also be caught by a good signature engine update; I suppose that would trigger a more frequent signature update.

Overall I haven't seen a lot of cases where Kaspersky with cloud signatures falls behind what an hourly updating engine accomplishes, so their approach seems to be working.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
@harlan4096 @MacDefender

That is not the case; Kaspersky has been releasing hourly database definitions since 2004 without a break (it took years for this to become the norm in the industry). The problem is that while the definitions are being updated, the timestamp is not.

IMO this is just a lazy move from Kaspersky, but I think that the developers think that this kind of info is irrelevant in the world where signatures and relevant protection are delivered in less than a minute using the cloud.

Traditional antivirus solutions – are they effective against today’s threats? (2004 article)

In the past Kaspersky used to have a watch for database releases, but nowadays they simply don't care about this anymore; the closest we get now is this:


PS: You can check the logs (and local files) and see that important files in the signature databases are updated while the timestamp itself doesn't change.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
The truth is that, yeah, Kaspersky gets signatures almost every hour, sometimes very small ones, and usually those are not related to the main engine signature database; they can be for WebAV, for the Updater and/or other modules... only engine malware signatures change the time/date stamp...
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
That is not the case; Kaspersky has been releasing hourly database definitions since 2004 without a break (it took years for this to become the norm in the industry). The problem is that while the definitions are being updated, the timestamp is not.
That's good to know!


Indeed, it downloads around 50-100 kB multiple times a day, but not all of these result in the version/timestamp it shows advancing. It's not a big deal either way.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Another thing I have noticed is that Kaspersky sometimes doesn't create any local signature for some samples, and those are always detected by their cloud UDS signature no matter how old they are. Maybe they do this for less important and rarely seen samples, which are probably also covered by their behavior blocker. It's possible that they do this to reduce the size of the signatures on your PC.
 

fabiobr

Level 12
Verified
Top Poster
Well-known
Mar 28, 2019
561
Yeah, it depends on the daily malicious activity; sometimes you get new signatures almost every hour or every 2 hours (default schedule), and on days like yesterday there are no new signatures for hours... or maybe they were just running maintenance...
As far as I know, signatures depend a lot on human resources to analyze each UDS detection and verify whether it is correct to update the database.

This depends on human (coronavirus) and malware activity.

As you said above, the Kaspersky product always checks for updates, and the version of the databases only changes if it got big changes. I think they only add to the same database if there is no new malware or something.

You can check that the software always downloads something every 2 hours, KB or MB, but the databases don't change.

And I noticed the same thing as you: there are days with a lot of database changes, and days with 2/3 new versions.
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
I've also noticed this when I used KSC. On this regard, Avast stream updates are a huge step forward.
At least with Windows Defender you can set a task to check for signature updates at will (I set mine to check 3 minutes after login and then every hour).
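The Windows Defender schedule imuade describes, as an added example (not code from the thread or from any poster): a PowerShell script that registers a scheduled task running Update-MpSignature 3 minutes after logon and then every hour, and a helper that reports the current signature version and age from Get-MpComputerStatus. The task name is an assumption; it needs an elevated shell on Windows 10/11 with Microsoft Defender Antivirus.

```powershell
# Added example: schedule Defender signature checks 3 minutes after logon,
# then hourly, and report how stale the local signatures currently are.

function Get-DefenderSignatureAge {
    # Defender's own view of the signature set: version, timestamp, age in hours.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Version     = $status.AntivirusSignatureVersion
        LastUpdated = $status.AntivirusSignatureLastUpdated
        AgeHours    = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
    }
}

function Register-DefenderSignatureCheck {
    param(
        [string]$TaskName = 'Defender-SignatureCheck',  # hypothetical task name
        [string]$LogonDelay = 'PT3M'                     # ISO 8601 duration: 3 minutes
    )
    # Logon trigger with a start delay. New-ScheduledTaskTrigger only exposes
    # -RepetitionInterval on a -Once trigger, so borrow its Repetition block.
    $logon = New-ScheduledTaskTrigger -AtLogOn
    $logon.Delay = $LogonDelay
    $once = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
    $logon.Repetition = $once.Repetition

    # Run the built-in update cmdlet hidden and non-interactively as SYSTEM.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument '-NoProfile -NonInteractive -WindowStyle Hidden -Command "Update-MpSignature"'
    # Skip runs with no network and catch up if a scheduled run was missed.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable

    Register-ScheduledTask -TaskName $TaskName -Trigger $logon -Action $action `
        -Settings $settings -User 'SYSTEM' -RunLevel Highest -Force
}

Register-DefenderSignatureCheck
Get-DefenderSignatureAge | Format-List
```

Re-run Get-DefenderSignatureAge after the first scheduled run to confirm AgeHours drops; a value that stays high while the task history shows successful runs means no newer signature set was published, not a broken task.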
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I've also noticed this when I used KSC. On this regard, Avast stream updates are a huge step forward.
At least with Windows Defender you can set a task to check for signature updates at will (I set mine to check 3 minutes after login and then every hour).

Why does it really matter though? Offline signatures/scanning is something most people do not have to care about. Windows Defender, in particular, has extremely poor performance offline.

I have never seen a case where Kaspersky fails to detect something simply because the signatures need updating -- they just use KSN detections to cover emerging threats.

Even in a detection engine with good offline scanning, you still lose out on cloud-based reputation lookups. I've not seen a single AV solution that has an offline cache of that.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Why does it really matter though? Offline signatures/scanning is something most people do not have to care about.
Because the first thing the malware does is block the AV from updating/connecting home, to prevent just that: an online detection.
New threats use years-old malware; they just create new ways to bypass the detection, so they can easily download the main load.
AV companies do not like updating signatures, because it increases the load on the servers. Most have limited ones for free versions.
 
