Advice Request Panda Adaptive Defense?



Wave

I'm surprised at Panda for using these marketing techniques... That being said, ignore anyone who claims they have a product which is "Next-Gen"... It's just a trick to make you think it's the "best" when in actual fact there is no "best" security product.

In fact these same companies who claim they have "Next-Generation" security products are using methods which have been well-known around maybe for more than 12+ years even, or longer - for example, API hooking has been around for so long and was also popular back in the Windows 2000/XP days. Another example would be virtualisation (e.g. via utilising the hardware technology such as Intel VT-x/AMD-V (SVM), and things like MMU virtualisation have been with us since before even 2006).

They are essentially just using well-known methods (or things that have already been implemented into existing security software such as virtualisation (e.g. Kaspersky, Avast and Comodo utilise real virtualisation techniques if the hardware supports it and thus this is why you need to enable virtualisation via the BIOS to use some features)) and applying new policies for "auto-decisions" and other similar things.

They are just new products using recycled rootkit methods (like traditional HIPS/Dynamic Heuristics) (e.g. injection and then performing API hooking) but monitoring the behaviour into logs and auto-blocking with policies... for example. Haha.

There are some companies out there who claim to have these "Next-Gen" products who believe that their software is more-or-less bulletproof and it's honestly become a joke which is laughable. The whole "Next-Gen" marketing will make unknowledgeable people who own businesses think to themselves, "Hmm we need this security so we are bullet-proof to all hackers".

Don't be fooled by the marketing - don't let them social engineer you with their fancy websites and bold headlines, you are stronger than that. :)
 

XhenEd

Next-gen AV, for me, is:

Malware detection/prevention (including zero-days) = 99.99%
False positives = 0.01%

If any AV product (e.g. Panda) is able to accomplish this without relying on HIPS alerts (because HIPS alerts can lead a user to allow malware), I will believe that it is next-gen. Until then, it's just plain business marketing.

I think this can only be done by an AI that is as smart as Jarvis. :D
 

Mr.NoName

Next-gen AV, for me, is:

Malware detection/prevention (including zero-days) = 99.99%
False positives = 0.01%

If any AV product (e.g. Panda) is able to accomplish this without relying on HIPS alerts (because HIPS alerts can lead a user to allow malware), I will believe that it is next-gen. Until then, it's just plain business marketing.

I think this can only be done by an AI that is as smart as Jarvis. :D
Yes but we all know that JARVIS is not real :D for now !
 

Wave

Next-gen AV, for me, is:

Malware detection/prevention (including zero-days) = 99.99%
False positives = 0.01%

If any AV product (e.g. Panda) is able to accomplish this without relying on HIPS alerts (because HIPS alerts can lead a user to allow malware), I will believe that it is next-gen. Until then, it's just plain business marketing.

I think this can only be done by an AI that is as smart as Jarvis. :D
For me I have a problem with anyone who markets software with key-words like "Next-Gen" (yes this means I have a problem with Panda, CylancePROTECT and any other companies that claim they have "Next-Gen" products). I will explain why though.

Firstly, there is only so much that security software can do to actually MONITOR the behaviour of a program being executed. To monitor programs in such a way that it can dynamically intercept when specific actions are about to occur (and then include the functionality to block the action), it will HAVE to intercept the API calls... Therefore this takes me back round in a repetitive discussion of API hooking (if you see the username Wave on a post you know what it will be about... haha). However, due to the x64 limitations compared to x86 systems, this leaves the security product with having to work with user-mode (ring 3) API hooks (e.g. inject and then hot-patch target function prologues/IAT/EAT hooking). Therefore yes, it can easily intercept and monitor the behaviour of a running program... But the big question is: how hard is it for a malware author to evade these hooks? The truth is, if a malware author is experienced with concepts like API hooking and injection and just how the Windows internals work with API calls, they will be able to evade these hooks... There are many different methods of doing so (e.g. unhook the API if possible, system calls, mapping ntdll.dll into memory and using the functions from this version as opposed to the original copy on disk which has the hooked functions (e.g. for NTAPI hook evasion), ... could even exploit the security software to cause it to unhook the APIs if the DLL injected by the security software has a function to disable the hooks). In other words, there is NOTHING security vendors can do to fully ensure that the hooks stay active and are not able to be bypassed (especially on x64 systems). NOTHING is foolproof.

Secondly, there is no way for the AI to know definitively if the program being monitored is 100% malicious or not... It can only guess based on behaviour... For example, if a program tried to add itself to startup/drops to AppData, made some web requests and then tries to load a device driver then the program is showing high chances of being malicious... Whereas, what if the sample works differently, such as just trying to load a device driver (before doing any of the other things) which will then give it the power of kernel-mode (where no security software can protect you after this since from kernel-mode any malware can bypass any protection mechanisms put in place by security software)? I'll tell you what happens... Either the BB/HIPS module comes into play and the user allows the action, which would be the bad decision, or the AI is still monitoring and since there is not enough evidence to suggest that the program is actually malicious (maybe the device driver isn't rogue, maybe it's digitally signed and won't do anything bad - but they can't know whether it will or not) it will end up with the action being auto-allowed and the system becoming infected.

Therefore, taking into account the two points I made above (Firstly and Secondly), how would these "Next-Gen" products protect me if my system was infected with malware which bypassed these monitoring methods? The answer is they can't... If the monitoring methods are bypassed then it means the product no longer keeps track of what actions the program is executing, so it cannot intercept the behaviour and work with its AI for auto-decisions... What if the malware is running within a virtualised environment? It won't matter, because the program is running on the system and therefore it has the ability to exploit the virtualisation software. Of course it would be rare for anything like this to happen, however it can definitely be done and the security software will end up stuck, unable to do anything in these situations.

Regarding the 99.9% malware detection (either statically or dynamically) it's impossible for any product to do this and actually classify the samples as malware. Why? There are so many samples being released on a regular basis which may all work differently, therefore this eliminates the ability to detect 99.9% of malware statically (polymorphic/packing)... Regarding the dynamic aspects, there is no way to differentiate between safe and malicious samples dynamically (based on the behaviour) for such a large percentage, literally impossible. There is genuine software out there that will: add itself to start-up, drop files to the disk, inject into processes, make web requests (which may be done "silently" and trigger a Trojan Downloader BB feature), ..... You cannot just auto-block all programs that do these things, the closest you can do is a BB/HIPS system, which then leaves the issue of unknowledgeable users allowing the alerts and becoming infected anyway.

I can literally go round in circles coming up with new "theory methods" of how malware would bypass security software mechanisms, and social engineering can be a huge factor as well (tricking users into allowing alerts even if they were suspicious prior to the alerts) (and only you can fight against social engineering), so there's no point in me carrying on with this post.

In fact, I don't even believe that these "Artificial Intelligence" systems are actually working like these companies claim... I bet a large majority of it is based on rule-sets which were human-made and implemented in the product. Malware is evolving all the time; there is no single AI system which can work without regular updates/maintenance and just automatically "adapt" to new malware and make top auto-decisions the same as for the old malware.

The sad thing is that there will be businesses out there that are sitting in their chair with their feet up thinking to themselves, "Our systems are fully secured with this next-gen endpoint security"... Truth is they are far from secure compared to if they were using a business solution from Kaspersky (as an example). All it takes is for an attacker to social engineer one of their employees via e-mail or phone to get them to click a link/navigate to a URL/download something, then it's game over because nothing is foolproof. They should invest time in training their staff instead of wasting their money on products from vendors who are using misleading marketing tactics and who think they have bullet-proof software.

Hmm what vendor rings in my mind with "misleading" marketing tactics? *cough* Cylance *cough* (and the Panda "Next-Gen" crap talked about previously in this thread).

The FUNNIEST part about most of these "Next-Gen" solutions is that some of them won't even work with real virtualisation methods and samples which could have been made back on Windows 2000 still have the potential to bypass them even today on newer OS versions. :D

To give a summary: "Next-Gen" is entirely marketing as the company wants to lure people in by throwing these big-boy key-words at them, to make them feel like they will be receiving something really "special" which has already been done before and is nowhere near as secure as existing security solutions out there (think about all the products out there which don't claim they are "Next-Gen" which utilise virtualisation/hooking methods... ESET, Kaspersky, Emsisoft (e.g. BB to it), GData, ... And do people still become infected? YES!).
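As an added illustration (not code from the thread, and not how Panda or any other vendor works) of Wave's "Secondly" point and the 99.99% detection / 0.01% false-positive target XhenEd set: a toy behaviour blocker that scores intercepted actions in order. The weights, threshold and event streams are all constructed for this example.

```python
# Toy behaviour blocker, constructed for this discussion; not any vendor's logic.
from __future__ import annotations
from typing import Iterable, Sequence

# Per-action weights are made-up illustration values.
WEIGHTS = {
    "add_to_startup": 2,
    "drop_to_appdata": 1,
    "web_request": 1,
    "inject_process": 3,
    "load_driver": 3,
}

def evaluate(events: Iterable[str], threshold: int) -> tuple[str, int | None]:
    """Score a process's intercepted actions in the order they happen.

    ("blocked", i): cumulative score reached `threshold` while intercepting
                    event i, so that action is denied before it executes.
    ("kernel", i):  a driver load was allowed at event i; from here on the
                    user-mode hooks can be undone, so later events are no
                    longer trustworthy and are not scored (Wave's point).
    ("allowed", None): stream finished below the threshold.
    """
    score = 0
    for i, ev in enumerate(events):
        score += WEIGHTS.get(ev, 0)
        if score >= threshold:
            return "blocked", i
        if ev == "load_driver":
            return "kernel", i
    return "allowed", None

def rates(benign: Sequence, malicious: Sequence, threshold: int) -> tuple[float, float]:
    """(detection rate over `malicious`, false-positive rate over `benign`)."""
    det = sum(evaluate(e, threshold)[0] == "blocked" for e in malicious) / len(malicious)
    fp = sum(evaluate(e, threshold)[0] == "blocked" for e in benign) / len(benign)
    return det, fp

def find_threshold(benign, malicious, min_det: float, max_fp: float) -> int | None:
    """First threshold in 1..10 meeting both targets, or None if none does."""
    for t in range(1, 11):
        det, fp = rates(benign, malicious, t)
        if det >= min_det and fp <= max_fp:
            return t
    return None

# Constructed event streams (illustrative names, not real telemetry).
NOISY_MALWARE = ["add_to_startup", "drop_to_appdata", "web_request", "load_driver"]
QUIET_MALWARE = ["load_driver", "add_to_startup", "drop_to_appdata", "web_request"]
INSTALLER = ["drop_to_appdata", "add_to_startup", "web_request", "inject_process"]
UTILITY = ["web_request", "drop_to_appdata"]
MALICIOUS = [NOISY_MALWARE, QUIET_MALWARE]
BENIGN = [INSTALLER, UTILITY]  # legitimate updater and a small tool

if __name__ == "__main__":
    print(evaluate(NOISY_MALWARE, 6))   # driver load denied at the 4th action
    print(evaluate(QUIET_MALWARE, 6))   # same actions reordered: reaches kernel
    print(evaluate(INSTALLER, 6))       # benign updater blocked: false positive
    for t in (3, 6, 8):
        print(t, rates(BENIGN, MALICIOUS, t))
    print(find_threshold(BENIGN, MALICIOUS, 0.9999, 0.0001))
```

Lowering the threshold catches the reordered sample but blocks the updater too; raising it clears the updater but lets both samples reach kernel mode, which is the trade-off the post describes.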
 

Wave

Basically the security vendors using these marketing methods are trying to SOCIAL ENGINEER you into buying their products, they are just as bad as the hackers trying to social engineer you into downloading and running their malware. Both of them have one big thing in common: MONEY! $$$$$$ Hear the sound of that? $$$$$$$....

If you honestly pay for these "Next-Gen" products thinking you are safer than you would have been while using Avast Free then you are just very insecure and vulnerable altogether... If I told you that by eating some special candy you will become bullet-proof would you do it? OF COURSE NOT!

The best way for you to stay secure is to keep an eye out and apply good basic security practices whilst using your system, and to help you along the way you can work with Default-Deny or have an AV/HIPS system in the background, say, in case you slip up (which hopefully won't have landed you on the automatic game over page). You DON'T need an over-complicated security configuration with a hundred dozen pieces of software or this "Next-Gen" crap.

I will list below the basic principles for staying secure:
- MOST IMPORTANTLY: BRAIN.EXE - don't be click-happy; only download from trusted sources and only run programs after doing basic checks which only take a few seconds (e.g. scanning at VirusTotal, checking for code signing and validating the publisher, checking for online reviews of software and making sure they aren't faked, not opening up e-mails from strangers or handling attachments from unexpected e-mails, not making payments on non-HTTPS secured sites (and making sure the payments being made are on a trusted and well-known service), etc...).
- A basic real-time AV in the background will do as a backup friend (e.g. Windows Defender is good enough, if not go for Avast Free or something similar) / Default-Deny via Anti-Exe
- Good ad-blocker (e.g. browser extension - uBlock Origin is good)
- Regular system backups (if you slip up and end up becoming infected you can then revert via your backup)

If you are paranoid or know you are not the best with online practices you can sandbox your browser or just stick to a Virtual Machine (and then use the snapshots feature to revert back in the case of infection)... Or even use an Anti-Exploit software like HitmanPro.Alert as an addition.

As for these companies selling these "Next-Gen" products to businesses, how secure do you really think they are? They should spend the money they are wasting on these products to train their staff about cyber-security and teach them how to handle the systems securely... Sure, they can spend a ridiculous amount of money on some "Next-Gen" crap but if I walk into the work-place after having some advanced make-up done by professional artists to make me appear to be a man in his late 40s, while dressed as an I.T. technician, how hard do you think it would be to social engineer the staff behind the help desk to gain access to the systems for a few minutes (very little time is required)? Or even if I call up your phone provider and try to social engineer them into giving me access to your mum's account, do you think I'd be successful? Trust me, you'd be surprised with the results...

If you are click-happy or don't pay attention then it doesn't matter what layered security you have in place because you will ALWAYS end up running into a recursive pattern of... Infection!
 

jamescv7

There is nothing new honestly for Panda's Adaptive Defense.

Basically [for sure] a cloud with mixture of AI then behavior blocking.

Wait.... Panda should improve their BB and their Application control module must be more effective at all.
 

Emmanuellws

I am using Panda Adaptive Defense 360. Went to hybrid-analysis.com and tried lots of malware - exe, js, vbs, jar, doc, xls, and more... you name it. None of it... I mean... really none of it managed to escape from Panda Adaptive Defense. Their security model covers the traditional AV method (blacklist) and the application whitelisting model (categorised into whitelist, blacklist and greylist). Even if you never update the Panda agent, blacklisting and greylisting protection will still take place. Their forensic tools are also cool. I tested on my own laptop, which is a live system, which is suicide... but... Panda Adaptive Defense never failed to protect me from any zero-day, fileless attack or known malware... all ransomware was virtually stopped by PAD360. Up till now I have a collection of more than 200 samples from hybrid-analysis.com. I dare users of anything other than PAD360 to run the samples on their live machine now.
 