POLAR ANTIVIRUS FREE (Updates)

The Kaspersky key is valid for one year. You can access the Kaspersky website and verify.
VirusTotal has no history; it has a maximum limit of 500 files.
When Polar scans a file for the first time it queries VirusTotal, then saves the result in a hash database file. If the file is already in the database, it does not connect to VirusTotal.

Also, after reading the documentation and looking at the architecture, I still have a few questions because some of the marketing statements appear stronger than the technical implementation being described.

For example, phrases such as:

* "Protects you against all malicious software, including ransomware"
* "Threat Prevention"
* "Real-time multi-engine protection"
* "Stop threats before they act"

suggest capabilities similar to a traditional antivirus or EDR product.

At the same time, the notes explain that Polar should be used alongside Kaspersky, ESET, Norton, etc., and that VirusTotal and Kaspersky Threat Intelligence are mainly used as secondary reputation sources.

Could you clarify a few technical points?

1. Does Polar include any kernel-mode components (minifilter drivers, callbacks, etc.), or is the entire protection stack implemented in user mode?

2. I noticed that PolarProtectionService.exe does not appear to run under NT AUTHORITY\SYSTEM. Is there any self-protection or anti-tamper mechanism preventing malware with administrative privileges from terminating the protection processes?

3. When you refer to "multi-engine protection", is Polar actively using the actual scanning engines of those vendors, or simply consuming VirusTotal reputation reports that aggregate their verdicts?

I think these clarifications would help users better understand the actual security model of Polar and set appropriate expectations.

From my perspective, Polar seems like an interesting companion security tool and second-opinion scanner. I just believe it's important to clearly distinguish between reputation-based assistance and the capabilities typically expected from a full antivirus or EDR solution.
 
Hello,

I have a question regarding the VirusTotal caching mechanism.

From what I understand, when a file is scanned for the first time, Polar queries VirusTotal, stores the result locally based on the file hash, and then does not query VirusTotal again for that same hash.

If this is correct, what happens in the following scenario?

* Day 1: a new malware sample appears and VirusTotal reports 0/70 detections. Polar stores this verdict locally.
* Day 2 or Day 7: the same hash is now detected by multiple vendors (for example 25/70 or higher on VirusTotal).

Will Polar automatically re-check VirusTotal after a certain period of time (TTL), or refresh the reputation cache periodically?

If not, wouldn't this create a situation where an initially unknown 0-day sample could remain trusted indefinitely on systems that have already cached the original "clean" verdict, even though VirusTotal later identifies it as malicious?
Now there is a check on the file; if it exceeds 7 days, the file will be automatically reanalyzed.
 

Thank you for clarifying that. A 7-day cache expiration is definitely much better than a permanent reputation cache and addresses the main concern I had regarding stale VirusTotal verdicts.

That said, have you considered using an adaptive TTL based on the initial reputation score?

For example:
  • 0/70 detections -> recheck after 24 hours
  • 1–5 detections -> recheck after 6 hours
  • 5–15 detections -> recheck after 1 hour
  • High detection ratios -> immediate alert or revalidation

The reason I'm asking is that many 0-day samples initially appear as 0/70 and their detection rates often increase significantly within the first 24–72 hours as vendors update their signatures.

A fixed 7-day interval could still leave a window where a previously unknown sample remains trusted even though VirusTotal has already started flagging it.

I think your current implementation is already a big improvement over a permanent cache, but an adaptive reputation refresh strategy could make Polar even stronger while keeping API usage under control.
 
The Polar program is just an assistant, and I pointed that out.

It protects you from all malware because it supports multiple engines from VirusTotal, and this is its strength.

The Polar software can be installed alongside the main software.

In the Polar settings, engine options, disable the engine you are using as the primary engine.

There is no mechanism for self-protection.
 
I have thought about it before.

Better as it is now. It will be re-scanned if it exceeds 7 days on VirusTotal from its date.

And not from the saved file.
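The caching question earlier in the thread, the adaptive-TTL proposal, and the developer's answer that the 7-day age is measured from VirusTotal's own analysis date rather than from the local save time can all be tried out in a small simulation. The following is an added example, not Polar's code and not the VirusTotal API: the detection curve (0/70 on day 1, 3/70 on day 2, 25/70 from day 3) is constructed test data, the bucket boundaries of the adaptive policy are assumptions, and no network request is made.

```python
"""Added example (not Polar's code): a hash-keyed VirusTotal reputation cache
with three refresh policies, run against a constructed timeline of a sample
whose detections rise from 0/70 to 25/70 over two days. No network is used."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
SAMPLE_SHA256 = "0" * 64  # placeholder hash for the constructed sample


@dataclass
class Verdict:
    malicious: int           # engines flagging the hash
    total: int               # engines that returned a result
    analysis_date: datetime  # VirusTotal's own analysis timestamp, not our store time


def permanent_ttl(v: Verdict) -> timedelta:
    """The original behaviour questioned in the thread: never re-query a cached hash."""
    return timedelta(days=36500)


def fixed_ttl(v: Verdict) -> timedelta:
    """The 7-day policy the developer describes, measured from VT's analysis date."""
    return 7 * DAY


def adaptive_ttl(v: Verdict) -> timedelta:
    """The adaptive policy proposed in the thread. Bucket boundaries are assumptions;
    a high ratio is treated as a confirmed verdict that need not be refreshed."""
    if v.malicious == 0:
        return 24 * HOUR
    if v.malicious <= 5:
        return 6 * HOUR
    if v.malicious <= 15:
        return 1 * HOUR
    return 7 * DAY


class ReputationCache:
    def __init__(self, lookup: Callable[[str, datetime], Verdict],
                 ttl_policy: Callable[[Verdict], timedelta]) -> None:
        self._lookup = lookup
        self._ttl = ttl_policy
        self._db: Dict[str, Verdict] = {}  # stands in for Polar's hash database file
        self.api_calls = 0

    def verdict(self, sha256: str, now: datetime) -> Verdict:
        cached = self._db.get(sha256)
        # Age is measured from VT's analysis date, as the developer describes.
        if cached is not None and now - cached.analysis_date <= self._ttl(cached):
            return cached
        self.api_calls += 1
        fresh = self._lookup(sha256, now)
        self._db[sha256] = fresh
        return fresh


def simulate(policy, hours=range(0, 8 * 24 + 1)) -> Tuple[Optional[int], int]:
    """Poll the cache hourly for eight days; return (first hour at which the sample
    was seen as flagged, number of VirusTotal calls made)."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def fake_virustotal(sha256: str, now: datetime) -> Verdict:
        # Constructed detection curve: 0/70 on day 1, 3/70 on day 2, 25/70 from day 3.
        age = now - start
        malicious = 0 if age < DAY else 3 if age < 2 * DAY else 25
        return Verdict(malicious, 70, analysis_date=now)

    cache = ReputationCache(fake_virustotal, policy)
    first_flagged = None
    for h in hours:
        v = cache.verdict(SAMPLE_SHA256, start + h * HOUR)
        if v.malicious > 0 and first_flagged is None:
            first_flagged = h
    return first_flagged, cache.api_calls


if __name__ == "__main__":
    for name, policy in [("permanent", permanent_ttl), ("fixed 7d", fixed_ttl),
                         ("adaptive", adaptive_ttl)]:
        flagged, calls = simulate(policy)
        print(f"{name:10s} first flagged at hour {flagged}, API calls: {calls}")
```

Run stand-alone, the permanent cache never flags the sample and makes one API call, the fixed 7-day policy flags it at hour 169 with two calls, and the adaptive policy flags it at hour 25 with six calls over the eight days. One caveat on measuring age from VirusTotal's analysis date: a hash whose VirusTotal report is itself older than the TTL will be re-queried on every local check until someone requests a reanalysis, so a client doing this should track the report age separately from its own polling interval.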
 
The main problem with Polar is that it doesn't detect malware that is completely unknown to VT or the Kaspersky cloud.

For example: I built a simple AsyncRAT payload for testing. Polar didn’t react to the execution, and the machine got infected.
It reacted two minutes later via VT... except that in two minutes, several actions can be carried out....
 
Better than not discovering it.🥵
 

Sure, but imagine it's a stealer that steals all the information—one that's completely unknown to antivirus software. Whether it gets detected or not, after two minutes, the infostealer has had plenty of time to steal everything :/
 