- Apr 13, 2013
As most here I'm sure are already aware, Qihoo now comes in different forms. 360 Total Security (TS) has been released now out of Beta, while 360 Internet Security is also available. But please note that 360IS currently comes in two flavors, the standard version 4.9 and a beta (version 5). The major differences are that TS has an additional AV engine (Avira), while 360IS (both flavors) has an on-demand sandbox. Both TS and IS have Proactive Protection. So the points that should be discussed are Sandboxing, AV Detection rates, and Proactive Protection.
1). Sandbox- I will concede that Qihoo's on-demand sandbox may have some value (throwing a browser into it), but for me the virtualization routines used are far from adequate, especially when compared to Sandboxie or the boxes found in Comodo products. While not going into tedious detail, be aware that malware designed to evade sandboxes is coded to be aware of its environment; a sandbox that presents a more realistic system environment to the malware will yield the best defense (Comodo, SB). A more restrictively structured box (Qihoo) will allow the malware to "know" it is being contained and trigger its evasion countermeasures. An analogy here would be a person locked in a jail cell versus the same person living in the Matrix. You would attempt to break out of one but proceed in total contentment in the other.
In short, not a fan of Qihoo sandbox.
2). AV Detection- Indeed TS adds Avira to the engines already in place. To be worth having, an additional engine must show that it is additive to the detection that is already in place. So far, although I have seen a greater number of malware samples being detected, it has not yielded any statistical significance, so it is of dubious value in real-world use.
3). Proactive Protection- This for me was the most annoying part in testing. It was difficult enough to find a specific malware type that Qihoo didn't already detect, but even when I did find some, by the time I had run the samples, done the post-boot forensic analysis and rerun the routine to ensure reproducibility, very often Qihoo Cloud would detect it on the third run. I really wish they were lazy.
But enough whining- On deciding how exactly to conduct a meaningful test of Proactive defenses, I looked not for some obscure trojan, but instead for samples of a class that, in addition to being common, always operate in the same way. It also had to exploit the weakness that I've encountered in the TS beta and to a lesser extent in the IS 4.9 build, that being the inability to prevent registry changes that would lead to system infection. Next to code injection (which Q's Proactive is sensitive to), the autorunning of payloads is the most common.
To this end I chose a popular Fake AV line which for the past few months has been ubiquitous. This type operates by the following:
a). The parent malware file is run.
b). It will spawn a daughter (the payload) somewhere on the drive (normally in Roaming)
c). It will create an autorun routine (often including run in Safe Mode)
d). It will create entries to stop things like Windows Firewall, Defender, and Task Manager from being able to be run (hijacks).
The test from here is easy: Qihoo had no definition for it, so the parent could be run (and the Fake AV screen would appear, necessitating a reboot). A Pass would be the malware not running on reboot as well as no registry changes. A Fail is the malware starting on reboot and/or other registry changes.
1). Qihoo IS 4.9- Let the Fake AV load on boot. Suppressed other registry changes- FAIL
2). Qihoo TS- Let all through- FAIL
3). Qihoo IS 5 beta- Prevented malware autostart, prevented hijacks. Did leave an orphaned daughter in Roaming- PASS
Have a good Weekend (time to dance)!
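The pass/fail criteria above (no autorun on reboot, no hijack entries) can be checked mechanically by diffing a registry export taken before the sample is run against one taken after the reboot. The script below is an added example, not part of the original post and not Qihoo's or any vendor's code; it parses the text format that `regedit /e` writes and flags the change classes the post describes (Run-key autorun, Safe Mode persistence, and Task Manager/Defender/Firewall lockouts). The registry paths it matches are well-known locations for those behaviours, chosen here as assumptions; the post does not say which keys this Fake AV family touches. The two embedded exports are constructed sample data, with `lcm.exe` as a made-up payload name.

```python
"""Post-boot forensic check: diff two registry exports and flag the
persistence and hijack changes a Fake AV installer leaves behind.
Added example; registry paths below are assumed, not taken from the post."""
import re
from typing import Dict, List, Tuple

RegMap = Dict[Tuple[str, str], str]   # (key path, value name) -> raw data text


def parse_reg_export(text: str) -> RegMap:
    """Parse the subset of .reg syntax that 'regedit /e' produces."""
    entries: RegMap = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()                 # start of a new key section
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)  # "Name"=data  or  @=data
        if m and key is not None:
            name = (m.group(1) or "@").lower()
            entries[(key, name)] = m.group(2)
    return entries


def diff_snapshots(before: RegMap, after: RegMap) -> RegMap:
    """Values that are new or changed in the post-reboot snapshot."""
    return {k: v for k, v in after.items() if before.get(k) != v}


def classify(key: str, name: str, data: str) -> str:
    """Map one changed value to a behaviour class from the test plan ('' = benign)."""
    lowered = data.lower()
    if "\\control\\safeboot\\" in key:
        return "safe-mode autorun"                    # survives a Safe Mode boot
    if "\\currentversion\\run" in key:                # Run / RunOnce keys
        return "autorun (payload in Roaming)" if "roaming" in lowered else "autorun"
    if "image file execution options" in key and name == "debugger":
        return "tool hijack (IFEO debugger)"          # e.g. taskmgr.exe redirected
    if name in ("disabletaskmgr", "disableregistrytools") and lowered.endswith("1"):
        return "tool hijack (policy lockout)"
    if name in ("disableantispyware", "disableantivirus") and lowered.endswith("1"):
        return "defense disabled (Defender)"
    if name == "enablefirewall" and lowered.endswith("0"):
        return "defense disabled (Firewall)"
    return ""


def analyze(before_text: str, after_text: str) -> List[Tuple[str, str, str]]:
    """Return (label, key, value name) for every suspicious post-reboot change."""
    changes = diff_snapshots(parse_reg_export(before_text), parse_reg_export(after_text))
    findings = []
    for (key, name), data in sorted(changes.items()):
        label = classify(key, name, data)
        if label:
            findings.append((label, key, name))
    return findings


def verdict(findings: List[Tuple[str, str, str]]) -> str:
    """PASS only when no persistence or hijack change survived the reboot."""
    return "FAIL" if findings else "PASS"


# Constructed sample exports (not real captures). BEFORE has one benign autorun.
BEFORE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Users\\lab\\AppData\\Local\\vendor\\updater.exe"
"""

# AFTER adds the four behaviours from the post: Roaming payload autorun,
# Safe Mode entry, Task Manager hijacks and a Defender policy switch.
AFTER_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Users\\lab\\AppData\\Local\\vendor\\updater.exe"
"lcm"="C:\\Users\\lab\\AppData\\Roaming\\lcm.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lcm.exe]
@="Service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\lab\\AppData\\Roaming\\lcm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"""

if __name__ == "__main__":
    found = analyze(BEFORE_EXPORT, AFTER_EXPORT)
    for label, key, name in found:
        print(f"{label:32s} {key}\\{name}")
    print("Verdict:", verdict(found))
```

In practice the two exports come from `regedit /e` on the lab machine before running the parent and again after the reboot; a product that blocked the registry writes yields an empty findings list and PASS, while the IS 4.9 result in the post (autorun allowed, other changes suppressed) would show only the Run-key finding. The orphaned daughter file in Roaming is a file-system artefact and is outside what a registry diff can see.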