1.INTRODUCTION
Most popular anti-virus programs are not very effective against new viruses, even those that use non-signature-based methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on the major anti-virus applications to make sure that they are not detected before releasing them into the wild. Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus scanners.
Current malware is invisible, silent and most importantly, financially motivated. Security has moved beyond protecting your computer to protecting your identity. Today it is not only about computer security, it is about identity protection. Cyber-crime is migrating from amateurs to professionals working for organized crime rings. These criminal enterprises are so efficient and confident that they operate like legitimate businesses. The number of malware variants is growing exponentially while the number of computers infected by each sample is decreasing. The gap between created and detected malware keeps increasing.
As a result, security solutions solely based on continuously updated signature files cannot keep up with malware growth. They are no longer sufficient to guarantee users’ security.
2.CURRENT ANTIVIRUS SOFTWARE
Antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware.
A variety of strategies are typically employed. Signature-based detection involves searching for known malicious patterns in executable code. However, it is possible for a user to be infected with new malware for which no signature exists yet. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code (or slight variations of such code) in files. Some antivirus software can also predict what a file will do if opened/run by emulating it in a sandbox and analyzing what it does to see if it performs any malicious actions. If it does, this could mean the file is malicious.
However, no matter how useful antivirus software is, it can sometimes have drawbacks. Antivirus software can degrade computer performance. Inexperienced users may have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection (of any kind), success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack. In addition to the drawbacks mentioned above, the effectiveness of antivirus software has also been researched and debated. One study found that the detection success of major antivirus software dropped over a one-year period.
2.1 WORKING
Signature based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses.
Because new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.[8]
Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.
2.2 DISADVANTAGES
Unexpected renewal costs
Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription, while BitDefender sends notifications to unsubscribe 30 days before the renewal. Norton Antivirus also renews subscriptions automatically by default.
Rogue security applications
Some antivirus programs are actually malware masquerading as antivirus software, such as WinFixer and MS Antivirus. A recent surge in such software has deceived more than a million Microsoft Windows internet users and prompted the FTC to initiate court proceedings.
Problems caused by false positives
A false positive is identifying a file as a virus when it is not a virus. If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable. In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot. Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton Antivirus as being a Trojan and was automatically removed, preventing Pegasus Mail from running. Norton Antivirus has falsely identified three releases of Pegasus Mail as malware, and can delete the Pegasus Mail installer file when this happens. In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running XP SP3 and removed it, causing a reboot loop and loss of all network access.
System related issues
Running multiple antivirus programs concurrently can degrade performance and create conflicts. It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Active antivirus protection may partially or completely prevent the installation of a major update.
3.WEB BASED THREATS
We are all familiar with the old infection techniques, as they have been drummed into us by both the media and IT departments... DON'T click on attachments, DON'T open emails from people you don't know, DON'T reply to spam or virus messages, DON'T email your username/passcodes. Many viruses/worms relied on propagating by these means, which required some form of user "cooperation", but now...
There is a general consensus in the industry that the number of e-mail-borne viruses is falling and will continue to do so. We have seen this in the evolution of viruses: starting in the 80's with boot sector/floppy disc viruses, transitioning to file viruses and then to macro viruses spread via email. Now, web-borne attacks carrying malicious code are becoming more prominent and even more sophisticated (spyware being a very timely example).
New web-based techniques propagate without end-user "cooperation", many times without end-user awareness... hence the "silent danger" to your business. These attacks are technologically more advanced than earlier malware, using techniques like pharming and custom Trojans. The combination of blended threats (or malware) and targeted attacks (as opposed to widespread propagation) makes detection extremely difficult. Viruses have been in existence for over 25 years, and hackers have mastered the web to the point where they can engineer highly complex, multi-staged attacks. Now that hackers have the skills and financial motivation, the real battle begins.
Before we dive into examples, let's discuss the core component of web-based threats: Active Content. So just what is Active Content? Active Content refers to Java applets, ActiveX controls, JavaScript, Visual Basic scripts and executable files. While it may sound almost paradoxical, the very technologies that enrich our browsing experience are being used to attack us.
While web-based applications increase productivity and are essential for everyday business activities, the underlying technologies enabling these applications can be exploited for malicious purposes.
The transparency of Active Content execution creates a major security risk, both to the system on which it is executed and to other systems. A blended threat will most likely be called (or "activated") by the browser, and may not require user interaction. Then, once it has infected the local system, it may propagate in many ways without any user intervention, such as mass mailing, network sharing, open TCP ports and so on.
Two months ago, a unique kind of malicious code threat was discovered. This new Trojan operates by searching for 15 common file types on a user's PC, encrypting them and then sending a ransom message. Once the hacker is duly compensated, to the tune of $200 per computer, the user receives the decryption code for the files. And to think you only had to worry about your laptop being stolen on the subway or at Starbucks!
This Trojan is based on an Internet Explorer vulnerability published way back in 2003, for which a patch had been available for 10 months prior to the outbreak, yet the virus was released anyway in May 2005.
There is speculation that the damage resulting from this attempt was low due to the use of symmetric cryptography (which is relatively weak), allowing anti-virus companies to easily decrypt the files and provide protection. Once more sophisticated cryptographic malware is used, the results will unfortunately be more damaging.
3.1 THE UNIQUE NATURE OF WEB THREATS
As mentioned previously, the majority of web-borne attacks are based on Active Content and, unlike their virus predecessors, do not require user "cooperation" (i.e., clicking on links or attachments): these new "drive-by" downloads are activated without ANY user action at all. These stealth attacks are incredibly damaging, especially since users are not alerted to the attack (unlike typical virus detection) and are not prompted to block this malware or disinfect their systems.
While not all web-based attacks rely on user actions, some still use forms of social engineering to fool users into downloading and installing malware. A very good example of this is the recent rash of phishing attacks.
Companies have done a relatively good job of securing against email-based threats, but DO NOT have protection in place against web threats. Web gateways are commonly left unprotected, basically an "allow all" policy.
Web threats propagate through ports 80 and 443, which cannot be closed without hampering business productivity. As a matter of fact, companies report that port 80 and 443 traffic is increasing significantly (some accounts report up to a 50% increase).
We’ll now take a look at some recent examples…
3.2 EXAMPLES
Complex Web-Based Attack: Scob
Many products claiming to be “proactive" actually monitor the patterns and tell-tale signs exhibited by the network traffic, rather than the content’s behavior. Packet inspection products (e.g., intrusion detection and intrusion prevention systems), for instance, have difficulty in identifying complex attacks, such as spyware and phishing, which are driven by active content and do not leave identifiable “fingerprints” at the network or data layers.
SSL Spoofing
In this phishing example, the recipient receives an email with a spoofed sender address, containing a message designed to entice the recipient to click on a provided link. The links and branding within the email look completely genuine.
By clicking on the link provided, the user arrives at the page shown here, which appears to be a secure HTTPS website. The phisher hides the real address of the site by exploiting an Internet Explorer vulnerability related to non-printing characters.
By right-clicking on the toolbar and ticking “Address bar”, the true address bar is revealed. As illustrated in the screen below, this is really a non-secure HTTP site with a fake address.
3.3 WHY EXISTING SECURITY SOLUTIONS ARE NOT EFFECTIVE
Anti-Virus: only protects against known viruses, leaving companies exposed during a virus outbreak while the anti-virus vendors are busy updating their signature databases.
Firewalls are no longer sufficient for preventing today's malicious code, because complex threats, such as spyware and phishing, enter the network via port 80 and port 443, which are typically left open in the firewall.
Intrusion Detection Systems are designed to detect situations where the network has already been infected, and at best can help to control the damage.
Intrusion Prevention Systems, on the other hand, and similar "smart packet filtering" solutions usually attempt to identify communication patterns (i.e., the rate of transmission) of packets coming into the network, rather than analyzing application-level behavior.
When it comes to URL filtering, the URLs used by hackers are short-lived in order to avoid detection, and less than 20% of the world's websites are actually categorized by URL filtering vendors.
4.INTRODUCTION TO CLOUD COMPUTING
Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on demand, like the electricity grid. It is a paradigm shift following the shift from mainframe to client-server that preceded it in the early 1980s. Details are abstracted from the users, who no longer need expertise in, or control over, the technology infrastructure "in the cloud" that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet. It is a byproduct and consequence of the ease of access to remote computing sites provided by the Internet.
The term "cloud" is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network, and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents. Typical cloud computing providers deliver common business applications online which are accessed from another web service or software like a web browser, while the software and data are stored on servers.
Most cloud computing infrastructure consists of reliable services delivered through data centers and built on servers. Clouds often appear as single points of access for all consumers' computing needs. Commercial offerings are generally expected to meet quality of service (QoS) requirements of customers and typically offer SLAs. The major cloud service providers include HP, IBM, VMware, Amazon, Google and Microsoft.
Cloud computing logical diagram
4.1 Key features
· Agility improves with users' ability to rapidly and inexpensively re-provision technological infrastructure resources.
· Cost is claimed to be greatly reduced and capital expenditure is converted to operational expenditure. This ostensibly lowers barriers to entry, as infrastructure is typically provided by a third-party and does not need to be purchased for one-time or infrequent intensive computing tasks. Pricing on a utility computing basis is fine-grained with usage-based options and fewer IT skills are required for implementation (in-house).
· Device and location independence enables users to access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile). As infrastructure is off-site (typically provided by a third party) and accessed via the Internet, users can connect from anywhere.
· Multi-tenancy enables sharing of resources and costs across a large pool of users thus allowing for:
· Centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.)
· Peak-load capacity increases (users need not engineer for highest possible load-levels)
· Utilization and efficiency improvements for systems that are often only 10–20% utilized.
· Reliability improves through the use of multiple redundant sites, which makes cloud computing suitable for business continuity and disaster recovery. Nonetheless, many major cloud computing services have suffered outages, and IT and business managers can at times do little when they are affected.
· Scalability via dynamic ("on-demand") provisioning of resources on a fine-grained, self-service basis near real-time, without users having to engineer for peak loads. Performance is monitored, and consistent and loosely coupled architectures are constructed using web services as the system interface. One of the most important new methods for overcoming performance bottlenecks for a large class of applications is data parallel programming on a distributed data grid.
· Security could improve due to centralization of data, increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels. Security is often as good as or better than under traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford. Providers typically log accesses, but accessing the audit logs themselves can be difficult or impossible. Furthermore, the complexity of security is greatly increased when data is distributed over a wider area and / or number of devices.
· Maintenance: cloud computing applications are easier to maintain, since they don't have to be installed on each user's computer. They are easier to support and to improve, since the changes reach the clients instantly.
· Metering: cloud computing resource usage should be measurable and should be metered per client and application on a daily, weekly, monthly and annual basis. This enables clients to choose a cloud vendor on cost and reliability (QoS).
5.INTRODUCTION TO CLOUD ANTIVIRUS
In current antivirus software a new document or program is scanned with only one virus detector at a time. CloudAV instead sends programs or documents to a network cloud, where multiple antivirus and behavioural detectors are run simultaneously. It is more thorough and also has the ability to check the new document's or program's access history.
CloudAV is a cloud computing antivirus developed by researchers at the University of Michigan. Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis. The CloudAV system uses 12 different detectors that act together to tell the PC whether the item is safe to open.
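The architecture just described, as an added illustration (not the University of Michigan CloudAV code): a thin host agent hashes each newly received file and hands it to a cloud service that runs several detectors at once and combines their verdicts. The three detectors, the threshold policy, the verdict cache and the sample files are constructed assumptions.

```python
import hashlib
import math
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

# --- Constructed stand-ins for independent detection engines -------------
SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]  # constructed, not a real signature

def signature_engine(data: bytes) -> bool:
    """Exact-signature engine: flags a file containing a known byte string."""
    return any(sig in data for sig in SIGNATURES)

def entropy_engine(data: bytes) -> bool:
    """Heuristic engine: flags content whose Shannon entropy exceeds
    7.2 bits/byte, typical of packed or encrypted (polymorphic) payloads."""
    if not data:
        return False
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return entropy > 7.2

def script_in_pe_engine(data: bytes) -> bool:
    """Heuristic engine: an MZ executable that embeds an HTML script tag."""
    return data.startswith(b"MZ") and b"<script" in data.lower()

ENGINES: Dict[str, Callable[[bytes], bool]] = {
    "signature": signature_engine,
    "entropy": entropy_engine,
    "script_in_pe": script_in_pe_engine,
}

class CloudScanner:
    """Cloud side: runs every engine concurrently on a submitted file and
    combines the verdicts. `threshold` is how many engines must agree before
    the file is called malicious (1 = any engine; higher values trade missed
    detections for fewer false positives). Verdicts are cached by SHA-256, so
    a file already analysed for one host is not re-scanned for the next."""
    def __init__(self, threshold: int = 1):
        self.threshold = threshold
        self.cache: Dict[str, dict] = {}

    def scan(self, data: bytes) -> dict:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:
            return self.cache[digest]
        with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
            hits = pool.map(lambda engine: engine(data), ENGINES.values())
            results = dict(zip(ENGINES.keys(), hits))
        flagging = [name for name, hit in results.items() if hit]
        verdict = {"sha256": digest, "engines_flagging": flagging,
                   "malicious": len(flagging) >= self.threshold}
        self.cache[digest] = verdict
        return verdict

class HostAgent:
    """Thin host-side agent: every newly received file is sent to the cloud
    before it is opened, and the outcome is recorded in an access history."""
    def __init__(self, cloud: CloudScanner):
        self.cloud = cloud
        self.history: List[tuple] = []

    def open_file(self, name: str, data: bytes) -> bool:
        """Return True if the cloud verdict allows the file to be opened."""
        verdict = self.cloud.scan(data)
        self.history.append((name, verdict["sha256"][:12], verdict["malicious"]))
        return not verdict["malicious"]

# Constructed sample files.
HIGH_ENTROPY = bytes(range(256)) * 16   # uniform byte distribution: entropy 8.0
SIG_SAMPLE = b"MZ" + b"\x90" * 64 + b"CONSTRUCTED-MALWARE-MARKER"
BENIGN_DOC = b"Quarterly report: revenue grew 4% over the previous period.\n" * 4

if __name__ == "__main__":
    agent = HostAgent(CloudScanner(threshold=1))
    for name, data in [("packed.bin", HIGH_ENTROPY), ("marker.exe", SIG_SAMPLE),
                       ("report.txt", BENIGN_DOC)]:
        allowed = agent.open_file(name, data)
        print(name, "safe" if allowed else "blocked",
              agent.cloud.scan(data)["engines_flagging"])
```

Raising the threshold to 2 makes SIG_SAMPLE pass, since only the signature engine flags it; that is the false-positive versus false-negative balance the report mentions, made explicit as a policy knob.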
5.1 WORKING
Cloud Antivirus is a cloud based security solution that can be installed and managed from anywhere through a web console. Since it is a hosted service, it doesn’t require infrastructure investment. You typically have options to delegate your security management to expert service providers.
So it is essentially the management of antivirus in an organization that moves into the cloud. There will still be an antivirus product installed on each PC and laptop you have. However, you have options to control the updates, profiles and levels of security from a cloud-based control panel, and the part installed on the PC is a thin version of a traditional antivirus product.
Normally a cloud antivirus can be deployed in two ways. In the first, the user clicks on a link in an email that installs the protection agent. In the other, an administrator pushes the installation to workstations, choosing them by name, IP address, IP range or domain.
Free cloud antivirus products are similar to other free antivirus products but hosted in the cloud. You get the advantage of a low footprint and up-to-date packages. An example of a free cloud antivirus is Panda Cloud Antivirus.
Example for Cloud Antivirus
Panda Cloud Antivirus is a free version of Panda's security software. It is cloud-based, meaning that scanning of the files is handled on a remote server rather than on the user's machine. This results in less bloat as seen by the end user. The cloud technology is based on Panda's Collective Intelligence.
Features
· Support for 32-bit operating systems, as well as for 32-bit processes under 64-bit systems.
· Advanced configuration. Ability to turn on/off and tweak the behaviour of the different engines, cloud responses, advanced logging, recycle bin settings, exclusions, etc.
· Self-protection of the AV processes and configurations.
· Re-do detections that were previously un-done so that they are detected again.
· Automatic and transparent upgrades to new engine versions and new features.
· Improved offline protection. Default deactivation of Windows Autorun.
· USB vaccination. Automatic vaccination of USB memory keys and hard drives.
· Ability to run alongside other AVs and Anti-Spyware. Can now be run alongside other security tools and scanners.
· Full scan option. Added option to run a full PC scan easily.
· More languages. Added 9 new languages. PCAV is now available in a total of 20 languages: English, German, French, Spanish, Dutch, Italian, Portuguese, Swedish, Greek, Polish, Simplified Chinese, Traditional Chinese, Russian, Brazilian Portuguese, Turkish, Hungarian, Japanese, Slovak, Norwegian and Finnish.
· Quicker download and install experience thanks to a new stub installer which is 300 KB in size.
· More options for restoring neutralized files. More flexibility when recovering neutralized files, allowing for automatic and manual recovery, exclusions, configuration of the Recycle Bin automatic emptying, path to recover, etc.
· Improved handling of known good files to reduce false positive rates by the new behavioural engine and automated classification from the Collective Intelligence servers.
· Optimized installation background scan by using adaptive low-priority scans.
· Improved scanning progress information, showing when a large compressed file is being scanned to avoid the perception that the scan is stuck.
5.2 DETECTION METHODS
Signature-based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole but also in pieces.
Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses.
File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and, through either mutation or refinement by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.
For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Panda classifies members of the Vundo family into two distinct members, Trojan.Vundo and Trojan.Vundo.B.
While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. Padded code is used to confuse the scanner so it can't recognize the threat. A detection that uses this method is said to be "heuristic detection."
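A generic family signature with wildcards, as an added example (not any vendor's signature format or scanner): '??' stands for one byte that varies between variants and '*' for a run of padding of any length, so one signature covers a padded variant that an exact byte-string signature written for the first variant misses. The signature syntax, family names and sample byte strings are constructed.

```python
import re
from typing import Dict, List

def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Translate a hex signature such as 'B8 ?? ?? 00 00 * CD 21' into a
    compiled bytes regex: '??' matches exactly one arbitrary byte and '*'
    matches any run of bytes (where variants in a family differ in length,
    e.g. because meaningless padding was inserted)."""
    parts: List[bytes] = []
    for token in sig.split():
        if token == "??":
            parts.append(b".")
        elif token == "*":
            parts.append(b".*?")
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    # DOTALL so '.' also matches the 0x0A byte
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed family signatures: the code every variant shares, with '??'
# where bytes change between variants and '*' where padding may appear.
FAMILY_SIGNATURES: Dict[str, str] = {
    "Constructed.FamilyA": "B8 ?? ?? 00 00 * CD 21",
    "Constructed.FamilyB": "E8 00 00 00 00 5D 81 ED ?? ?? ?? ??",
}
COMPILED = {name: compile_signature(s) for name, s in FAMILY_SIGNATURES.items()}

def scan(data: bytes) -> List[str]:
    """Return the names of every family signature found anywhere in the
    file contents (the whole file is searched, not only its start)."""
    return [name for name, pattern in COMPILED.items() if pattern.search(data)]

def exact_match(signature: bytes, data: bytes) -> bool:
    """A traditional exact byte-string signature, for comparison."""
    return signature in data

# Constructed samples: two 'variants' of FamilyA and a benign file.
VARIANT_1 = bytes.fromhex("B8 01 02 00 00 CD 21")
# variant 2 changes the two variable bytes and inserts NOP (0x90) padding
VARIANT_2_PADDED = bytes.fromhex("B8 AA BB 00 00 90 90 90 90 90 90 CD 21")
BENIGN = bytes.fromhex("B8 01 02 00 00 C3")
EXACT_SIG = VARIANT_1  # an exact signature written for variant 1 only

if __name__ == "__main__":
    for label, sample in [("variant 1", VARIANT_1), ("variant 2", VARIANT_2_PADDED),
                          ("benign", BENIGN)]:
        print(f"{label}: generic={scan(sample)} "
              f"exact={exact_match(EXACT_SIG, sample)}")
```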
Rootkit detection
Anti-virus software now scans for rootkits; a rootkit is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and, in some cases, can tamper with the anti-virus program and render it ineffective. Rootkits are also very difficult to remove, in some cases requiring a complete re-installation of the operating system.
5.3 COLLECTIVE INTELLIGENCE
Maximum protection with minimum impact on your PC. Panda Security’s Collective Intelligence works as an online, real-time database that stores the majority of signature files, keeping them at a minimum on the endpoint. Every Panda user is a sensor for new malware, sending statistical data about malware prevalence back to the cloud. This new approach reduces bandwidth consumption on customers’ PCs and provides faster and more comprehensive up-to-date protection.
We’d like to invite you to read the next pages and find out more about Collective Intelligence, its fundamentals, a simple description of the way it works and the outstanding benefits for the Panda 2010 product users.
What is Collective Intelligence?
Collective Intelligence is a security platform offering high-level protection in real time, exponentially increasing the detection capacity of your antivirus. It leverages the knowledge in the Panda Security user community and allows enormous quantities of malware to be processed, delivering mega-detection capacity while reducing resource consumption. To make the most of all the advantages of Collective Intelligence and increase the detection capacity of Panda Cloud Antivirus, your computer must be connected to the Internet during the scans.
What is the security cloud?
Cloud computing is a technology that allows services to be offered across the Internet. The cloud is a term used metaphorically for the Internet. Panda Cloud Antivirus heralds a new generation of security and antivirus services, in line with the trends of cloud computing: Cloud Security. Panda Cloud Antivirus connects to the Collective Intelligence servers in the cloud to protect your computer, without requiring traditional updates or penalizing the performance of your system. Now all knowledge is in the cloud, and thanks to Panda Cloud Antivirus, you can benefit from this.
What is the relation between Collective Intelligence, the cloud and the community?
Collective Intelligence, the cloud and the community are the cornerstones of the great detection capacity of Panda Cloud Antivirus and its minimal use of system resources. Collective Intelligence is a security platform with database servers hosted in the cloud, storing all the information needed to detect and neutralize threats on your computer. These servers are fed with information provided by the community of users about virus detections. Collective Intelligence processes and classifies all this information, allowing Panda Cloud Antivirus to consult these servers and maximize detection capacity, without affecting resources on your computer. This way, Panda Cloud Antivirus can detect millions of viruses, much faster than if it had to depend on traditional updates. Your computer will therefore have greater protection without affecting performance. You can also contribute to the community by sharing information about threats detected on your computer. This way, not only will Panda Cloud Antivirus protect your computer rapidly, but you will also allow millions of users around the world to benefit from the solutions to threats. To contribute to the community, make sure the Automatic management of possible viruses option is enabled in the Panda Cloud Antivirus settings.
Specialty
Each new file received is automatically classified within six minutes and the Collective Intelligence servers classify more than 50,000 new malware samples every day. These technologies correlate information on malware received from each computer to continuously improve the protection level for the worldwide community of users. Panda's 2010 solutions have continuous, real-time contact with this vast knowledge base allowing the company to offer users the fastest response against the new malware that appears every day.
5.4 BEHAVIOURAL BLOCKING
Panda Cloud Antivirus incorporates two types of behavioral protection: behavioral blocking and behavioral analysis. In this section we concentrate on the behavioral blocking rules, which are included by default in both the Free Edition and the Pro version of Panda Cloud Antivirus.
The behavioral blocking engine is composed of a collection of rules describing typical malicious actions performed by, or exploited through, a group of programs. The types of behavior blocking rules included in Panda Cloud Antivirus can be grouped into four main areas.
Malware family specific rules
· Rule 4001: Generic rules to block TDSS Rootkit installations.
· Rules 4002 & 4003: Block autorun type of malware by limiting autorun.inf file creation and modifications.
· Rules 4004 & 4005: Generically block certain rogue malware installers.
· Rules 4006 & 4007: Prevent installations of Lineage trojan family generically.
· Rules 4009 & 4010: All W32/Viking virus variants create files with a common name, so we don’t allow execution or creation of these files.
· Rule 4011: Typical files and processes from the W32/Beagle malware have been blocked from being created or executed.
Operating System Security Policies
· Rule 4008: Some application (email client, MSN, IM, video/sound player) is trying to modify the hosts file. This is typical of malicious modifications to the Operating System that redirect websites to compromised hosts.
· Rules 4013 & 4014: Windows always checks whether c:\explorer.exe exists and, if it does, executes it instead of the real Windows Explorer. If you receive an alert, some kind of malware is trying to create or execute the file c:\explorer.exe. This is a dangerous operation.
· Rule 5001: During normal behaviour DNS Server Application shouldn’t need to create or execute any executable. If you receive an alert, some kind of vulnerability is being exploited.
· Rule 5003: During normal behaviour, email clients, MSN, IM, video/sound players, text editors, Office app, compressors, shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
· Rule 5004: During normal behaviour, Network Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
· Rule 5008: During normal behaviour some applications shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
· Rule 5023: During normal behaviour DNS Server Application (dns.exe) shouldn’t need to create or execute any executable programs. If you receive an alert, some kind of vulnerability is being exploited.
Browser vulnerability exploit prevention rules
· Rule 5002: During normal behaviour, Web browsers shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
· Rule 5005: During normal behaviour Web browsers shouldn’t need to execute files from downloaded programs directories. This rule prevents some IE vulnerabilities normally exploited by drive-by downloaders. If you receive an alert, some kind of vulnerability is being exploited.
· Rules 5020 & 5021: Prevents Internet Explorer vulnerabilities from exploiting Microsoft HTML Application Hosts to create and execute malicious code. If you receive an alert, some kind of IE vulnerability is being exploited.
Generic application vulnerability exploit prevention rules
· Rule 5006: During normal behaviour multimedia applications shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
· Rule 5007: During normal behaviour Windows Media Player shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
· Rules 5009 & 5014: During normal behaviour Microsoft Word shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
· Rules 5010 & 5015: During normal behaviour Microsoft Excel shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
· Rules 5011 & 5016: During normal behaviour Microsoft PowerPoint shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
· Rules 5012 & 5017: During normal behaviour PDF readers shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
· Rules 5013 & 5018: During normal behaviour Open Office shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
· Rule 5019: During normal behaviour Exchange Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of Exchange Server vulnerability is being exploited.
· Rule 5022: During normal behaviour IIS Web Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of IIS vulnerability is being exploited.
· Rule 5024: Generic rule to block exploitation of certain Operating System and third-party applications that try to create and execute malicious code. If you receive an alert, some kind of vulnerability is being exploited.
Thanks to this behavioural blocking engine, Panda Cloud Antivirus is able to proactively and generically protect against a large variety of malware and exploits that specialise in bypassing signature and heuristic detection. More importantly, it is able to do this without any impact on performance.
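The parent-process and file-type relationships these rules encode can be expressed as a small rule table evaluated over monitored process events. The following Python is an added example written for this section, not Panda's engine: the rule numbers are the ones quoted above, but the process lists, the event format and the matching predicates are assumptions, and the events it is exercised with are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List

# Process families the rules reason about (constructed lists, not Panda's own).
BROWSERS = {"iexplore.exe", "firefox.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
CLIENT_APPS = OFFICE | {"outlook.exe", "msnmsgr.exe", "wmplayer.exe", "notepad.exe"}
SERVERS = {"dns.exe", "w3wp.exe", "store.exe"}
SHELL_TOOLS = {"cmd.exe", "net.exe", "reg.exe", "ftp.exe", "tftp.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat")

@dataclass(frozen=True)
class Event:
    """One monitored action, all fields lower-case: who did what to which path."""
    process: str   # image name of the acting (parent) process
    action: str    # "create", "modify" or "execute"
    target: str    # full path of the file touched or launched

def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def is_exec(path: str) -> bool:
    return path.endswith(EXEC_EXT)

def spawns_tool(family: set) -> Callable[[Event], bool]:
    """Rules 5002/5003/5004 share one shape: a member of <family> runs a shell/admin tool."""
    return lambda e: (e.process in family and e.action == "execute"
                      and base(e.target) in SHELL_TOOLS)

# (rule number quoted in the text, description, predicate that is True on a violation)
RULES = [
    (4002, "autorun.inf created or modified",
     lambda e: e.action != "execute" and base(e.target) == "autorun.inf"),
    (4008, "client application modifies the hosts file",
     lambda e: e.process in CLIENT_APPS and e.action == "modify"
     and e.target.endswith("\\drivers\\etc\\hosts")),
    (4013, "c:\\explorer.exe created or executed", lambda e: e.target == "c:\\explorer.exe"),
    (5001, "dns.exe creates or executes an executable",
     lambda e: e.process == "dns.exe" and is_exec(e.target)),
    (5002, "browser launches a shell or admin tool", spawns_tool(BROWSERS)),
    (5003, "client application launches a shell or admin tool", spawns_tool(CLIENT_APPS)),
    (5004, "server application launches a shell or admin tool", spawns_tool(SERVERS)),
    (5009, "Microsoft Word writes an executable file",
     lambda e: e.process == "winword.exe" and e.action == "create" and is_exec(e.target)),
]

def matching_rules(event: Event) -> List[int]:
    """IDs of every rule the event violates; an empty list means the action is allowed."""
    return [rid for rid, _desc, match in RULES if match(event)]
```

A real engine also has to resolve the acting process reliably (image path, not just name) and handle renamed or injected-into processes; this table only shows how the rule families compose.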
6.ADVANTAGES
Cloud Antivirus is a service rather than software, and so has the following advantages:
· No installation required
· Updates without user intervention – always up to date
· Access your account from anywhere
· Reduces bandwidth consumption, since with traditional software a large number of workstations each look for updates
Fewer false positives
A false positive is identifying a file as a virus when it is not a virus. If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable.
Effectiveness
Independent testing on all the major virus scanners consistently shows that none provides 100% virus detection. One major review deemed Panda Cloud Antivirus clean, fast, simple and easy to use, offering good detection rates. The same review scored Panda 99.87% in malware detection and 91.4% in malicious URL detection. Its overall score was 95%, a strong protection factor considering it is freeware.
Lightweight
It uses only a small amount of RAM and hard disk space.
· Works with 32-bit operating systems, as well as with 32-bit processes under 64-bit systems.
· Advanced configuration. Ability to turn on/off and tweak the behaviour of the different engines, cloud responses, advanced logging, Recycle Bin settings, exclusions, etc.
· Self-protection of the AV processes and configuration.
· Re-do detections that were previously undone so that they are detected again.
· Automatic upgrades to new engine versions and new features, applied automatically and transparently.
· Improved offline protection. Default deactivation of Windows Autorun.
· USB vaccination. Automatic vaccination of USB memory keys and hard drives.
· Ability to run alongside other AVs and anti-spyware. Can now be run alongside other security tools and scanners.
· Full scan option. Added option to run a full PC scan easily.
· More languages. Added 9 new languages. PCAV is now available in a total of 20 languages: English, German, French, Spanish, Dutch, Italian, Portuguese, Swedish, Greek, Polish, Simplified Chinese, Traditional Chinese, Russian, Brazilian Portuguese, Turkish, Hungarian, Japanese, Slovak, Norwegian and Finnish.
· Quicker download and install experience thanks to the new stub installer, which is 300 KB in size.
· More options for restoring neutralized files. More flexibility when recovering neutralized files, allowing for automatic and manual recovery, exclusions, configuration of the Recycle Bin automatic emptying, path to recover, etc.
· Improved handling of known good files to reduce false positive rates, using the new behavioural engine and automated classification from the Collective Intelligence servers.
· Optimized installation background scan by using adaptive low-priority scans.
· Improved scanning progress information, showing when a large compressed file is being scanned to avoid the perception that the scan is stuck.
7.CONCLUSION
Cloud Antivirus is a cloud-based security solution that can be installed and managed from anywhere through a web console. Since it is a hosted service, it doesn’t require infrastructure investment. You typically have the option to delegate your security management to expert service providers.
So it is essentially the management of antivirus in an organization that moves into the cloud. There will still be an antivirus product installed on each PC and laptop you have, but you can control the updates, profiles and levels of security from a cloud-based control panel, and the part installed on the PC is a thin version of a traditional antivirus product.