Thursday, February 11, 2010

Anti-Malware. Part 2: Auto-Update Engine 5.0 and Heuristic Analyzer

In my last blog post, I discussed the antivirus engine advancements in the current version 6.7.3. Outpost 7 will continue this auto-update and traffic-saving approach and add even more stability and better performance. All this is thanks to the new anti-malware engine, version 5.0, which will be smoothly integrated into Outpost's other services in version 7.0.

Just to remind you of the improvements in Outpost Security Suite Pro and Outpost Antivirus Pro:
  • Continual signature-flow: The new engine allows increased frequency of malware database updates: three times a day on weekdays – twice with antivirus signatures and once with antispyware. Tip! Just tweak Outpost’s settings to opt for updates on an hourly basis instead of the default daily updates.
  • Smart updates: Version 5.0 of the anti-malware engine (anti-virus + anti-spyware) automatically updates itself as needed at the same time as the regular malware database updates (no separate product update is needed).
All these new benefits were introduced in a seamless fashion, so you won't experience any PC slowdowns or performance disruptions. On the contrary, automatic updates do a great job of reducing traffic and simplifying product operation. We are working hard to bring forward the public beta date, when all of you will be able to judge the improvements for yourselves. The release of version 7 will come hand in hand with the new anti-malware engine, which will provide a solid foundation for future detection and disinfection improvements.

I’d also like to tell you about another important technology that we’ll make visible in the Outpost 7.0 anti-malware module: HAX. HAX is designed to improve the accuracy of our detection and has been in development for quite a long time. Outpost 7.0 will bring this formerly hidden mechanism center stage in the anti-malware module's on-demand scan settings, as you can see in this screenshot:

HAX’s full name is Heuristic Analyzer for eXploits, and it’s specifically designed to detect potentially harmful packed objects such as ZIP and RAR files as well as suspicious encrypted and protected files.

Packed objects can be monitored using both signature-based and heuristic (non-signature) methods. The signature-based approach relies on a regularly updated database of packer definitions. The heuristic method builds on a static classifier that receives input data such as:
  • Characteristics of the PE (portable executable) structure
  • Section table check
  • Results of import table analysis
  • Assessment of file section entropy
A separate check catches attempts by malware to disguise an executable as a Windows system component.
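To illustrate two of the classifier inputs listed above (the section table check and section entropy), here is an added example written for this post; it is not Agnitum's HAX code. It parses the PE section table by hand, scores each section's Shannon entropy, and flags sections whose virtual size far exceeds their raw size. The 7.0 bits/byte threshold and the two-section sample image are constructed assumptions for the demo.

```python
import math
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER: 40 bytes per section
ENTROPY_PACKED = 7.0  # assumed threshold in bits/byte; uniformly random data scores 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data approaches 8.0, plain code sits well below."""
    n = len(data) or 1
    counts = [data.count(v) for v in range(256)]  # bytes.count() accepts an int byte value
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table; returns raw header tuples."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # skip optional header
    return [SECTION_HDR.unpack_from(pe, table + 40 * i) for i in range(num_sections)]

def assess_sections(pe: bytes):
    """Per-section entropy plus a section-table anomaly that packers typically leave behind."""
    report = []
    for name, vsize, _va, rsize, roff, *_ in parse_sections(pe):
        entropy, flags = shannon_entropy(pe[roff:roff + rsize]), []
        if entropy >= ENTROPY_PACKED:
            flags.append("high-entropy")       # raw bytes look compressed or encrypted
        if vsize > 2 * max(rsize, 1):
            flags.append("unpacks-in-memory")  # far more memory reserved than bytes on disk
        report.append((name.rstrip(b"\0").decode("ascii", "replace"), round(entropy, 2), flags))
    return report

def build_sample() -> bytes:
    """Constructed two-section PE-like image (headers + raw data only; not a runnable program)."""
    payloads = [(b".text", b"\x90" * 200 + b"\xc3", 0xC8),   # NOP sled + RET: low entropy
                (b"UPX1", bytes(range(256)) * 4, 0x40000)]  # every byte value equally often
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)                    # e_lfanew -> PE header right after
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 0, 0x0102)
    offset, table, body = 64 + 24 + 40 * len(payloads), b"", b""
    for name, data, vsize in payloads:
        table += SECTION_HDR.pack(name, vsize, 0x1000, len(data), offset + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(hdr) + table + body
```

Running `assess_sections(build_sample())` reports `.text` as clean and `UPX1` as both high-entropy and reserving far more memory than it carries on disk, which is the combination a packed or encrypted payload typically shows.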

That's it for now. Feel free to subscribe to the Outpost 7 series and learn what's up and what's new while we develop the Outpost 7 solutions. Your comments are always welcome!

Pavel Goryakin, Agnitum

6 comments:

Kolcho said...

Hello Pavel,

Everything you write here is very good and shows your commitment to deliver a really nice solution. I thought it could help if I share the most annoying things that I find in the current version (6.7.3). The web control is slowing my web page experience a lot. I found that pages are loading faster with all scripts/banners/etc. compared to when I am using the web control. I really hope you will have something up your sleeve for this also.

Agnitum BLOG said...

Hi Kolcho,

That's a bit off topic :-) Anyway, there may be plenty of other reasons for the slowdown, so I strongly advise you to contact our Customer Service at https://www.agnitum.com/support/contact.php.

They'll request system logs and help you identify and solve the problem.

Anonymous said...

I for one, think all of this sounds very exciting. :) Outpost has a reputation as being bulletproof and it looks like that will continue for some time. Well done!

Anonymous said...

Hello... I am from Romania and I want to congratulate you all from team AGNITUM for such a wonderful piece of software that is Firewall Pro 673... This piece of software prevents a lot of hackers from gaining access to my computer. Indeed a very strong firewall and antispyware. Keep up the good work in keeping customers' PCs safe. I will tell everyone to use OUTPOST FIREWALL PRO... :)

Anonymous said...

Hello, I am from Seattle WA USA. I like your heuristic PE analysis approach! But I wish you would explain more about
• Characteristics of PE (portable executable) structure
• Section chart check
• Results of import chart analysis
• Assessment of file section entropy
And I wish that Outpost Security Suite Pro would tell me more about what is going on in my computer if I want to know such things. If you could put in an option for verbose explanations I would like that very much! Also I am trying slowly to make an IA-32 Assembler using Dolphin Smalltalk at sourceforge.net search picoLARC and I would like to know about links or books about the PE format and
• Characteristics of PE (portable executable) structure
• Section chart check
• Results of import chart analysis
• Assessment of file section entropy
So could you please tell me where to look to find out about PE etc?
- Also, I wish that you could tell me when a program is trying to change a component. I get dialogs that say programs are using changed or unknown components, but I don't know when or how these changes happened (often they happen right after program installs). Isn't it too late after the change? I would like Outpost to tell me when a component change is happening so I can block it or not (Windows XP Pro). I don't know what to do when these dialogs come up. I don't know when the change was made. Was it part of the install I just did of Java? Or did it happen previously? I wish that Outpost would be more verbose, because I want it to be. I chose Outpost over Norton because it tells me things. But not enough. I want to know way more about what is happening and when.

geohac said...

I love Outpost. Keep up the good work.