Tuesday, 4 December 2012

Bitdefender 60-Second Virus Scanner

Today we’re launching the free 60-Second Virus Scanner desktop app, which will add a layer of elite cloud-based protection to PCs worldwide in an all-out assault on malware.

It’s called the 60-Second Virus Scanner because it scours your system for malware in less than a minute.

The claim of speed and convenience may raise the eyebrows of many users who’ve already tried security products. Let’s face it - speed and low system impact haven’t been the strong points of the antivirus industry. An antivirus has been seen as something akin to medicine that tastes bad, but works.

Things have changed in recent years, and we’ve been investing a lot in our security products. No one likes a system slowdown. As developers, we hate it even more, since we have to work with advanced developer tools that take a lot of resources. Additional software that slows our systems can directly impact our performance, not to mention our sanity.

On the other hand, security is important. No one wants work stolen or lost. Even hardcore developers know they need a security product.

So, we set out to build a “One-Minute Wonder.”

First, we created a really tiny installer (about 155 KB). After installation, it unfolds into approximately 24 MB, but most of the space is occupied by the User Interface.

Second, we moved the entire detection system to the Bitdefender Cloud, which can collect and manage vast amounts of information. The application then creates a quick snapshot of the running processes and talks with our cloud about detection.

Anti-virus companies have used the cloud for many years, specifically for real-time virus reporting and detection of virus outbreaks. In this scenario, the anti-virus engine monitors the execution of unknown files and reports the event to the server. The server then decides whether the unknown file represents a virus outbreak by analyzing details such as file spreading, distribution and a set of geographic details.

Intrusion Prevention Systems have used the cloud to report the behavior of executables, extending detection capabilities of host-based intrusion prevention systems.

The simplest implementation of the client module, which proved to be remarkably effective, consisted of performing a live system analysis for compromise detection. Instead of reporting behavior events, our engine performs a snapshot of the live system and gathers information. This snapshot lasts no more than a few seconds for a normal system.

For the Bitdefender Cloud to perform its analysis, the snapshot of the running processes has to contain information extracted by the following three components:

The file information component extracts attributes such as Portable Executable structure abnormalities, entropy, whether or not the file is digitally signed with a valid digital signature, imported functions, etc.; all of these help in determining whether a file is suspicious.
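As an added example (not Bitdefender's code and not a description of their engine), the Python below builds two constructed PE32 images and runs the kind of file-level checks the paragraph lists: section-table and entry-point abnormalities, writable-and-executable sections, and per-section entropy. The section names, the sample bytes and the 7.0-bits-per-byte entropy cut-off are assumptions chosen for the example; signature validation and import parsing are left out.

```python
import math
import random
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
PACKED_ENTROPY = 7.0  # assumed threshold: executable code this dense is usually packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive content, near 8 for compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _align(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal, well-formed PE32 image from (name, data, characteristics) tuples.
    Constructed test input for this example; no compiler output or real binary is involved."""
    opt_size = 96  # PE32 optional header with NumberOfRvaAndSizes = 0 (no data directories)
    headers_end = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table, bodies, raw_off, rva = b"", b"", headers_end, SECTION_ALIGN
    for name, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_size, raw_off, 0, 0, 0, 0, chars)
        bodies += data.ljust(raw_size, b"\0")
        raw_off += raw_size
        rva += _align(max(len(data), 1), SECTION_ALIGN)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_end, b"\0")
    return headers + bodies


def parse_sections(image: bytes):
    """DOS header -> PE signature -> COFF header -> section table; returns (entry_rva, sections)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = pe_off + 4
    n_sections = struct.unpack_from("<H", image, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff_off + 16)[0]
    opt_off = coff_off + 20
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, roff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "roff": roff, "chars": chars})
    return entry_rva, sections


def analyze_pe(image: bytes) -> dict:
    """Structural checks plus per-section entropy: file-level signals a snapshot could carry."""
    entry_rva, sections = parse_sections(image)
    warnings, entropy, ep_section = [], {}, None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            ep_section = s
        if s["roff"] + s["rsize"] > len(image):
            warnings.append(f"{s['name']}: raw data extends past end of file")
        if not all(32 <= ord(c) < 127 for c in s["name"]):
            warnings.append(f"{s['name']!r}: non-printable section name")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            warnings.append(f"{s['name']}: section is both writable and executable")
        ent = shannon_entropy(image[s["roff"]:s["roff"] + s["rsize"]])
        entropy[s["name"]] = ent
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and ent > PACKED_ENTROPY:
            warnings.append(f"{s['name']}: entropy {ent:.2f} suggests packed or encrypted code")
    if ep_section is None:
        warnings.append("entry point outside all sections")
    elif not ep_section["chars"] & IMAGE_SCN_MEM_EXECUTE:
        warnings.append(f"entry point in non-executable section {ep_section['name']}")
    return {"entry_rva": entry_rva, "entropy": entropy, "warnings": warnings}


def sample_images():
    """Constructed: a plain code image, and a packed-looking image with several red flags."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    clean = build_sample_pe([(b".text", b"\x90\xc3" * 2048, code)], 0x1000)
    rng = random.Random(1)  # deterministic pseudo-random bytes stand in for packed code
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    packed = build_sample_pe([(b".crypt", noise, code | IMAGE_SCN_MEM_WRITE)], 0x9000)
    return clean, packed


if __name__ == "__main__":
    for label, img in zip(("clean", "packed"), sample_images()):
        print(label, analyze_pe(img))
```

Entropy alone is a weak signal (legitimately compressed resources are dense too), which is why it is combined with the structural checks and, in the scheme the post describes, with the memory and system information before any verdict is reached.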

The memory information component analyses the in-memory image of loaded modules. Since the modules are already executing, it is safe to assume that, at this stage, most of them have been decrypted or decompressed, so we have access to their unencrypted memory image. Among the information retrieved:

            • Exploits and shellcode.
            • Embedded executables (particularly device drivers!).
            • Strings used by various protocols, interesting registry keys, etc.
            • Whether the in-memory code section exactly matches the on-disk code section (of course, after we apply relocation information).

The system information component analyses the way the module interfaces with the system, and possibly with other systems, by taking into consideration the following:

            • A hidden process, or a hidden module within a process, is a warning sign.
            • A process that waits on a specific port, or is connected to a server on a specific port, may be a warning sign, depending on the port, the server address and other flags.
            • A process with multiple valid and visible windows may be considered less suspicious than a process with no windows, or with windows outside the viewing area of the screen.
            • API hooking, although used in legitimate software as well, is mostly used by malware, typically by injecting unconditional branches to the new handler function.
            • A presence in a ‘hot’ area of the file system (the Windows or System32 directories, Startup, Temporary Folder, etc.) or presence of an executable in a file’s list of streams, may represent a warning sign, depending on other factors.
            • Different ways of loading a DLL into the system are important flags in determining whether a file is suspicious.
            • The way a process is started may reveal interesting information. A process automatically started via an autorun registry key may receive a different score compared to a process manually started by the user.

… and so on.
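The memory component's last bullet (comparing the in-memory code section with the on-disk one after applying relocations) and the API-hooking bullet above (unconditional branches injected at the start of a function) come together in one check. The following Python is an added illustration, not Bitdefender's code: it rebases a constructed 16-byte on-disk code section the way the loader would, diffs it against a constructed memory image, and labels any patch whose bytes form a `jmp rel32`, an indirect `jmp [addr]` or a `push/ret` trampoline. The image bases, the relocation entry and the code bytes are assumptions chosen for the example.

```python
import struct

IMAGE_BASE_PREFERRED = 0x00400000  # constructed: base the linker assumed
IMAGE_BASE_ACTUAL = 0x007A0000     # constructed: base the loader actually used

# Constructed on-disk .text bytes:
#   push ebp / mov ebp,esp / mov eax,[0x00401034] / pop ebp / ret, padded with int3.
DISK_CODE = bytes.fromhex("558BECA1341040005DC3").ljust(16, b"\xcc")
# The imm32 of "mov eax,[abs]" (offset 4) is an absolute address that the loader
# adjusts at load time (an IMAGE_REL_BASED_HIGHLOW relocation).
RELOCATIONS = [4]


def apply_relocations(disk: bytes, reloc_offsets, preferred_base: int, actual_base: int) -> bytes:
    """Reproduce what the loader does so the comparison baseline matches a legitimate load."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    buf = bytearray(disk)
    for off in reloc_offsets:
        (value,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (value + delta) & 0xFFFFFFFF)
    return bytes(buf)


def diff_runs(expected: bytes, actual: bytes):
    """Contiguous (offset, length) runs where the memory image departs from the expected bytes."""
    if len(expected) != len(actual):
        raise ValueError("section sizes differ")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(expected) - start))
    return runs


def classify_patch(memory: bytes, offset: int, length: int) -> dict:
    """Name the patch; unconditional-branch patterns are what inline hooks typically plant."""
    b = memory[offset:offset + length]
    if length >= 5 and b[0] == 0xE9:                      # jmp rel32
        (rel,) = struct.unpack_from("<i", b, 1)
        return {"kind": "inline jmp rel32", "target_offset": offset + 5 + rel}
    if length >= 6 and b[0] == 0xFF and b[1] == 0x25:     # jmp dword ptr [abs]
        (slot,) = struct.unpack_from("<I", b, 2)
        return {"kind": "indirect jmp", "pointer_slot": slot}
    if length >= 6 and b[0] == 0x68 and b[5] == 0xC3:     # push imm32 / ret
        (target,) = struct.unpack_from("<I", b, 1)
        return {"kind": "push/ret trampoline", "target": target}
    return {"kind": "unclassified byte patch"}


def scan_code_section(disk: bytes, memory: bytes, reloc_offsets, preferred_base: int, actual_base: int):
    """Relocate the disk copy, then report every run of bytes the memory image changed."""
    expected = apply_relocations(disk, reloc_offsets, preferred_base, actual_base)
    findings = []
    for off, length in diff_runs(expected, memory):
        finding = {"offset": off, "length": length}
        finding.update(classify_patch(memory, off, length))
        findings.append(finding)
    return findings


def sample_memory_images():
    """Constructed: a faithfully loaded copy, and the same copy with a 5-byte jmp at the function entry."""
    loaded = apply_relocations(DISK_CODE, RELOCATIONS, IMAGE_BASE_PREFERRED, IMAGE_BASE_ACTUAL)
    hooked = b"\xe9" + struct.pack("<i", 0x10000) + loaded[5:]
    return loaded, hooked


if __name__ == "__main__":
    loaded, hooked = sample_memory_images()
    print("naive diff (no relocation):", diff_runs(DISK_CODE, loaded))
    print("clean:", scan_code_section(DISK_CODE, loaded, RELOCATIONS, IMAGE_BASE_PREFERRED, IMAGE_BASE_ACTUAL))
    print("hooked:", scan_code_section(DISK_CODE, hooked, RELOCATIONS, IMAGE_BASE_PREFERRED, IMAGE_BASE_ACTUAL))
```

The naive comparison without relocation flags one byte of the rebased address as a "modification", which is the false positive the post's parenthetical is about; once the baseline is relocated, only the genuinely patched entry bytes remain.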

By using all the above information, we are able to determine which running processes are malicious, and in less than 60 seconds we can tell the user that he is infected.
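To show how signals like those listed above can be combined into a per-process score, here is an added Python sketch that is not Bitdefender's code and does not reproduce their weights. It scores three constructed process snapshots: a signed desktop application, a signed tray-style tool started from the Startup folder with an off-screen window, and an unsigned hidden process in a temporary folder. The weights, thresholds, field names and sample paths are all assumptions chosen for the example; the point is that each signal is graded in context (a hot-area location counts for more when the file is unsigned, network activity counts for more when there is no visible window) rather than treated as a verdict on its own.

```python
from dataclasses import dataclass, field


@dataclass
class ProcessSnapshot:
    """Constructed subset of what a live snapshot might record about one process."""
    name: str
    path: str
    signed: bool
    hidden: bool                  # not visible to standard process enumeration
    visible_windows: int          # windows inside the viewing area
    offscreen_windows: int        # windows positioned outside the screen
    listening_ports: list = field(default_factory=list)
    remote_ports: list = field(default_factory=list)
    api_hooks: int = 0            # unconditional branches found at API entry points
    started_by: str = "user"      # "user" or "autorun"
    loaded_via: str = "normal"    # how the module got into the process


HOT_MARKERS = ("\\windows\\", "\\temp\\", "\\startup\\")  # assumed 'hot' area markers
MALICIOUS_AT, SUSPICIOUS_AT = 60, 30                      # assumed thresholds


def in_hot_area(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in HOT_MARKERS)


def in_alternate_stream(path: str) -> bool:
    """An executable stored as a file stream looks like 'C:\\dir\\file.txt:payload.exe'."""
    return ":" in path[2:]


def score_process(p: ProcessSnapshot):
    """Return (score, reasons); every weight here is an illustrative assumption."""
    hits = []
    if p.hidden:
        hits.append((40, "process hidden from standard enumeration"))
    if p.visible_windows:
        hits.append((-10, f"{p.visible_windows} visible window(s)"))
    elif p.offscreen_windows:
        hits.append((15, "only off-screen windows"))
    else:
        hits.append((10, "no windows at all"))
    if p.listening_ports or p.remote_ports:
        hits.append((10, f"network activity: listening {p.listening_ports}, remote {p.remote_ports}"))
        if not p.visible_windows:
            hits.append((10, "network activity without any visible window"))
    if p.api_hooks:
        hits.append((20, f"{p.api_hooks} API hook(s) installed"))
    if in_hot_area(p.path):
        hits.append((10, "lives in a hot area of the file system"))
        if not p.signed:
            hits.append((15, "hot-area executable is unsigned"))
    if in_alternate_stream(p.path):
        hits.append((25, "executable stored in an alternate file stream"))
    if p.loaded_via != "normal":
        hits.append((15, f"module loaded via {p.loaded_via}"))
    if p.started_by == "autorun":
        hits.append((10, "started from an autorun key"))
    if not p.signed:
        hits.append((10, "no valid digital signature"))
    score = max(0, sum(points for points, _ in hits))
    return score, [reason for _, reason in hits]


def verdict(score: int) -> str:
    if score >= MALICIOUS_AT:
        return "malicious"
    if score >= SUSPICIOUS_AT:
        return "suspicious"
    return "clean"


def triage(processes):
    """Map process name -> (score, verdict) for a whole snapshot."""
    return {p.name: (score_process(p)[0], verdict(score_process(p)[0])) for p in processes}


def sample_snapshot():
    """Constructed snapshot; names and paths are made up for the example."""
    return [
        ProcessSnapshot("editor.exe", r"C:\Program Files\Editor\editor.exe", signed=True, hidden=False,
                        visible_windows=2, offscreen_windows=0, remote_ports=[443]),
        ProcessSnapshot("sync.exe", r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.exe",
                        signed=True, hidden=False, visible_windows=0, offscreen_windows=1,
                        remote_ports=[443], started_by="autorun"),
        ProcessSnapshot("svch0st.exe", r"C:\Users\dev\AppData\Local\Temp\svch0st.exe", signed=False, hidden=True,
                        visible_windows=0, offscreen_windows=0, listening_ports=[6667], api_hooks=2,
                        started_by="autorun"),
    ]


if __name__ == "__main__":
    for p in sample_snapshot():
        score, reasons = score_process(p)
        print(f"{p.name}: {score} -> {verdict(score)}")
        for r in reasons:
            print("   ", r)
```

The middle case is the useful one: an autorun tool with an off-screen window and an outbound connection lands in the "suspicious" band, which is exactly the kind of process a local heuristic should hand to the cloud for a decision backed by file reputation rather than convict on its own.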

And once we find the system is infected, the 60-Second Virus Scanner will tell the user how to get his system cleaned.

Besides on-demand or scheduled scans, a real-time scan feature continuously watches the system for hints of malicious activity (new user-mode processes running with administrator privileges, tampering with driver functionality, modifications to certain registry areas, etc.) and triggers a system scan when it sees them.

While beta-testing this technology, we discovered that 1 in 5 users had at least one piece of malware running on their computer. However, this statistic is biased, because people ran our scanner precisely because they already suspected they were infected.

Also, the 60-Second Virus Scanner can double-check the user’s current security solution, because it can work alongside other antivirus products.

And now it is available, for free, here:

Saturday, 1 December 2012

First post

This post was uploaded today, 01.12.2012, in an unexplainable urge to see how the Blogger platform works, and with a small curiosity about whether it will be followed by another post in the following days, or whether I should really stay away from blogging :)