Micropoint Forum
 
Subject: Heuristics and behavior judgements 2
sidineyqiao
Moderator





Registered 2007-12-24

[draft translation by sidineyqiao]
About the details of Micropoint

1. Why does anti-virus software exist?
We can resolve all virus problems and perform the entire operation manually, so why does it exist?
I think it has two reasons:
(1) An ability problem: not everyone has the ability to kill viruses manually.
(2) An efficiency problem: the person above can't finish all the jobs of killing the enormous quantity of viruses, so software does it.
For example, the CIH of the 1990s can be fixed manually, but 1000 infected files would need to be fixed manually at once.

2. Behavior analysis is not the newest thing
How does an antivirus corporation handle a new sample? It is easy: analyze the behaviors, judge the category, then name it and give the result that finishes the virus.
Generally, the signature library has three things: the signature code, the name and the plan to finish the virus. People always pay attention to the name, but they don't care about the way it is finished.

The advantages of the signature are precision and good efficiency, but it depends on acquiring the sample, and this brings two problems:
1. As you know, it always kills the virus after your PC has been infected.

2. IT'S HARD TO EXPRESS. Read the words below carefully.

We make an assumption that the parent virus A will produce the B virus, the C virus and the D virus after it starts to run, and that B, C and D will delete the parent A automatically and protect each other: C and D will reproduce B after B is deleted, and vice versa.

It is no doubt that some anti-virus factories get the parent virus A, because the samples and the actions are contained in A. Commonly, the factory only gets the B sample, and B can't produce C and D by itself; in other words, it doesn't get all the samples. The virus will be created again after you have deleted some virus successfully.

The main reason above leads to the faultiness of the plan for B. The perfect plan needs to clean the B, C and D viruses and clean the registry. The reason for the faultiness is that they just kill virus B.

The antivirus plan has another typical instance: lots of friends should have had the experience of cleaning the registry and the autorun garbage information when the PC is restarted after cleaning a virus. And why can some software clean the registry automatically, while other software can't?


As the deformed plan will influence the severity of the effect, I don't have high expectations of heuristic scanning, because its only operation is to delete the files, and the registry needs to be cleaned manually many times. So I insist that proactive defense will be the mainstream of the next generation of antivirus software, and heuristics are only an assistant. I think that real-time monitoring will be the mainstream and the scanning technique will be used less in future.

The quality of antivirus software is to distinguish the virus name and provide a good plan to kill the virus for a real user. It is always neglected that the plan for killing the virus is hard to test. The only standard for the software is whether it can report the virus name, like some net friends who yearn to download virus samples to scan and don't care about the real result... (This is the fact.) So some of them are glad to have the full names in the virus library, and enjoy the sequel that the anti-virus corporations never tell about in the meantime.

PS: I personally oppose checking for viruses in DOS; the reason is that you can't operate the registry under DOS, and the sequel is very troublesome. An anti-virus corporation that suggests the user check for viruses under DOS is refusing to take responsibility. You just need to restart the PC, even if there is driver protection, after deleting all the virus files in Windows.


3. What is Micropoint doing?
The main function is to move behavior analysis from the anti-virus lab to the user's desktop. As the first scene is the user's infected computer, Micropoint can get the accurate plan to clean the virus under the protection of Micropoint's monitoring and control system. It is easy to clean the virus and the remains in the registry.
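To make the A, B, C, D scenario from section 2 and the "accurate plan from the user's desktop" idea above concrete, here is an added example that is not from the original post and not Micropoint's code. It takes a constructed behaviour trace (hypothetical file names A.exe to D.exe and hypothetical Run-key values svc1/svc2), walks the creation graph from the one component a signature scanner detected, and produces the full cleanup set of files plus registry values; it also shows that deleting B alone leaves C and D able to restore it.

```python
# Added example (not from the original post or from Micropoint): turns a
# constructed behaviour trace of the A -> B, C, D scenario into a complete
# cleanup plan, and shows why deleting B alone fails.
from collections import defaultdict

# Constructed trace, one event per line: "<actor> <action> <target>".
# File and registry names are hypothetical, not real malware artefacts.
TRACE = [
    "A.exe create_file B.exe",
    "A.exe create_file C.exe",
    "A.exe create_file D.exe",
    "B.exe delete_file A.exe",        # the children remove the parent
    "C.exe write_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc1",
    "D.exe write_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc2",
    "C.exe create_file B.exe",        # C and D restore B when it is deleted
    "D.exe create_file B.exe",
    "B.exe create_file C.exe",        # and B restores C and D
    "B.exe create_file D.exe",
]


def parse_trace(lines):
    """Split each trace line into an (actor, action, target) tuple."""
    return [tuple(line.split(" ", 2)) for line in lines]


def provenance(events):
    """Index who creates which file and who writes which registry value."""
    creators = defaultdict(set)    # file -> actors able to (re)create it
    drops = defaultdict(set)       # actor -> files it creates
    reg_writes = defaultdict(set)  # actor -> registry values it writes
    for actor, action, target in events:
        if action == "create_file":
            creators[target].add(actor)
            drops[actor].add(target)
        elif action == "write_registry":
            reg_writes[actor].add(target)
    return creators, drops, reg_writes


def cleanup_plan(events, detected):
    """Walk the provenance graph in both directions from the detected file.

    Anything that can recreate a member, and anything a member drops, joins
    the plan; registry values written by any member are listed as well.
    Returns (sorted file list, sorted registry value list).
    """
    creators, drops, reg_writes = provenance(events)
    files, todo = set(), [detected]
    while todo:
        f = todo.pop()
        if f in files:
            continue
        files.add(f)
        todo.extend(creators[f])   # components that would respawn f
        todo.extend(drops[f])      # components f itself drops
    keys = set()
    for f in files:
        keys |= reg_writes[f]
    return sorted(files), sorted(keys)


def respawned_after(events, removed):
    """Files in `removed` that a surviving component can recreate.

    Components already deleted during the trace (here the parent A) are
    not counted as survivors.
    """
    creators, _, _ = provenance(events)
    present = {a for a, _, _ in events}
    present -= {t for _, action, t in events if action == "delete_file"}
    survivors = present - set(removed)
    return sorted(f for f in removed if creators[f] & survivors)


if __name__ == "__main__":
    events = parse_trace(TRACE)
    print("delete only B, respawned:", respawned_after(events, ["B.exe"]))
    files, keys = cleanup_plan(events, "B.exe")
    print("full plan files:", files)
    print("full plan registry values:", keys)
    print("full removal, respawned:", respawned_after(events, files))
```

The plan lists A.exe as well even though B already deleted it; removing an absent file is a harmless no-op, while omitting a present one is what lets the infection return. The same walk works from whichever component the scanner happened to detect first.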

The meaning of Micropoint is not to produce software, but to try to use new technology to resolve the severe virus problem of the present. So I individually named proactive defense "anti-virus software 2.0". This Micropoint product by Liu Xu is a very good technical innovation. I am tired of, and don't agree with, Kaspersky updating the virus library every hour; it can't resolve the kernel problem.


4. Proactive defense
I think Micropoint's proactive defense software is in its initial period at present, and it still has much space to develop actively. For example, if signature recognition is added to the network application in future, then Micropoint can judge unknown Trojans and can report some of the category names of Trojans. Of course, scanning and analyzing the network application needs a lot of CPU resources; it can't do that at present. But multi-core CPUs will give the software a big challenge; it depends on themselves. Can it hold on tight?


2008-9-11 17:21


