In an earlier post, we had shared some quick facts about the new and improved Quick Heal 2014 product series; particularly about its Advanced DNAScan technology. In this post, we will understand how this technology works.
Gone are the days when malware was a mere recreation or the whim of computer enthusiasts. Today it is the biggest threat to people's digital assets, and cybercrooks use it as a cash cow. Malicious programs are used for stealing passwords, spreading spam, identity theft, and virtually anything that yields a monetary profit.
Not only is malware increasing at an alarming rate, it is also becoming more robust and sophisticated with time. Cybercriminals keep modifying and updating their malware code to evade detection by security software.
While there is no silver bullet for the nuisance of malware, Quick Heal does have a solution.
Previously, Quick Heal relied on its DNAScan technology. DNAScan detects new threats heuristically and does not depend on a signature database: it analyses scanned files and traces suspicious attributes of the program. If the suspicion score exceeds a predefined threshold, the program is detected as potentially malicious and is submitted to the Quick Heal lab for further analysis. However, as discussed, modern malware is becoming more complex and uses advanced detection-evasion techniques, so detecting such programs with signature-based technology, or even heuristically, is becoming a challenging task.
To overcome these challenges, Quick Heal introduced the Advanced Behavior Based Detection System in its 2014 product series. This system monitors and tracks, in real time, the runtime activities performed by each program running on the computer. It then compares those activities against a set of malware behavior models. If the behavior of any program matches a predefined malware model, that program is flagged as malicious and appropriate action is taken to block it.
Advanced Behavior Based Detection System – General Overview:
Whenever a program attempts to execute on a user's machine, it is first intercepted by our Virus Protection Module. This module scans the program for malware signatures, generic detections, malware family-based detections and other heuristic detections. If any of these detections matches, the program is flagged as malicious and blocked.
If the program is not identified as malicious, it is handed over to our Behavior Analysis Module, which continuously monitors the activities it carries out. If the program tries to carry out one or more of the following suspicious activities, it is immediately flagged as malicious:
– Dropping executable files in system folders
– Adding auto-execution entries in the registry
– Injecting code in system processes
Depending on the user settings, our Behavior Analysis Module will automatically quarantine the program or prompt the user to take an appropriate action.
Quick Heal’s Behavior Analysis Module is also fine-tuned for performance by excluding various system programs from monitoring.
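The monitoring logic described above, as an added example and not Quick Heal's own code: a small rule engine that flags a process as soon as any of the three listed activities is observed, skips the excluded system programs, and maps the verdict to the quarantine-or-prompt user setting. The event format, paths, exclusion list and sample events are constructed assumptions.

```python
# Toy behavior-analysis rule engine modelled on the three suspicious activities
# listed in the post. Constants, event format and sample data are constructed.
from collections import namedtuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
AUTORUN_KEYS = (r"hkcu\software\microsoft\windows\currentversion\run",
                r"hklm\software\microsoft\windows\currentversion\run")
SYSTEM_PROCS = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
# Performance tuning from the post: trusted system programs are not monitored.
EXCLUDED_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\windows\explorer.exe"}

# pid, image path of the acting program, action kind, and its target
# (file path, registry key, or image of the process being written to).
Event = namedtuple("Event", "pid image action target")

def suspicious_behaviors(events):
    """Return {pid: (image, set of matched behaviors)} for monitored processes."""
    hits = {}
    for ev in events:
        image = ev.image.lower()
        if image in EXCLUDED_IMAGES:
            continue
        target = ev.target.lower()
        matched = None
        if ev.action == "file_write" and target.startswith(SYSTEM_DIRS) and target.endswith((".exe", ".dll")):
            matched = "drop_exe_in_system_folder"
        elif ev.action == "reg_set" and target.startswith(AUTORUN_KEYS):
            matched = "add_autorun_entry"
        elif ev.action == "remote_write" and target.rsplit("\\", 1)[-1] in SYSTEM_PROCS:
            matched = "inject_into_system_process"
        if matched:
            hits.setdefault(ev.pid, (ev.image, set()))[1].add(matched)
    return hits

def decide(hits, auto_quarantine=True):
    """Map each flagged process to the action the user setting selects."""
    action = "quarantine" if auto_quarantine else "prompt_user"
    return {pid: action for pid in hits}

# Constructed sample event stream: one dropper, one benign editor, one excluded system process.
SAMPLE_EVENTS = [
    Event(4242, r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "file_write", r"C:\Windows\System32\svcupd.dll"),
    Event(4242, r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcupd"),
    Event(4242, r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "remote_write", r"C:\Windows\explorer.exe"),
    Event(5150, r"C:\Program Files\Notepad++\notepad++.exe", "file_write", r"C:\Users\bob\notes.txt"),
    Event(900, r"C:\Windows\System32\svchost.exe", "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Update"),
]

if __name__ == "__main__":
    for pid, (image, behaviors) in suspicious_behaviors(SAMPLE_EVENTS).items():
        print(pid, image, sorted(behaviors), decide(suspicious_behaviors(SAMPLE_EVENTS))[pid])
```

Only the dropper (pid 4242) is flagged; the excluded svchost.exe is never examined even though it touches an autorun key, which is the trade-off the exclusion list makes.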
Effective against Emerging Threats
Quick Heal’s Advanced Behavior Based Detection System is effective against the latest and emerging malware threats. For instance, the recently discovered CryptoLocker family uses various advanced obfuscation techniques to evade detection. Quick Heal’s Behavior Detection Module successfully detects and blocks around 90% of CryptoLocker samples.
The system has also been successful in detecting malware that tries to exploit vulnerabilities, especially in Microsoft Office and Adobe PDF reader applications.
In conclusion, the Behavior Detection Module greatly improves the proactive detection capability of the latest Quick Heal 2014 Product Series against modern malware such as ransomware, zero-day threats and advanced persistent threats.
Blog Acknowledgement: Quick Heal Scan Engine Team