Technology Highlights: Antivirus, Antimalware, Cloud ... Collective Intelligence


First Generation: Antivirus

The first generation of antivirus products was purely based on signature detection.

This generation of technology occupied most of the 1990s and included polymorphic engines as well as basic rule-based MS-DOS, Win32, macro and, later on, script heuristics. This period was also marked by the appearance of the first massively used Win32 Trojans, such as NetBus and BackOrifice.

Second Generation: Antimalware

Starting in 2000, new types of malware began to emerge, with file-less network worms and spyware taking the spotlight and causing massive and highly visible epidemics.

Basic antivirus engines evolved to integrate personal firewalls, able to identify and stop network worms based on packet signatures, as well as system cleaners to restore modified Operating System settings such as registry entries, the HOSTS file, Browser Helper Objects, etc. It was within this second generation of technologies that Panda Software integrated the SmartClean functionality into the antimalware engine, designed to disinfect and restore the Operating System after a spyware or Trojan backdoor infection.

Third Generation: Proactive technologies

Panda released TruPrevent behavioural technologies in 2004 after more than three years of intensive research and development.

Since then, TruPrevent has evolved into a set of behavioural technologies that are substantially more effective at proactively blocking zero-day malware, without any dependency on viral signatures, than any previous effort in this direction. TruPrevent is constantly adapted to new malware techniques and exploits, and was built on top of the antimalware engine. Currently more than 5 million computers run TruPrevent. All of these computers also act as high-interaction honeypot nodes, reporting to PandaLabs any new malware sample that TruPrevent flags as suspicious and that regular antivirus signatures do not detect.

Technically, TruPrevent consists of two main technologies: behavioural analysis and behavioural blocking, the latter also known as system and application hardening.

    Behavioral analysis

    Behavior Analysis acts as a true last line of defense against new malware that executes on the machine and manages to bypass signatures, heuristics and behavior blocking. Proteus intercepts, at runtime, the operations and API calls made by each program and correlates them before allowing the process to run to completion. The real-time correlation results in processes being allowed or denied execution based on their behaviour alone.

    Unlike other behavioral technologies, this one is autonomous and does not present technical questions to the end user ("Do you want to allow process xyz to inject a thread into explorer.exe or memory address abc?"). It does not require signature updates, as it is based solely on the behavior of applications. A bot would not be a bot if it did not behave as one; if it does, this technology detects it regardless of its shape or name.

    Behavioral blocking

    TruPrevent Behavior Blocking is the second main component. Hackers and malware abuse the privileges of legitimate applications to attack systems by injecting code. To prevent these types of attacks generically, a cost-effective approach is rule-based blocking technology that restricts the actions authorized applications can perform on the system.

    KRE is composed of a set of policies, each defined by a set of rules describing allowed and denied actions for a particular application or group of applications. Rules can be set to control an application's access to files, user accounts, the registry, COM objects, Windows services and network resources.
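The two TruPrevent components described above, rule-based blocking of what an authorised application may do and runtime correlation of a process's operations, can be modelled together in a few dozen lines. The following is an added illustration, not Panda's code: the `Op`, `Rule` and `Policy` types, the weights in `SUSPICIOUS`, the threshold and the three traces are all constructed for the example and say nothing about how KRE or Proteus are actually implemented.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Op:
    """One intercepted operation: which process did what to which resource."""
    process: str   # image name of the acting process
    action: str    # "file_write", "reg_write", "net_connect" or "inject"
    target: str    # file path, registry key, host:port or victim process

@dataclass(frozen=True)
class Rule:
    action: str
    target_glob: str
    allow: bool

@dataclass
class Policy:
    """Behaviour blocking: what one (authorised) application may do."""
    app_glob: str
    rules: list
    default_allow: bool = True   # trusted application: allow unless a rule denies

    def decide(self, op):
        for r in self.rules:             # first matching rule wins
            if r.action == op.action and fnmatch(op.target, r.target_glob):
                return r.allow
        return self.default_allow

def blocking_verdict(policies, op):
    """Return (allowed, reason). Programs without a policy are not blocked here;
    they are left to behavioural analysis."""
    for p in policies:
        if fnmatch(op.process, p.app_glob):
            return p.decide(op), f"policy {p.app_glob}: {op.action} {op.target}"
    return True, "no policy"

# Behavioural analysis: hypothetical weights for operations that are harmless
# alone but suspicious in combination. Only the correlated total matters.
SUSPICIOUS = {
    ("file_write", r"*\System32\*"): 2,   # drops a file into the system directory
    ("reg_write", r"*\Run\*"): 3,         # persistence through a Run key
    ("net_connect", "*:6667"): 2,         # IRC-style command channel
    ("inject", "*"): 4,                   # code injection into another process
}
THRESHOLD = 6

def behaviour_score(ops):
    score, matched = 0, []
    for op in ops:
        for (action, glob), weight in SUSPICIOUS.items():
            if op.action == action and fnmatch(op.target, glob):
                score += weight
                matched.append(f"{op.action}->{op.target}")
    return score, matched

def evaluate_process(policies, ops):
    """Two-stage decision for one process trace: a policy denial blocks the
    operation outright; otherwise the whole trace is correlated and the process
    is allowed or denied on its behaviour alone."""
    for op in ops:
        allowed, reason = blocking_verdict(policies, op)
        if not allowed:
            return "blocked", reason
    score, matched = behaviour_score(ops)
    if score >= THRESHOLD:
        return "denied", f"score {score}: " + ", ".join(matched)
    return "allowed", f"score {score}"

# Constructed policy: a word processor never injects code or writes Run keys.
POLICIES = [Policy("winword.exe", [Rule("inject", "*", False),
                                   Rule("reg_write", r"*\Run\*", False)])]

# Constructed traces (not real telemetry).
WORD_TRACE = [Op("winword.exe", "file_write", r"C:\Users\a\report.docx"),
              Op("winword.exe", "inject", "explorer.exe")]
BOT_TRACE = [Op("svc.exe", "file_write", r"C:\Windows\System32\svc.exe"),
             Op("svc.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
             Op("svc.exe", "net_connect", "irc.example.invalid:6667"),
             Op("svc.exe", "inject", "explorer.exe")]
UPDATER_TRACE = [Op("updater.exe", "file_write", r"C:\Program Files\App\app.exe"),
                 Op("updater.exe", "net_connect", "updates.example.invalid:443")]

if __name__ == "__main__":
    for name, trace in [("winword", WORD_TRACE), ("svc", BOT_TRACE), ("updater", UPDATER_TRACE)]:
        print(name, *evaluate_process(POLICIES, trace))
```

The word processor is stopped by its policy before any scoring happens, which is the hardening case: a legitimate application is not allowed to do something it never needs to do. The unknown service has no policy, so nothing blocks any single operation, but the correlation of dropping into System32, adding a Run key, opening an IRC-style connection and injecting into another process crosses the threshold and the process is denied on behaviour alone, exactly the situation the text describes for a bot that "behaves as such". The updater, doing ordinary things, stays under the threshold.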

Genetic Heuristic Engine

“Genetic” technologies are inspired by the field of genetics in biology and its usefulness for understanding how organisms are individually identified and related to other organisms. These technologies are based on processing and interpreting "digital genes", which in our case are represented by a few hundred characteristics of each scanned file.

The Genetic Heuristic Engine (GHE) was initially released in 2005. Its objective is to correlate the genetic traits of files using a proprietary algorithm. The genetic traits define the potential of the software to carry out malicious or harmless actions when executed on a computer. GHE can determine whether a file is innocuous or a worm, spyware, Trojan, virus, etc.
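To make the "digital genes" idea concrete, here is an added example (not Panda's GHE or its proprietary algorithm) that extracts a small set of trait labels from observations about a file and correlates them with per-class trait profiles by set similarity. The trait names, the `PROFILES` table, the similarity threshold and the three sample files are all constructed; a real engine would work from a few hundred traits and profiles learned from a labelled corpus.

```python
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted code sits near 8."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extract_traits(sample: dict) -> set:
    """Turn raw observations about a file into a set of trait labels.
    `sample` is a constructed stand-in for what a PE parser would report."""
    traits = {"imp:" + imp.lower() for imp in sample["imports"]}
    traits.add("packed" if entropy(sample["code"]) > 7.0 else "plain-code")
    if sample["signed"]:
        traits.add("signed")
    if sample["version_info"]:
        traits.add("version-info")
    text = " ".join(sample["strings"]).lower()
    if "hook" in text or "keylog" in text:
        traits.add("hook-strings")
    if "autorun.inf" in text:
        traits.add("autorun-inf")
    return traits

# Constructed trait profiles for a few classes (hypothetical, not GHE data).
PROFILES = {
    "worm": {"imp:ws2_32.dll!send", "imp:ws2_32.dll!connect",
             "imp:kernel32.dll!copyfilea", "autorun-inf", "packed"},
    "spyware": {"imp:user32.dll!setwindowshookexa", "imp:user32.dll!getasynckeystate",
                "imp:wininet.dll!internetopena", "hook-strings"},
    "goodware": {"imp:kernel32.dll!createfilea", "imp:user32.dll!messageboxa",
                 "plain-code", "signed", "version-info"},
}
MIN_SIMILARITY = 0.4   # below this, the file is reported as unknown rather than guessed

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0

def classify(sample: dict):
    """Correlate the file's traits with every profile; return the best class
    and its similarity, or "unknown" when nothing is close enough."""
    traits = extract_traits(sample)
    best, best_score = "unknown", 0.0
    for label, profile in PROFILES.items():
        s = jaccard(traits, profile)
        if s > best_score:
            best, best_score = label, s
    if best_score < MIN_SIMILARITY:
        return "unknown", best_score
    return best, best_score

# Constructed sample files. `code` stands in for the executable section bytes.
KEYLOGGER = {
    "imports": ["user32.dll!SetWindowsHookExA", "user32.dll!GetAsyncKeyState",
                "wininet.dll!InternetOpenA", "kernel32.dll!CreateFileA"],
    "code": bytes(range(256)) * 4,          # flat byte histogram: looks packed
    "signed": False, "version_info": False,
    "strings": ["keyboard hook installed", "upload"],
}
HELLO = {
    "imports": ["kernel32.dll!CreateFileA", "user32.dll!MessageBoxA"],
    "code": b"\x55\x8b\xec\x83\xec\x10" * 50,  # repetitive prologue bytes: plain code
    "signed": True, "version_info": True,
    "strings": ["Hello, world"],
}
STUB = {
    "imports": ["kernel32.dll!VirtualAlloc"],
    "code": bytes(range(256)) * 4,
    "signed": False, "version_info": False,
    "strings": [],
}

if __name__ == "__main__":
    for name, sample in [("keylogger", KEYLOGGER), ("hello", HELLO), ("stub", STUB)]:
        print(name, classify(sample))
```

The packed stub shares only the "packed" trait with the worm profile, so its best similarity stays below the threshold and it is reported as unknown instead of being forced into a class; an engine that guesses on weak evidence trades detection for false positives, which is why the threshold matters as much as the profiles.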

Collective Intelligence. The Next Generation.

Today over 10 times more malware is being distributed than two years ago. The obvious conclusion is that a security solution must detect 10 times more malware to provide adequate protection to users. According to a report prepared by PandaLabs, 72% of companies and 23% of home users are infected even though they have protection installed; among unprotected users, 33.28% of computers are infected. This data confirms that traditional solutions are no longer enough (the full report, Malware Infections, is available in PDF format).

While a full-fledged HIPS solution raises the bar substantially by detecting and blocking most of these threats with proactive technologies, it is still possible for unknown malware to slip through its defenses.

The Collective Intelligence approach was initially released at the end of 2006 in limited pilots, with the objective of reliably detecting “10 times more than we are currently detecting with 10 times less effort”.

The pillars of this Collective Intelligence system are:

  • Collection of data from the community. The system centrally collects and stores behavioral patterns of programs, file traces, new malware samples, etc. This data comes from Panda users, and from other companies and collaborators. This wide capacity to collect information provides higher visibility of the threats that are active on the Internet.

  • Automated data processing. The system automatically analyzes and classifies the thousands of new samples received every day. To do this, an expert system correlates the data received from the community with PandaLabs' extensive malware knowledge base. The system automatically returns verdicts (malware or goodware) on the new files received from the community, thereby reducing the tasks that PandaLabs must carry out manually to a minimum.

  • Release of the knowledge extracted. This knowledge is delivered to users as web services or through signature file updates.
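The three pillars above form one pipeline: reports come in from many nodes, an automated step correlates each with what is already known and issues a verdict where it can, and the resulting verdicts go back out both on demand and as a batch. The following is an added model of that flow, not Panda's platform: the `Report` and `KnowledgeBase` types, the rule that a report showing every behaviour of a known-malicious pattern is classified automatically, the hash placeholders and the submissions are all constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Report:
    sha256: str             # placeholder hash of the file seen by a node
    behaviours: frozenset   # behaviour traces observed at the node
    source: str             # which node or partner sent it

@dataclass
class KnowledgeBase:
    hashes: dict = field(default_factory=dict)              # hash -> verdict, seeded by analysts
    malicious_patterns: list = field(default_factory=list)  # behaviour sets known to mean malware
    pending_release: list = field(default_factory=list)     # verdicts produced since the last release
    analyst_queue: list = field(default_factory=list)       # reports the automation could not settle

def correlate(kb: KnowledgeBase, report: Report) -> str:
    """Automated processing: reuse an existing verdict, derive one from known
    malicious behaviour, or queue the report for manual analysis."""
    if report.sha256 in kb.hashes:
        return kb.hashes[report.sha256]
    for pattern in kb.malicious_patterns:
        if pattern <= report.behaviours:      # every behaviour of the pattern was observed
            kb.hashes[report.sha256] = "malware"
            kb.pending_release.append(report.sha256)
            return "malware"
    kb.analyst_queue.append(report)
    return "pending"

def process_batch(kb: KnowledgeBase, reports: list) -> dict:
    return {r.sha256: correlate(kb, r) for r in reports}

def lookup_service(kb: KnowledgeBase, sha256: str) -> str:
    """Web-service style delivery: a node asks about a hash it found."""
    return kb.hashes.get(sha256, "unknown")

def release_signature_update(kb: KnowledgeBase) -> list:
    """Signature-file style delivery: ship every hash classified since the last release."""
    update = sorted(kb.pending_release)
    kb.pending_release.clear()
    return update

# Constructed placeholders; real deployments would carry actual SHA-256 values.
HASH_KNOWN_BAD = "sha256-placeholder-known-malware"
HASH_KNOWN_GOOD = "sha256-placeholder-known-goodware"
HASH_NEW_BOT = "sha256-placeholder-new-sample-1"
HASH_NEW_ODD = "sha256-placeholder-new-sample-2"

def build_demo_kb() -> KnowledgeBase:
    return KnowledgeBase(
        hashes={HASH_KNOWN_BAD: "malware", HASH_KNOWN_GOOD: "goodware"},
        malicious_patterns=[frozenset({"reg_write:Run", "net_connect:6667"})],
    )

def run_demo():
    """One day's constructed submissions run through the pipeline."""
    kb = build_demo_kb()
    reports = [
        Report(HASH_KNOWN_BAD, frozenset({"file_write:Temp"}), "home-node-17"),
        Report(HASH_NEW_BOT, frozenset({"reg_write:Run", "net_connect:6667",
                                        "inject:explorer.exe"}), "corp-node-3"),
        Report(HASH_NEW_ODD, frozenset({"file_write:Temp"}), "partner-a"),
        Report(HASH_NEW_BOT, frozenset({"reg_write:Run", "net_connect:6667"}), "home-node-42"),
    ]
    verdicts = process_batch(kb, reports)
    update = release_signature_update(kb)
    return verdicts, update, kb

if __name__ == "__main__":
    verdicts, update, kb = run_demo()
    print("verdicts:", verdicts)
    print("signature update:", update)
    print("left for analysts:", [r.sha256 for r in kb.analyst_queue])
```

Of the four submissions, three are settled without an analyst: one by a known hash, one by a known-malicious behaviour pattern, and the repeat sighting of that same new sample by reusing the verdict just produced. Only the report with no known behaviour reaches the manual queue, which is the "10 times less effort" part of the objective; the new verdict then reaches nodes either through the lookup or in the next signature update.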

    We have already developed and deployed a few services that function purely on the Collective Intelligence platform. These online services are designed to perform in-depth audits of machines and detect malware that the installed security solution has not detected.

    For consumers and stand-alone PCs we have deployed NanoScan, which scans a PC for actively running malware, and TotalScan, which performs a full system scan of the entire PC, including hard drive, memory, email databases, etc.

    On the corporate front the requirements for performing an in-depth malware audit are more demanding. Therefore we have created a specific managed service called Malware Radar. Thanks to this service, companies can quickly perform complete audits of all their network endpoints to verify their level of security, pinpoint undetected infection sources or unveil executive machines that have been subject to targeted attacks.

    Here you can download a more detailed Report on ‘Collective Intelligence’.
