Panda
Introduction
Most popular anti-virus programs are not very effective against new viruses, even those that use
non-signature-based methods that should detect new viruses. The reason for this is that the virus
designers test their new viruses on the major anti-virus applications to make sure that they are
not detected before releasing them into the wild. Some new viruses, particularly ransomware, use
polymorphic code to avoid detection by virus scanners.
Current malware is invisible, silent and most importantly, financially motivated. Security has
moved beyond protecting your computer to protecting your identity. Today it is not only about
computer security, it is about identity protection. Cyber-crime is migrating from amateurs to
professionals working for organized crime rings. These criminal enterprises are so efficient and
confident that they operate like legitimate businesses. The number of malware variants is growing
exponentially while the number of computers infected by each sample is decreasing. The gap
between created and detected malware keeps increasing.
[Figure: Malware collected per month – AV-]
As a result, security solutions solely based on continuously updated signature files cannot keep
up with malware growth. They are no longer sufficient to guarantee users’ security.
Features
1) Behavioural blocking
Panda Cloud Antivirus incorporates two types of behavioral protection: behavioral blocking
and behavioral analysis. In this post we are going to concentrate on the behavioral blocking
rules, which are included by default in both the Free Edition and Pro version of Panda Cloud
Antivirus.
The behavioral blocking engine is composed of a collection of rules of typical malicious actions
performed or exploited by or through a group of programs. The types of behavior blocking rules
included in Panda Cloud Antivirus can be grouped into four main areas.
Malware family specific rules
Rule 4008: Some application (email clients, MSN, IM, video/sound players) is trying to
modify the hosts file. This is typical of malicious modifications to the Operating System to
redirect websites to compromised hosts.
Rules 4013 & 4014: Windows will always look if c:\explorer.exe exists and, if it does,
Windows will execute it instead of the real Windows Explorer. If you receive an alert,
some kind of malware is trying to create or execute the file c:\explorer.exe. This is a
dangerous operation.
Rule 5001: During normal behaviour DNS Server Application shouldn’t need to create or
execute any executable. If you receive an alert, some kind of vulnerability is being
exploited.
Rule 5003: During normal behaviour, email clients, MSN, IM, video/sound players, text
editors, Office app, compressors, shouldn’t need to execute administration, network or
command shell tools. If you receive an alert, some kind of vulnerability is being
exploited.
Rule 5004: During normal behaviour, Network Server Applications shouldn’t need to
execute administration, network or command shell tools. If you receive an alert, some
kind of vulnerability is being exploited.
Rule 5008: During normal behaviour some applications shouldn’t need to create
executable files in the system. So if you receive an alert, some kind of vulnerability is
being exploited.
Rule 5023: During normal behaviour DNS Server Application (dns.exe) shouldn’t need
to create or execute any executable programs. If you receive an alert, some kind of
vulnerability is being exploited.
Rule 5002: During normal behaviour, Web browsers shouldn’t need to execute
administration, network or command shell tools. If you receive an alert, some kind of
vulnerability is being exploited.
Rule 5005: During normal behaviour Web browsers shouldn’t need to execute files from
downloaded programs directories. This rule prevents some IE vulnerabilities normally
exploited by drive-by downloaders. If you receive an alert, some kind of vulnerability is
being exploited.
Rules 5020 & 5021: Prevents Internet Explorer vulnerabilities from exploiting Microsoft
HTML Application Hosts to create and execute malicious code. If you receive an alert,
some kind of IE vulnerability is being exploited.
Rule 5006: During normal behaviour multimedia applications shouldn’t need to execute
files. So if you receive an alert, some kind of vulnerability is being exploited.
Rule 5007: During normal behaviour Windows Media Player shouldn’t need to execute
files. So if you receive an alert, some kind of vulnerability is being exploited.
Rules 5009 & 5014: During normal behaviour Microsoft Word shouldn’t need to create
executable files in the system. So if you receive an alert, some kind of vulnerability is
being exploited.
Rules 5010 & 5015: During normal behaviour Microsoft Excel shouldn’t need to create
executable files in the system. So if you receive an alert, some kind of vulnerability is
being exploited.
Rules 5011 & 5016: During normal behaviour Microsoft PowerPoint shouldn’t need to
create executable files in the system. So if you receive an alert, some kind of
vulnerability is being exploited.
Rules 5012 & 5017: During normal behaviour PDF readers shouldn’t need to create
executable files in the system. So if you receive an alert, some kind of vulnerability is
being exploited.
Rules 5013 & 5018: During normal behaviour Open Office shouldn’t need to create
executable files in the system. So if you receive an alert, some kind of vulnerability is
being exploited.
Rule 5019: During normal behaviour Exchange Server Applications shouldn’t need to
execute administration, network or command shell tools. If you receive an alert, some
kind of Exchange Server vulnerability is being exploited.
Rule 5022: During normal behaviour IIS Web Server Applications shouldn’t need to
execute administration, network or command shell tools. If you receive an alert, some
kind of IIS vulnerability is being exploited.
Rule 5024: Generic rule to block exploitation of certain Operating System and third-party
applications that try to create and execute malicious code. If you receive an alert, some
kind of vulnerability is being exploited.
Thanks to this behavioural blocking engine, Panda Cloud Antivirus is able to proactively and
generically protect against a large variety of malware and exploits that specialize in bypassing
signature and heuristic detection. More importantly, it is able to do this without any impact on
performance.
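The rule families above, as an added example that is not Panda's code: a small behavioural-blocking evaluator in Python that encodes a handful of the page's rules as parent/child and file-creation checks and runs them over a constructed event trace. The process image names, the rule-to-application mappings and the event format are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed event model (not Panda's): one process or file operation as a
# behavioural engine sees it. action is "exec" (spawn a child), "create"
# (write a file) or "modify"; actor is the acting process image name; target
# is the child image path or the file path acted upon; all lower-case.
Event = namedtuple("Event", "action actor target")

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
CLIENT_APPS = {"outlook.exe", "msnmsgr.exe", "wmplayer.exe"}   # rule 4008 actors
OFFICE = {"winword.exe": 5009, "excel.exe": 5010, "powerpnt.exe": 5011}
SHELL_TOOLS = {"cmd.exe", "powershell.exe", "net.exe", "netsh.exe", "reg.exe"}
EXE_EXT = (".exe", ".dll", ".scr", ".com")

def evaluate(ev) -> list:
    """Return the ids of the rules (numbered as on this page) the event trips."""
    hits, is_exe = [], ev.target.endswith(EXE_EXT)
    child = ev.target.rsplit("\\", 1)[-1]
    # Rules 4013 & 4014: nothing may create or run c:\explorer.exe
    if ev.target == r"c:\explorer.exe" and ev.action in ("create", "exec"):
        hits.append(4013 if ev.action == "create" else 4014)
    # Rule 4008: mail, IM or media clients editing the hosts file
    if ev.action == "modify" and ev.actor in CLIENT_APPS and ev.target.endswith(r"\drivers\etc\hosts"):
        hits.append(4008)
    # Rule 5002: a browser spawning administration, network or shell tools
    if ev.action == "exec" and ev.actor in BROWSERS and child in SHELL_TOOLS:
        hits.append(5002)
    # Rule 5005: a browser running something out of a downloads directory
    if ev.action == "exec" and ev.actor in BROWSERS and "\\downloads\\" in ev.target:
        hits.append(5005)
    # Rules 5009/5010/5011: Word, Excel or PowerPoint dropping an executable
    if ev.action == "create" and ev.actor in OFFICE and is_exe:
        hits.append(OFFICE[ev.actor])
    # Rule 5023: dns.exe creating or executing any executable at all
    if ev.actor == "dns.exe" and ev.action in ("create", "exec") and is_exe:
        hits.append(5023)
    return hits

def scan(events) -> list:
    """Evaluate every event; return (event, rule ids) for those that alert."""
    return [(ev, rules) for ev in events if (rules := evaluate(ev))]

SAMPLE_EVENTS = [   # constructed sample trace, not a real log
    Event("exec", "iexplore.exe", r"c:\windows\system32\cmd.exe"),
    Event("exec", "iexplore.exe", r"c:\users\alice\downloads\setup.exe"),
    Event("create", "winword.exe", r"c:\users\alice\appdata\local\temp\upd.exe"),
    Event("modify", "outlook.exe", r"c:\windows\system32\drivers\etc\hosts"),
    Event("create", "svchost.exe", r"c:\explorer.exe"),
    Event("exec", "dns.exe", r"c:\windows\temp\svc.exe"),
    Event("exec", "explorer.exe", r"c:\windows\system32\cmd.exe"),   # benign
]
```

Running `scan(SAMPLE_EVENTS)` flags the first six events and leaves the Explorer-launched shell alone, which is the whole point of keying the rules on the parent application rather than on the child.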
2) Collective Intelligence
Maximum protection with minimum impact on your PC
Panda Security’s Collective Intelligence works as an online, real-time database that stores the
majority of signature files, keeping them at a minimum on the endpoint. Every Panda user is a
sensor for new malware, sending statistical data about malware prevalence back to the cloud.
This new approach reduces bandwidth consumption on customers’ PCs and provides faster and
more comprehensive up-to-date protection.
We’d like to invite you to read the next pages and find out more about Collective Intelligence, its
fundamentals, a simple description of the way it works and the outstanding benefits for the Panda
2010 product users.
Cloud computing is a technology that allows services to be offered across the Internet. The
cloud is a term used metaphorically around the Internet. Panda Cloud Antivirus heralds a new
generation of security and antivirus services, in line with the trends of cloud computing: Cloud
Security. Panda Cloud Antivirus connects to the Collective Intelligence servers in the cloud to
protect your computer, without requiring traditional updates or penalizing the performance of
your system. Now all knowledge is in the cloud, and thanks to Panda Cloud Antivirus, you can
benefit from this.
What is the relation between Collective Intelligence, the cloud and the community?
Collective Intelligence, the cloud and the community are the cornerstones of the great detection
capacity of Panda Cloud Antivirus and its minimal use of system resources. Collective
Intelligence is a security platform with database servers hosted in the cloud, storing all the
information needed to detect and neutralize threats on your computer. These servers are fed with
information provided by the community of users about virus detections. Collective Intelligence
processes and classifies all this information, allowing Panda Cloud Antivirus to consult these
servers and maximize detection capacity, without affecting resources on your computer. This
way, Panda Cloud Antivirus can detect millions of viruses, much faster than if it had to depend
on traditional updates. Your computer will therefore have greater protection without affecting
performance. You can also contribute to the community by sharing information about threats
detected on your computer. This way, not only will Panda Cloud Antivirus protect your
computer rapidly, but you will also allow millions of users around the world to benefit from the
solutions to threats. To contribute to the community, make sure the Automatic management of
possible viruses option is enabled in the Panda Cloud Antivirus settings.
Specialty
Each new file received is automatically classified within six minutes and the Collective
Intelligence servers classify more than 50,000 new malware samples every day. These
technologies correlate information on malware received from each computer to continuously
improve the protection level for the worldwide community of users. Panda's 2010 solutions have
continuous, real-time contact with this vast knowledge base allowing the company to offer users
the fastest response against the new malware that appears every day.
Identification methods
Signature based detection is the most common method. To identify viruses and other malware,
antivirus software compares the contents of a file to a dictionary of virus signatures. Because
viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but
also in pieces.
Heuristic-based detection, like malicious activity detection, can be used to identify unknown
viruses.
File emulation is another heuristic approach. File emulation involves executing a program in a
virtual environment and logging what actions the program performs. Depending on the actions
logged, the antivirus software can determine if the program is malicious or not and then carry out
the appropriate disinfection actions.
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be
very effective, but cannot defend against malware unless samples have already been obtained
and signatures created. Because of this, signature-based approaches are not effective against
new, unknown viruses.
Because new viruses are being created each day, the signature-based detection approach requires
frequent updates of the virus signature dictionary. To assist the antivirus software companies, the
software may allow the user to upload new viruses or variants to the company, allowing the virus
to be analyzed and the signature added to the dictionary.
Although the signature-based approach can effectively contain virus outbreaks, virus authors
have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and,
more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify
themselves as a method of disguise, so as to not match virus signatures in the dictionary.
Heuristics
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or
variants of known malware.
Many viruses start as a single infection and through either mutation or refinements by other
attackers, can grow into dozens of slightly different strains, called variants. Generic detection
refers to the detection and removal of multiple threats using a single virus definition.[11]
For example, the Vundo trojan has several family members, depending on the antivirus vendor's
classification. Panda classifies members of the Vundo family into two distinct members,
Trojan.Vundo and Trojan.Vundo.B.
While it may be advantageous to identify a specific virus, it can be quicker to detect a virus
family through a generic signature or through an inexact match to an existing signature. Virus
researchers find common areas that all viruses in a family share uniquely and can thus create a
single generic signature. These signatures often contain non-contiguous code, using wildcard
characters where differences lie. These wildcards allow the scanner to detect viruses even if they
are padded with extra, meaningless code. Padded code is used to confuse the scanner so it can't
recognize the threat.
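The generic family signature with wildcards described above, together with the whole-file, every-offset scan from the signature-based detection section, as an added example that is not Panda's code or signatures: a small Python matcher that compiles a signature containing single-byte wildcards and a bounded gap into a byte regex and scans constructed buffers. The signature bytes, the family name and the sample buffers are all constructed for illustration.

```python
import re

def compile_signature(sig: str):
    """Compile a generic (family) signature into a bytes regex.
    Tokens: 'E8' a fixed byte, '??' any single byte, '[n-m]' a gap of n..m
    arbitrary bytes, which is how padding inserted between the code regions
    shared by a family is tolerated without matching arbitrary files."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed signature (not real vendor data): the family shares a call/pop
# delta-offset stub and a pushad/pushfd pair; the relocation constant differs
# per variant and up to 16 bytes of padding may sit between the two regions.
SIGNATURES = {"Family.Sample.gen": "E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? [0-16] 60 9C"}
COMPILED = {name: compile_signature(s) for name, s in SIGNATURES.items()}

def scan_bytes(data: bytes) -> list:
    """Scan the whole buffer at every offset; return (name, offset) per hit."""
    return [(name, m.start()) for name, pat in COMPILED.items()
            for m in pat.finditer(data)]

# Constructed sample buffers: two variants with different constants and
# padding, one padded beyond the gap the signature allows, and a benign file.
STUB = b"\xe8\x00\x00\x00\x00\x5d\x81\xed"
VARIANT_A = b"MZ\x90\x00" + STUB + b"\x10\x20\x30\x40" + b"\x60\x9c" + b"\xcc" * 4
VARIANT_B = b"MZ\x90\x00" + b"\x00" * 10 + STUB + b"\x99\x88\x77\x66" + b"\x90" * 7 + b"\x60\x9c"
TOO_PADDED = b"MZ\x90\x00" + STUB + b"\x10\x20\x30\x40" + b"\x90" * 20 + b"\x60\x9c"
BENIGN = b"MZ" + bytes(range(256))

if __name__ == "__main__":
    for label, buf in [("A", VARIANT_A), ("B", VARIANT_B),
                       ("over-padded", TOO_PADDED), ("benign", BENIGN)]:
        print(label, scan_bytes(buf))
```

Both variants match on the one signature despite different relocation constants and padding, while the buffer padded past the gap limit does not, which is the trade-off a signature author makes when choosing how wide a wildcard gap to allow.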
Rootkit detection
Anti-virus software now scans for rootkits; a rootkit is a type of malware that is designed to gain
administrative-level control over a computer system without being detected. Rootkits can change
how the operating system functions and in some cases, rootkits can tamper with the anti-virus
program and render it ineffective. Rootkits are also very difficult to remove, in some cases
requiring a complete re-installation of the operating system.
Effectiveness
Independent testing on all the major virus scanners consistently shows that none provide 100% virus
detection. One major review deemed Panda Cloud Antivirus as clean, fast, simple, and easy to use,
offering good detection rates. The same review scored Panda 99.87% in malware detection and 91.4% in
malicious URL detection. Its overall score was 95%, a strong protection factor considering it is freeware.
Lightweight
It only uses a small amount of RAM and hard disk space.
Other features
with 32-bit Operating Systems as well as for 32-bit processes under 64-bit systems.
Advanced configuration. Ability to turn on/off and tweak the behaviour of the different
engines, cloud responses, advanced logging, recycle bin settings, exclusions, etc.
Self-protection of the AV processes and configurations.
Re-do detections that were previously un-done so that they are detected again.
Automatic upgrades to new engine versions and new features automatically and
transparently.
Improved offline protection. Default deactivation of Windows Autorun.
USB vaccination. Automatic vaccination of USB memory keys and hard drives.
Ability to run alongside other AVs and Anti-Spyware. Can now be run alongside other
security tools and scanners.
Full scan option. Added option to run a full PC scan easily.
More languages. Added 9 new languages. PCAV is now available in a total of 20
languages: English, German, French, Spanish, Dutch, Italian, Portuguese, Swedish,
Greek, Polish, Simplified Chinese, Traditional Chinese, Russian, Brazilian Portuguese,
Turkish, Hungarian, Japanese, Slovak, Norwegian and Finnish.
Quicker download & install experience thanks to new stub-installer which is 300 KB in
size.
More options for restoring neutralized files. More flexibility when recovering neutralized
files, allowing for automatic and manual recovery, exclusions, configuration of the
Recycle Bin automatic emptying, path to recover, etc.
Improved handling of known good files to reduce false positive rates by the new
behavioural engine and automated classification from the Collective Intelligence servers.
Optimized installation background scan by using adaptive low-priority scans.
Improved scanning progress information by showing when a large compressed file is
being scanned to avoid the perception that the scan is stuck.
arunalc@gmail.com