
File Reputation "Insight"?

Hi there,

Does "Live Protection" work like a very fast way to distribute signatures, or like a reputation database?

Does Sophos have any comparable "reputation system" like Insight?

Is there anything like it on a near-term roadmap?

Thanks



Hello Ricardo,

thanks for clarifying. Of course "fact sheets" emphasize the upside of a technology or feature, which is usually depicted as not only being the distinctive excellence of a product but also of unparalleled power. More often than not it's not something no one else has thought of yet or has been unable to implement. What looks simple on the surface is actually quite complex.

Indeed, in the scenario you described (combating server-side polymorphism) a new malicious file will be blocked. But so will all legitimate ones, until the quorum of unique customers (or at least clients) and/or the waiting time has been reached. Perhaps not really a problem for widely-used executables. Oh, did I say executables? Of course, you can't apply these rules to all content (think of "personalized" pages); I daresay you can't even apply it to JavaScript. IMO it is likely most useful for executables created "on the fly". Keep in mind that malware writers are neither idiots nor unaware of AV and how it works (for the latest developments on the Dark Side you might want to read the articles on Naked Security, for example the recent "The PlugX malware factory revisited: introducing 'Smoaler'"). Apart from this, in order to be blocked from running, a piece of malware has to make it to the disk first. As malicious scripts, manipulated web pages and rogue sites are usually involved, there's a good chance that one of the other layers will prevent the download in the first place.

[Petite interlude]

Don't scan files that are known to be good

It depends what you mean by scan. You can't just ignore a file altogether because of its name (and location); you have to make sure it is still the very file you trust, and for this you have to acquire its fingerprint (which is not simple checksumming). Thus you are still intercepting the open and still performing some kind of scan. Practically all vendors use something like this to avoid re-(deeper-)scanning of a "known" (i.e. already scanned) file. If the cache of known fingerprints does not survive a reboot (there are pros and cons as well) you just trade a cursory scan (note that legitimate and signed files usually don't cause the scanner to look deeper) for lookups.

[End interlude]

Having said this, the actual significance of various features is not as high as marketing is trying to convince you. Sure, there are situations where a certain one might save your day. And from time to time one or the other might give a vendor the edge over the rest for a limited time; long-term it evens out (although there are the ones occasionally ahead of the pack, those always found in the peloton and a few lagging behind). In real life and day-to-day operation other aspects are likely of more importance.

In short:

You have to consider the whole package. You likely won't prefer one car over the other just because it has eight instead of six airbags and cylinder deactivation.

Christian

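As an added illustration (not code from this thread, from Sophos or from any vendor's product), the Python sketch below models the two mechanisms Christian describes: a cloud reputation lookup that holds a never-seen file until either a quorum of unique customers or a waiting time is reached, and a local "known good" cache that is keyed by content fingerprint rather than by file name and path. The quorum of 5, the grace period of 3600 seconds, the SHA-256 fingerprint and the one-signature toy scanner are all assumptions made for the simulation; the sample files are constructed inline. The polymorphic-campaign function shows why server-side polymorphism defeats prevalence: every victim receives a unique variant, so no digest ever accumulates a quorum, while a legitimate new release is held from exactly the same customers until enough of them have seen it.

```python
"""Toy simulation of prevalence-based file reputation and a fingerprint scan cache.
Added example only; not Sophos Live Protection or Symantec Insight code.
Quorum, grace period and the 'scanner' are assumptions for the simulation."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample: the standard EICAR test string stands in for "known bad".
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def fingerprint(data: bytes) -> str:
    """Content fingerprint. Real products use richer identifiers than a plain
    hash (assumption: SHA-256 of the bytes is enough for this simulation)."""
    return hashlib.sha256(data).hexdigest()


def full_scan(data: bytes) -> str:
    """Toy deep scan with exactly one signature (assumption)."""
    return "block" if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data else "allow"


@dataclass
class ReputationService:
    """Cloud side: decides on a sighting by prevalence or age, not by content."""
    quorum: int = 5             # unique customers needed before trusting a new file
    grace_seconds: int = 3600   # or: wait this long after the first sighting
    known_bad: set[str] = field(default_factory=set)
    known_good: set[str] = field(default_factory=set)
    first_seen: dict[str, int] = field(default_factory=dict)
    customers: dict[str, set[str]] = field(default_factory=dict)

    def lookup(self, digest: str, customer: str, now: int) -> str:
        """Return 'block', 'allow' or 'hold' for one sighting of a digest."""
        if digest in self.known_bad:
            return "block"
        if digest in self.known_good:
            return "allow"
        self.first_seen.setdefault(digest, now)
        self.customers.setdefault(digest, set()).add(customer)
        enough_prevalence = len(self.customers[digest]) >= self.quorum
        aged_enough = now - self.first_seen[digest] >= self.grace_seconds
        return "allow" if enough_prevalence or aged_enough else "hold"


def simulate_new_legit_release(service: ReputationService, n_customers: int,
                               now: int = 0) -> list[str]:
    """A vendor ships one new build; every customer downloads the same bytes.
    Early adopters are held until the quorum is reached."""
    build = b"MZ" + b"constructed vendor build 1.2.3"  # constructed sample
    digest = fingerprint(build)
    return [service.lookup(digest, f"cust{i}", now) for i in range(n_customers)]


def simulate_polymorphic_campaign(service: ReputationService, n_victims: int,
                                  now: int = 0) -> list[str]:
    """Server-side polymorphism: each download is a unique variant, so no
    digest ever reaches the quorum and every sighting stays 'hold'."""
    results = []
    for i in range(n_victims):
        variant = b"MZ" + b"constructed payload " + i.to_bytes(4, "big")
        results.append(service.lookup(fingerprint(variant), f"cust{i}", now))
    return results


@dataclass
class ScanCache:
    """Endpoint side: skip the deep scan only for content already seen clean.
    The open is still intercepted and the fingerprint still computed."""
    persistent: bool = False                 # does the cache survive a reboot?
    clean: set[str] = field(default_factory=set)
    scans: int = 0                           # how many deep scans were actually run

    def on_open(self, name: str, data: bytes) -> tuple[str, str]:
        """Return (how it was handled, verdict). `name` is deliberately ignored:
        trust is bound to content, so a rename hits and a replaced file misses."""
        digest = fingerprint(data)
        if digest in self.clean:
            return "cache-hit", "allow"
        self.scans += 1
        verdict = full_scan(data)
        if verdict == "allow":
            self.clean.add(digest)
        return "scanned", verdict

    def reboot(self) -> None:
        if not self.persistent:
            self.clean.clear()


if __name__ == "__main__":
    print("legit release :", simulate_new_legit_release(ReputationService(), 6))
    print("polymorphic   :", simulate_polymorphic_campaign(ReputationService(), 6))
    cache = ScanCache()
    print(cache.on_open("setup.exe", b"MZ hello"), cache.on_open("renamed.exe", b"MZ hello"))
```

The same customers produce opposite outcomes in the two campaigns purely because of how many distinct digests are in play, which is the trade-off in the post: the quorum that starves a polymorphic server of prevalence also holds a brand-new legitimate build until enough customers have run it or the waiting time has passed. The cache half shows why "don't scan known good files" still costs an interception and a fingerprint per open, and what a non-persistent cache gives up at reboot.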