What comprises an anti-virus signature? Is it the hash, content, or something else?
Thanks
Steve.
Hello Steve,
not sure what exactly you want to know (and why).
Not a hash, as it would be necessary to obtain a particular incarnation of a threat before it'd be possible to protect against it. It'd be far too easy for malware writers to create "unknown variants" by simply changing bits in a dead (meaning: not part of the code) area. Also not (solely) content in the sense of String or RegEx.
Signatures are intrinsically tied to the scanner and its strategy and are normally not self-contained entities, think of them as end-nodes in a decision tree.
Christian
Hi Christian
Thanks for the response. I am new to the Cloud Sandboxing concept and I had heard about hash vs. content based signatures.
So I was just curious to know how Sandstorm delivers the signature and the frequency.
There are some vendors claiming an update interval in the range of 2-7 minutes.
Thanks
Steve
Really, Steve, the way Sandstorm works, it's not important to the end users how long it takes for the UTMs to be updated. If the signature matches known-safe or known-malicious, the file doesn't get sent to Sandstorm. If it's unknown to the UTM, off it goes.
At one point, I guessed that there might be a local copy of the signatures, but now I suspect that the calculated signature is sent to Sandstorm. In that case, the "update" time for new signatures would be instantaneous.
Cheers - Bob
Hello Steve (and Bob),
I see, Sandstorm. Now the Endpoint products have something similar called Live Protection. A decision is locally cached, otherwise - as Bob said - "the Cloud" sends an instantaneous reply for known files. Actual updates of the static detection identities take their usual time.
"hash vs. content based"
As already mentioned, it wouldn't make much sense to base the query and decision on the file hash in its usual meaning. During scanning, tell-tale characteristics are extracted and analyzed and should in most cases lead to a bad or good decision. Though there might be "leftovers" (already "reduced" so that they ideally maintain enough characteristics to be designative but general enough to be representative for other files of that ilk) that at the moment seem inconsistent with either. AFAIK it's this extracted and reduced information that is used to build "the hash".
Christian
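An added illustration of the two points made in this thread (a whole-file hash is defeated by touching bits in a dead area, whereas an identity built from extracted and reduced characteristics is not, and a local cache answers known verdicts while unknowns go to the sandbox). This is example code written for this page, not Sophos code; the TOYX container format, the two-byte instruction encoding and the verdict values are all constructed for the demo.

```python
import hashlib
import struct

# Constructed toy container: 4-byte magic, 2-byte big-endian code length,
# the code bytes (2-byte instructions: opcode, operand), then padding that is
# never executed. Invented for this illustration only.
MAGIC = b"TOYX"

def build_file(code: bytes, padding: bytes) -> bytes:
    return MAGIC + struct.pack(">H", len(code)) + code + padding

def file_hash(blob: bytes) -> str:
    """Whole-file identity: any changed bit anywhere yields a new value."""
    return hashlib.sha256(blob).hexdigest()

def reduced_identity(blob: bytes) -> str:
    """Characteristic-based identity: extract the code region, then reduce it
    to its opcode sequence so padding bits and operand constants drop out."""
    if blob[:4] != MAGIC or len(blob) < 6:
        raise ValueError("not a TOYX container")
    (code_len,) = struct.unpack(">H", blob[4:6])
    code = blob[6:6 + code_len]
    if len(code) != code_len or code_len % 2:
        raise ValueError("truncated or malformed code region")
    opcodes = bytes(code[::2])  # keep opcodes, drop operands
    return hashlib.sha256(b"opcodes:" + opcodes).hexdigest()

def classify(blob: bytes, known: dict) -> str:
    """Local cache lookup as described in the thread: a known verdict is
    answered locally; anything else would be submitted to the sandbox."""
    return known.get(reduced_identity(blob), "unknown: submit to sandbox")

# Constructed samples: a base program, two trivially altered variants that a
# whole-file hash would treat as new, and a genuinely different program.
BASE_CODE = bytes([0x10, 0x41, 0x20, 0x05, 0x30, 0xFF])
ORIGINAL = build_file(BASE_CODE, b"\x00" * 8)
PADDED_VARIANT = build_file(BASE_CODE, b"\x00" * 7 + b"\x01")  # dead-area bit differs
OPERAND_VARIANT = build_file(bytes([0x10, 0x42, 0x20, 0x06, 0x30, 0xFE]), b"\x00" * 8)
DIFFERENT = build_file(bytes([0x10, 0x41, 0x99, 0x00]), b"\x00" * 8)

# Constructed verdict cache keyed by the reduced identity, not the file hash.
KNOWN_VERDICTS = {reduced_identity(ORIGINAL): "known-malicious"}

if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL), ("padded", PADDED_VARIANT),
                       ("operand", OPERAND_VARIANT), ("different", DIFFERENT)]:
        print(f"{name:9} file_hash={file_hash(blob)[:12]} "
              f"identity={reduced_identity(blob)[:12]} -> {classify(blob, KNOWN_VERDICTS)}")
```

Running it shows the first three samples sharing one identity and one cached verdict despite three distinct file hashes, while the fourth falls through to the sandbox path.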