
Heuristics And A Behavior Blocker Or Host Intrusion Prevention.


5 replies to this topic

#1 Zurchiboy

    Advanced Member

  • Members
  • 105 posts

Posted 28 March 2013 - 11:09 PM

Immunet seems to be fairly signature-based. I don't see a setting for heuristics and a zero-day protection module, which I think is critical for the Plus version since there is so much new undetected malware being created. I think it would be nice to add a good behavior blocker and a nice HIPS module as well.

#2 Francis

    Sourcefire Administrator

  • Administrators
  • 75 posts

Posted 29 March 2013 - 01:24 AM

Hi Zurchiboy,

Thanks for the input! Immunet is actually more diverse than you think though. Our Clam and TETRA engines are mostly signature based (TETRA having some extra rootkit detection to boot) but we also have our in-cloud ETHOS and SPERO engines which work off of fuzzy hashes and decision trees, respectively. We also do a lot of extra work in the cloud by comparing data coming in from various computers at once in order to track how programs are spreading, what they're connecting to, etc. to see if they might indeed be malicious or not. We do all of this in the cloud so that your computer doesn't suffer the performance penalties itself, which is why you don't see any of these settings in the UI. Thanks,

- Francis
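Francis's post says ETHOS works off fuzzy hashes. The toy below is an added illustration of what a fuzzy hash buys a defender, not Immunet's or Sourcefire's code, and the page does not describe ETHOS's actual algorithm: it implements a small context-triggered piecewise hash (the idea behind tools like ssdeep) and compares it with an exact SHA-256. The sample "files" are constructed strings, not real malware. A one-byte change to a known file defeats the exact hash entirely, while the fuzzy signature still scores high against the original and low against an unrelated file of similar shape.

```python
"""Toy context-triggered piecewise hash versus an exact cryptographic hash.

Added example, not Immunet/Sourcefire code; the trigger rule, block size and
scoring are illustrative choices, not ETHOS's real parameters.
"""
import hashlib
from difflib import SequenceMatcher

# One output symbol per chunk; 64 symbols, so each chunk contributes 6 bits of its SHA-1.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BASE, MASK = 257, 0xFFFFFFFF


def fuzzy_hash(data: bytes, block_size: int = 16, window: int = 7) -> str:
    """Return 'block_size:signature'.

    A rolling hash slides over the input. Whenever its value hits the trigger
    condition, the bytes since the previous trigger form a chunk, and the chunk
    contributes one symbol. Because chunk boundaries are chosen by local
    content, a change in one place only disturbs the symbols near it.
    """
    high = pow(BASE, window - 1, 1 << 32)  # weight of the byte leaving the window
    h, chunk_start, symbols = 0, 0, []
    for i, b in enumerate(data):
        if i >= window:
            h = (h - data[i - window] * high) & MASK  # drop the oldest byte
        h = (h * BASE + b) & MASK                       # add the newest byte
        mixed = h ^ (h >> 13) ^ (h >> 21)               # spread bits before the modulus test
        if i >= window - 1 and mixed % block_size == block_size - 1:
            chunk = data[chunk_start:i + 1]
            symbols.append(ALPHABET[hashlib.sha1(chunk).digest()[0] & 63])
            chunk_start = i + 1
    if chunk_start < len(data):                         # trailing partial chunk
        symbols.append(ALPHABET[hashlib.sha1(data[chunk_start:]).digest()[0] & 63])
    return f"{block_size}:{''.join(symbols)}"


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score: how much of the two signatures lines up, in order."""
    a, b = sig_a.split(":", 1)[1], sig_b.split(":", 1)[1]
    return round(100 * SequenceMatcher(None, a, b, autojunk=False).ratio())


def exact_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs (not real files): a "known" file, the same file with a
# single byte flipped, and an unrelated file of similar shape.
KNOWN = "".join(f"entry {i}: value={(i * 7919) % 1000} name=item{i}\n" for i in range(60)).encode()
_mod = bytearray(KNOWN)
_mod[len(_mod) // 2] ^= 0x01
MODIFIED = bytes(_mod)
UNRELATED = "".join(f"record {i}: hash={(i * 104729) % 99991} tag=blob{i}\n" for i in range(60)).encode()


def compare_all() -> dict:
    """Exact hashes break on the one-byte change; the fuzzy score degrades gracefully."""
    known_sig = fuzzy_hash(KNOWN)
    return {
        "exact_match_modified": exact_hash(KNOWN) == exact_hash(MODIFIED),
        "fuzzy_known_vs_modified": similarity(known_sig, fuzzy_hash(MODIFIED)),
        "fuzzy_known_vs_unrelated": similarity(known_sig, fuzzy_hash(UNRELATED)),
    }


if __name__ == "__main__":
    for name, value in compare_all().items():
        print(f"{name}: {value}")
```

The score is only a similarity measure, which is also why a cloud engine would pair it with other evidence (prevalence, behaviour, a second engine) rather than convicting on a fuzzy match alone.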

#3 Zurchiboy

    Advanced Member

  • Members
  • 105 posts

Posted 29 March 2013 - 04:03 AM

Does Immunet have behavioral analysis that can detect a file from malicious programs that have not been seen in the cloud before, so that it can be detected before too much damage happens? For example, a piece of ransomware. Is there a feature that would detect an unknown piece of ransomware before it locks the user out?

#4 ritchie58

    Staff Member

  • Moderators
  • 1,973 posts
  • Location: Oil City, Pa. U.S.A.

Posted 29 March 2013 - 09:59 AM

The answer to that, Zurchiboy, is yes. That's where the ETHOS cloud detection engine would come into play. It has advanced heuristic capabilities that can detect and react to unknown or unseen threats in real time. ETHOS will examine all files that are downloaded, executed or flash scanned, thus protecting you from unknown or zero-day threats. Also, if ETHOS does detect a threat, this info is sent to the cloud where the rest of the Immunet community would be automatically protected from the new threat in almost real time. That's something a strictly signature based AV could never do, as you would have to wait for the newest definitions to be downloaded, which could take hours, days or even longer once the threat is detected, examined and found to be malicious! That's the advantage of having a cloud based anti-virus on your side, the speed at which Immunet can detect and react to a new, unseen malicious program!

Cheers, Ritchie...

* Immunet Global Forum Moderator *


#5 Zurchiboy

    Advanced Member

  • Members
  • 105 posts

Posted 29 March 2013 - 03:06 PM

That's nice. Does ETHOS stand for anything? I also noticed there is a reputation thing, because when I downloaded a piece of malware intentionally that I knew would be detected by the AV I have Immunet supplementing, it detected it as W32.DEFRC:Reputation... Is this new?

#6 ritchie58

    Staff Member

  • Moderators
  • 1,973 posts
  • Location: Oil City, Pa. U.S.A.

Posted 29 March 2013 - 09:45 PM

Ethos is a Greek term which means the disposition, character, or fundamental values peculiar to a specific person, people, culture, or movement. In regards to Immunet, it's most likely an acronym for something, but I don't know what the letters stand for if that's the case. Maybe an Administrator can tell you that. As far as W.32 DEFRC:Reputation, I checked Virustotal's database and found nothing regarding that file, so it's either "very new malware" and has yet to make it into Virustotal's database, or it could also be a false positive from a legitimate file.

* Immunet Global Forum Moderator *
