dallas7 Posted November 22, 2010

So, what's the latest in the (not-Tetra) engines department... trees, convictions, training, whatever? Wasn't something big supposed to have happened on Nov 15? Thank you and Cheers.
alfred Posted November 24, 2010

> So, what's the latest in the (not-Tetra) engines department... trees, convictions, training, whatever? Wasn't something big supposed to have happened on Nov 15? Thank you and Cheers.

Hey Dallas. You are right, we had initially set out to double our detection rates in the field by November 15 (starting Sept. 1), I think. I need to generate the graph, but the short of it is that we have tripled it and then some. There is some allowance in there for high volumes of detects from other vendors using us in their sample processing back-ends and from our user base growing at a good clip, but when normalized our numbers still hit about 3X the amount of in-field convictions.

The improvements were:

1. Addition of the W32.Invictus algorithm. This is a cloud based 'temporal event' driven engine and it's been a powerful benefit. We are filing patents on it as we speak, so I cannot disclose much more about it.
2. Addition of the W32.SPERO.Prolixus detection set. This is an enhancement to SPERO.
3. ETHOS refinement.
4. Sample collection. We broadened our parameters for automated collection of in-the-wild threats and have also brought in several new trading partners for sample data to work with. Sample collection in general is critical for training things like SPERO and ETHOS. Obviously in-the-wild data trumps collection/zoo data.
5. The Clam engine. This is likely one of our most significant additions. We've worked with the Clam team to get this integrated and it will allow for solid offline protection and the ability for our users to write their own sigs and trade them if they desire. This is a closed beta now and will be in public beta soon under the ClamAV for Windows umbrella (although it will also ship with IMP when it's out).

al
dallas7 Posted November 24, 2010

Thanks again for such a detailed reply. Holy guacamole! This is outstanding news. Unless I'm reading too much into all that, those are some pronounced and significant enhancements.

@Immunet: While your current implementation of BitDefender (traditional) tech in the Tetra engine is laudable, their stellar reputation is well established. Cloud tech is The New, and many of your users and those straddling the fence on Immunet have more than a casual interest in your progress. The subject is security and stability, that of our own identities and of our costly systems. The forum and the blog and the UI Notification continue to be preoccupied by interesting fluff wrapped in the silence of cricket chirps. That someone needs to post up here and twist your arm to detail all this advancement and hard work, I'll just never understand. And this isn't the first time I've expressed that sentiment.

Anyhow, keep up the great work and get on that blog and let us know what's going on. Don't hesitate to brag - it's a time honored tradition. Happy Thanksgiving!
dallas7 Posted November 24, 2010

> The Clam engine. This is likely one of our most significant additions. We've worked with the Clam team to get this integrated and it will allow for solid offline protection...

How will this be marketed? Will it be an offline solution for the Free version and run in parallel with BitDefender/Tetra in Plus? Or will Free remain cloud only with Plus becoming Clam/Tetra (no more BD)? Sorry if I'm asking about too many secrets. But you opened the door. Cheers.
bellgamin Posted November 25, 2010

> The improvements were: 1. Addition of the W32.Invictus algorithm. 2. Addition of the W32.SPERO.Prolixus detection set.

Is there any special meaning to the "W32" part of these titles? Or is it just a name?

> The improvements were: ... 5. The Clam engine.

Improvement #5 points to ClamAV. In all the many tests of antivirus apps that I have seen, wherein ClamAV was included, it never did all that great. Ergo, please help me to have a little better understanding of your enthusiasm for this aspect of Immunet's pending improvements.
alfred Posted November 25, 2010

> How will this be marketed? Will it be an offline solution for the Free version and run in parallel with BitDefender/Tetra in Plus? Or will Free remain cloud only with Plus becoming Clam/Tetra (no more BD)? Sorry if I'm asking about too many secrets. But you opened the door. Cheers.

Those are good questions. Tetra and Clam will not be suggested to be run with both enabled unless you are willing to deal with the delay in file IO or large scans. I do not know what those delays are yet because our beta is still just starting and the data will take time to generate. The Clam engine will always be free, period. It will be optional as to whether you want to install it or not, though.

al
alfred Posted November 25, 2010

> Is there any special meaning to the "W32" part of these titles? Or is it just a name?

> Improvement #5 points to ClamAV. In all the many tests of antivirus apps that I have seen, wherein ClamAV was included, it never did all that great. Ergo, please help me to have a little better understanding of your enthusiasm for this aspect of Immunet's pending improvements.

ClamAV is a Unix product directed, generally, at mail gateways. A product used in that context has a much narrower band of detections by its nature. People who run it and compare it to desktop products are really not creating data of any real value from a comparative position. What we will ship is ClamAV for Windows. The engine in this supplementary role has clear benefits on top of the obvious offline support. One (big) additional value here is the ability for users to craft their signatures using the Clam formats (which are very flexible) or with their bytecode engine.

al
bellgamin Posted November 25, 2010

> One (big) additional value here is the ability for users to craft their signatures using the Clam formats (which are very flexible) or with their bytecode engine.

Thanks for the prompt & informative reply. I become increasingly favorable toward Immunet, largely due to you, Orlando, and this continuingly improved forum.

As to user-crafted sigs, I doubt if many of us will be making sigs for advanced malware such as polymorphics, whereby the virus sig changes pretty much every time, AFAIK. However, time will tell. I mainly look for Immunet to manifest more progress in the detection of polymorphs and in dealing with zero-day. To me, these factors are one of the main things that nowadays delineates between AVs as to their relative protective power for dealing with the latest trends in malware.
alfred Posted November 25, 2010

> As to user-crafted sigs, I doubt if many of us will be making sigs for advanced malware such as polymorphics, whereby the virus sig changes pretty much every time, AFAIK. However, time will tell.

I certainly agree with you. Typical users will not make use of this function. However, if you look at an analogous problem space like IPS, you will find that a reasonable (although still small) number of folks write IPS sigs for public consumption (Snort is a prime example). The same people are often in the position to write AV sigs now; some will do so. What I am hoping for is that people who do write them will share them. We shall see. Either way, people who are tracking APTs in their environment (which typically are not all that polymorphic) will find this feature very useful. Severe polymorphic threats in general, btw, are addressable by the new engine with hand crafted sigs, but they need to be written for the bytecode engine. Most 'polymorphic' threats can still be found with the conventional sig language we are exposing.

> I mainly look for Immunet to manifest more progress in the detection of polymorphs and in dealing with zero-day. To me, these factors are one of the main things that nowadays delineates between AVs as to their relative protective power for dealing with the latest trends in malware.

Most of our engines are focused on non-exact matches, which by definition is what you are referring to. I still argue, though, that one-to-one matches play a critical role in this technology and AV companies do well to continue investing here. By definition, the first time a user encounters any threat it is '0 Day' to them. One-to-one sigs allow for precise matches with 0 FP overhead (most often). Generic engines of any description are wonderful but expose you to the 'Omelet Problem' (which is to say, in order to make an omelet you need to...) as far as FPs go.

Our belief is still that context and external meta data about a file are the key to aiding conviction of '0' day files and that's the route we'll be continuing to tread down. For now anyhow.

Best,
al
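The two points alfred makes in this thread, that users will be able to craft their own sigs in the Clam formats, and that one-to-one matches have near-zero FP overhead while generic engines buy broader coverage at the price of the 'Omelet Problem', can be made concrete with a small matcher. The following is an added example, not code from Immunet or from the ClamAV project. It implements only the hash (.hdb) and hex-pattern (.ndb) plain-text formats with the `??`, `*` and `{n-m}` wildcards, target types 0 and 1, and `*` or absolute decimal offsets; the signature names, signature lines and sample files are constructed for the example, and nothing here touches the bytecode engine.

```python
"""Added example: a tiny matcher for two of ClamAV's plain-text signature
formats, used to show the one-to-one (hash) versus generic (wildcard)
trade-off from the thread. Not Immunet's or ClamAV's code; the signature
lines, sample files and names below are constructed for the example.

Formats (per the ClamAV signature documentation):
  .hdb : MD5:FileSize:MalwareName              (exact, one-to-one)
  .ndb : MalwareName:TargetType:Offset:HexSig  (HexSig may use ??, *, {n-m})
Only target types 0 (any file) and 1 (PE, approximated here as an "MZ"
prefix), offsets "*" (anywhere) or a decimal absolute offset, and the three
wildcard forms above are supported; anything else raises ValueError.
"""
import hashlib
import re

# Constructed sample files: a known-bad file, a variant of it, and a benign
# file that merely contains a similar string.
MALWARE = b"MZ\x90\x00payload: EVIL_MARKER_01 connect-back\x00\x00\x00\x00"
VARIANT = b"MZ\x90\x00payload: EVIL_MARKER_7f connect-back\x00\x00\x00\x00"
BENIGN = b"MZ\x90\x00notes: EVIL_MARKER_ab is a string in a document\x00\x00"
SAMPLES = {"malware": MALWARE, "variant": VARIANT, "benign": BENIGN}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# One-to-one signature (.hdb): hash and size of the known-bad sample only.
HDB_LINES = [f"{md5_hex(MALWARE)}:{len(MALWARE)}:Example.Exact"]

# Generic signatures (.ndb). Hex of "EVIL_MARKER_" is 4556494c5f4d41524b45525f,
# hex of "connect-back" is 636f6e6e6563742d6261636b.
NDB_LINES = [
    # marker + any two bytes: catches the variant, but also the benign file (FP)
    "Example.Generic.Loose:0:*:4556494c5f4d41524b45525f????",
    # marker + 2-4 bytes + "connect-back": catches only the real samples
    "Example.Generic.Tight:0:*:4556494c5f4d41524b45525f{2-4}636f6e6e6563742d6261636b",
]

_TOKEN = re.compile(r"\*|\{(\d*)(-?)(\d*)\}|\?\?|[0-9a-fA-F]{2}")


def hex_sig_to_regex(hexsig: str) -> re.Pattern:
    """Translate a ClamAV hex signature into a compiled bytes regex."""
    parts = []
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:  # unsupported or malformed token in between
            raise ValueError(f"unsupported hex signature at {pos}: {hexsig!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "*":
            parts.append(b".*")  # any number of bytes
        elif tok == "??":
            parts.append(b".")  # exactly one unknown byte
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:
                parts.append(b".{%d}" % int(lo))  # {n}: exactly n bytes
            elif not lo and not hi:
                parts.append(b".*")  # {-}: any number of bytes
            else:
                parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))  # {n-m}, {n-}, {-m}
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))  # literal byte
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in hex signature: {hexsig!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def load_hdb(lines):
    sigs = []
    for line in lines:
        md5, size, name = line.strip().split(":")
        sigs.append((md5.lower(), int(size), name))
    return sigs


def load_ndb(lines):
    sigs = []
    for line in lines:
        name, target, offset, hexsig = line.strip().split(":", 3)
        if offset != "*":
            int(offset)  # only absolute decimal offsets are supported here
        sigs.append((name, int(target), offset, hex_sig_to_regex(hexsig)))
    return sigs


def scan(data: bytes, hdb_sigs, ndb_sigs):
    """Return the names of all signatures that hit on data, hash sigs first."""
    hits = []
    digest = md5_hex(data)
    for md5, size, name in hdb_sigs:
        if size == len(data) and md5 == digest:
            hits.append(name)
    for name, target, offset, rx in ndb_sigs:
        if target == 1 and not data.startswith(b"MZ"):
            continue  # PE-only signature, file is not a PE
        found = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if found is not None:
            hits.append(name)
    return hits


def demo():
    """Scan the three constructed samples with all signatures."""
    hdb, ndb = load_hdb(HDB_LINES), load_ndb(NDB_LINES)
    return {label: scan(data, hdb, ndb) for label, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:8s} -> {names}")
```

Running it, the exact .hdb signature hits only the file it was built from, the loose generic pattern hits the variant but also the benign file, and the tighter pattern with the `{2-4}` range hits both real samples and nothing else: the same signature language gives a one-to-one sig with no FP and a generic sig whose FP exposure depends entirely on how much context the author encodes.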
bellgamin Posted November 25, 2010

An engines-related question: If I am running Immunet Pro while I am ONLINE, and during that time I run a full scan, which engine(s) will do the scanning? Tetra only? Or all engines? Or all engines OTHER THAN Tetra?
alfred Posted November 25, 2010

> An engines-related question: If I am running Immunet Pro while I am ONLINE, and during that time I run a full scan, which engine(s) will do the scanning? Tetra only? Or all engines? Or all engines OTHER THAN Tetra?

In this case, all of them (provided you have them all checked).

al
dallas7 Posted November 27, 2010

Never mind. I just noticed the Insider thread and my question was answered.