
How TruPrevent Works (I)

May 24th, 2007

I recently came across an interesting document by Gartner's analyst Neil MacDonald, called Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough. There is confusion in the market about what a HIPS really is, and Neil's work really helps in clarifying the different technologies that are being marketed as HIPS. Similarly, other articles such as HIPS: what's in a name? discuss the same confusion about the subject.

In Neil's document different HIPS solutions are analyzed based on the technology approaches they use. He distinguishes technologies that act on code entering the network, on code that is not executing, and on code already executing on the machine. As the document labels Panda TruPrevent Technologies as a HIPS and I've been asked about this many times already, I thought I'd write a couple of articles to explain exactly what TruPrevent is and how it works.

TruPrevent consists of two main technologies: behavioral analysis (intelligent analysis and termination of a running process based on its behavior) and behavioral blocking (a.k.a. policy-based application control and system hardening). When integrated with a signature-based anti-malware engine, static heuristics, a deep packet inspection firewall, prevention of vulnerability exploitation and network access control, it makes up what is considered an integrated, "converged HIPS" solution.

TruPrevent Behavioral Analysis
Code-named Proteus, it acts as a true last line of defense against new malware executing in the machine that manages to bypass signatures, heuristics and behavior blocking. Proteus intercepts, during runtime, the operations and API calls made by each program and correlates them before allowing the process to run completely. The real-time correlation results in processes being allowed or denied execution based on their behavior alone.

As soon as a process starts executing, Proteus silently monitors all of its operations and API calls, gathering information and intelligence about that process's behavior. During the initial execution path, a malicious process will try to perform a series of actions, each of which Proteus correlates with those already observed. Proteus then decides, as early in the execution path as possible, whether the process is malicious or not. If the process is deemed suspicious, its communications are blocked. As soon as it is determined to be malicious, the process is blocked and killed before it can carry out the rest of its actions, and it is prevented from running again.
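As an added illustration (this is not Panda's code and not TruPrevent's real rule set), here is a toy correlator in Python that models the decision flow just described: each intercepted operation is scored the moment it is observed, so a verdict is reached as early in the execution path as possible; a process that crosses the "suspicious" threshold has its communications blocked, one that crosses the "malicious" threshold is killed and its image is denied execution afterwards. The operation names, weights, thresholds and the two event streams are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical per-operation weights (assumption: not a real product rule set).
WEIGHTS = {
    "write_autorun_registry": 3,
    "drop_executable_in_system_dir": 3,
    "inject_remote_thread": 4,
    "disable_security_service": 4,
    "connect_irc": 2,
    "mass_smtp_connect": 2,
}
# Hypothetical operation pairs that, seen together in one process, add a correlation bonus.
COMBINATIONS = {
    ("drop_executable_in_system_dir", "write_autorun_registry"): 3,
    ("inject_remote_thread", "connect_irc"): 4,
}
SUSPICIOUS_THRESHOLD = 5   # block the process's communications
MALICIOUS_THRESHOLD = 9    # kill the process and block its image from running again


@dataclass
class ProcessState:
    image: str
    score: int = 0
    seen: set = field(default_factory=set)
    awarded: set = field(default_factory=set)   # combinations already credited
    verdict: str = "monitoring"
    comms_blocked: bool = False
    killed: bool = False


class Correlator:
    """Runtime correlator: every observed operation is scored immediately, so the
    verdict is reached as early in the execution path as possible."""

    def __init__(self):
        self.procs = {}
        self.blocked_images = set()
        self.actions = []  # audit trail of enforcement actions

    def start(self, pid, image):
        """Process creation: deny execution of images already judged malicious."""
        if image in self.blocked_images:
            self.actions.append((pid, image, "execution_denied"))
            return False
        self.procs[pid] = ProcessState(image)
        return True

    def observe(self, pid, op):
        """An intercepted operation/API call made by pid; returns the updated verdict."""
        st = self.procs.get(pid)
        if st is None:
            return None
        if st.killed:               # nothing more to correlate for a terminated process
            return st.verdict
        st.seen.add(op)
        st.score += WEIGHTS.get(op, 0)
        for combo, bonus in COMBINATIONS.items():
            if combo not in st.awarded and set(combo) <= st.seen:
                st.awarded.add(combo)
                st.score += bonus
        if st.score >= MALICIOUS_THRESHOLD:
            st.verdict, st.killed, st.comms_blocked = "malicious", True, True
            self.blocked_images.add(st.image)
            self.actions.append((pid, st.image, "killed"))
        elif st.score >= SUSPICIOUS_THRESHOLD and st.verdict == "monitoring":
            st.verdict, st.comms_blocked = "suspicious", True
            self.actions.append((pid, st.image, "comms_blocked"))
        return st.verdict


def run_demo():
    """Replay two constructed event streams and return the enforcement trail."""
    events = [  # (pid, image, operation) -- constructed sample input
        (100, "setup.exe", "write_uninstall_key"),              # benign installer
        (100, "setup.exe", "create_start_menu_shortcut"),
        (200, "updater.exe", "drop_executable_in_system_dir"),  # bot-like behaviour
        (200, "updater.exe", "connect_irc"),                    # -> suspicious, comms blocked
        (200, "updater.exe", "write_autorun_registry"),         # -> malicious, killed
        (200, "updater.exe", "mass_smtp_connect"),              # ignored: already killed
        (201, "updater.exe", "drop_executable_in_system_dir"),  # relaunch attempt, denied
    ]
    c = Correlator()
    for pid, image, op in events:
        if pid not in c.procs and not c.start(pid, image):
            continue
        c.observe(pid, op)
    return c.actions


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The benign installer never accumulates a score because none of its operations are in the weight table, while the bot-like process is throttled after its second operation and terminated after its third, before the later SMTP activity ever happens; the scores are additive so that no single "technical question" is ever put to the user.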

Unlike other behavioral technologies, Proteus is autonomous and does not present technical questions to the end user ("Do you want to allow process xyz to inject a thread into explorer.exe or memory address abc?"). If Proteus thinks that a program is malicious it will block it without requiring user intervention. Most users cannot make informed decisions when it comes to security. Some behavioral products throw non-deterministic opinions — or behavioral indecisions — whose effectiveness depends on the user clicking on the right choice. A key functionality of any behavioral technology must be making decisions without user intervention. Anything less is a potential point of failure.

Proteus has been built from the ground up to detect as much malware as possible, as quickly as possible, as early in its execution path as possible and without any user intervention. Our internal stats show that this technology alone is capable of detecting (without signatures and heuristics) 80 to 90 percent of the new malware that causes epidemics in the wild, without generating problematic false positives or behavioral indecisions. A bot would not be a bot if it did not behave like one, and if it does, this technology will detect it regardless of its shape or name.

In the next article we'll dive into TruPrevent's behavioral blocking, a policy-based application control and system hardening technology.

Categories: behavior analysis
  1. Pedro Bustamante
    May 25th, 2007 at 06:01 | #1

    Pedro,
    do you have (I think yes) images of TruPrevent working? If you have, please post these images

    Thanks

  2. Pedro Bustamante
    May 26th, 2007 at 09:25 | #2

    Great article! I hope to see many more like it!

  3. Pedro Bustamante
    May 28th, 2007 at 17:18 | #3

    Pedro, is the 2nd part in the works?
    I’m a curious guy :)

    Thanks

    Lucass

  4. Pedro Bustamante
    May 28th, 2007 at 18:17 | #4

    If you’re referring to behavior blocking, yes, it’s been integrated into TruPrevent for quite a few years now. Some more info on basic blocking rules here:
    http://www.pandasoftware.com/virus_info/rules/

  5. Pedro Bustamante
    May 30th, 2007 at 05:59 | #5

    An example of TruPrevent behavioral analysis killing a malicious process can be seen in the following screenshot at http://research.pandasoftware.com/blogs/images/truprevent_popup.jpg

  6. Pedro Bustamante
    May 30th, 2007 at 06:47 | #6

    I think there is a big problem in the new version of Panda.
    After testing some viruses/trojans, there is no response from 11.01.00’s TruPrevent, but they were stopped under the old version 11.00.02.

  7. Pedro Bustamante
    May 30th, 2007 at 23:40 | #7

    Fly, please send me the details of your testing to pbustamante´at´pandasoftware.com.

  8. Pedro Bustamante
    May 31st, 2007 at 16:23 | #8

    Hi,
    In my test, the latest version of IS works fine. Ah, TruPrevent has a “false positive” on the new version of HijackThis; it detected a suspect operation on the hosts file

    Regards

  9. Pedro Bustamante
    May 31st, 2007 at 23:20 | #9

    Thanks lucass, we will take a look at this.

  10. Pedro Bustamante
    June 1st, 2007 at 03:09 | #10

    My friend has sent you the test issue.

    We have many samples to do the work for any vendors.

    Such as me: I have 4GB of active samples, including variants of malware.

    Most of them have been sent to your virus lab, and since last year your lab should have received my samples mail every day.

  11. Pedro Bustamante
    June 1st, 2007 at 04:34 | #11

    Pedro, is generic malware/worm/trojan a heuristic detection or a normal signature detection?
    Work fine!

    Regards

  12. Pedro Bustamante
    June 1st, 2007 at 06:53 | #12

    Generic detections are signatures that are able to detect many variants of the same family. Our heuristic detections are marked as suspicious.

  13. Pedro Bustamante
    June 1st, 2007 at 07:23 | #13

    Thanks for the reply.

    Regards

  14. Pedro Bustamante
    June 1st, 2007 at 07:50 | #14

    Pedro, very sorry for another comment, but Panda has a problem in the signatures.
    At this moment I have an infected file; on VirusTotal this file is detected by Panda
    (generic malware),
    but my IS does not recognize this file.
    In the last week/month, I sent PandaLabs a similar problem.

    Regards

  15. Pedro Bustamante
    June 3rd, 2007 at 07:34 | #15

    Hello, lucass
    That’s not a problem; your desktop version of Panda does not have the ability to detect suspicious PACKERS, but the online engine does.

    If you want to try the online version, you should download the command-line version of Panda, which will satisfy you.

  16. Pedro Bustamante
    June 3rd, 2007 at 15:19 | #16

    Hi fly,
    the command line (normal and beta signatures) doesn’t recognize the file; Panda on VirusTotal uses an old engine.
    It’s an old problem, but the p.l. don’t reply on this problem.

    Regards

    PS:fly of unpack.cn?

  17. Pedro Bustamante
    June 6th, 2007 at 06:54 | #17

    lucass please send the details to my personal email to see what’s going on with these detections.

  18. AGK
    June 10th, 2007 at 03:41 | #18

    TruPrevent constantly locked up my computer. I feel I wasted 30.00. Updates constantly failed or did not install

  19. Michel
    June 22nd, 2007 at 14:24 | #19

    An overview of this new class of products can be found here:

    http://kareldjag.over-blog.com/article-1841115.html

    Panda TruPrevent can’t really be considered a HIPS if we take into consideration the original terminology.

    Regards.

  20. Pedro Bustamante
    June 24th, 2007 at 16:00 | #20

    I agree with you Michel. At Panda we don’t consider TruPrevent a HIPS. Some people outside of Panda have done so but it is not our opinion that Behavioral Blocking and Analysis equals a HIPS. We consider HIPS our Panda Internet Security product for consumers and our ClientShield product for corporate endpoints. These products integrate AV, genetic heuristics, anti-spyware, DPI firewall, prevention of vulnerability exploitation, network access control AND TruPrevent’s behavioral analysis and behavioral blocking. Panda Internet Security and ClientShield are full-blown HIPS products.
