Archive for the ‘behavior analysis’ Category

Tis the comparative season

April 25th, 2011 Comments off

There’s been a few comparative tests published as of late. In case you’ve missed any of them here’s a quick rundown of the most significant ones.

First on the list are the Q1-2011 quarterly results of the Full Product Test (FPT)  by These FPT’s are performed on a monthly basis and are very in-depth, covering pretty much all aspects of a modern security software and testing from a users’ perspective by replicating infection vectors and user experience. The areas tested include real-time blocking of malicious websites, detection of relevant and active malware samples (zoo malware, wildlist malware according to criteria of wildlist, not the limited list), false positive testing, performance testing, disinfection testing, detection and disinfection of active rootkits, behaviour-based dynamic detection, dynamic false positives and packing and archive support. Overall one of the most comprehensive regular tests out there. It’s such a tough test that 5 out of the 22 vendors tested did not obtain the minimum score to achieve certification. Panda Internet Security came out with very good scores and achieved certification. The report on Panda Internet Security can be found here (PDF) and the complete results for all vendors here.

Next in line are a couple of tests by The first one is the traditional On-Demand test from February 2011 which also tests false positives and performance of the on-demand scanner. In this test Panda Antivirus Pro achieved the #4 rank in terms of malware detection. We still had 18 false positives that, even though are of low prevalence according to, prevented us from achieving the Advanced+ certification. We’re doing a lot of work in improving in this area. Panda Antivirus Pro also achieved the #2 rank in the performance test for scanning speeds. The full report can be downloaded from the website here.

The second test by that has been published recently is the Whole-Product Test. Similar to the Full Product Test, this test tries to test user experience by replicating the infection vector. Unlike the FPT, this one focuses only on malicious websites and behaviour-based dynamic detection. Panda Internet Security scored very good with a 98.8% protection index. More information can be found at the site here.

If you’re interested in these types of AV tests, make sure to vote on your favourite AV testing outfit in our open poll here. So far both AV-Comparatives and AV-Test are leading the pack.

Arguments against cloud-based antivirus

December 1st, 2009 5 comments

With any advance in science and technology there will always be critics and people oppossed to change. This has happened over and over again in the course of history. Antivirus is no different. We saw resistance when we released behavioral analysis in 2004 (which is mainstream technology nowadays) and we have seen it recently with the release of Panda Cloud Antivirus.

In this post I have compiled a list of all arguments against cloud-based antivirus that I was able to find. Let us review these arguments against cloud-based antivirus and see why they are based on either misconceptions or simple lack of understanding and knowledge of how this technology works.

A malware could cripple the Internet connection and render the cloud antivirus useless
Exactly the same thing could happen to the traditional signature based antivirus. If a malware gets through the traditional signature defenses and manages to disable your Internet connection, you will not be able to get signature updates from your AV vendor and therefore will not be protected against the new malware variants, rendering your traditional AV just as useless.

A cloud-based antivirus needs to check everything against the cloud. Takes more time
Actually not everything is checked against the cloud. At least with Panda’s implementation of cloud-scanning there are locally installed technologies (heuristics, cache of cloud-detection, goodware cache, etc.) that are able to detect a good deal of malware threats and known good files. All these files are not checked against the cloud. Think about it, once you install the cloud-based antivirus, how many new programs do you install on your computer every day? Not that many, right? Once installed, only new programs copied or trying to run on your computer are checked against the cloud (if they are not detected first by the local technologies). From our beta testing phase we have seen that on average Panda Cloud Antivirus only consumes a few KB of bandwidth per day, less than the typical traditional signature updates.

It is an invasion of privacy. I do not want my files & documents to leave my computer
This is one of the most common misconceptions, maybe due to some weak implementations of cloud-scanning by some vendors. At least in Panda’s implementation of cloud-scanning when a file is “scanned by the cloud” it doesn’t actually leave your computer, it is not uploaded to our Collective Intelligence servers. What really happens is that Panda Cloud Antivirus creates a really small reverse signature of the file and the signature is what gets checked against the cloud. Also cloud-scanning is only implemented to Portable Executable (PE) files, so your Word/Excel documents, etc. are not checked against the cloud. There is one scenario with PE files where, if it is flagged as suspicious and Collective Intelligence doesn’t already have a copy of the file, then the file is uploaded for further analysis. But even then people can opt-out of participating in the community by simply un-checking this option in the product.

Cloud-based antivirus do not protect while offline
While this might be true of some cloud-based antivirus implementations, in the case of Panda Cloud Antivirus it is not true. Panda Cloud Antivirus has a local cached copy of the Collective Intelligence cloud servers. This local cache is tasked with detecting (even while not connected to the Internet) malware that is in the wild, non-PE malware and other threats. Unlike traditional signature updates, this local cache update is a “moving target” of what the community sees as circulating out there in the wild. Therefore it is able to efficiently protect against the important threats. This local cache does not protect against Win98 or DOS viruses or even malware that is dead or not circulating anymore. That is why the community aspect of Panda Cloud Antivirus is so important as, the more people use it, the better protection it offers.
UPDATE: Panda Cloud Antivirus 1.1 includes 4 additional new layers of offline protection: 2 behavioural engines (blocking & runtime analysis), autorun disabling and USB vaccination.

So that means that it provides lower protection while offline
First let’s take a look at the practical aspect: after running the beta and release of Panda Cloud Antivirus for over 7 months with millions of users, we have not had a single recorded incident of an infected user while not connected to the Internet. There’s a common misconception that protection = detection rates of millions of samples as tested by magazines. This is not really true as those tests include malware that is dead, not circulating anymore or even does not work on your operating system (like old DOS/Win98 viruses). If we define protection as stopping real-life malware that is circulating then the offline protection that is offered by Panda Cloud Antivirus is more than enough.

So if I have some old malware and disconnect from the Internet, can I infect myself?
Yes of course. You can also take a stroll down the worse neighborhood of your city sprouting a gold watch and necklaces and there’s a pretty good chance you will be (at least) mugged. Or you can just drive off a 200 meter cliff hoping your seatbelt and airbag will be enough to save your life. Panda Cloud Antivirus was designed for real people and real-life use. With that in mind you won’t have to worry about these highly unlikely scenarios during your normal computing experience.

I’m worried about latency and response time
This a very valid worry with regards to an AV whose real-time monitor (on-access scanner) works in a synchronous mode against the cloud. Currently we have two “timeouts” in the product, a first one to notify the user of problems with latency and a second one for blocking the execution altogether if no answer is received. However from our measurements these last months in over 98% of the cases the response time of the on-access scanner is below a second. Keep in mind that only a few bytes are sent back and forth when a file is queried, so the real impact is really low.

Cloud-scanning is just the latest marketing buzzword
It seems it is becoming much more a buzzword. But it doesn’t mean there is not benefit behind it. Many different products (not only security-related) are migrating their “intelligence” to the cloud and leaving behind those old, overloaded, slow applications in exchange of faster, always up-to-date clients. There is a clear benefit not only from the perspective of developers who are much less constrained by the limitations of a single PC, but also from the point of view of the user who gets an improved computing experience without all the negative aspects of resource consumption of his/her PC.

Cloud-scanning is just a way for AV vendors to lower their cost of downloading signatures
Yeah right, you should talk to our CFO about this (he stands out as the only one with grey hairs because of how expensive this whole thing has been :) ). Seriously, it would have been waaaaay cheaper to stick to the existing traditional signature download infrastructure approach than to set-up an additional multi-million infrastructure just for cloud-scanning. Not only is there the initial investment but also the continuous maintenance. And of course this does not take into consideration the additional investment in development and QA that’s also needed to develop and maintain this technology in the products.

Cloud-scanning is only good as a second opinion
This might have been true of the first cloud implementations a couple of years ago (online scanner, the first cloud-only products, etc.) but it is not true anymore. At least with Panda’s implementation, Panda Cloud Antivirus is a full replacement of a traditional AV. Panda Cloud Antivirus has the best of both worlds; it includes local protection for offline and the most effective protection while online. While some vendors are adding some cloud-scanning abilities to their existing products’ (as an additional technology in the mix of different technologies), Panda Cloud Antivirus has been developed from scratch to work in real-time in synchronous mode against the cloud. It has been proven as an effective replacement of traditional signature approach.

If you can think of any other argument against this type of technology feel free to let us know! :)

First Independent Test of Panda Internet Security 2010

June 26th, 2009 23 comments

As you may know we released our Panda 2010 products yesterday. In addition to the traditional Panda Antivirus Pro 2010, Panda Internet Security 2010 and Panda Global Protection 2010, this year we've also released a tailor-made product for netbooks and ultra portables called Panda Antivirus for Netbooks.

I just got word from Andreas Marx from that they've put Panda Internet Security 2010 (PIS 2010) to the test today. Some conclusions from the test can be seen below, using Andreas' own words:

WildList Test.  We started with a detection test against all samples from the most recent WildList 05/2009 and malware from older releases. Our test set includes 3,194 confirmed malicious and widespread samples. We tested the set with the on-demand scanner and on-access guard. In both cases, Panda was able to detect and remove these viruses, worms and bots easily.

Full Collection Test. We were able to test PIS 2010 against a larger set of about 680,000 malware samples, including ad- and spyware, trojan horses and other critters. It detected 99.6% of these files, without flagging any files in our false positive / clean file test set, which is a very good result.

TruPrevent Test.  We have tested the dynamic (behaviour-based) detection with a few recently released malware samples which are not yet detected by heuristics, signatures or the "in the cloud" features and found that Panda warned in about 45% of the cases when we executed the malware sample. However, it only blocked and quarantined just a few of these tested samples. (More testing in this area needs to be performed to report statistically significant results.)

Disinfection Test. The detection and removal of an already infected PC was working properly, all active components were removed during the system repair process and just in some cases, registry keys belonging to the malware were left behind.

Rootkit Test. The detection and removal of actively running rootkits was quite impressive: all rootkits in our test were successfully identified and deleted.

As you may imagine we're very happy about the results of this test and hope other independent tests come along soon that also validate the highest level of quality provided by our most advanced ever anti-malware solutions.

For detailed testing methodology (for rootkit detection and removal, system disinfection, dynamic detection, etc.) I recommend you visit Papers selection.

Other advanced testing methodologies worth reading up on can also be found at ATMSO's Document Library.

Panda Collective Intelligence and VirusTotal

February 12th, 2009 21 comments

As you know we've been using Panda Collective Intelligence from-the-cloud-scanning technologies since about two years ago, initially in our online scanners ActiveScan and also in our Panda 2009 consumer products. Thanks to Collective Intelligence we are able to use complete automation (community-driven information, threat analysis, multiple technology checks, malware/goodware determination and signature creation) to protect against the newest and most dangerous variants faster than using the traditional signature approach.

I'm happy to report that we've now integrated the Panda Collective Intelligence cloud-scanning technology into the VirusTotal service. You'll notice it by the 10.x version numbering next to the Panda engine.

To see Panda Collective Intelligence in action let's look at a new malware that started spreading a few hours ago (MD5: a0713a3639c9d4901daf774022f4bfd2). It is an Adware/Antivirus2009 rogue antivirus. Let's run it through VirusTotal and see the results as of 02.12.2009 12:35:51 (CET):


Check the updated VirusTotal scan result here (search for a0713a3639c9d4901daf774022f4bfd2) to see how other engines add detection progressively.

TruPrevent stops Conficker.A worm proactively

November 28th, 2008 3 comments

As I'm sure you've heard already, there's a new worm called Conficker.A out there exploiting the latest critical Windows MS08-067 vulnerability which allows remote code execution via specially crafted RPC calls. SANS has been tracking this and has seen an important increase in port 445 scans as is shown on their website:

As we've been seeing quite a bit of this worm's activity specially in corporate networks, Isma has created a new TruPrevent Security Policy which can effectively stop this worm on its tracks generically (without antivirus signatures):



Panda users don't have to worry about this worm. Simply make sure your protection is configured to update itself automatically (which it is by default) and don't forget to patch your Windows installations.

Categories: behavior analysis, Malware, Vulns Tags:

Exploits vs Antivirus – The Last Stand

October 14th, 2008 17 comments

Internet Security Suites fail to block exploits and do little to protect users against exploits, according to a recently released "test" [here] by Secunia, a Danish vulnerability notification firm. I quoted the word "test" as it's very common to see vulnerability companies use close-to-unethical tactics to oversell problems with the AV industry in order to promote their own services [another example here].

Now its Secunia's turn. In their "test" they assume that anti-virus products have poor performance in detecting vulnerability exploits because of their limited focus on traditional AV signatures. So along comes Secunia's Chief Technology Officer (CTO) Thomas Kristensen with the bright idea of testing 12 different Internet Security Suites from McAfee, Norton, Kaspersky, Panda and others against a testbed of exploit files. So far so good, it’s an interesting idea for comparing technologies and I believe it should be performed.

However when testing exploits one very important aspect is that these products don't just rely on traditional signature detection. Yet Secunia's "test methodology" only takes into consideration manually scanning 144 different inactive exploit files. This is very much like saying that you're going to test a car’s ABS breaks by throwing it down a 200 meter cliff. Absurd, sensationalist and misleading at best.

Just to clarify, if you only test 1 part of a product against exploits, which by the way is the part of the product which IS NOT designed to deal with exploits, and leave out of the test the part of the product that DOES deal with exploits and vulnerabilities, there's a very good chance the results will be misleading. Mr. Kristensen, as a Chief Technology Officer, should know this and should be very well aware of the consequences of a faulty methodology. So the question remains, why did he ignore it and just go for the yellow sensationalist approach?

But the absurd doesn't stop with Secunia's flawed testing methodology. Mr. Kristensen concludes that "… major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities." Well duh, if you only test traditional signatures and neglect the other technologies included in the product which ARE designed to block exploits, what do you expect? Oh, wait, I just saw on their website that Secunia actually sells a vulnerability scanner! Hmmm, I wonder if that has something to do with the flawed conclusions of this test… Internet Security Suites do not rely on signature detection alone since many years ago. Panda's (and other) products integrate behavioral analysis, context-based heuristics, security policies, vulnerability detection, etc. However none of these technologies were tested by Secunia.

Let's just take 1 of the many protection technologies included in Panda Internet Security 2009 which DOES deal with prevention of vulnerability exploitation and see how it behaves against these exploits if tested correctly. I'm talking about Kernel Rules Engine, a security policy technology incorporated in 2004 to all Panda products which effectively prevents zero-day exploits of PDF, DOC, XLS, PPT and many other vulnerable applications. While Secunia's test grants Panda a lowly 1.59% detection rate of the important threats, if they would have tested correctly they would have found out that just with Kernel Rules Engine Panda's product is able to generically and proactively block 56% of the important threats. And this just with KRE technology. But Panda's  products also include other technologies such as TruPrevent's Behavioral Analysis, URL Filters and the Vulnerability Detection module which would prevent other exploits if Secunia cared to run their tests with a minimum level of professionalism.

Note to Secunia:
The following exploits (at least), which in your study are marked as "not detected by Panda", are actually detected generically with the correct testing methodology. Hint: have you tried actually "running" the exploits?

SA14896 CVE-2005-0944 PoC.mdb
SA20748#1 CVE-2006-3086 PoC.xls
SA21061 CVE-2006-3655 POC1.ppt
SA21061 CVE-2006-3656 POC2.ppt
SA21061 CVE-2006-3660 POC3.ppt
SA22127#1 CVE-2006-4694 PoC.ppt
SA23540 CVE-2007-0015 PoC.qtl
SA23676#2 CVE-2007-0028 Exploit1.xls
SA23676#2 CVE-2007-0028 exploit2.xls
SA23676#2 CVE-2007-0028 PoC.xls
SA23676#3 CVE-2007-0029 PoC.xls
SA23676#4 CVE-2007-0030 PoC.xls
SA23676#5 CVE-2007-0031 PoC.xls
SA24152 CVE-2006-1311 PoC.rtf
SA24359#1 CVE-2007-0711 PoC.3gp
SA24359#3 CVE-2007-0713
SA24359#4 CVE-2007-0714
SA24359#8 CVE-2007-0718 PoC.qtif
SA24359#9 CVE-NOMATCH PoC.jp2
SA24659 CVE-2007-0038 GameOver.ani
SA24664 CVE-2007-1735 PoC.wpd
SA24725 CVE-2007-1867 GameOver.ani
SA24784 CVE-2007-1942 Exploit.bmp
SA24784 CVE-2007-1942 PoC.bmp
SA24884 CVE-2007-2062 GameOver.cue
SA24973 CVE-2007-2194 GameOver.xpm
SA25023 CVE-2007-2244 PoC.bmp
SA25034 CVE-2007-2366 GameOver.png
SA25044 CVE-2007-2365 GameOver.png
SA25052 CVE-2007-2363 GameOver.iff
SA25089 CVE-2007-2498 PoC.mp4
SA25150#1 CVE-2007-0215 PoC1.xls
SA25150#1 CVE-2007-0215 PoC2.xls
SA25150#3 CVE-2007-1214 PoC.xls
SA25178 CVE-2007-1747 PoC.xls
SA25278 CVE-2007-2809 GameOver.torrent
SA25426 CVE-2007-2966 PoC.lzh
SA25619#1 CVE-2007-0934 PoC.vsd
SA25619#2 CVE-2007-0936 GameOver.vsd
SA25619#2 CVE-2007-0936 PoC.vsd
SA25826 CVE-2007-3375 PoC.lzh
SA25952 CVE-2007-6007 PoC1.psp
SA25952 CVE-2007-6007 PoC2.psp
SA25952 CVE-2007-6007 PoC3.psp
SA25988 CVE-2007-1754
SA25995#1 CVE-2007-1756 PoC.xls
SA25995#2 CVE-2007-3029 PoC1.xls
SA25995#2 CVE-2007-3029 PoC2.xls
SA25995#3 CVE-2007-3030 PoC.xlw
SA26034#4 CVE-2007-2394
SA26145 CVE-2007-3890 PoC1.xlw
SA26145 CVE-2007-3890 PoC2.xlw
SA26433 CVE-2007-3037 PoC.wmz
SA26619 CVE-2007-4343 Exploit.pal
SA26619 CVE-2007-4343 GameOver.pal
SA27000 CVE-2007-5279
SA27151 CVE-2007-3899 GameOver.doc
SA27151 CVE-2007-3899 PoC.doc
SA27270 CVE-2007-5709 GameOver.m3u
SA27304#1 CVE-2007-5909 GameOver1.rtf
SA27304#1 CVE-2007-5909 GameOver2.rtf
SA27304#1 CVE-2007-5909 PoC1.rtf
SA27304#2 CVE-2007-6008 PoC1.eml
SA27304#2 CVE-2007-6008 PoC2.eml
SA27361#4 CVE-2007-2263 PoC.swf
SA27849 CVE-2007-6593 GameOver1.123
SA27849 CVE-2007-6593 GameOver2.123
SA27849 CVE-2007-6593 GameOver3.123
SA28034 CVE-2007-0064 PoC1.asf
SA28034 CVE-2007-0064 PoC2.asf
SA28034 CVE-2007-0064 PoC3.asf
SA28034 CVE-2007-0064 PoC4.asf
SA28083#2 CVE-2007-0071 PoC.swf
SA28092#1 CVE-2007-4706
SA28209#10 CVE-2007-5399 PoCbcc.eml
SA28209#10 CVE-2007-5399 _PoC_cc.eml
SA28209#10 CVE-2007-5399 PoC_date.eml
SA28209#10 CVE-2007-5399 PoC_from.eml
SA28209#10 CVE-2007-5399 PoC_imp.eml
SA28209#10 CVE-2007-5399 PoC_prio.eml
SA28209#10 CVE-2007-5399 PoC_to.eml
SA28209#10 CVE-2007-5399 PoC_xmsmail.eml
SA28209#11 CVE-2007-5399 PoC.eml
SA28209#12 CVE-2007-5399 PoC.eml
SA28209#13 CVE-2007-5399 PoC.eml
SA28326 CVE-2008-0064 GameOver1.hdr
SA28326 CVE-2008-0064 GameOver2.hdr
SA28506#1 CVE-2008-0081 Exploit.xls
SA28506#1 CVE-2008-0081 PoC.xls
SA28506#2 CVE-2008-0111 PoC1.xls
SA28506#2 CVE-2008-0111 PoC2.xls
SA28506#2 CVE-2008-0111 PoC3.xls
SA28506#4 CVE-2008-0114 PoC.xls
SA28506#7 CVE-2008-0117 Exploit.xls
SA28506#7 CVE-2008-0117 GameOver.xls
SA28506#7 CVE-2008-0117 PoC.xls
SA28563 CVE-2008-0392 Exploit_CommandName.dsr
SA28563 CVE-2008-0392 GameOver_CommandName.dsr
SA28765 CVE-2008-0619 PoC.m3u
SA28765 CVE-2008-0619 PoC.pls
SA28802#1 CVE-2007-5659 GameOver.pdf
SA28802#1 CVE-2007-5659 PoC.pdf
SA28904#2 CVE-2008-0105 PoC1.wps
SA28904#2 CVE-2008-0105 PoC2.wps
SA28904#3 CVE-2007-0108 GameOver.wps
SA29293#1 CVE-2008-1581 PoC.pct
SA29321#2a CVE-2008-0118 PoC.ppt
SA29321#2b CVE-2008-0118 GameOver.ppt
SA29321#2b CVE-2008-0118 PoC.ppt
SA29620 CVE-2008-0069 GameOver.sld
SA29650#5 CVE-2008-1017
SA29704#1 CVE-2008-1083 PoC.emf
SA29704#2 CVE-2008-1087 PoC.emf
SA29838 CVE-2008-1765 Exploit.bmp
SA29838 CVE-2008-1765 GameOver.bmp
SA29934 CVE-2008-1942 PoC_ExtGState.pdf
SA29934 CVE-2008-1942 PoC_Height.pdf
SA29934 CVE-2008-1942 PoC_MediaBox.pdf
SA29934 CVE-2008-1942 PoC_Width.pdf
SA29941 CVE-2008-1104 Exploit.pdf
SA29941 CVE-2008-1104 PoC.pdf
SA29972 CVE-2008-2021 PoC.ZOO
SA30143#1 CVE-2008-1091 PoC.rtf
SA30953 CVE-2008-1435
SA30975 CVE-2008-2244 PoC1.doc
SA30975 CVE-2008-2244 PoC2.doc
SA31336#2 CVE-2008-3018 PoC.pict
SA31336#4 CVE-2008-3020 PoC.bmp
SA31336#5 CVE-2008-3460 PoC1.wpg
SA31336#5 CVE-2008-3460 PoC2.wpg
SA31336#5 CVE-2008-3460 PoC3.wpg
SA31385 CVE-2008-2245 PoC.emf
SA31441 CVE-2008-4434 PoC.torrent
SA31454#2 CVE-2008-3005 Exploit.xls
SA31454#2 CVE-2008-3005 PoC.xls
SA31675#3 CVE-2008-3013 PoC.gif
SA31675#4 CVE-2008-3014 PoC.wmf
SA31675#5 CVE-2008-3015 PoC.ppt
SA31821#6 CVE-2008-3626 PoC1.mp4
SA31821#6 CVE-2008-3626 PoC2.mp4
Categories: behavior analysis, News, Vulns Tags:

How to prevent zero day exploits

October 31st, 2007 3 comments

With all the talk about the latest wave of PDF exploits in the wild,
proactive protections against vulnerabilities in common applications (MS
Office, Acrobat Reader, RealPlayer, WinAmp, Windows Media Player…) are proving
to be an effective solution for protecting users. These proactive measures
allow the vast majority of users to be protected against any and all new 0-day
exploits without going bananas over whose vulnerability it is, where to
download the latest hotfix from, whether this hotfix will prevent future
similar vulnerabilities or even introduce new ones.


But how can we achieve effective proactive protection against these vulnerabilities? Some protections against Buffer Overflows, Heap Overflows, Integer Overflows, etc. have to overcome some great technological difficulties.
We need to search for a different path when designing an effective proactive
solution for end users. At Panda we developed a project of proactive
protections over 3 years ago which is now known under the commercial name of
TruPrevent ("How TruPrevent Works" Part 1 and Part 2).
The second part of this technology was specifically designed to avoid these types of
0-day exploits, protecting users from the very same moment the exploit is
released and before the vulnerability is widely patched.


The main idea consists of establishing a behavioral profile for

Basically, if we are able to establish which actions are legal and
which actions are outside of the normal behavior of an application, we can
detect potentially dangerous actions. You might think that establishing this
type of profile can be complicated, but let's go over a few examples that,
while being fairly simple, have allowed us to proactively block 100% of the
Microsoft Office and PDF exploits seen recently.


For example, how can we block 100% of the vulnerabilities that affect
Microsoft Office products?

If we review the malware that exploits vulnerabilities in Word, Excel,
PowerPoint, etc. we will find a common behavior which occurs when the
vulnerability is exploited: the creation of executable code in the system by
the Microsoft Office applications. Now we should ask ourselves the following
question: is it really necessary that Word, Excel, and PowerPoint should be able to create and launch executable code on the system? Is this not an atypical
behavior for these types of applications?


Let's think about some more examples. What applications really need to
execute cmd?

Does Adobe Acrobat need to execute cmd? NO.
Does Windows Media Player need to execute cmd? NO.
Does RealPlayer need to execute cmd? NO.

These are very simple examples but which have demonstrated their
effectiveness against many vulnerabilities during the last years. These types
of protections can be greatly enhanced with the help of event correlation
logic, which allows for establishing a baseline of application behavior,
thereby avoiding the limitation of basing decisions only on individual or point


Why don't we block these behaviors by default?
But the big question is "who is we?" Who is responsible for
creating a safe computing environment that does not allow these types of
vulnerabilities to run wild and spread more malware with complete immunity?
Without going into another finger-pointing war about who's fault it is (Adobe
has issued a patch even though it doesn't solve the underlying problem), "we" is the
entire computing industry, including OS and third-party vendors as well, not
only the anti-malware vendors. Fixing point-problems (patches for
vulnerabilities) without attacking the root of the problem will continue to allow
malware to prevail.

TruPrevent's Kernel Rule Engine proactively blocking a PDF exploit 

Thanks to Ismael Briones for his great contributions and continued work on vulnerability exploitation prevention.

Categories: behavior analysis, Vulns Tags:

Technology Paper: From AV to Collective Intelligence

August 27th, 2007 2 comments

There is more malware than ever being released in the wild, and antivirus
companies relying on signatures to protect users cannot keep up with the pace of
creating signatures fast enough. As a result, the current installed base of
anti-malware solutions is proving to be much less effective against the vast
amounts of threats in circulation.

As we have been able to proof in a recent research study, even users
protected with anti-malware and security solutions with the latest signature
database are infected by active malware. Complementary approaches and
technologies must be developed and implemented in order to raise the
effectiveness to adequate levels.

This paper presents the fourth generation of security technologies by Panda
Security, called Collective Intelligence. The Collective Intelligence allows us
to maximize our malware detection capacity while at the same time minimizing the
resource and bandwidth consumption of protected systems.

The Collective Intelligence represents an approach to security radically
different to the current models. This approach is based on an exhaustive remote,
centralized and real-time knowledge about malware and non-malicious applications
maintained through the automatic processing of all elements scanned.

One of the benefits of this approach is the automation of the entire malware
detection and protection cycle (collection, analysis, classification and
remediation). However automation in and by itself is not enough to tackle the
malware cat-and-mouse game. With large volumes of malware also comes targeted
attacks and response time in these scenarios cannot be handled by automation of
signature files alone.

The other main benefit that the Collective Intelligence provides is that it
allows us to gain visibility and knowledge into the processes running on all the
computers scanned by it. This visibility of the community, in addition to
automation, is what allows us to tackle not only the large volumes of new
malware but also targeted attacks.

Available for download in PDF format.

Categories: behavior analysis, Heuristics, Malware Tags:

How TruPrevent Works (II)

June 13th, 2007 Comments off

This is the second part of the "How TruPrevent Works" article series. Apologies in advance if it seems a bit like shameless self promotion.

Code-named KRE (Kernel Rules Engine) this is TruPrevent’s second component, a Behavior Blocking module which complements TruPrevent's Behavioral Analysis. If we were to map these two modules within the HIPS framework used by Gartner to categorize the different technology styles used by integrated endpoint security suites, they would fit into the "Application Control, Resource Shielding and Behavioral Containment" styles. Such technology styles are not however as compartmentalized in commercial products as they may seem in Gartner's framework.

Hackers and malware mafias abuse the privileges of legitimate applications to attack systems by injecting code. To prevent these types of attacks generically a very cost-effective approach is to use rule-based blocking technology which can restrict the actions that authorized applications can perform in the system.

KRE is composed of a set of policies which are defined by a set of rules describing allowed and denied actions for a particular application of group thereof. Rules can be set to control an application’s access to files, user accounts, registry, COM objects, Windows services and network resources.

Despite offering a high degree of granularity to administrators for creating custom policies for deployment within a corporate network, KRE is shipped with a set of default configuration rules which are managed and updated regularly by PandaLabs. A limited list of the most relevant and queried rules can be viewed at These provide protection against attacks exploiting common weaknesses found in out-of-the-box as well as fully-patched installations of Windows operating systems, such as modifications of the HOST file, loading Browser Helper Objects (BHO) in a certain way, exploitation of browser and email vulnerabilities, downloading and running executable code from within the iexplorer.exe process, launching commands from service applications, and many more such policies.

In summary, KRE provides a true security lock-down of a typical Microsoft Windows installation, regardless if it's patched or not. This technology has allowed us to tighten the security of a box which is normally left open by newly discovered vulnerabilities and techniques commonly used by malware mafias.

A recent example of the effectiveness of KRE is the never-ending wave of Microsoft Office format vulnerabilities. These vulnerabilities have been used recently by targeted attacks on certain companies. According to a study of known (patched) and zero-day (un-patched) Microsoft Office vulnerability exploits, an average AV signature detection rate of 50% was achieved by all tested antivirus engines. That’s a one-in-two chance of being infected by simply opening an exploited Microsoft Word, PowerPoint or Excel document.

Instead of relying on signatures and heuristics for these type of attacks, Behavior Blocking technologies such as KRE proactively prevents Microsoft Word, PowerPoint, Excel, Access, Acrobat Reader, Windows Media Player and other applications from dropping and running any type of executable code on the system. Unlike any AV signatures tested, TruPrevent provides real zero-day protection against any of these Microsoft Office exploit, known or unknown.

For example, rules 1039 & 1042: Recent MS Office, Acrobat and Windows Multimedia vulnerabilities have been discovered (PowerPoint, Excel, Word, Wmplayer, Acrobat Reader and others are vulnerable). In a normal behaviour these applications shouldn't create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited, as shown on the blocking notification when trying to open an infected Microsoft Word document.

In this case KRE is preventing these applications from creating and executing code in the system and thereby stopping malware without having to rely on signatures or heuristics for protecting users. Of course there are many more examples of how to block a multitude of malicious behaviour, but I think if you've read this far you get the picture.

Categories: behavior analysis Tags:

How TruPrevent Works (I)

May 24th, 2007 20 comments

I recently came across an interesting document by Gartner's analyst Neil MacDonald, called Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough. There is confusion in the market about what a HIPS really is and Neil's work really helps in clarifying the different technologies that are being marketed as HIPS. Similarly other articles such as HIPS: what's in a name? also talk about the confusion in the market about the subject.

In Neil's document different HIPS solutions are analyzed based on the different technology approaches they use. He differentiates among technologies which work when code is entering the network, non-executing code, and code executing in the machine. As the document labels Panda TruPrevent Technologies as a HIPS and I've been asked about this many times already, I thought I'd write a couple of articles to explain exactly what TruPrevent is and how it works.

TruPrevent consists of 2 main technologies: behavioral analysis (intelligent analysis and termination of a running process by its behavior) and behavioral blocking (a.k.a. policy-based application control and system hardening). When integrated with an anti-malware signature-based engine, static heuristics, a deep packet inspection firewall, prevention of vulnerability exploitation and network access control it makes up what is considered an integrated, "converged HIPS" solution.

TruPrevent Behavioral Analysis
Code-named Proteus, it acts as a true last line of defense against new malware executing in the machine that manages to bypass signatures, heuristics and behavior blocking. Proteus intercepts, during runtime, the operations and API calls made by each program and correlates them before allowing the process to run completely. The real-time correlation results in processes being allowed or denied execution based on their behavior alone.

As soon as a process is executed all its operations and API calls are monitored silently by Proteus, gathering information and intelligence about that process's behavior. During the initial execution path, a malicious process will try to perform a series of actions, each of which is correlated by Proteus. It is then that Proteus decides, as early in the execution path as possible, whether the process is malicious or not. If it is determined as suspicious, the communication of the process is blocked. Immediately thereafter, as it's determined malicious, the process is blocked and killed before it can carry out all of its actions and prevented from running again.

Unlike other behavioral technologies, Proteus is autonomous and does not present technical questions to the end user ("Do you want to allow process xyz to inject a thread into explorer.exe or memory address abc?"). If Proteus thinks that a program is malicious it will block it without requiring user intervention. Most users cannot make informed decisions when it comes to security. Some behavioral products throw non-deterministic opinions — or behavioral indecisions — whose effectiveness depends on the user clicking on the right choice.  A key functionality of any behavioral technology must be making decisions without user intervention. Anything less is a potential point of failure.

Proteus has been built from the ground up to detect the maximum number of malware as quickly as possible, as early in its execution path as possible and without any user intervention. Our internal stats show that this technology alone is capable of detecting (without signatures and heuristics) 80 to 90 percent of the new malware that causes epidemics in the wild without generating problematic false positives or behavioral indecisions. A bot would not be a bot if it didn’t behave as such, but if it does so it will be detected by this technology, regardless of its shape or name.

In the next article we'll dive into TruPrevent's behavioral blocking, a policy-based application control and system hardening technology.

Categories: behavior analysis Tags: