New! - Dr.Web


Dr.Web ERA
Emergency Response Anti-virus
New features in Dr.Web 9.0 for Windows
New!
1. Dr.Web behaviour analyser: protection against the latest
threats
Dr.Web Process Heuristic
Actual modern threats
Encoder, Winlock, Inject and Exploit Trojans
account for almost 90% of real threats
Actualities of modern AV
protection
• Today virus writing is an industry serving well-established
illicit business.
• New malicious programs appear daily in hundreds of
thousands. Virus analysts simply don't have time to
process so many suspicious files.
• It can take hours or even days for a new virus definition to
get into the database. If the malware is complex—it may
take even months.
There is always a risk of infection with an UNKNOWN
virus
Anti-virus is not a panacea, but:
No modern software other than an anti-virus
can cure a computer of malware that
penetrated the system.
What does anti-virus protection mean
today?
• Prevent viruses from getting into the system?
• Prevent viruses from launching in the compromised
system?
• Do not allow a virus to use its malicious payload?
• Remove a detected virus? Or completely clean (i.e.
cure) the system of any malicious impact?
And what do you think a modern anti-virus should be
able to do?
Dr.Web Anti-virus 9.0
• Neutralization of known threats whose
definitions are present in the virus databases
• Neutralization of threats that are unknown to the
virus database but can be detected by the heuristic
analyser
• New in version 9! Neutralization of unknown
malware using the DPH-technology
Almost 100% protection
History
• 1992 — Igor Danilov created the world's first
version of anti-virus behaviour analyser for
MS DOS and OS/2.
• 1999 — Dr.Web developers announced
SpIDer Netting for Windows 9.x — the first
behaviour analyser for MS Windows.
History
2013 — DPH-technology
New Dr.Web behaviour analyser
Malware behaviour
• Unique new viruses are few.
• Most of them can be divided into groups (families)
based on the characteristics they have in common
with regards to their malignant manifestation in a
system—data encryption, blocking access to
Windows, etc.
• Programs of the same family perform similar tasks,
i.e., they follow a single behaviour pattern. This is
their weakness.
DPH - protection against threats which are
unknown to the Dr.Web virus database
• Years of experience in analysing malware
behaviour patterns laid the groundwork for
this technology.
• It analyses all new processes that exhibit
malicious behaviour, unless an entry in the
database enables the anti-virus to be
completely certain that the process is
malicious.
DPH – how it works
• Once a program is launched, its behaviour is
analysed.
• The pattern is compared to those already known
to Dr.Web to determine if the application is
harmful.
• Next, the comprehensive curing is carried
out—the supposed malware is moved to
quarantine and files protected by Dr.Web are
restored to their original state.
Dr.Web Process Heuristic protects
systems against new, highly prolific
malicious programs that are capable of
avoiding detection by traditional signature-based analysis and heuristic routines
because they haven't yet been analysed in
the anti-virus laboratory and, therefore, are
unknown to Dr.Web at the moment of
intrusion.
The DPH-technology of Dr.Web 9.0
enables the anti-virus to detect
up to 90% of unknown brand-new
malware.
New!
2. Protection from Data Loss
Threat: Trojan.Encoder
1. The first versions of the Trojan: 2007.
2. The ransom extorted by criminals for decryption varies from a
few dozen to several thousand dollars.
3. Geography: Russia, the CIS countries, as well as more recently
— the countries of Europe, North and South America.
4. The main trend in 2013 is to forward the encryption settings to
the attackers' server, so that no data that could help in decryption
remains on the infected machine.
5. Dr.Web virus database entries — about 300 modifications of
Trojan cryptographers.
All is lost? Not with Dr.Web!
To be detected by DPH, an unknown threat
must be running in the system.
In case of Trojan.Encoder it means that
some data (6-10 files) will have been
encrypted by the Trojan.
New in version 9
User data protection
Files from directories, defined by the
user, are regularly backed up and kept
safe.
How it works
• The user selects files to protect.
• These files are copied into a single directory (the
first snapshot includes all the data, while later ones
only contain modified data).
All Dr.Web-protected files that have been
encrypted by a Trojan.Encoder, will be restored!
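The snapshot scheme described above (a full first copy, then only modified files), written out in Python. This is an added example, not Dr.Web's code; the store layout, manifest format and function names are assumptions. Because every earlier version is kept, restoring to a snapshot taken before the damage recovers the files even if a later snapshot has already captured them in their damaged state.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def take_snapshot(protected_dir, store):
    """Snapshot 0 copies every file; later ones copy only new or changed files."""
    protected_dir, store = Path(protected_dir), Path(store)
    n = sum(p.name.isdigit() for p in store.iterdir()) if store.is_dir() else 0
    prev = json.loads((store / str(n - 1) / "manifest.json").read_text()) if n else {}
    (store / str(n)).mkdir(parents=True)
    manifest, copied = {}, []
    for f in sorted(p for p in protected_dir.rglob("*") if p.is_file()):
        rel, digest = f.relative_to(protected_dir).as_posix(), _sha256(f)
        if prev.get(rel, {}).get("sha256") == digest:
            manifest[rel] = prev[rel]          # unchanged: point at the older copy
            continue
        dest = store / str(n) / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest)
        manifest[rel] = {"sha256": digest, "snapshot": n}
        copied.append(rel)
    (store / str(n) / "manifest.json").write_text(json.dumps(manifest))
    return n, copied

def restore(store, n, target_dir):
    """Rebuild the file set as it was at snapshot n, verifying each stored copy."""
    manifest = json.loads((Path(store) / str(n) / "manifest.json").read_text())
    for rel, meta in manifest.items():
        src = Path(store) / str(meta["snapshot"]) / "data" / rel
        if _sha256(src) != meta["sha256"]:
            raise ValueError(f"stored copy of {rel} does not match its manifest hash")
        dest = Path(target_dir) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
    return sorted(manifest)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        docs, store = Path(tmp, "docs"), Path(tmp, "store")
        docs.mkdir()
        (docs / "a.txt").write_text("report")      # constructed sample files
        (docs / "b.txt").write_text("notes")
        first = take_snapshot(docs, store)         # full copy
        (docs / "b.txt").write_text("notes v2")
        second = take_snapshot(docs, store)        # only b.txt is copied
        for f in docs.iterdir():                   # constructed stand-in for damaged files
            f.write_bytes(b"\x00damaged")
        restore(store, second[0], docs)
        return first, second, {f.name: f.read_text() for f in docs.iterdir()}
```

The store must sit outside the protected directory, and in practice on a location the protected user account cannot write to, otherwise the copies can be damaged along with the originals.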
Data loss protection features
• Directory list (Documents, libraries) — files
that require protection.
• Select the disc to store copies of protected
files — backup location.
• Backup frequency — how often snapshots of
protected files will be taken.
• Manual revision of data — at any time.
Preferences
IMPORTANT! The feature is disabled by default. To use it, you need to
adjust corresponding settings.
This data protection feature lets users of
Dr.Web 9.0 for Windows restore damaged
data* on their own, without contacting Doctor
Web's technical support—all users need to do
is to press the “Restore” button.
*in selected directories
The ability to create Dr.Web-protected
copies with the possibility of their
subsequent recovery is one of the
comprehensive treatment measures used
to cure unknown threats that have been
detected by Dr.Web Process Heuristic.
New!
3. Comprehensive analysis of
packed threats
The Dr.Web unique proprietary
technology
Threat: known malware + new packer =
"new" malware
• A large number of supposedly "new"
malicious programs are in fact well-known
malware wrapped up with other packers.
• Sometimes an anti-virus can't recognise
malware wrapped up by another packer.
• The same virus can be repacked several
times per hour and unleashed into the wild.
Improved detection of known viruses
New technology:
• Significantly improved detection of
supposedly "new" threats—the definitions are
already present in Dr.Web virus database
but malware is concealed by new packers.
• No need to add new entries about threats
over and over again.
Dr.Web virus databases are small =
• no need for a constant increase in system
requirements
• Small updates
Traditionally high quality of detection and
curing
Improved!
4. Now even faster
Fast scanning
• Improved performance on machines
involved in processing large amounts of
data, thanks to the revamped Dr.Web
SpIDer Guard routines.
• Faster scan with Dr.Web Cloud — the
service's architecture has been redesigned to
provide a significant boost of speed.
New!
5. Full scan of all traffic
New!
Safe traffic — scanning on all ports is
carried out on traffic transmitted via Dr.Web-supported protocols, including secure
connections (if the user has enabled the
option to scan SSL traffic).
New!
Safe Internet Surfing — with secure
search, Google, Yandex, Yahoo!, Bing and
Rambler will only return links to content
considered safe by the search engines and
Dr.Web. Dangerous sites will be excluded
from search results altogether!
New!
Secure Communication — filtering traffic of
instant messengers such as Mail.Ru Agent,
ICQ, Jabber, QIP and Pidgin.
• Links that lead to malware and phishing sites
are removed from messages.
• Scanning of transmitted files. Transfer of
potentially harmful files is blocked.
New!
6. With Dr.Web Parental Control,
removable devices and computers
can be protected against
unauthorised use.
Threats that spread with flash
drives and other removable
devices—Trojans
• Trojans are today’s most common threats.
• Trojans cannot replicate themselves—that is, cannot
spread on their own.
• Users carry Trojans from computer to computer on
USB flash drives and other removable devices—not
only between home computers, but also from home
computers to their working desk.
• Removable devices are those that connect to a
computer via USB.
New!
Import /export white lists of trusted
devices—transfer the list to another
computer manually or transmit it to a
remote machine via the anti-virus
network.
New!
Block any adjustments to the system
time and time zone to prevent children from
using the computer without their parents’
permission.
New!
Prevent print jobs from being started
to prevent confidential documents from
being printed and to save printing paper.
New!
7. Protection of copyrighted
content
Blocking access to sites
involved in piracy
New!
A separate database for sites that distribute
unlicensed content.
New!
9. New databases of Dr.Web
Firewall
A new approach to protection
Ultimately user-friendly
New Dr.Web Firewall
Previously: pre-defined database for
applications and custom rules defined by the
user.
To create a rule database, one had to respond
to dialogues to create a rule for every
application—something which proved to be
rather annoying.
New Dr.Web Firewall
Now: the database of trusted applications.
These are programs that incorporate a digital certificate.
Applications that Dr.Web believes to be legitimate can
connect to any address via any port.
Exception: if a program is not digitally signed, its
signature is invalid, or there is no signature at all, (e.g.,
those created by enthusiasts or open source programs),
the user is prompted to create a rule.
Advantages of the new Dr.Web
Firewall
• The new Dr.Web Firewall database makes
it much easier to create user rules.
• Far less annoying!
Also in version 9:
Easy upgrade from Dr.Web Antivirus to Dr.Web Security Space
Now there is no need to remove Dr.Web for
Windows before installing Dr.Web Security
Space — the necessary components will be
added to the existing installation.
Easy installation
Upgrade to version 9
From version 8 — AUTOMATIC
Dr.Web 9.0 for Windows —
real protection
from real threats
Thanks for watching!
Doctor Web