[Repost] Norton AntiBot review (translated from PC Magazine)





天氣預報
2007-10-01, 07:17 PM

Original translator:
Norton China forum user hljdqzr

Didn't feel like studying and my hands were itching again, so here is another one; please forgive any mistakes. Norton AntiBot also received PC Magazine's Editors' Choice award.

The word robot comes from a Slavic root meaning "work," and the nasty programs that we call "bots" are always working, working, working to make trouble. But the more they do, the more likely they'll be caught by the behavior-based Norton AntiBot. Install NAB alongside your existing signature-based malware protection to add another level of security against threats too new to have a known signature.

Symantec licensed NAB's behavioral technology from Sana Security, and the program looks and acts just like Sana's Primary Response SafeConnect (PRSC) utility. The colors and logos are different, but the features and screens are almost identical. Sana's technology monitors all running processes and tracks nearly 300 distinct behaviors, boiled down to about 70 for display purposes. No single behavior identifies a malicious program. You won't get a warning just because a new program added itself to the Startup sequence or connected to the Internet. Many of the individual behaviors also occur in perfectly valid programs. Like an FBI profiler, it weaves together the whole collection of behaviors to identify bad guys and only bad guys.

Keeping a Watchful Eye

I installed NAB on a clean test system and started throwing malicious software at it. NAB pays attention to the location from which a file was launched, so I downloaded fresh copies from the Internet when possible. NAB caught some of the threats almost immediately after launch. To activate the malware it hadn't caught, I tried surfing the Web, opening some documents, and rebooting the system, giving it more chances to see the processes in action. And if it still didn't sound an alarm, I left the system running over a weekend, rebooting from time to time.

The key point is that a behavior-based malware detection system needs to see a process doing something malicious before it can act. If the W32/Avada.Kedavra virus is completely inert except on July 31, then NAB will detect it only on July 31. It's quite possible that given time and the right circumstances, NAB could have detected more of my sample threats. I gave it full credit if it completely disabled the threat, preventing it from running. I insist that signature-based products remove all executable files in order to get full credit, but NAB is different. Its particular job is to hamstring a brand-new threat and keep it from doing harm until your signature-based scanner can manage a full cleanup.

When tested against 20-odd malware samples, including adware, spyware, Trojan horses, rootkits, and rogue antispyware, NAB scored 7.1 out of 10. It got the same score in a separate test using commercial keyloggers. That's better than many products do even when they have a huge database of malware signatures to rely on. On the other hand, PRSC scored 9 out of 10 last year. The difference may be that my current collection includes more items using rootkit-style stealthy techniques, which aren't this bot-killer's strong point.

Do I Know You?

Though NAB reported most threats with descriptions like "Unknown" or "GENERIC PUP" (Potentially Unwanted Program), it fingered a few of them by name. I asked Symantec how it could do that, given that it doesn't use signatures. Is it cheating? Does it have a hidden stash of signatures? It turns out that waaay back at the beginning, Sana's early adopters really wanted to see which threats were being blocked, so Sana coded in a few thousand simple signatures strictly for naming purposes. Those signatures are still present in the current code, so after NAB detects a threat based on behavior, it checks whether it's a byte-for-byte match with one of the signatures; if so, it displays the name.

In its default configuration, NAB is a real chatterbox. It reports each detected threat with an option to show the specific suspicious behaviors that contributed to its detection. It prompts you to save your work, shows progress as it does the job, and asks permission to reboot if necessary. I like to know what's going on, so I appreciate these messages. But the program is reliable enough that you may choose to turn off all except the reboot prompt and tell it to quarantine automatically any threat it finds. There's also an option (turned on by default) to submit found threats to Symantec Security Response for analysis. If your signature-based protection is also from Symantec, leaving this option turned on will help shorten the time until you receive a signature for the newly found threat.

Too tired; I'll update the rest next time. Sorry.

Bonus Round
NAB doesn't promise to clean up malware that's already on your system; it leaves that job to your standard signature-based scanner. Still, I couldn't resist torturing it by installing it on badly infested systems. It ran into a couple of the same problems that have plagued other security products. It couldn't install on one system because the malware fought back, blocking the installation. And partial removal of a rootkit put another system into a blue-screen reboot death spiral. Symantec pointed out that both problems would have been solved by Norton Internet Security or another similar product. And yes, NIS 2007 breezed through these two problems, so installing NAB with NIS 2007 would've worked fine.
As with the blocking test, if NAB didn't notice a threat right away, I tried exercising the system a bit, rebooting, and leaving it running for days, to give the program a chance to see more behaviors. I couldn't run a full test of NAB alone because of the problems mentioned above. Still, it managed to remove some of the threats, scoring about 3 of 10 against spyware and about 4 of 10 against commercial keyloggers. That doesn't sound impressive, but remember, this test is only for "bonus points." NAB doesn't promise to remove existing threats at all.
Given the repeated mantra that NAB is designed to work in a team with a signature-based security solution, it darn well better be a good team player. Symantec emphasizes that it does work with security solutions from other vendors, and it will be marketed as a standalone product for the foreseeable future. (Symantec will wait until the product is more mature before rolling it into its Norton Internet Security suite.) For a quick check, I installed it along with a number of other security products, including the current suites from ZoneAlarm, McAfee, Kaspersky, and Trend Micro. Though I didn't do extensive testing on each system, I launched a signature-based scan with each; no problem. Overall, NAB seemed to get along with the other products just fine.
Norton AntiBot definitely offers protection against fast-changing, fast-acting malware such as bots─protection you might not get from a signature-based malware scanner. According to Symantec's threat research group there are 6 million active bots on the loose; scary! You don't absolutely need this additional layer of protection, but if you've got an extra $30 in your security budget, consider adding this tool to your security arsenal.

Reposted from Norton China
http://www.nortoncn.com/forum/viewthread.php?tid=4808
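As an added illustration (not code from the original review, and not Sana's or Symantec's implementation): a toy behaviour-scoring detector in Python that mirrors the three points the review makes about NAB. Many individually harmless behaviours are weighted and summed per process; no single behaviour can reach the alert threshold on its own; and a process that never does anything observable gets no verdict at all, which is the "inert until July 31" limitation. The naming step at the end reproduces the exact-match lookup the review describes, done here as a SHA-256 of the image rather than a byte-for-byte compare. Behaviour names, weights, the threshold, the process trace, the sample image bytes and the signature table are all constructed for this example.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Hypothetical behaviour weights. The real product tracks ~300 behaviours with
# proprietary weights; these eight are constructed for illustration only.
BEHAVIOUR_WEIGHTS: Dict[str, int] = {
    "add_startup_entry": 1,          # common in legitimate installers
    "outbound_connect": 1,           # common in legitimate software
    "outbound_connect_irc_port": 3,  # classic bot command channel
    "download_and_execute": 3,
    "write_to_other_process": 4,     # code injection
    "mass_smtp_connections": 4,      # spam relay
    "hide_own_process": 4,           # rootkit-style stealth
    "disable_security_service": 5,
}

# Chosen so that no single behaviour can reach it on its own.
ALERT_THRESHOLD = 8
assert max(BEHAVIOUR_WEIGHTS.values()) < ALERT_THRESHOLD

# Constructed "naming only" table: hash of the image -> display name.
# Consulted only after a behavioural verdict, never to decide maliciousness.
CONSTRUCTED_BOT_IMAGE = b"MZ\x90\x00constructed-bot-sample-not-real-malware"
NAMING_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(CONSTRUCTED_BOT_IMAGE).hexdigest(): "Hypothetical.Bot.Example",
}

# Constructed process trace: (pid, image name, observed behaviour).
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (100, "setup.exe", "add_startup_entry"),
    (100, "setup.exe", "outbound_connect"),
    (200, "svch0st.exe", "add_startup_entry"),
    (200, "svch0st.exe", "outbound_connect_irc_port"),
    (200, "svch0st.exe", "write_to_other_process"),
    (200, "svch0st.exe", "hide_own_process"),
    (200, "svch0st.exe", "disable_security_service"),
    (300, "update.exe", "outbound_connect"),
    (300, "update.exe", "download_and_execute"),
    (300, "update.exe", "mass_smtp_connections"),
]


def score_behaviours(behaviours: Iterable[str]) -> int:
    """Sum the weights of the *distinct* behaviours a process has shown.
    Repeating one behaviour does not raise the score; breadth does."""
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in set(behaviours))


def classify(events: Iterable[Tuple[int, str, str]]) -> Dict[int, dict]:
    """Group events per pid and return a verdict for every process that has
    shown at least one behaviour. A process that has done nothing observable
    (e.g. inert until a trigger date) gets no entry at all."""
    per_pid: Dict[int, dict] = {}
    for pid, image, behaviour in events:
        entry = per_pid.setdefault(pid, {"image": image, "behaviours": set()})
        entry["behaviours"].add(behaviour)
    verdicts: Dict[int, dict] = {}
    for pid, entry in per_pid.items():
        score = score_behaviours(entry["behaviours"])
        verdicts[pid] = {
            "image": entry["image"],
            "score": score,
            "malicious": score >= ALERT_THRESHOLD,
            "behaviours": sorted(entry["behaviours"]),
        }
    return verdicts


def name_threat(image_bytes: bytes) -> str:
    """Naming step only: exact-match lookup for a display name, else Unknown."""
    return NAMING_SIGNATURES.get(hashlib.sha256(image_bytes).hexdigest(), "Unknown")


if __name__ == "__main__":
    for pid, v in classify(SAMPLE_EVENTS).items():
        flag = "ALERT" if v["malicious"] else "ok   "
        print(f"{flag} pid={pid} {v['image']:<12} score={v['score']:>2} {v['behaviours']}")
    print("name:", name_threat(CONSTRUCTED_BOT_IMAGE), "/", name_threat(b"something else"))
```

The installer (pid 100) adds a startup entry and connects out, exactly the two behaviours the review says will not trigger a warning by themselves, and stays well under the threshold; the IRC-connecting, injecting, AV-disabling process (pid 200) is flagged on the combination. The scoring counts each distinct behaviour once, so a process cannot be pushed over the line by repeating one benign action, and a process absent from the trace produces no verdict, which is why a detector like this must watch the system long enough to see the behaviour happen.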