The poster above is right: for static heuristics NOD32 is still the best, with few false positives. The three vendors with the lowest false-positive rates right now are NOD32, BD and Panda; VBA32 and DrWeb are the runners-up.
Some of the issues in that post touch on other problems, for example Panda's online engine not matching the standalone version: the online engine flags packers, but the standalone version does not.
The post is rather long. Is there really any need to publish it? Publishing it would probably hurt some vendors' distributors.
Brother proll, don't be afraid of the powerful.
Author: proll
Good or bad, antivirus results should all be reported so everyone knows.
A few days ago I also used VirusTotal to scan a multi-packed variant of Viking (威金),
but VirusTotal did not flag it,
while scanning with KAV actually did detect it.
And this kind of thing has happened more than once.
VirusTotal can at most be treated as a reference;
what counts is how the software actually behaves when running on the OS.
I just installed KIS 6.0.1.411 and immediately tested it against the virus that trashed my machine last time when I tested Panda:
http://www.pczone.com.tw/showthread.php?t=129153
With real-time file monitoring turned off, when I launched that virus KIS's proactive protection successfully intercepted it.
Author: harry_chang2003
Proactive Defense's effectiveness deserves credit, but since it is not intelligent, not everyone can get the hang of it.
Many people have no computer experience and don't know how to judge the prompts, so a feature like this may be of no help to them at all.
Proactive's false-positive rate is also fairly high; these problems all need to be improved.
Also, the latest MP1 has started showing interruptions again.
Kaspersky's proactive defense is very sensitive to program execution; as long as something matches a rule, it alerts...
I don't understand Panda's HIPS very well, but it isn't like Kaspersky, which alerts on every match.
BD's HIVE technology is similar to NOD32's: it also tests programs in a virtual environment...
Could Brother proll explain how HIPS works?
Proactive isn't HIPS, is it? It is just behavioral judgment; TruPrevent is HIPS, and a rule-based one at that.
Could you explain the differences between Proactive and TruPrevent, and their respective strengths and weaknesses?
Author: proll
Judging from the GSS I have used:
HIPS: Host Intrusion Prevention System
The HIPS we use on personal machines can be divided into 3D: AD (Application Defend), the application defense layer; RD (Registry Defend), the registry defense layer; and FD (File Defend), the file defense layer. Through customizable rules it judges locally running programs, registry read/write operations and file read/write operations, and allows or blocks them.
Some antivirus products and firewalls today also include HIPS functionality, TruPrevent for example.
Here are some of Panda TruPrevent's rules; I think TruPrevent's rule set is fairly adequate.
Rule 1001: This rule prevents Internet Explorer and the Explorer.exe file from loading and viewing the Browser Helper Objects (BHO) associated with spyware, which are normally used once installed.
Rule 1002: In order to protect against certain malware, command interpreters and user applications that require user intervention cannot be executed by specific programs: mail clients, instant messengers, Office programs, text editors, multimedia applications, system applications, etc.
Rule 1003: This rule prevents any application from installing the Browser Helper Objects (BHO) associated with spyware, which are normally used once installed.
Rule 1004: If the file C:\explorer.exe exists, it is run instead of the file of the same name stored in the Windows directory. To prevent malware from exploiting this, the rule blocks any attempt to create, modify or run a file called explorer.exe stored in C:\.
Rule 1005: This rule prevents the HOSTS file from being modified; it is stored in c:\WINDOWS\system32\drivers\etc\hosts in Windows 2000 or XP, for example.
Rule 1007: This rule blocks attempts to exploit the "MHTML URL Processing Vulnerability" in the browser or mail client. This vulnerability allows remote code to be run on the system.
Rule 1008: This rule blocks MSHTA when it tries to create .exe, .scr, .pif and .com files, in order to prevent attempts to exploit "MHTML URL Processing Vulnerability" type vulnerabilities.
Rule 1009: This rule allows detection of buffer overflow exploits.
Rule 1016: In order to protect against certain malware, command interpreters, certain user applications that require user intervention and specific dangerous extensions cannot be executed by web browsers.
Rule 1019: This rule does not allow the files HOSTS and LMHOSTS to be modified. Certain malware changes these files so that web addresses belonging to security tool companies, such as those supplying antivirus programs and firewalls, cannot be resolved, thereby preventing those applications from being updated.
Rule 1020: This rule protects against certain vulnerabilities in Internet Explorer that allow applications to be downloaded and run from the Downloaded Program Files directory without user intervention, just by accessing a malicious web page.
Rule 1021: This rule prevents the modification of Windows Registry entries related to blocking Registry editing tools and disabling Windows protection against overwriting protected system files.
Rule 1022: This rule does not allow Microsoft HTML Application Host (the MSHTA.EXE file) to run certain commands, such as COMMAND.COM. By doing this, certain Internet Explorer vulnerabilities are avoided.
Rule 1023: This rule does not allow Microsoft HTML Application Host (the MSHTA.EXE file) to modify Windows Registry entries related to Internet Explorer settings (Start Page, Search Bar, Use Search Assistant, etc.). By doing this, certain Internet Explorer vulnerabilities are avoided.
Rule 3000: In order to protect against certain malware, command interpreters and user applications that require user intervention cannot be executed by Network Service Applications.
Rule 3001: In order to protect against vulnerabilities in certain programs, which would allow entries in the Windows Registry to be modified, these entries cannot be changed by applications that do not need them: Network Service Applications.
Rule 4004: In order to protect against certain malware, command interpreters and user applications that require user intervention cannot be executed by specific programs: IIS Web Server.
Rule 5003: In order to protect against certain malware, command interpreters and user applications that require user intervention cannot be executed by specific programs: SQL Server.
Rule 6000: In order to protect against certain malware, command interpreters and user applications that require user intervention cannot be executed by specific programs: Exchange Server.
This post was last edited by proll on 2006-11-23 08:00 PM.
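As an added illustration, not part of the thread and not Panda's code, the following Python models the AD/RD/FD split proll describes and the shape of the quoted TruPrevent rules as a small default-allow policy evaluator. It generalizes the recurring "these parents may not launch command interpreters" pattern (rules 1002, 1016, 3000, 4004, 5003, 6000) into one rule factory and encodes 1004, 1008, 1019, 1021, 1022 and 1023 as predicates over events. The event model, process lists, registry value names (the values assumed for rule 1021) and the sample events are all constructed assumptions for the example.

```python
"""Toy rule-based HIPS evaluator in the AD/RD/FD style (added example, not TruPrevent).

Rule bodies paraphrase the TruPrevent descriptions quoted in the thread; the
event fields, process sets, registry value names and sample events are
constructed assumptions, not Panda's actual implementation.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple
import ntpath

# Constructed process and path sets used by the predicates (assumptions).
INTERPRETERS = {"cmd.exe", "command.com", "wscript.exe", "cscript.exe", "powershell.exe"}
DANGEROUS_EXT = {".exe", ".scr", ".pif", ".com"}
USER_APPS = {"outlook.exe", "msimn.exe", "msnmsgr.exe", "winword.exe", "excel.exe",
             "notepad.exe", "wmplayer.exe"}                 # rule 1002 parents
BROWSERS = {"iexplore.exe", "firefox.exe"}                   # rule 1016 parents
SERVERS = {"inetinfo.exe", "w3wp.exe", "sqlservr.exe", "store.exe"}  # IIS / SQL / Exchange
HOSTS_FILES = {r"c:\windows\system32\drivers\etc\hosts",
               r"c:\windows\system32\drivers\etc\lmhosts"}
LOCKOUT_VALUES = {  # assumed to be the values rule 1021 protects
    r"hkcu\software\microsoft\windows\currentversion\policies\system\disableregistrytools",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\sfcdisable",
}
IE_SETTINGS_PREFIX = "hkcu\\software\\microsoft\\internet explorer\\main\\"


@dataclass(frozen=True)
class Event:
    kind: str      # "exec" -> AD, "registry" -> RD, "file" -> FD
    process: str   # image path of the process performing the action
    target: str    # child image, registry value path, or file path
    op: str = ""   # file: "create" | "write" | "run"; registry: "write"


@dataclass(frozen=True)
class Rule:
    rid: int
    subsystem: str  # "AD", "RD" or "FD"
    description: str
    matches: Callable[[Event], bool]


def _img(path: str) -> str:
    """Case-insensitive image name: 'C:\\Windows\\cmd.EXE' -> 'cmd.exe'."""
    return ntpath.basename(path).lower()


def no_spawn_rule(rid: int, parents: set, who: str, ban_ext: bool = False) -> Rule:
    """Common shape of rules 1002/1016/3000/4004/5003/6000: a fixed parent set may
    not launch command interpreters; with ban_ext (1016) also not dangerous extensions."""
    def matches(e: Event) -> bool:
        if e.kind != "exec" or _img(e.process) not in parents:
            return False
        child = _img(e.target)
        return child in INTERPRETERS or (ban_ext and ntpath.splitext(child)[1] in DANGEROUS_EXT)
    return Rule(rid, "AD", f"{who} may not launch command interpreters", matches)


RULES: List[Rule] = [
    no_spawn_rule(1002, USER_APPS, "mail/IM/Office/editor/multimedia apps"),
    no_spawn_rule(1016, BROWSERS, "web browsers", ban_ext=True),
    no_spawn_rule(4004, SERVERS, "IIS/SQL Server/Exchange (also 5003/6000)"),
    Rule(1004, "FD", "no create/modify/run of C:\\explorer.exe",
         lambda e: e.kind == "file" and e.target.lower() == r"c:\explorer.exe"),
    Rule(1019, "FD", "HOSTS/LMHOSTS must not be modified",
         lambda e: e.kind == "file" and e.op in ("write", "create")
         and e.target.lower() in HOSTS_FILES),
    Rule(1008, "FD", "mshta.exe may not create executable files",
         lambda e: e.kind == "file" and e.op == "create" and _img(e.process) == "mshta.exe"
         and ntpath.splitext(e.target.lower())[1] in DANGEROUS_EXT),
    Rule(1021, "RD", "registry-tool lockout / SFC values must not change",
         lambda e: e.kind == "registry" and e.target.lower() in LOCKOUT_VALUES),
    Rule(1022, "AD", "mshta.exe may not run command interpreters",
         lambda e: e.kind == "exec" and _img(e.process) == "mshta.exe"
         and _img(e.target) in INTERPRETERS),
    Rule(1023, "RD", "mshta.exe may not change IE settings",
         lambda e: e.kind == "registry" and _img(e.process) == "mshta.exe"
         and e.target.lower().startswith(IE_SETTINGS_PREFIX)),
]


def evaluate(e: Event, rules: List[Rule] = RULES) -> Tuple[str, List[int]]:
    """Default-allow: block iff at least one rule matches; return all matching ids
    so a tester can see which rule fired (or that none did)."""
    hits = [r.rid for r in rules if r.matches(e)]
    return ("block" if hits else "allow"), hits


# Constructed sample events: one per rule family plus two benign actions.
SAMPLE_EVENTS = [
    Event("exec", r"C:\Program Files\Outlook Express\msimn.exe", r"C:\WINDOWS\system32\cmd.exe"),
    Event("exec", r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Temp\photo.scr"),
    Event("file", r"C:\Temp\dropper.exe", r"C:\explorer.exe", "create"),
    Event("file", r"C:\Temp\dropper.exe", r"C:\WINDOWS\system32\drivers\etc\hosts", "write"),
    Event("registry", r"C:\WINDOWS\system32\mshta.exe",
          r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "write"),
    Event("exec", r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\cmd.exe"),  # user opens a shell
    Event("file", r"C:\WINDOWS\system32\notepad.exe", r"C:\Temp\notes.txt", "write"),
]


def audit(events=SAMPLE_EVENTS) -> List[Tuple[str, List[int]]]:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, (verdict, hits) in zip(SAMPLE_EVENTS, audit()):
        print(f"{verdict:5} {hits or '-'} {_img(ev.process)} -> {ev.target}")
```

The two benign events at the end show why a rule set like this is default-allow: Explorer launching cmd.exe or Notepad writing a text file matches no parent set and no protected path, so nothing fires, whereas the same cmd.exe launch from a mail client is blocked by the 1002-shaped rule.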
And what about Proactive?