Appendix B. Neutralizing Computer Threats
All Doctor Web anti-virus solutions use a combination of detection methods, which allows suspicious objects to be examined thoroughly.

Signature Analysis

This method runs first. It scans the contents of an object for known threat signatures. A signature is a continuous, finite sequence of bytes that is necessary and sufficient to identify a threat unambiguously. The search is performed not on the signature bytes themselves but on their checksums, which keeps the virus databases much smaller while preserving unambiguous matching, correct detection and the ability to cure infected objects. Dr.Web virus databases are composed so that a single record can cover entire classes or families of threats.

Origins Tracing™

This Dr.Web technology detects new and modified threats that reuse infection and damage techniques already described in the virus databases. It runs after signature analysis has completed and protects users of Dr.Web anti-virus solutions against threats such as the notorious Trojan.Encoder.18 ransomware (also known as gpcode). Origins Tracing™ also considerably reduces the number of false positives produced by the heuristic analyzer. Objects detected by Origins Tracing™ have the .Origin postfix added to their names.

Execution Emulation

Program code emulation is used to detect polymorphic and encrypted viruses, for which a direct search by checksum is impossible or considerably complicated (for example, when no reliable signature can be generated). The analyzed code is executed by an emulator, a software model of the processor and its runtime environment, inside a protected memory area (the emulation buffer); no instructions are passed to the real CPU.
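To make the two mechanisms above concrete, here is a small Python model of checksum-based signature matching combined with a toy emulation step. It is an added example and not Dr.Web code: the threat names, byte sequences, the XORD "decryptor stub" format and the two-stage CRC32/SHA-256 lookup are all constructed for illustration. The database stores only the length and checksums of each signature, never the bytes, and the scanner confirms a cheap CRC32 hit with SHA-256 so that a checksum collision with benign bytes cannot produce a verdict.

```python
import hashlib
import zlib
from collections import defaultdict

# Constructed signature list with hypothetical threat names and byte sequences;
# these are not real Dr.Web records. The database built from it keeps only the
# length and two checksums per signature, never the sequence itself.
KNOWN_SIGNATURES = {
    "Sample.Downloader.A": b"URLDownloadToFileA\x00",
    "Sample.Dropper.B": b"\x68calc.exe\x00",
}

# Constructed marker for a toy "decryptor stub": XORD <key byte> <XOR-encoded body>.
STUB_MARKER = b"XORD"


def build_database(signatures):
    """Return {length: {crc32: (sha256_digest, name)}}.

    Every record has the same size whatever the signature length, which is
    what keeps the database small; grouping by length bounds the number of
    window sizes the scanner has to slide over an object."""
    db = defaultdict(dict)
    for name, seq in signatures.items():
        db[len(seq)][zlib.crc32(seq)] = (hashlib.sha256(seq).digest(), name)
    return dict(db)


def scan(data, db):
    """Look up the checksum of every window of every signature length.

    CRC32 is the cheap pre-filter; SHA-256 confirms a candidate, so a CRC32
    collision with benign bytes cannot produce a verdict. Returns a list of
    (threat name, offset) pairs."""
    hits = []
    for length, table in db.items():
        for off in range(len(data) - length + 1):
            window = bytes(data[off:off + length])
            entry = table.get(zlib.crc32(window))
            if entry is not None and entry[0] == hashlib.sha256(window).digest():
                hits.append((entry[1], off))
    return hits


def emulate(data):
    """Toy model of execution emulation.

    If the object starts with the constructed decryptor stub, the XOR loop the
    stub would run is applied to a copy of the body in a private buffer (the
    emulation buffer); nothing is executed on the real CPU. The result is the
    original code, which signature analysis can then examine. Objects without
    the stub are returned unchanged."""
    if not data.startswith(STUB_MARKER) or len(data) <= len(STUB_MARKER):
        return bytes(data)
    key = data[len(STUB_MARKER)]
    buf = bytearray(data[len(STUB_MARKER) + 1:])  # separate from the input object
    for i in range(len(buf)):
        buf[i] ^= key
    return bytes(buf)


def detect(data, db):
    """Signature scan of the raw bytes; if nothing matches, scan the emulated result."""
    return scan(data, db) or scan(emulate(data), db)


def encrypt_with_stub(body, key):
    """Constructed helper that builds a sample in the toy stub format."""
    return STUB_MARKER + bytes([key]) + bytes(b ^ key for b in body)


if __name__ == "__main__":
    db = build_database(KNOWN_SIGNATURES)
    plain = b"\x90" * 8 + b"URLDownloadToFileA\x00" + b"\xcc" * 4
    packed = encrypt_with_stub(plain, 0x5A)
    clean = b"MZ\x90\x00hello, world\x00"
    print(detect(plain, db))   # [('Sample.Downloader.A', 8)]
    print(scan(packed, db))    # []  the XOR layer hides the signature from a raw scan
    print(detect(packed, db))  # [('Sample.Downloader.A', 8)]  found after emulation
    print(detect(clean, db))   # []
```

The raw scan of the XOR-encoded sample finds nothing, which is exactly the case the text describes: the signature exists but is not visible until the decryptor has run. A real emulator models the processor and the runtime environment rather than recognising one fixed stub, but the output it hands to signature analysis plays the same role as the restored buffer here.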
If the emulated code is infected, emulation restores the original malicious code, which is then available for signature analysis.

Heuristic Analysis

The heuristic analyzer is based on a set of heuristics: assumptions about characteristic features (fingerprints) of malicious and of safe code whose statistical significance has been established experimentally. Each fingerprint has a weight, a number that expresses its severity and reliability. The weight is positive if the fingerprint indicates malicious behavior and negative if the fingerprint is atypical of computer threats. From the total weight of the fingerprints found in an object, the heuristic analyzer calculates the probability that the object contains unknown malware. If this probability exceeds a threshold, the analyzer returns the verdict that the object is malicious.

The heuristic analyzer also uses the FLY-CODE™ technology, a versatile unpacking algorithm. It lets the analyzer make heuristic assumptions about the presence of malware in objects packed not only with packers known to Dr.Web developers, but also with new, previously unknown ones. While a packed object is scanned, its structural entropy is analyzed, so that threats can be detected from the distribution of their code segments. In this way, many different threats packed with the same polymorphic packer can be detected on the basis of a single virus-database record.

Like any system of hypothesis testing under uncertainty, the heuristic analyzer can err in both directions: it can miss an unknown threat (a false negative) or flag a clean object (a false positive). Objects detected by the heuristic analyzer are therefore treated as "suspicious".

Whichever scan is performed, Dr.Web anti-virus solutions use the most recent information about all known malware.
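The weighting scheme and the structural-entropy check are easiest to see in code. The following Python model is an added example, not Dr.Web's analyzer: the fingerprints, their weights, the segment size, the logistic mapping from total weight to probability and the 0.5 threshold are all assumed for illustration, and the samples are constructed. It shows why negative weights matter: a signed, packed installer and a C source file that merely names injection APIs both stay below the threshold, while an unsigned packed object that references those APIs crosses it.

```python
import math
from collections import Counter

# Constructed, simplified model of heuristic analysis; not Dr.Web code.
# Fingerprints, weights, segment size and threshold are illustrative.

SEGMENT_SIZE = 1024   # assumed segment size for the structural-entropy profile


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, segment_size=SEGMENT_SIZE):
    """Entropy of each fixed-size segment, in file order. Packed or encrypted
    code shows up as segments close to 8.0; plain code and text sit much lower."""
    return [shannon_entropy(data[i:i + segment_size])
            for i in range(0, len(data), segment_size)]


def printable_ratio(data):
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


# (description, predicate over (data, metadata), weight). Positive weights are
# indicative of malware; negative weights are atypical of computer threats.
FINGERPRINTS = [
    ("segment with entropy above 7.0 bits/byte (packed or encrypted code)",
     lambda d, m: bool(d) and max(entropy_profile(d)) > 7.0, 30),
    ("references WriteProcessMemory and CreateRemoteThread (process injection)",
     lambda d, m: b"WriteProcessMemory" in d and b"CreateRemoteThread" in d, 35),
    ("references URLDownloadToFile and ShellExecute (download-and-run)",
     lambda d, m: b"URLDownloadToFile" in d and b"ShellExecute" in d, 25),
    ("valid code-signing signature (assumed to have been verified by the caller)",
     lambda d, m: bool(m.get("signed")), -30),
    ("over 90% printable bytes, typical of text and source files",
     lambda d, m: printable_ratio(d) > 0.9, -20),
]

BIAS, SCALE, THRESHOLD = 40.0, 10.0, 0.5   # assumed mapping from total weight to probability


def analyze(data, metadata=None):
    """Sum the weights of the fingerprints that fire, map the total to a
    probability with a logistic curve and compare it with the threshold.
    Returns (total_weight, probability, fired_descriptions, is_suspicious)."""
    metadata = metadata or {}
    fired, total = [], 0
    for desc, pred, weight in FINGERPRINTS:
        if pred(data, metadata):
            fired.append(desc)
            total += weight
    probability = 1.0 / (1.0 + math.exp(-(total - BIAS) / SCALE))
    return total, probability, fired, probability > THRESHOLD


# Constructed samples. Every 1024-byte window of the blob holds each byte value
# exactly four times, so its entropy is exactly 8.0 bits per byte.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 8
PACKED_INJECTOR = b"MZ\x90\x00WriteProcessMemory\x00CreateRemoteThread\x00" + HIGH_ENTROPY_BLOB
PACKED_INSTALLER = b"MZ\x90\x00Setup\x00" + HIGH_ENTROPY_BLOB
C_SOURCE = (b"/* injector.c: calls WriteProcessMemory and CreateRemoteThread */\n"
            b"int main(void) { return 0; }\n")

if __name__ == "__main__":
    for label, sample, meta in [("packed injector, unsigned", PACKED_INJECTOR, {}),
                                ("packed installer, signed", PACKED_INSTALLER, {"signed": True}),
                                ("packed installer, unsigned", PACKED_INSTALLER, {}),
                                ("C source naming injection APIs", C_SOURCE, {})]:
        total, p, fired, suspicious = analyze(sample, meta)
        print(f"{label}: weight={total} p={p:.3f} suspicious={suspicious}")
```

The unsigned packed installer is the interesting border case: it scores 30 and is passed as clean, which is the right outcome for a legitimate installer and a missed detection if the same file were malware. That is the false-negative side of the trade-off the text describes, and it is why such objects are better handled by the unpacking and signature layers than by the heuristic alone.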
Threat signatures, fingerprints and behavioral patterns are added to the virus databases as soon as the experts of the Doctor Web anti-virus laboratory discover new threats, sometimes several times per hour. Even if the newest malicious program gets past Dr.Web real-time protection and penetrates the system, it will be found in the list of running processes and neutralized once the virus databases are updated.

Cloud-based Threat Detection Technologies

Cloud-based detection checks an object (a file, an application, a browser extension, etc.) by its hash sum, a fixed-length sequence of digits and letters that identifies the object's contents. The hash sum is looked up in the cloud database and the object is classified into a category: clean, suspicious, malicious, etc. This reduces scanning time and saves device resources: the verdict is almost instantaneous, because only the hash sum, not the object itself, is transmitted and analyzed. If the Dr.Web Cloud servers are unavailable, files are scanned locally, and cloud scanning resumes when the connection is restored. Because the Dr.Web Cloud service collects information from a large number of users, it updates its data on previously unknown threats quickly, which increases the effectiveness of device protection.

Dr.Web products implement a number of actions that can be applied to detected objects to neutralize computer threats. The user can keep the default actions that are applied to specific types of threats automatically, adjust them, or choose the required action manually each time a threat is detected. The following actions are available:

• Ignore—skip a detected threat without applying any action.
• Report—report the threat without applying any action to the infected object.
• Cure—attempt to cure the infected object by removing only the malicious content from its body. This action cannot be applied to all types of threats.
• Quarantine—move the infected object (if possible) to a dedicated quarantine directory to isolate it.
• Delete—permanently delete the infected object.
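The cloud-lookup flow described above, with its local fallback during an outage and the mapping of a verdict category to a default action, is modelled below in Python. This is an added example and not the Dr.Web Cloud client or protocol: the SimulatedCloud class, the single-signature local engine, the pending queue, the sharing of local verdicts with the cloud and the DEFAULT_ACTIONS table are all constructed for illustration. Only the SHA-256 digest is ever passed to the simulated cloud, which is the property that makes a cloud verdict cheap.

```python
import hashlib
from collections import deque

# Constructed simulation of hash-based cloud lookup with local fallback; none of
# the class or function names are Dr.Web Cloud APIs.

KNOWN_BAD_MARKER = b"URLDownloadToFileA\x00"   # stand-in for one local signature

# Constructed default action per verdict category (the real defaults are configurable).
DEFAULT_ACTIONS = {"clean": "ignore", "suspicious": "quarantine",
                   "malicious": "quarantine", "unknown": "report"}


class CloudUnavailable(Exception):
    """Raised when the simulated cloud service cannot be reached."""


class SimulatedCloud:
    """Maps SHA-256 hex digests to a category. Only the digest crosses the
    wire, which is why a cloud verdict costs a few bytes rather than an upload."""

    def __init__(self, table, available=True):
        self.table = dict(table)
        self.available = available

    def lookup(self, digest):
        if not self.available:
            raise CloudUnavailable(digest)
        return self.table.get(digest, "unknown")

    def report(self, digest, category):
        """A verdict found locally is shared, so the next user gets it instantly."""
        self.table[digest] = category


def object_digest(data):
    return hashlib.sha256(data).hexdigest()


def local_scan(data):
    """Toy local engine: one constructed signature, clean otherwise."""
    return "malicious" if KNOWN_BAD_MARKER in data else "clean"


class Scanner:
    def __init__(self, cloud):
        self.cloud = cloud
        self.pending = deque()   # digests to re-check once the cloud is back

    def scan(self, data):
        """Return (category, source, action).

        The cloud is asked first. If it is unreachable, the object is scanned
        locally and its digest is queued for a later cloud check. If the cloud
        has never seen the digest, the local engine decides and a malicious
        verdict is shared with the cloud."""
        digest = object_digest(data)
        try:
            category, source = self.cloud.lookup(digest), "cloud"
        except CloudUnavailable:
            self.pending.append(digest)
            category, source = local_scan(data), "local"
        if category == "unknown":
            category, source = local_scan(data), "local"
            if category != "clean":
                self.cloud.report(digest, category)
        return category, source, DEFAULT_ACTIONS[category]

    def resume(self):
        """Re-check queued digests; stops, keeping the queue, if the cloud is
        still down. Returns {digest: cloud category} for the digests checked."""
        results = {}
        while self.pending:
            digest = self.pending[0]
            try:
                results[digest] = self.cloud.lookup(digest)
            except CloudUnavailable:
                break
            self.pending.popleft()
        return results


if __name__ == "__main__":
    cloud = SimulatedCloud({object_digest(b"known good"): "clean"})
    scanner = Scanner(cloud)
    bad = b"MZ\x90\x00" + KNOWN_BAD_MARKER
    print(scanner.scan(b"known good"))   # ('clean', 'cloud', 'ignore')
    print(scanner.scan(bad))             # ('malicious', 'local', 'quarantine')  unknown to the cloud
    print(scanner.scan(bad))             # ('malicious', 'cloud', 'quarantine')  now known
    cloud.available = False
    print(scanner.scan(b"never seen"))   # ('clean', 'local', 'ignore')  scanned locally during outage
    cloud.available = True
    print(scanner.resume())              # the queued digest is re-checked once the cloud is back
```

Two details are worth keeping when building something like this for real. The fallback must never block on the cloud: a lookup that cannot complete should fail fast so the local engine still runs in time. And a digest queued during an outage has to be re-checked rather than forgotten, because the local verdict given at that moment was made without the cloud's knowledge of newly discovered threats.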
The following actions can be applied to email messages scanned by Dr.Web MailD:

• Pass—skip a detected threat without applying any action.
• Reject—reject the message and prevent its delivery to the recipient.
• Tempfail—do not deliver the message; instead return a temporary error to the sender or the recipient, so that delivery can be retried later.
• Discard—accept the message, but do not deliver it to the recipient.
• Repack—before delivering the message to the recipient, modify it by isolating the detected threats in an archive attached to the message, and add a threat detection notification to the message.
• Add header—add the specified header to the message and deliver it to the recipient.
• Change header—change the value of the specified header and deliver the message to the recipient.