Immunet Version 3.0 – The Next Step In Anti-Malware Protection

February 10, 2011 by admin
Filed under Security News

Introduction to 3.0

On February 9th we will be releasing our version 3.0 with some notable changes and improvements.

Before I detail what’s new from a feature perspective I should also note that we are changing the name of the product with this release, the new name is going to be Immunet 3.0 – Powered by ClamAV. The new product will look like this screenshot here:

Picture6 Immunet Version 3.0 The Next Step In Anti Malware Protection

In addition to our name change, you will also note a change in the icon we use in your tray. The new icon is the ’star burst’ in white and blue, it should like like this in your tray:

The name change is the result of the acquisition of Immunet Corp by Sourcefire Inc. This acquisition has brought both the Immunet and ClamAV teams under the same roof to deliver our 3.0 release and future products.

New Features

Our 3.0 release was primarily intended to sharpen our focus on malware detection and to provide comprehensive protection to users who are not always connected to the cloud. Some of the features we have added are cutting edge and allow both advanced and basic users of our software to benefit from much higher detection rates. Our new features are detailed below.

Complete Offline Protection

The 3.0 release will now ship with an ‘Offline’ engine. This engine (which is ClamAV .97) once enabled will automatically pull down our latest detection sets and allow for complete detection coverage, even when you are not connected to the Internet. We are creating detections for ‘hot’ threats, prevalent on the net, so that you will be protected from current ‘in the wild’ threats and their variants. With our Offline protection we now also have several complex engines for detection native to the desktop and have support for file formats such as .DOC, .XLS, HTML etc. as well as strong unpacking support.

If you are installing fresh, you will have the option to install this engine turned ‘On’ by default. If you are upgrading from ClamAV for Windows this engine will be turned off be default. The screenshot here shows how to enable it from the ‘Settings’ feature on the front the User Interface.

Picture8 Immunet Version 3.0 The Next Step In Anti Malware Protection

Cloud Recall

One of the advantages of a Cloud model for hunting and identifying threats is that we are able to retain and analyze vast amounts of data about what our community is seeing at any given time. Unlike traditional Anti-Virus, or even other Cloud Anti-Virus we constantly reconsider all the data we see or have seen in our community. This allows us to evaluate every decision we have made about a file in our community and see if we still agree with that decision as time advances. If we find that our position has changed about the security of a file in our community because of new information on that file we can now seamlessly act on it. To put this in practical terms if you look up a file today and we do not know it’s malicious yet and tonight or tomorrow we discover it is malicious we will alert your system to find the file and remove it, all without you needing to download a single definition update. This ‘Cloud Recall’ ensures that your security is advanced with every new piece of information we become aware of. You will always know as much as we do, when we do.

Custom Signature Creation

Something which has been missing in modern Windows Anti-Virus products is a feature which allows advanced users to craft and deploy their own signatures or detection capabilities. With 3.0 we now offer the first Windows Anti-Virus product which allows our users to write their own detections with our engines just as we would.

Users can now hunt threats (or Advanced Persistent Threats if you like) by creating signatures which range from simplistic (straight MD5 matches) to complex (logically chained expressive signatures w/ offset support and wild carding). Signature management is done with the new SigUI tool which is available in Start -> All Programs -> Immunet 3.0 and looks like this:

Picture7 Immunet Version 3.0 The Next Step In Anti Malware Protection

Documentation for the SigUI may be found here and our manual for creation of signatures can be found here. We encourage you to write your signatures and post them to our online Forum.

All in and all this represents the most ambitious release we have ever done. The beta program for this version has been full of very positive feedback and we are excited by it’s general release.

If you have any feedback about this release or questions, please do not hesitate to email me at ahuger @ sourcefire.com .

Tags: Anti-Virus, ClamAV, immunet, Protection, software, sourcefire inc, windows

New ClamAV for Windows Powered By ( immunet and sourcefire )

March 7, 2010 by admin
Filed under Protection Tools

11 Comments

0a9bbdc1730b8cb3ecb9c68c84309266 New ClamAV for Windows Powered By ( immunet and sourcefire )

The new ClamAV for Windows is the result of a partnership between Immunet Corporation (http://www.immunet.com) and Sourcefire, Inc. (http://www.sourcefire.com). It is designed to provide the ClamAV community with a free Windows-specific Anti-Virus (AV) solution using an advanced Cloud-based protection mechanism. You can use ClamAV For Windows as a stand-alone, host-based AV solution, or in conjunction with your pre-installed AV solution to provide enhanced detection for the latest malware threats.

Say goodbye to the days of watching AV software drain your memory and processing speed. Immunet’s unique Cloud-based technologies allow the ClamAV application to leverage the power of the Cloud to drive the AV engine. When you use ClamAV for Windows, you save system resources for the tasks they really want to run, like games and business applications.

ClamAV for Windows utilizes advanced Cloud-based and community-based detection methods. Developed by Immunet, these detection methods leverage the computers of your friends, family and a worldwide global community to harness their collective knowledge for securing your PC. Every time someone in this collective community encounters a threat, everyone else in the community gains protection from that same threat in real time. You no longer have to rely on the isolated security of your current Anti-Virus vendor. You are able to protect your friends and family while being better protected yourself. This is exactly what we designed ClamAV for Windows to do. By providing a fast and light layer of virus detection, and linking everyone in a global community, we harness a security sum that is far greater than its individual parts, we call this Collective Immunity.

Immunet placed ClamAV into their Cloud infrastructure alongside their Ethos detection engine, and several other detection technologies. By combining all these technologies, and utilizing the power of community-based detection, we feel we have the most effective Anti-Virus technology on the market. And it only gets better with every user that installs and utilizes our technology.

Download New ClamAV :

Minimum System Requirements

Windows XP SP2, Windows Vista SP1, Windows 7
A working Internet connection

Optional Requirements

A Facebook account
A Twitter account

Tags: Anti-Virus, ClamAV, clamav for windows, Cloud-based, Download, Free, immunet, immunity, Protect, Protection, software, sourcefire inc, windows, windows 7

Tests Show Problems With AV Detections

February 7, 2010 by admin
Filed under Security News

Leave a Comment

Dateline: Moscow.

Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.

After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to Virustotal. Only Kaspersky detected the files at this point.

But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.

Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.

Click on these to see some of the detections:

But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and that fact that only a static scan was performed.

And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the mingw crosscompiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then creates a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, 2 other products called the sample “suspicious”.

This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

By Larry Seltzer from PCMag.com

Tags: a-squared, AhnLab-V3, antivir, Antiy-AVL, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eSafe, eTrust-Vet, F-Prot, F-Secure, false positive, Fortinet, GData, heuristic, Ikarus, Jiangmin, K7AntiVirus, kaspersky, Malware, Mcafee, McAfee+Artemis, McAfee-GW-Edition, microsoft, NOD32, Norman, nProtect, panda, PCTools, Prevx, Rising, Sophos, Sunbelt, symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster