Nikolay Grebennikov – Chief Technology Officer at Kaspersky Lab.
– Nikolay, we wanted to talk to you about the changing face of antimalware products – you know, there’s this false perception that antivirus and antimalware technology is based on signatures, but that’s obviously a false perception. Can you talk a little bit about how antimalware software has to evolve to keep up with the changing face of the threats? And what are some very important components that have been added to antimalware technology to make sure you move beyond signatures?
– Right now, signatures are just one of the layers in antimalware protection, and we’ve developed a lot of new layers. The most important of them are heuristics and emulation, where we try to understand what this particular application will do if we run it in the system, and after that we can apply some – what we call – ‘behavioural heuristics’ to detect malware by behaviour. It’s a very powerful technology because it’s possible to detect a whole family of malware with just one or two signatures (behavioural signatures). At the same time, it’s very important to add the proactive component of analysing the execution of files in the system in real time, and we do it with our ‘System Watcher’ component – so we watch applications and try to see what they will do in a real system, and if we detect malicious behaviour some minutes after execution, we can roll back all the changes on the system. And moreover, it’s not enough to have just signatures, heuristics and some proactive defense in real time. It’s also very important to add malicious URL detection, because in this case you can block the whole set of malware which was uploaded by bad guys to this URL; and additional components like a sandbox and host intrusion prevention policies on the endpoint machine.
– Let’s just get back to the ‘System Watcher’ for a second. To the average IT guy – not necessarily a malware analyst – explain to him exactly what a system watcher does, and why it’s an important component he can rely on?
– ‘System Watcher’ is a protection component which monitors the behaviour of all applications in the system (except trusted ones) and understands the execution log of all actions that have been done by this application, as well as applies some heuristics based on our knowledge of what is a malicious application and what is non-malicious. And after the analysis of all these logs, we can detect bad behaviour. At the same time, this log of actions of an application is very useful when we have to roll back all the changes on the system.
– And a URL blocking component also becomes very important as you tie everything together. But you’re not killing signatures. I mean, signatures are getting smarter, the signature database is still an important component. And you’ve also been using the Cloud to make sure the signatures are distributed to end users. Can you talk a little bit about KSN (Kaspersky Security Network) and your Cloud component?
– Right now, we call it not KSN but Cloud Kaspersky Security Network. And the idea here is very simple: we have more and more signatures in our databases, and taking into account the whitelisting approach that we also push right now, we have to store all this data somewhere. And if you think about laptops and smartphones and other devices, it’s not such a good idea to upload all these files, all these signatures to each device. And we’ve come to the idea of using the Cloud. So it’s Kaspersky Lab servers in different parts of the world, and all our applications connect to these servers and ask our Kaspersky Security Network about the reputation of a file when you, for example, run your application or download a new executable application. And in 40 seconds it’ll be ready to answer and process the request.
– If it’s a new application and it’s potentially dangerous, can the Cloud detect that and tell the rest of the user base about that?
– Sure. A very important part of the Cloud is that it’s not just a one-way road, it’s two-way. And we collect information about some potentially dangerous behaviour of applications from millions of machines, and based on this information we can detect new malware even without having the body of the file in the lab – just by analysis of statistical data. It’s a very powerful technology.
– Another big layer and component is application control – whitelisting. Talk a little bit about how you go about building this database of good files, and the importance of whether you can build something on your own or when you need to partner with additional whitelisting companies – maybe download.com or some other databases – to get that. How do you go about building your database?
– You touched a really interesting point because we really believe whitelisting is one of the key elements of Kaspersky’s technology strategy, and if you think about the future, a lot of new devices like your CPU in cars, airplanes, probably devices which control your heart and others – in this case, it’s a much better idea not to create the database of bad files but to create the database of good files and allow these applications to run while blocking the execution of others. We have been building the whitelisting database since 2007 and we’re using the Cloud to do that because without Cloud it would be hard to use such a big database. We partner with a lot of companies – I can mention Blizzard from the gaming industry, I can mention Hewlett Packard and other companies that create hardware (and we need to download new drivers and all these things), and also of course we partner with Microsoft, Adobe and other companies – in many cases, we get information to add to our databases about new files they are going to launch before end users have them on their machines. It’s not the only way we add files to our whitelisting database. We’ve also created crawlers to get data from sites like download.com and other sites that collect information on the Internet.
– Right, you mean other popular software repositories.
– And of course we use our Kaspersky Security Network to understand the prevalence of white files and what files are run on our users’ machines more often.
– How do you treat grey files for instance – the files that you don’t know whether they’re clean or dirty?
– The main idea here is to apply our technology called ‘Security Rating’ for understanding the level of risk for each unknown application. Based on the calculated level of risk, we can apply the Host Intrusion Prevention Policies to block the most dangerous operations usually made by malware, like low-level access to the hard drive, getting your keyboard input and so on. At the same time, our goal is to decrease the number of unknown applications. In our lab, for example, we use technology to make grey applications white based on the database of white websites: if these grey applications are on white websites, we can label them white. And of course we have a very complex, complicated and very expensive infrastructure to monitor and calculate the reputation of all unknown files.