Another post from Eugene Kaspersky, which he asked to have published on Habr:

Our line of work is both dangerous and difficult. And very complicated on top of that. It is hard for a mere mortal to understand all the details of how an anti-virus company works. And oh, how we want to talk about them! So we try to translate them into human language as best we can. The tip of this iceberg is a compilation of numbers and facts that illustrate this work.
For example, here is a curious infographic:
[infographic]
Many more interesting infographics here.
But one of the most frequently asked questions is “how many viruses do you find every day?”
The question is actually non-trivial, but what can you do: a simple question deserves a simple answer. And until recently we had a standard figure: 35 thousand. Something like that. An average. No mind-blowing details about malware families, polymorphism, vectors, patterns, records and so on.
But for several months now this answer was often followed by a clarifying question: they say it is somehow not enough, the numbers don't add up! So we braced ourselves, counted, and were stunned. As a result, an updated figure appeared:
70 thousand. Daily. Yep.
Again, I will not go into details (if you are interested, ask in the comments). I'd better tell you how we even manage to shovel through these seventy thousand samples a day.

Well, many people know that our family mascot is a woodpecker. And not without reason. In the good old days, our virlab worked exactly that way: viruses were “pecked apart” as if on a conveyor belt. By the way, a very difficult, tiring and respected profession! And I too was a woodpecker for many years!
However, those times are long gone. It is clear that with today's flow, manual “pecking” is simply unrealistic, economically inefficient and just plain silly. For many years now we have had on duty...
auto-woodpeckers! Humans get only the most intellectual work: picking apart the most difficult samples, researching botnets, making sure the auto-woodpeckers do not break down, and, of course, training and improving them in every way.
In general, there are several sources through which we receive samples for analysis:
self-propelled samples (those that “stick” to special traps),
submissions (sent in by users),
collection exchange with other anti-virus companies,
and our cloud service KSN (video, details).
Moreover, the last source now holds the leading position in terms of its contribution to user protection. Using KSN as an example, let's see how our automated malware processing system works.
Computers participating in KSN (and there are now more than 50 million of them) send statistics (non-personalized!) about the work of our products to the cloud. This includes information about caught malware and infected sites, as well as much that is useful for detecting new malware: for example, suspicious program behavior, hashes of downloaded files and more.
Here, for example, a user runs a previously unknown file. The local antivirus checks it with all available tools: clean. We ask the cloud: no data. OK, we give the green light to launch. And then it turns out that the file somehow strangely registers itself in the registry, tries to gain access to system services, makes suspicious connections, has a double extension (jpg.exe) or something else. The signal arrives at KSN, where the system automatically calculates the file's reputation (the weights of all its attributes and actions) and makes a decision about detection. As a result, the “sic 'em!” command is sent to the protected computer, the file is blocked and its actions are rolled back. Of course, the more reports about the same file from different computers, the higher the processing priority and the higher the accuracy and criticality of the verdict. Should such a file appear on other computers connected to KSN, they are immediately told that it is dangerous and not to experiment.
Another example. Several users downloaded a file from the same link, but each time the file has a different hash. Smells like polymorphism! KSN starts to unravel the case and sees that, for example, the site was registered only a couple of days ago, some iframe is “hanging” on it, or infected files have already been served from it (there are many different signs). Again, the cloud calculates the reputation and sends the command to block both the file itself and access to the site.
Important: thanks to this approach, on average only 40 seconds pass between detection and verdict!
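As an added illustration of the reputation logic sketched in the two examples above (not Kaspersky's code; the sign weights, thresholds, site facts and sample telemetry are all constructed):

```python
"""Toy reputation engine modelled on the KSN description above (added example).
The weights, thresholds, site facts and sample reports are all constructed."""
from dataclasses import dataclass

# Constructed weights for the signs the post names; a real system has many more.
SIGN_WEIGHTS = {"registry_autorun": 30, "system_service_access": 25,
                "suspicious_connection": 25, "double_extension": 40}
BLOCK_THRESHOLD = 60  # score at which the verdict becomes "block"

@dataclass
class Report:
    host: str       # anonymised id of the reporting computer
    sha256: str     # hash of the file that was run
    url: str        # download source ("" if unknown)
    signs: tuple    # attributes and behaviours the local product observed

def file_reputation(reports, sha256):
    """Reputation of one file: sum of the weights of every sign any host saw.
    More distinct reporting hosts means higher priority and confidence."""
    mine = [r for r in reports if r.sha256 == sha256]
    signs = {s for r in mine for s in r.signs}
    score = sum(SIGN_WEIGHTS.get(s, 0) for s in signs)
    hosts = len({r.host for r in mine})
    confidence = min(1.0, 0.5 + 0.25 * (hosts - 1)) if hosts else 0.0
    return {"score": score, "priority": hosts, "confidence": confidence,
            "verdict": "block" if score >= BLOCK_THRESHOLD else "unknown"}

def url_reputation(reports, url, site):
    """Polymorphism case: one URL serving a different hash every time, weighed
    together with facts about the site itself (all fields constructed)."""
    hashes = {r.sha256 for r in reports if r.url == url}
    score = 40 if len(hashes) >= 3 else 0                   # same link, different files
    score += 20 if site.get("age_days", 999) <= 7 else 0    # registered only days ago
    score += 20 if site.get("iframe") else 0                # iframe "hanging" on it
    score += 30 if site.get("served_malware") else 0        # infected files served before
    verdict = "block_file_and_site" if score >= BLOCK_THRESHOLD else "unknown"
    return {"distinct_hashes": len(hashes), "score": score, "verdict": verdict}

# Constructed telemetry: three hosts ran one file, three others fetched the same link.
SAMPLE = [
    Report("h1", "aaa", "", ("registry_autorun",)),
    Report("h2", "aaa", "", ("suspicious_connection", "double_extension")),
    Report("h3", "aaa", "", ("registry_autorun", "system_service_access")),
    Report("h4", "b1", "http://example.invalid/get", ()),
    Report("h5", "b2", "http://example.invalid/get", ()),
    Report("h6", "b3", "http://example.invalid/get", ()),
]
SAMPLE_SITE = {"age_days": 2, "iframe": True, "served_malware": False}
```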

But the work of our auto-woodpeckers does not end there.
Another system downloads the same suspicious file from the network and hands it to an automatic handler for analysis. There is a whole bunch of proprietary and not-yet-proprietary technologies involved, so I won't dig deeper. This handler develops and tests the updates everyone is familiar with and uploads them to servers for download.
Something like that. I still remember how, about 8 years ago, envious competitors marvelled at how we manage to do such a huge amount of work with such small resources. Automation, that's how! And only competent automation can cope with this crazy stream of malware! By the way, although the scope of work is constantly expanding and deepening, the number of employees in the Virlab has not changed for a year.
This raises a logical question.
So how do small antivirus companies survive? It is known that keeping a good virlab is not only a matter of money but also of brains. Where do they get the resources to stay afloat while spending little on R&D?
A sensitive subject.
For several years, outright detection theft has been thriving in the antivirus industry. Instead of analyzing malware, developing their expertise and inventing new technologies, some (and these “some” are about a dozen!) companies simply spy on the results of others' work and mindlessly add hash detections to their databases. They are aided by incompetent tests that do not reflect the level of protection in real conditions. As a result, not the best software climbs to the top, its installation count grows, and the general level of security falls. Honest companies lose their motivation to do research, the effectiveness of R&D investment falls, but the thieves' sales grow, and cyber-scoundrels rejoice.
Well, that is a topic for a separate story.