Many malware programs operate according to similar algorithms, exploit the same operating system vulnerabilities, and have the same set of malicious functions.
If a suspicious program’s behavior resembles the behavioral patterns of known malware, the Dr.Web anti-virus protection system can detect and block that program—even if an entry for it has yet to be included in the Dr.Web virus database.
This is because none of the software's proactive technologies depend on a signature for the suspicious program being present in the virus database. All these technologies are developed solely by Doctor Web.
Here we’ve listed just some of them:
Attackers have to spend a lot of time developing each new malware variant that is designed to go unrecognised by an anti-virus, and a great deal more time testing it against current anti-viruses. To avoid such labour-intensive work, criminals encrypt their malware or compress it with packers whose format is not recognised by any archiving application. To recognise a packed or encrypted program, most anti-viruses require a corresponding entry (signature) in their virus database, which leaves the system defenceless until the database is updated.
Dr.Web still protects systems in situations like these.
Today’s criminals are after data and money. This encourages them to create new types of malware that can’t be recognised or blocked by anti-viruses and other security software. The risk of unknown malware reaching computers before it can be analysed in an anti-virus laboratory increases every year. Under these circumstances, controlling the behaviour of running system processes and applications becomes an essential element of present-day anti-virus security.
Unlike traditional behavioural analysis, which relies on predefined rules describing the behaviour of legitimate programs (rules that are well known to criminals), Dr.Web Process Heuristic analyses the behaviour of each running program in real time, comparing it with constantly updated reputation information stored in the Dr.Web cloud. It determines whether the program is dangerous and then takes whatever measures are necessary to neutralise the threat.
This data protection technology helps minimise losses resulting from the actions of unknown malware — and consumes very few of the protected system’s resources.
Dr.Web Process Heuristic monitors any attempts to modify the system:
Dr.Web Process Heuristic starts protecting a system during the boot-up phase, even before the traditional, signature-based anti-virus is loaded!
Dr.Web Process Heuristic works right out of the box, but the user can always configure rules based on their own needs!
Dr.Web Process Heuristic includes the Dr.Web ShellGuard technology, which blocks the routes by which programs that exploit vulnerabilities enter the system. Exploits are malicious objects that take advantage of software flaws, including flaws not yet known to anyone except the intruders who discovered them (zero-day vulnerabilities). The vulnerabilities are used to gain control over a targeted application or the operating system.
Impregnable systems don’t exist.
Developers try to release patches quickly for known vulnerabilities. For example, Microsoft releases security updates quite often. However, users often install some of them way too late (or don't install them at all). This encourages intruders to search for new vulnerabilities and exploit those that have been discovered but aren't yet closed on the computers that are being targeted.
Dr.Web ShellGuard protects the most common applications installed on almost all computers running Windows:
To detect malicious actions, Dr.Web ShellGuard uses information stored by the anti-virus locally as well as reputation data from Dr.Web Cloud which includes:
The cloud collects information about the operation of Dr.Web on PCs, including data about brand-new threats, which enables Doctor Web to respond promptly to newly discovered threats and update the rules stored by the anti-virus on each machine.
The preventive protection is available under Dr.Web Security Space and Dr.Web Anti-virus licenses.
The anti-virus laboratory receives hundreds of thousands of malware samples per day! And the number is growing. Just go to http://live.drweb.com/ and see for yourself.
Under these circumstances, the security of a protected machine greatly depends on how quickly a new malicious program is received and processed by the anti-virus laboratory. However, systems that have Dr.Web installed on them do not remain unprotected until an update arrives.
In Dr.Web for Windows, settings can be managed on the "Preventive Protection" tab.
The user is offered four setting modes: optimal (enabled by default), medium, paranoid, and user.
The optimal mode protects only those registry branches that are used by malware and that can be blocked (that is, locked against any changes) without significantly burdening computer resources.
When the preventive protection mode is elevated, the system defends itself more vigilantly against malware that is unknown to the Dr.Web virus database, but the risk of conflicts between the constraints imposed by the preventive protection and the needs of running applications also increases.
Let's take a closer look at what the user gains by switching on each setting.
The HOSTS file
This file lets you map a host name to an IP address. Entries in the HOSTS file take precedence over DNS lookups, so a name listed there is resolved from the file and the DNS server is never asked. By editing it, cybercriminals can block access to anti-virus company websites (for example, by pointing them at 127.0.0.1) and redirect users to fake sites.
Dr.Web preventive protection does not allow malware to modify the HOSTS file and redirect users to phishing resources.
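As an added example (not Dr.Web code), the following PowerShell script reads the HOSTS file and reports the two kinds of tampering described above: a watched domain sinkholed to the loopback address, or a name redirected to a remote address. The watch list of domains is an assumption; extend it with the vendor and update domains that matter to you.

```powershell
# Added example, not Dr.Web code. The watch list is an assumption: extend it with
# the vendor and update domains you care about.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$WatchList = @('drweb.com', 'live.drweb.com', 'windowsupdate.com', 'microsoft.com')
$Loopback  = @('127.0.0.1', '::1', '0.0.0.0')

function Get-HostsEntries {
    # Yields one object per (address, name) pair; comments and blank lines are skipped.
    param([string]$Path = $HostsPath)
    Get-Content -Path $Path -ErrorAction Stop | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()
        if (-not $line) { return }                 # 'return' here skips to the next line
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }        # an address with no names
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

function Test-HostsFile {
    # Returns one finding per suspicious entry; an empty result means nothing was flagged.
    param([string]$Path = $HostsPath)
    foreach ($entry in Get-HostsEntries -Path $Path) {
        $watched = $WatchList | Where-Object { $entry.Name -eq $_ -or $entry.Name.EndsWith(".$_") }
        $isLoopback = $entry.Address -in $Loopback
        $finding = $null
        if ($watched) {
            # Any HOSTS mapping for a watched domain wins over DNS, so it is a hijack either way:
            # loopback blocks updates and vendor sites, a remote address redirects to a fake site.
            $finding = if ($isLoopback) { 'vendor/update domain sinkholed to loopback' } else { "vendor/update domain redirected to $($entry.Address)" }
        } elseif (-not $isLoopback -and $entry.Name -ne 'localhost') {
            $finding = 'name mapped to a non-loopback address: verify it is intentional'
        }
        if ($finding) {
            [pscustomobject]@{ Name = $entry.Name; Address = $entry.Address; Finding = $finding }
        }
    }
}

Test-HostsFile | Format-Table -AutoSize
```

To see the precedence in effect on a live system, compare `Resolve-DnsName live.drweb.com` with `Resolve-DnsName live.drweb.com -NoHostsFile`: the first answer comes from the file if an entry exists, the second from DNS only.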
The integrity of running applications
A process is the set of resources and data belonging to a running program in the computer's RAM. One program's process should not modify another program's process. Malicious programs, however, do exactly that: Trojan.Encoder.686 (CTB-Locker), for example, violates this rule.
Dr.Web preventive protection prevents malware from injecting itself into other programs' processes (for example, it prohibits Trojans from modifying a browser's process in order to access the e-banking system), thereby preventing them from implementing their functionality, in full or in part.
The integrity of user files
Some extortionist malware (ransomware) encrypts user data and demands a ransom for its decryption. Enabling this option helps protect against encryption ransomware such as Trojan.Encoder.94, Trojan.Encoder.102 and Trojan.Encoder.686 (CTB-Locker).
Dr.Web preventive protection detects malware processes that modify user files and blocks encryption ransomware activity.
Low-level disk access
When Windows is operating normally, files are accessed through the file system, which is controlled by the operating system. Trojan bootkits that modify the MBR instead access the disk directly, bypassing the Windows file system and writing to specific disk sectors. Trojans that have written themselves into the MBR run before the operating system starts and are extremely hard to detect and neutralise.
Dr.Web preventive protection prevents malware from modifying the MBR and thus prevents such Trojans from being launched in the system.
Many rootkits secretly load their drivers and services to hide their presence in the system and perform unauthorised actions, such as sending logins, passwords and other identifying information to cybercriminals.
Dr.Web preventive protection prohibits new or unknown drivers from being loaded without the user's consent.
Application startup parameters
The Windows registry contains the Image File Execution Options key, in which a debugger (a program that helps a programmer debug written code and modify the data of the debugged process) can be assigned to any Windows executable by name. When that executable is started, Windows launches the program named in the Debugger value instead and passes it the original command line. Malware that has registered itself as the debugger of a system process or application (e.g., Internet Explorer or Windows Explorer) therefore runs in its place, with full access to whatever interests the intruders.
Dr.Web preventive protection blocks access to the Image File Execution Options registry key.
Ordinary users have no real need to debug applications on the fly, and the risk of malware abusing the Image File Execution Options key is very high.
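As an added example (not Dr.Web code), this PowerShell script enumerates every image that has a Debugger registered under Image File Execution Options, on both the native and WOW6432Node hives, and flags any debugger that is not on an allow-list of known tools. The allow-list is an assumption; adjust it to the debuggers actually used on the machine.

```powershell
# Added example, not Dr.Web code. The allow-list of legitimate debuggers is an
# assumption; adjust it for the tools actually installed on the machine.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$AllowedDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'cdb.exe')

function Get-IfeoDebuggers {
    # Returns one object per image name that has a Debugger value registered.
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $debugger) { continue }
            # Windows runs the Debugger command instead of the image and appends the original
            # command line to it, so whatever is named here fully replaces the target program.
            # Take the executable part: a quoted path, or the first whitespace-delimited token.
            $command = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
            $exe = [System.IO.Path]::GetFileName($command).ToLower()
            $status = if ($exe -in $AllowedDebuggers) { 'expected debugger' } else { 'SUSPICIOUS: not a known debugger' }
            [pscustomobject]@{
                Image    = $key.PSChildName
                Debugger = $debugger
                Status   = $status
            }
        }
    }
}

Get-IfeoDebuggers | Format-Table -AutoSize
```

The classic abuse of this key registers cmd.exe as the debugger for sethc.exe (the Sticky Keys helper), so that pressing Shift five times at the logon screen opens a command prompt running as SYSTEM; that entry would show up here as SUSPICIOUS.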
Multimedia device drivers
Some malicious programs create executable files and register them as virtual devices.
Dr.Web preventive protection blocks the registry branches responsible for virtual device drivers, making it impossible to install a new virtual device.
Winlogon registry keys, Winlogon notifiers
The Winlogon notification package interface lets a registered DLL handle events such as user logon and logoff, system startup and shutdown, and some other tasks. Once it has registered itself as a Winlogon notification package, malware can restart the OS, shut down the computer, and prevent users from entering the OS environment. This activity is typical of Trojan.Winlock.3020 and Trojan.Winlock.6412.
Dr.Web preventive protection prevents the registry branches responsible for Winlogon notification packages from being modified, and prohibits malware from adding new tasks, those needed by the attackers, into the OS's logic.
Windows registry startup keys
This option simultaneously blocks several values in the Windows registry branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]: for example, AppInit_DLLs (which makes every process that loads user32.dll also load the DLLs listed there, a classic way to inject a rootkit into Windows), Run (a legacy win.ini-era value that starts the programs it lists after the OS has started), and IconServiceLib (which names the IconCodecService.dll library, needed for the desktop and icons to display normally).
Dr.Web preventive protection blocks a number of Windows registry settings, thus, for example, preventing viruses from modifying the normal desktop display or preventing rootkits from concealing a Trojan's presence in the system.
Executable file associations
Some malicious programs tamper with executable file associations, so that programs can no longer start, or so that unwanted programs controlled by the malware start instead.
Dr.Web preventive protection does not allow malware to modify program startup rules.
Software Restriction Policies (SRP)
In Windows, software restriction policies (SRP) can be configured to allow only programs from certain folders (for example, Program Files) to be launched and to prohibit the execution of programs from other locations. Blocking the registry branch that holds the SRP configuration prevents the configured policies from being modified, thus reinforcing previously implemented protection.
Dr.Web preventive protection protects a system against malware that enters a computer through email or removable media and launches itself from, for example, a temporary directory. This option is recommended for use in a corporate environment.
Browser Helper Objects (BHO) for Internet Explorer
This setting prevents new plugins for Internet Explorer from being installed by blocking the appropriate registry branch.
Dr.Web preventive protection shields the browser from malicious plugins, for example browser blockers.
This option prohibits modifications to some of the registry branches responsible for the autorun of programs.
Dr.Web preventive protection can prevent the autorun of malicious programs by thwarting their attempts to register in the registry for subsequent launch.
This option blocks the registry branch that is used to run any program when the user logs in.
Dr.Web preventive protection can prevent the autorun of certain programs, such as anti-antivirus tools.
Safe mode configuration
Some Trojans disable Windows safe mode to make it harder to cure a computer.
Dr.Web preventive protection blocks the registry modifications that would switch safe mode off.
Session Manager parameters
This option protects the configuration of the Windows session manager, the component on which the stability of the operating system depends. Without such protection, malicious programs can set environment variables, run a number of system processes, and schedule operations that remove, move or copy files before the system is fully loaded.
Dr.Web preventive protection keeps malicious programs from being introduced into the operating system before it is fully loaded, and, accordingly, before the anti-virus is up and running.
This option prevents the registry parameters responsible for the normal operation of system services from being edited. Some malware tampers with these settings and so disrupts the user's normal work: for example, it can clear the desktop of shortcuts to installed programs or prevent files from being moved.
Dr.Web preventive protection prohibits malware from disabling operating system services. For example, it prevents malware from interfering with the regular backing up of files.
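The settings from the Winlogon keys through the session manager all come down to locking specific registry locations. As an added example (not Dr.Web code), this PowerShell script reads those locations on a live system and compares them with a baseline, which is what you would run to confirm that the protection has kept them intact: the Winlogon Userinit and Shell values, the AppInit_DLLs and LoadAppInit_DLLs values, the Session Manager boot-time lists, the SafeBoot keys that winlockers delete, and the Winlogon notification packages. The registry paths are the standard Windows ones; the expected values are assumptions for a default installation, so capture your own baseline from a known-good machine.

```powershell
# Added example, not Dr.Web code. The registry paths are the standard Windows
# locations; the expected values are assumptions for a default installation and
# should be replaced with a baseline captured from a known-good machine.
$Winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$NtWindows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

$Checks = @(
    @{ Name = 'Winlogon Userinit'; Path = $Winlogon; Value = 'Userinit'; Expect = "$env:SystemRoot\system32\userinit.exe," }
    @{ Name = 'Winlogon Shell'; Path = $Winlogon; Value = 'Shell'; Expect = 'explorer.exe' }
    @{ Name = 'AppInit_DLLs'; Path = $NtWindows; Value = 'AppInit_DLLs'; Expect = '' }
    @{ Name = 'LoadAppInit_DLLs'; Path = $NtWindows; Value = 'LoadAppInit_DLLs'; Expect = 0 }
    @{ Name = 'Session Manager BootExecute'; Path = $SessionMgr; Value = 'BootExecute'; Expect = 'autocheck autochk *' }
    @{ Name = 'Session Manager PendingFileRenameOperations'; Path = $SessionMgr; Value = 'PendingFileRenameOperations'; Expect = '' }
)

function Compare-RegistryValue {
    # Reads one value and compares it with the baseline; multi-string values are joined with ';'.
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Value) } else { $null }
    if ($actual -is [array]) { $actual = $actual -join ';' }
    $expect = $Check.Expect
    $status = if ("$actual".Trim() -eq "$expect".Trim()) { 'ok' } else { 'DEVIATION' }
    [pscustomobject]@{ Check = $Check.Name; Expected = "$expect"; Actual = "$actual"; Status = $status }
}

function Invoke-BootPathAudit {
    $results = @(foreach ($c in $Checks) { Compare-RegistryValue -Check $c })

    # Winlockers delete the SafeBoot keys so the victim cannot boot into Safe Mode to clean up.
    foreach ($mode in 'Minimal', 'Network') {
        $present = Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        $results += [pscustomobject]@{
            Check = "SafeBoot\$mode"; Expected = 'present'
            Actual = $(if ($present) { 'present' } else { 'missing' })
            Status = $(if ($present) { 'ok' } else { 'DEVIATION' })
        }
    }

    # Winlogon notification packages: a clean baseline normally has none registered.
    $notify = Join-Path $Winlogon 'Notify'
    $packages = if (Test-Path -Path $notify) { (Get-ChildItem -Path $notify).PSChildName -join ';' } else { '' }
    $results += [pscustomobject]@{
        Check = 'Winlogon Notify packages'; Expected = ''; Actual = $packages
        Status = $(if ($packages) { 'DEVIATION' } else { 'ok' })
    }
    $results
}

Invoke-BootPathAudit | Format-Table -AutoSize
```

Reading HKLM does not require elevation, so the script can run as a standard user; any row marked DEVIATION is a location that either the protection should have blocked or an administrator changed deliberately, and the baseline should be updated in the latter case.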