Non-signature detection technology

In just one day, the Doctor Web virus laboratory receives up to a million potentially malicious samples.

Some of the files received aren't malware. However, they must all be processed by our security researchers. If knowledge about each new Trojan or virus were to be added in with the signatures, the size of the virus database would reach absurd proportions, and that would only be information about known viruses. And they are the minority!

A system is ALWAYS at risk of becoming infected with a newly emerged UNKNOWN virus.

Technologically complex and highly dangerous viruses especially designed for commercial gain are normally tested by virus writers using all known anti-virus software before being released into the wild; that way the viruses exist undetected by anti-viruses for as long as possible. That's why a time gap exists between when criminals release a Trojan and when virus laboratories actually get hold of a sample of it and design a cure. Before samples of such viruses get into the laboratory, they cannot be detected by any anti-virus that uses only signature-based detection technology (for example, free anti-viruses).

It is believed that anti-viruses should neutralise all malicious programs as soon as they try to get into a computer.

Going by signatures, a modern anti-virus can detect only 30% of malware programs.

And how does Dr.Web detect the other 70% of malware programs?

Dr.Web incorporates many effective non-signature technologies for detecting and removing unknown malware. Together, they make it possible to detect the latest (unknown) threats before they are registered in the virus database.

Heuristic analyser

It relies on knowledge (heuristics) about certain properties typical of virus code and, vice versa, properties that are extremely rare in viruses.

Heuristic analysis helps Dr.Web detect modifications of malicious programs that have already been analysed and whose behaviour is known to the anti-virus.

Origins Tracing TM technology

Detects viruses not yet added to the Dr.Web virus database by scanning an executable as a specific sample which it then compares against the database of known malicious programs.

Execution emulation module

Detects polymorphic and highly encrypted viruses when the search against checksums cannot be applied directly or is very difficult to perform (because secure signatures cannot be built) by simulating the execution of analysed code by an emulator—a programming model of the processor (and, in part, of the PC and OS).

Fly-Code technology

The high-quality scanning of packed executables.

Unpacks any (even non-standard) packers by using virtualisation for file execution.

Detects viruses unknown even to Dr.Web anti-virus software.

Comprehensive analysis of packed threats

Significantly improves the detection of supposedly “new” malicious programs that were known to the Dr.Web virus database before they were concealed by new packers.

Eliminates the need to add redundant definitions for new threats into the virus database.

Script Heuristic technology

It prevents any malicious browser scripts and PDF documents from being executed, without disabling the functionality of legitimate scripts.

It protects against infection by unknown viruses that try to access systems via web browsers.

It works independently of the Dr.Web virus databases, in any web browser.

Structural entropy analysis

Detects unknown threats by arranging pieces of code in objects protected with encryption compression.