Detection Methods

Doctor Web anti-virus solutions use several malicious software detection methods simultaneously, which allows them to perform thorough checks on suspicious files and control software behavior.

Signature analysis

The scans begin with signature analysis, which compares code segments of a file against the known virus signatures. A signature is a finite continuous sequence of bytes that is necessary and sufficient to identify a specific virus. To reduce the size of the signature dictionary, Dr.Web anti-virus solutions store signature checksums instead of complete signature sequences. Checksums uniquely identify signatures, which preserves the correctness of virus detection and neutralization. Dr.Web virus databases are composed so that some entries can be used to detect not just specific viruses but whole classes of threats.

Origins Tracing

On completion of signature analysis, Dr.Web anti-virus solutions use the unique Origins Tracing method to detect new and modified viruses that use known infection mechanisms. Thus, Dr.Web users are protected against threats such as the notorious blackmailer Trojan.Encoder.18 (also known as gpcode). In addition to detecting new and modified viruses, the Origins Tracing mechanism considerably reduces the number of false positives raised by the heuristic analyzer. Objects detected using the Origins Tracing algorithm are indicated with the .Origin extension added to their names.

Execution emulation

Program code emulation is used to detect polymorphic and encrypted viruses, for which the search against checksums cannot be applied directly or is very difficult to perform (because no reliable signature can be built for the encrypted form). The method simulates the execution of the analyzed code in an emulator: a software model of the processor and runtime environment. The emulator operates on a protected memory area (the emulation buffer), in which execution of the analyzed program is modelled instruction by instruction; none of these instructions is actually executed by the CPU. When the emulator receives a file infected with a polymorphic virus, the result of the emulation is the decrypted virus body, which is then easily identified by searching against signature checksums.
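The two steps just described, a checksum dictionary in place of raw signatures (Signature analysis) and instruction-by-instruction emulation of a decryptor in a private buffer, as one added Python example. This is illustrative code written for this page, not Dr.Web's engine: the toy instruction set, the use of SHA-256 as the checksum and the two sample signatures are assumptions.

```python
import hashlib

# Constructed signature dictionary (sample values, not Dr.Web's): only the
# checksum of each byte sequence is kept, keyed together with its length.
SIGNATURES = {
    b"\xeb\xfe\x90\x90\xcc\xcc": "Toy.Virus.A",
    b"\x31\xc0\x50\x68\x41\x41\x41\x41": "Toy.Virus.B",
}
SIG_DB = {(len(s), hashlib.sha256(s).digest()): n for s, n in SIGNATURES.items()}

def scan_checksums(data: bytes) -> list:
    """Hash every window of each known signature length and look it up in SIG_DB."""
    hits = []
    for (length, digest), name in SIG_DB.items():
        for off in range(len(data) - length + 1):
            if hashlib.sha256(data[off:off + length]).digest() == digest:
                hits.append((off, name))
    return sorted(hits)

def emulate(image: bytes, max_steps: int = 10_000) -> bytes:
    """Run the sample instruction by instruction inside a private buffer.
    Toy ISA (assumed): 10 k: r0=k | 11 a: r1=a | 12 n: r2=n | 20: buf[r1]^=r0, r1+=1, r2-=1
    | 30 k: r0=(r0+k)&0xFF | 40 a: jump to a if r2!=0 | FF: halt."""
    buf = bytearray(image)      # emulation buffer: nothing in it ever reaches the real CPU
    r0 = r1 = r2 = pc = 0
    for _ in range(max_steps):  # step budget so a looping sample cannot stall the scan
        op = buf[pc]
        if op == 0x10:   r0 = buf[pc + 1]; pc += 2
        elif op == 0x11: r1 = buf[pc + 1]; pc += 2
        elif op == 0x12: r2 = buf[pc + 1]; pc += 2
        elif op == 0x20: buf[r1] ^= r0; r1 += 1; r2 -= 1; pc += 1
        elif op == 0x30: r0 = (r0 + buf[pc + 1]) & 0xFF; pc += 2
        elif op == 0x40: pc = buf[pc + 1] if r2 else pc + 2
        elif op == 0xFF: break
        else: raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
    return bytes(buf)

def build_sample(body: bytes, key: int, delta: int) -> bytes:
    """Constructed polymorphic sample: 12-byte decryptor stub, then body XORed with a rolling key."""
    stub = bytes([0x10, key, 0x11, 12, 0x12, len(body), 0x20, 0x30, delta, 0x40, 6, 0xFF])
    return stub + bytes(b ^ ((key + i * delta) & 0xFF) for i, b in enumerate(body))

def detect(image: bytes) -> list:
    """Checksum search on the raw file; if nothing matches, emulate and search the result."""
    return scan_checksums(image) or scan_checksums(emulate(image))
```

Two samples built with different keys share no bytes in their encrypted bodies, so the raw scan finds nothing in either, while the emulated buffer yields the same body and the same hit.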

Heuristic analysis

The detection method used by the heuristic analyzer is based on knowledge (heuristics) about features (attributes) that are typical of virus code and, conversely, features that are extremely rare in viruses. Each attribute has a weight coefficient that determines its severity and reliability. The weight coefficient is positive if the corresponding attribute is indicative of malicious code and negative if the attribute is uncharacteristic of a computer threat. From the summed weight of a file, the heuristic analyzer calculates the probability that it is infected with an unknown virus. If the threshold is exceeded, the heuristic analyzer concludes that the analyzed object is probably infected with an unknown virus.

The heuristic analyzer also uses the FLY-CODE technology, a versatile algorithm for extracting (unpacking) files. It allows heuristic assumptions to be made about the presence of malicious objects in files compressed not only by packers Dr.Web is aware of, but also by new, previously unexplored programs. While checking packed objects, Dr.Web anti-virus solutions also use structural entropy analysis. This technology detects threats by the arrangement of pieces of code; thus, one database entry allows identification of a substantial portion of threats packed with the same polymorphic packer.

Like any system of hypothesis testing under uncertainty, the heuristic analyzer may commit type I or type II errors (miss viruses or raise false alarms). Thus, objects detected by the heuristic analyzer are treated as “suspicious”.
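The weighted-attribute scheme described above, as an added Python example that is not Dr.Web's code: the attribute names and weights, the threshold and the logistic probability map are assumed values, and the two sample executables are constructed descriptions rather than parsed files. The signed copy of the same packed layout stays below the threshold only because of the negative weights, which is how the analyzer keeps false alarms down on legitimate packed software.

```python
import math
from collections import Counter

# Constructed weight table (assumed values, not Dr.Web's): positive = typical of
# malicious code, negative = rarely seen in it.
WEIGHTS = {
    "entry_point_in_last_section": 3.0,
    "writable_executable_section": 2.5,
    "high_entropy_code_section": 2.0,
    "no_import_table": 1.5,
    "valid_trusted_signature": -4.5,
    "version_resource_present": -1.0,
}
THRESHOLD = 4.0   # summed weight above which the object is reported as suspicious

def shannon_entropy(data: bytes) -> float:
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def extract_attributes(sample: dict) -> set:
    """Derive the attributes from a constructed description of an executable."""
    attrs, sections = set(), sample["sections"]
    last = sections[-1]
    if last["start"] <= sample["entry_point"] < last["start"] + len(last["data"]):
        attrs.add("entry_point_in_last_section")
    for s in sections:
        if "W" in s["flags"] and "X" in s["flags"]:
            attrs.add("writable_executable_section")
        if "X" in s["flags"] and shannon_entropy(s["data"]) > 7.0:
            attrs.add("high_entropy_code_section")   # packed or encrypted code
    if not sample["imports"]:
        attrs.add("no_import_table")
    if sample["signed_by_trusted_ca"]:
        attrs.add("valid_trusted_signature")
    if sample["has_version_info"]:
        attrs.add("version_resource_present")
    return attrs

def analyze(sample: dict) -> dict:
    attrs = extract_attributes(sample)
    score = sum(WEIGHTS[a] for a in attrs)
    probability = 1 / (1 + math.exp(THRESHOLD - score))   # logistic map, an assumed choice
    return {"attributes": sorted(attrs), "score": score, "probability": round(probability, 3),
            "verdict": "suspicious" if score > THRESHOLD else "clean"}
# Constructed samples: the same packed layout, once unsigned and once signed with version info.
PACKED_UNSIGNED = {"entry_point": 0x3000, "imports": [], "signed_by_trusted_ca": False,
                   "has_version_info": False, "sections": [
                       {"start": 0x1000, "flags": "R", "data": b"\x00" * 64},
                       {"start": 0x3000, "flags": "RWX", "data": bytes(range(256))}]}
PACKED_SIGNED = dict(PACKED_UNSIGNED, signed_by_trusted_ca=True, has_version_info=True)
```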

Behavior Analysis

Behavior analysis methods analyze the sequence of actions of all processes in the system. When malicious behavior is detected, the actions of the offending program are blocked.

Dr.Web Process Heuristic

The Dr.Web Process Heuristic behavioral analysis technology protects systems against new dangerous malicious programs that can avoid detection by traditional signature-based and heuristic analyses.

Dr.Web Process Heuristic analyzes the behavior of each running program in real time. Using the information on malware behavior, it determines whether the program is dangerous and then takes the necessary measures to neutralize the threat. Objects detected using Dr.Web Process Heuristic are indicated with the DPH prefix added to their names.

This data protection technology helps minimize losses resulting from the actions of unknown malware while consuming very few of the protected system's resources.

Dr.Web Process Heuristic monitors any attempts to modify the system:

Detects malicious processes that modify users’ files (such as ransomware encryption attempts), including shared files and folders accessible over the network.

Prevents malware from injecting its code into the processes of other applications.

Protects critical system areas from being modified by malware.

Detects and shuts down the execution of malicious, suspicious or unreliable scripts and processes.

Prevents malware from modifying boot sectors so that malicious code cannot be executed on the computer.

Blocks changes to the Windows Registry to make sure that Safe Mode cannot be disabled.

Prevents malware from changing launch permissions.

Prevents new or unknown drivers from being downloaded without the user's consent.

Prevents malware and certain other applications, such as anti-antiviruses, from adding entries to the Windows Registry so that they can be launched automatically.

Locks registry sections containing information about virtual device drivers, ensuring that no new virtual devices are created.

Prevents malware from disrupting system routines such as scheduled backups.

Dr.Web Process Dumper

Dr.Web Process Dumper, a technology for comprehensive analysis of packed threats, significantly improves the detection of supposedly “new” malicious programs that had in fact been added to the Dr.Web virus database before they were concealed by new packers. In addition, this type of analysis eliminates the need to keep adding new entries to the virus database. With Dr.Web virus databases kept small, system requirements do not need to be constantly increased. Updates remain traditionally small, while the quality of detection and curing remains at the same high level. Objects detected using Dr.Web Process Dumper are indicated with the DPD prefix added to their names.

Dr.Web ShellGuard

Dr.Web ShellGuard protects your device against exploits. Exploits are malicious objects that take advantage of software vulnerabilities to gain control over a targeted application or the operating system. Objects detected using Dr.Web ShellGuard are indicated with the DPH:Trojan.Exploit prefix added to their names.

Dr.Web ShellGuard protects the most common applications installed on almost all computers running Windows:

popular web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, and others);

MS Office applications;

system applications;

applications that use Java, Flash and PDF;

media players.

Injection Protection

Injection is a method of introducing (injecting) malicious code into the processes running on a device. Dr.Web continuously monitors the behavior of all processes in the system and prevents any code injection attempt that it considers malicious. Objects detected using Injection Protection are indicated with the DPH:Trojan.Inject prefix added to their names.

Dr.Web checks the application that started the process against the following criteria:

Whether the application is new.

How it got into the system.

Where the application is located.

What its name is.

Whether the application is in the list of trusted applications.

Whether it has a valid digital signature from a trusted certification authority.

Dr.Web monitors the state of the running process: it checks whether remote threads are created in the process's address space and whether extraneous code is embedded in the active process.

The anti-virus program controls the changes that applications make and prohibits changes to system and privileged processes. Separately, Dr.Web ensures that malicious code cannot modify the memory of popular browsers, for example while you make purchases on the internet or transfers in online banking.

Ransomware Protection

Ransomware Protection is one of the Behavior Analysis methods; it protects users' files from the actions of encryption ransomware (cryptoware). Once on a user's computer, such malicious programs block access to the user's data and then demand money for decryption. Objects detected using Ransomware Protection are indicated with the DPH:Trojan.Encoder prefix added to their names.

The component analyzes the behavior of a suspicious process, paying particular attention to file searching, reading of files and attempts to modify them.

The following information about the application is also checked:

Whether the application is new.

How it got into the system.

Where the application is located.

What its name is.

Whether the application is trusted.

Whether it has a valid digital signature from a trusted certification authority.

The way files are modified is also checked. When malicious behavior is detected, the actions of this program are blocked and its attempts to modify files are prevented.
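The Injection Protection check (remote threads or foreign code in another process's address space) and the Ransomware Protection check (a process that searches, reads and then rewrites user files, judged together with what is known about the application) from the two sections above, as one added Python example that is not Dr.Web's code. The process table, event format, threshold and the trust exemption are assumptions; the DPH prefixes are the ones the page names, and the event trace is constructed.

```python
from collections import defaultdict

# Constructed process table (sample values): what is known about the application behind each pid.
PROCESSES = {
    200: {"name": "invoice.pdf.exe", "path": r"C:\Users\alice\Downloads\invoice.pdf.exe",
          "new": True, "trusted": False, "signed": False},
    300: {"name": "update.exe", "path": r"C:\Users\alice\AppData\Local\Temp\update.exe",
          "new": True, "trusted": False, "signed": False},
}
ENCODER_THRESHOLD = 3   # user files read and then rewritten before the process is stopped (assumed)

def is_user_file(path: str) -> bool:
    return path.lower().startswith(r"c:\users")

class BehaviorAnalyzer:
    def __init__(self):
        self.read = defaultdict(set)       # pid -> user files the process has read
        self.modified = defaultdict(set)   # pid -> user files it read and then rewrote or renamed
        self.blocked, self.verdicts = set(), {}

    def feed(self, ev: dict) -> str:
        """Consume one event in order; returns 'allowed' or 'blocked'."""
        pid, proc, op = ev["pid"], PROCESSES[ev["pid"]], ev["op"]
        def block(verdict):
            self.blocked.add(pid); self.verdicts[pid] = verdict; return "blocked"
        if pid in self.blocked:
            return "blocked"                # everything after a verdict is stopped
        if op in ("create_remote_thread", "write_process_memory") and ev["target"] != pid:
            # code placed into another process's address space: Injection Protection
            if not (proc["trusted"] and proc["signed"]):
                return block("DPH:Trojan.Inject")
        elif op == "file_read" and is_user_file(ev["path"]):
            self.read[pid].add(ev["path"])
        elif op in ("file_write", "file_rename") and ev["path"] in self.read[pid]:
            # read-then-overwrite of user files is the encryption pattern: Ransomware Protection
            self.modified[pid].add(ev["path"])
            if len(self.modified[pid]) >= ENCODER_THRESHOLD and not proc["trusted"]:
                return block("DPH:Trojan.Encoder")
        return "allowed"

def run(events: list) -> tuple:
    analyzer = BehaviorAnalyzer()
    return [analyzer.feed(e) for e in events], analyzer.verdicts

# Constructed trace: pid 200 reads and rewrites three documents, then tries a fourth; pid 300 injects.
DOCS = r"C:\Users\alice\Documents"
SAMPLE_EVENTS = [{"pid": 200, "op": op, "path": f"{DOCS}\\{name}"}
                 for name in ("a.docx", "b.xlsx", "c.jpg") for op in ("file_read", "file_write")]
SAMPLE_EVENTS += [{"pid": 200, "op": "file_read", "path": f"{DOCS}\\d.jpg"},
                  {"pid": 300, "op": "create_remote_thread", "target": 400}]
```

The third rewrite is the one that is prevented, and every later event from that process is refused without further analysis.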

Machine learning

Machine learning is used to detect and neutralize malicious objects that are missing from the virus databases. The advantage of the method is that malicious code is detected without being executed, judging only by its features.

Threat detection is based on classifying malicious objects according to specific features. Support vector machines (SVM) underlie the machine learning technologies used for classification and for adding code fragments written in scripting languages to the databases. Detected objects are then analyzed on the basis of whether they have features of malicious code. Machine learning technology makes the process of updating these features and the virus databases automatic.

The machine learning method saves significant operating system resources, since it does not require code execution to detect threats, and dynamic machine learning of the classifier can be carried out without constant updates of the virus databases used for signature analysis.
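Feature-based classification of script fragments without executing them, as an added Python example that is not Dr.Web's code: the feature set and the labelled training snippets are constructed, and a linear classifier trained with the perceptron rule stands in for the SVM named above (same decision function w·x + b, different training procedure).

```python
import math
import re
from collections import Counter

# Constructed feature set (assumed, not Dr.Web's): every feature is read from the
# script text alone, so the fragment is classified without ever being executed.
SUSPECT_CALLS = ("eval", "unescape", "fromCharCode", "ActiveXObject", "WScript.Shell")

def entropy(text: str) -> float:
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def features(script: str) -> list:
    literals = re.findall(r'"[^"]*"|\'[^\']*\'', script)
    return [
        sum(script.count(c) for c in SUSPECT_CALLS),                    # loader/obfuscation calls
        min(max((len(s) for s in literals), default=0) / 100.0, 5.0),   # longest string literal
        entropy(script) / 8.0,                                          # dense encoded content
        len(re.findall(r'\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}', script)) / 10.0,  # escaped bytes
    ]

def train(samples: list, epochs: int = 100) -> tuple:
    """Perceptron rule over (script, +1/-1) pairs; returns (w, b, converged)."""
    w, b = [0.0] * len(features(samples[0][0])), 0.0
    for _ in range(epochs):
        errors = 0
        for script, y in samples:
            x = features(script)
            if y * (sum(wi * xi for wi, xi in zip(w, x)) + b) <= 0:   # misclassified: move w
                w = [wi + y * xi for wi, xi in zip(w, x)]
                b += y
                errors += 1
        if errors == 0:
            return w, b, True
    return w, b, False

def classify(model: tuple, script: str) -> str:
    w, b, _ = model
    return "malicious" if sum(wi * xi for wi, xi in zip(w, features(script))) + b > 0 else "clean"

TRAINING = [  # constructed snippets labelled by hand, not real malware
    ('document.getElementById("out").innerText = "hello";', -1),
    ('for (var i = 0; i < items.length; i++) { total += items[i].price; }', -1),
    ('var s = "\\x65\\x76\\x61\\x6c"; eval(unescape("%75%6e%65%73"));', +1),
    ('eval(String.fromCharCode(118, 97, 114, 32, 120, 61, 49));', +1),
]
```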