Dr.Web ERA
Emergency Response Anti-virus

New features in Dr.Web 9.0 for Windows

New! 1. Dr.Web behaviour analyser: protection against latest actual threats
Dr.Web Process Heuristic

Actual modern threats
Encoder, Winlock, Inject and Exploit Trojans account for almost 90% of real threats.

Actualities of modern AV protection
Today virus writing is an industry serving well-established illicit business.
Hundreds of thousands of new malicious programs appear daily.
Virus analysts simply don't have time to process so many suspicious files.
It can take hours or even days for a new virus definition to get into the database. If the malware is complex, it may even take months.

There is always a risk of infection with an UNKNOWN virus

Anti-virus is not a panacea, but:
No modern software other than an anti-virus can cure a computer of malware that penetrated the system.

What does anti-virus protection mean today?
Prevent viruses from getting into the system?
Prevent viruses from launching in the compromised system?
Do not allow a virus to use its malicious payload?
Remove a detected virus?
Or completely clean (i.e. cure) the system of any malicious impact?
And what do you think a modern anti-virus should be able to do?

Dr.Web Anti-virus 9.0
Neutralization of known threats whose definitions are present in the virus databases
Neutralization of threats that are unknown to the virus database but can be detected by the heuristic analyser
New in version 9! Neutralization of unknown malware using the DPH-technology
Almost 100% protection

History
1992 — Igor Danilov created the world's first version of anti-virus behaviour analyser for MS DOS and OS/2.
1999 — Dr.Web developers announced SpIDer Netting for Windows 9.x — the first behaviour analyser for MS Windows.
2013 — DPH-technology. New Dr.Web behaviour analyser

Malware behaviour
Unique new viruses are few.
Most of them can be divided into groups (families) based on the characteristics they have in common with regard to their malignant manifestation in a system—data encryption, blocking access to Windows, etc.
Programs of the same family perform similar tasks, i.e., they follow a single behaviour pattern. This is their weakness.

DPH – protection against threats which are unknown to the Dr.Web virus database
Years of experience in analysing malware behaviour patterns laid the groundwork for this technology.
It analyses all new processes that exhibit malicious behaviour, unless an entry in the database enables the anti-virus to be completely certain that the process is malicious.

DPH – how it works
Once a program is launched, its behaviour is analysed.
The pattern is compared to those already known to Dr.Web to determine if the application is harmful.
Next, the comprehensive curing is carried out—the supposed malware is moved to quarantine and files protected by Dr.Web are restored to their original state.

Dr.Web Process Heuristic protects systems against new, highly prolific malicious programs that are capable of avoiding detection by traditional signature-based analysis and heuristic routines because they haven't yet been analysed in the anti-virus laboratory and, therefore, are unknown to Dr.Web at the moment of intrusion.

The DPH-technology of Dr.Web 9.0 enables the anti-virus to detect up to 90% of unknown brand-new malware.

New! 2. Protection from Data Loss

Threat: Trojan.Encoder
1. The first versions of the Trojan: 2007.
2. The ransom extorted by criminals for decryption varies from a few dozen to several thousand dollars.
3. Geography: Russia, the CIS countries, as well as more recently — the countries of Europe, North and South America.
4. The main trend in 2013 is to forward the encryption settings to the attackers' server, so that no data that could help in decryption remains on the infected machine.
5. Dr.Web virus database entries — about 300 modifications of Trojan cryptographers.

All is lost? Not with Dr.Web!
To be detected by DPH, an unknown threat must be running in the system. In the case of Trojan.Encoder, this means that some data (6-10 files) will have been encrypted by the Trojan.

New in version 9
User data protection
Files from directories defined by the user are regularly backed up and kept safe.

How it works
The user selects files to protect.
These files are copied into a single directory (the first snapshot includes all the data, while later ones only contain modified data).
All Dr.Web-protected files that have been encrypted by a Trojan.Encoder will be restored!

Data loss protection features
Directory list (Documents, libraries) — files that require protection.
Select the disc to store copies of protected files — backup location.
Backup frequency — how often snapshots of protected files will be taken.
Manual revision of data — at any time.

Preferences
IMPORTANT! The feature is disabled by default. To use it, you need to adjust the corresponding settings.

This data protection feature lets users of Dr.Web 9.0 for Windows restore damaged data* on their own, without contacting Doctor Web's technical support—all users need to do is to press the “Restore” button.
*in selected directories

The ability to create Dr.Web-protected copies with the possibility of their subsequent recovery is one of the comprehensive treatment measures used to cure unknown threats that have been detected by Dr.Web Process Heuristic.

New! 3. Comprehensive analysis of packed threats
The Dr.Web unique proprietary technology

Threat: known malware + new packer = "new" malware
A large number of supposedly "new" malicious programs are in fact well-known malware wrapped up with other packers.
Sometimes an anti-virus can't recognise malware wrapped up by another packer.
The same virus can be repacked several times per hour and unleashed into the wild.
Improved detection of known viruses
New technology: Significantly improved detection of supposedly "new" threats—the definitions are already present in the Dr.Web virus database but the malware is concealed by new packers.
No need to add new entries about threats over and over again.
Dr.Web virus databases are small = no need for a constant increase in system requirements
Small updates
Traditionally high quality of detection and curing

Improved! 4. Now even faster

Fast scanning
Improved performance on machines involved in processing large amounts of data, thanks to the revamped Dr.Web SpIDer Guard routines.
Faster scan with Dr.Web Cloud — the service's architecture has been redesigned to provide a significant boost of speed.

New! 5. Full scan of all traffic
New! Safe traffic — scanning on all ports is carried out on traffic transmitted via Dr.Web-supported protocols, including secure connections (if the user has enabled the option to scan SSL traffic).
New! Safe Internet Surfing — with secure search, Google, Yandex, Yahoo!, Bing and Rambler will only return links to content considered safe by the search engines and Dr.Web. Dangerous sites will be excluded from search results altogether!
New! Secure Communication — filtering traffic of instant messengers such as Mail.Ru Agent, ICQ, Jabber, QIP and Pidgin.
Links that lead to malware and phishing sites are removed from messages.
Scanning of transmitted files.
Transfer of potentially harmful files is blocked.

New! 6. With Dr.Web Parental Control, removable devices and computers can be protected against unauthorised use.

Threats that spread with flash drives and other removable devices—Trojans
Trojans are today’s most common threats.
Trojans cannot replicate themselves—that is, cannot spread on their own.
Users carry Trojans from computer to computer on USB flash drives and other removable devices—not only between home computers, but also from home computers to their working desk.
Removable devices are those that connect to a computer via USB.
New! Import/export white lists of trusted devices—transfer the list to another computer manually or transmit it to a remote machine via the anti-virus network.
New! Block any adjustments to the system time and time zone to prevent children from using the computer without their parents’ permission.
New! Block print jobs from being started to prevent confidential documents from being printed and to save printing paper.

New! 7. Protection of copyrighted content
Blocking access to sites involved in piracy
New! A separate database for sites that distribute unlicensed content.

New! 9. New databases of Dr.Web Firewall
A new approach to protection
Ultimately user-friendly

New Dr.Web Firewall
Previously: pre-defined database for applications and custom rules defined by the user.
To create a rule database, one had to respond to dialogues to create a rule for every application—something which proved to be rather annoying.
Now: the database of trusted applications. These are programs that incorporate a digital certificate. Applications that Dr.Web believes to be legitimate can connect to any address via any port.
Exception: if a program is not digitally signed, its signature is invalid, or there is no signature at all (e.g., those created by enthusiasts or open source programs), the user is prompted to create a rule.

Advantages of the new Dr.Web Firewall
The new Dr.Web Firewall database makes it much easier to create user rules.
Far less annoying!

Also in version 9: Easy upgrade from Dr.Web Antivirus to Dr.Web Security Space
Now there is no need to remove Dr.Web for Windows before installing Dr.Web Security Space — the necessary components will be added to the existing installation.

Easy installation
Upgrade to version 9
From version 8 — AUTOMATIC

Dr.Web 9.0 for Windows — real protection from real threats

Thanks for watching!
Doctor Web