To put it succinctly: Why signature-based security software is not enough
Normal security software recognizes Malware using Signatures, a type of digital fingerprint. What is problem with this? No fingerprint means no recognition. This means that the Malware must first be known to the manufacturer of the security software before it is possible to create a fingerprint allowing it to be recognized. The fingerprint database on your PC is then updated online on a daily basis. Only then can the Malware be recognized.
You are probably now thinking: "What about new Malware that manufacturer of the security software has never seen? They have no way of making a fingerprint of this...". Exactly!
This is where the behavior-based Malware defense of Mamutu comes into play. It does not use a fingerprint to recognize dangerous software but rather on the basis of the behavior of the software. This allows Mamutu to recognize new Malware long before the signature databases have been updated. These types of Malware attacks are known as Zero-Day attacks. In addition to this, behavior-based Malware recognition is the only efficient way of recognizing Malware that has been built for a single specific attack, e.g. for industrial espionage.
Mamutu - Protects against completely new pests in seconds!
The Mamutu Background Guard is clever. It recognizes and blocks all potentially dangerous programs before they can cause any damage. The new Malware Intrusion Detection System (Malware-IDS) is unique worldwide and immediately warns you when a program attempts to perform a potentially dangerous or suspicious operation.
Signature recognition or behavioral analysis - Which is better?
If you closely read the program description of Emsisoft Anti-Malware you will probably notice the term "Double real-time protection". Sounds good, sounds safe. However, what this really means and what technology lies behind this is not always clear to those who are not IT experts. This is reason enough for us to put aside all the marketing terms and bring some light to the topic.
The first computer viruses were detected in the wild in the middle of the 1980's. This topic first became really interesting through the increasing number of computers in private homes at the beginning of the 90's. A special mention should be made here of a pest called "Michelangelo" that became famous and feared in 1992 through many media reports.
An antidote to prevent the spreading of these relatively harmless viruses was naturally sought. The solution was to search an infected file for significant virus characteristics. These are patterns and regularities that only apply to the one specific virus. When you summarize this characteristic information you end up with a so-called Signature. This is metaphorically similar to a human fingerprint. A scanner examines the internal structure of all possible files on a computer and attempts to recognize potential pests based on their Signatures (fingerprint patterns).
These days, there are not only Viruses but also Worms, Trojans, Spyware and other types of nasty pests that are collectively known as Malware. This means a great deal of work for the manufacturers of hard drive scanners: A new Signature must be created for every new pest and even for every variant of an already known pest. With an estimated 3,000 new pests per day this is a time-consuming exercise.
This brings us to the basic problem with Signature-based Malware recognition - a pest that has been specially developed for a particular attack cannot be detected in principle. The security software manufacturers only receive a sample of the pest, and can create a Signature for their scanners, when a particular level of distribution has been reached. The flip-side of this is that the recognition is relatively reliable, benign software is rarely notified as being damaging.
These days, most pests come from Eastern Europe or Asia and are usually intended for targeted attacks on specific networks, or they are even commissioned online by Mafia-like organizations. Anti-virus laboratories rarely see this type of Malware and thus cannot provide Signatures for them.
Emsi Software already presumed many years ago that purely Signature-based protection of domestic computers would sooner or later become inadequate. To address this problem, a second protection feature was integrated into Emsisoft Anti-Malware: The Malware IDS (IDS = Intrusion Detection System) is able to recognize damaging behavior and thus belongs to the category of "Behavior Blockers". All active programs in the system are permanently monitored for this. As soon as a program exhibits potentially damaging behavior it is stopped and a notification is generated. This prevents further execution of a suspicious program at the wish of the user - completely without Signatures.
In addition to Behavior Blockers, another technology is becoming increasingly popular, the HIPS (Host-based Intrusion Prevention System) approach. These tools provide notification of attempts to manipulate many system interfaces such as autostarts, device drivers, services, the network, etc., but they do not provide exact information as to whether an action is actually damaging or not. You can imagine this as a type of personal Firewall that initially produces many (false) alarms until the software has been correctly trained. The user must decide whether simply a new driver is being installed or a malignant Trojan. In contrast to HIPS programs, the Malware IDS only provides notification of truly potentially damaging software and minimizes the number of false alarms. This is especially suitable for inexperienced users, whereas professionals can activate the "Paranoid" option in Emsisoft Anti-Malware and achieve functionality as similar to HIPS as they wish.
Both approaches, Signature-based scanners and Behavior-based Malware protection, have their strengths and weaknesses. Emsisoft Anti-Malware combines both technologies in a single product and thus offers extremely good protection with simple operation and almost no false alarms. However, if you already have a Signature-based scanner and wish to also have the functionality of a Behavior Blocker, then you should take a look at the new Mamutu 1.0. Mamutu provides you with a stand-alone version of Malware IDS without an built-in scanner.
Emsisoft is primarly known for our Anti-Malware products. Two years ago we started marketing and selling the German version of the Online Armor firewall from Tall Emu, who are based in Australia. Both the positive feedback from our customers and excellent cooperation with Tall Emu led us to proudly announce that Emsisoft has taken over the support and development of Online Armor, including aquiring all of its developers. Learn more...