Eset on the Radio

Subtitle

Why an Advanced Heuristic Engine is a Must to Block Today’s Malware Threats

Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
October 24 2009

Alan:  If you want to make sure that you’re protected against today’s malware threats, you must rely on advanced heuristics.  To discuss why this is absolutely necessary, our guest today is Randy Abrams, Director of Technical Education with ESET.  Welcome back to Let’s Talk Computers, Randy.

Randy:  Thanks, Alan.  It’s great to be back.

Alan:  Well, Randy, NOD32 Anti-Virus Protection has been on the market for years and years.  I remember using the first edition that you ever put out.  You came out with a concept called “Advanced Heuristics”.  At that time, most of the other security companies thought that it was unnecessary and that only by using their tried and true definition testing could they catch malware. 

But, now we are seeing other companies starting to use something called “Behavior Blocking”.  How is it different from the heuristics that you have been using in your NOD32 software for years?

Randy:  In some cases it is not at all different.  Technically speaking, all behavior blocking is a type of heuristics.  It really has to do with whether or not you are just randomly blocking behavior or whether or not you are trying to assess whether or not something is really bad and deciding based on that. 

There are some behavior blockers that just say, “I don’t care if this program is good, bad, or otherwise, if it tries to write to the registry, I’m not going to let it write to the registry.”  That’s just a kind of dumb behavior blocker.  I don’t mean it’s a dumb thing to do, but there’s an appropriate time and place for a lot of different technologies; but it’s not looking at things in a smart way; it’s just saying, “This is the action.  It doesn’t matter if it’s good or bad.”  If you block all writes to the registry it will stop a whole bunch of malware; but you also can’t install most software nowadays, either, that’s good. 

The way that ESET does it is that we do a type of behavior blocking in that if we determine that a program is malicious, then we are not going to let it run.  We block it from running, which is another type of behavior blocking. 

We will take a look and see what does it look like this program is going to do?  In many cases, we will actually see what it is going to do, because we will emulate it, we will let the program run in a secure environment that we create inside the scanning engine – and say, “aha - this is what that program is actually doing.”  We don’t want to let it run on the operating system because it will cause damage and then we just block it from running. 

For behavior blockers that just blindly block specific types of behaviors as a class, or we can use very smart technologies to determine, “Okay, this is doing something bad or this is going to do something bad if we let it run, so we are not going to let that specific program run.”

Alan:  Because if you just block anything that just writes to the registry or writes to system files, you’re going to have a lot of false positives.  False positives, in some cases are worse than what you’re trying to trap, aren’t they?

Randy:  In some cases they are, but the funny thing is with behavior blockers, they don’t call it false positives, because we told you we were going to block this behavior. They did not say that they were only going to block bad behavior.  So, it’s a little different from your standard false positives, but it generally becomes too onerous to keep using a traditional behavior blocker.

Alan:  You actually assign a weight to each of the items that are happening.  If it writes to the registry you give it a number; if it writes to the system file, you give it a number.  At some point you make the decision that this is really not what we are supposed to be doing; this program is a little out of bounds.  And then you say, “This could possibly be a virus.”

Randy:  And that’s the way that the heuristics works.  You observe behaviors or you observe potential behaviors and you will assign all of the risk factors – kind of like if you’re a security guard of a bank and someone comes in and they’ve got a mask on.  You know that’s very suspicious, except if it’s a six-year-old and it’s Halloween.  You know, the weight is a little bit different, there. 

We have to look at a variety of factors and we get them different ways and then we add it all up and if it crosses a threshold, we will say, “You know, this looks suspicious.” Or if it crosses a higher threshold, we will say, “This is really suspicious,” and we’ll block it from running.

Alan:  A lot of third-party companies have looked at how you do your heuristics and you have won a lot of awards for that.

Randy:  ESET is one of the real true pioneers in the field of heuristics.  It would not be fair to say that we are the only ones who have ever done it.  We have been unparalleled in terms of our success rate with the successful implementation of it.  Recently there have been some other companies that are making a lot of noise and I applaud them.  They understand that our approach has been right for a long time.  But, they are still struggling with the basics of how to do this without having false positives at a higher rate than a signature-based product does – and it’s tough.

Alan:  Oh, it is tough and as I say, you have the track record, which means you have the experience so you know where all the pitfalls are as far as doing this so you are way ahead of the game.

Randy:  You know, experience comes in really, really handy at times.  You have seen where all these different things are going to bite you and you have been there and you know when you are going out to try something that you have already done that before; whereas the new kid on the block has to learn what’s best for themselves the first time.  When I say, “learn this stuff for themselves,” often times it is because the customer encountered a false positive.

Alan:  It’s like learning how to do tricks on a bicycle.  Anybody can basically ride a bicycle, but standing up on the seat or trying to swap hands on the handlebars – it takes a lot of experience.  Well, you did this a long, long time ago.  Now you have success story after success story. 

As a matter of fact, some of the tests that are done are actually to go back in the past with some of the viruses that have been hitting now and seeing what your track record would be if you just did heuristics only. 

Randy:  We call that retrospective testing.  That’s the way that you actually properly test to see the quality of a product’s heuristics technology.  You check and see how does it fare against real-life threats?  Because if you just write a bunch of viruses and say, “We’ll test the heuristics this way,” if you were not actually testing against what was actually infecting users, then maybe you’re not doing things the same way that the real bad guys would be doing it. 

But, with retrospective testing, what you are doing is you’re saying, “Okay, I’m not going to update this scanner for a while and I’m going to collect all the real brand new threats and at the end of this arbitrary amount of time (it might be a week, it might be 3 months) I will scan, without updating the signatures.”  And then, anything that’s caught is just the heuristics, and the combination of speed, detection, and low, low false positive rates that ESET specifically turns in with this kind of testing are unparalleled. 

Alan:  And this is something that you have to have if you’re going to fight what they call, these “Zero Day Threats,” because you only get one shot at it.

Randy:  Correct.  Zero Day Threats are these brand new threats that no one has ever seen before.  That’s what heuristics is all about: we need to stop something that we’ve never seen before.  That’s where ESET has really come out shining, in the ability to detect these things at a far more accurate rate than any other product.

Alan:  Definitions still have their place.  You update definitions all the time.  How does a definition work, as opposed to, say, heuristics?

Randy:  Well, definitions, or signatures, are designed to identify one specific threat.  It might be the Storm Worm or it might be a trojan or rootkit, but it’s hard to identify one specific threat; whereas heuristics will identify an entire class of threats.  Heuristics won’t give you exact information; it won’t say this is exactly what this threat is – it will just say, “I know this one is bad and I’ll block it.”  We do use the definitions, as well.  They are a lot faster than heuristics. 

So, even after we identify something heuristically, we will often go back and write what most people call “signatures,” where it will more quickly detect it.  It helps us keep the performance of the scanning engine up to the level that our customers have come to expect. 

Alan:  I also have what they call “self-modifying threats,” and when you go to a website and especially a drive-by install, you may not get the same code every time that you go there.  You may go there two minutes later and be somewhat of the same virus or the same threat, but it will be slightly different.

Randy:  There are a variety of ways that they will do that.  The Storm Worm is an example.  The Storm Worm is automatically being repackaged every five minutes so that there is no way a signature-based product could keep up with the Storm Worm for five minutes, even. 

That’s one thing that the bad guys do.  Another thing the bad guys do to make it hard for their companies to get a lot of samples is to track the IP address, the address of the computer that hits the site.  Well, the same computer hits the site a second time and it might go to a place that has no malicious software at all.  They use every trick they can to try to keep us from detecting their software.

Alan:  And they are very sophisticated.  These are commercial establishments that are doing nothing more than putting out malware by the hundreds of thousands and they know that it’s got a big payback, doesn’t it?

Randy:  It certainly does.  Out of what we’re seeing now, the bad guys are making fake anti-virus software and tricking people into believing that they need this.  They put up a fake scan that looks like their computer is being scanned, but it’s not.  And where “We found all these viruses and you need to send us $40 to clean them out.”  And that’s where education is very important, because people need to know that if you didn’t approve a scan, if you didn’t say, “Yes, scan my computer,” it’s really not doing that.

Alan:  We hear this fake pop-up that says, “Such and such a pop-up has detected that you have been infected with a virus and if you want to remove this virus click here for yes and here for no.”  What people don’t realize is “yes” means I’m going to infect your machine and “no” means I’m going to infect your machine.  And in some cases, just clicking on the window someplace says, “Yep, I’m going to infect your machine, too.”

Randy:  Usually in most cases, the best thing to do is bring up Task Manager and kill the Internet Explorer process. 

Alan:  These people that are writing these viruses are getting very tricky; they are using your machine or just basically innocent machines – schools or churches to do their bidding.  They put what they call a bot on your computer and then you are the one that’s doing the attacking, and it makes it really hard for the authorities to trace them down.

Randy:  That is really a good point.  There’s a bot on a computer, which a bot is really just a remote-control program.  It allows an attacker to remotely control your computer.  When there is a bot on a computer, it’s really hard to know who actually owns it.  If you’ve got a bot on your computer, you can actually be attacking your own government or you can be attacking a foreign government, as well. 

Alan:  This is where you really have to have sophisticated anti-threat software.  Your NOD32 and ESET Smart Security look at every file that comes across our machine and look at it when it’s opened; when the file is closed; when the file is written to; when the file is read.  You look at everything, don’t you?

Randy:  We do.  Of course, that’s configurable too.  Some people might want it looking at it a little less to eke out a little more performance.  ESET NOD32 has long been one of the highly configurable products for the advanced user that wants to really get down underneath the hood. 

Alan:  If somebody would like to find more information about your award-winning NOD32 and your ESET Smart Security with a firewall, where would they go?

Randy:  They can come to www.eset.com

Alan:  Randy, we are out of time.  And I look forward to continuing this conversation when we will be talking about “The Major Role that Education Plays in Protection against Malware Threats” – next time.

Randy:  I look forward to being back once again, Alan.