Question of the week: What is the antivirus setting called DeepScreen?
DeepScreen is a new technology inside avast! Antivirus 2014. When you are about to run a suspicious program which is not yet known to the other core antivirus technologies, DeepScreen is invoked. Its task is to simply distinguish between good and bad software. Although it seems obvious and simple, it is not.
How DeepScreen uses The Force for good
This (magic) technology is served by two software components (the Jedi, if you will) which work hand-in-hand. One of them is well known from the past: The avast! Sandbox.
When a file is “DeepScreened,” it is actually run in the Sandbox, which is mainly responsible for keeping things isolated while watching for various high-level events and the behavior of the running program. For example, it monitors the system calls the program invokes and its overall behavior while it executes. This seems to be just enough to distinguish between the Dark Side and the Light Side of the Force, but unfortunately, it is not that simple.
Firstly, how can you tell good and bad behavior apart? There are plenty of legitimate software products that use “weird” techniques to protect themselves. On the other hand, there is a bunch of malware samples that look innocent and behave well.
Secondly, malware is used to hiding away from the vigilant eyes of the Sandbox. The most common and powerful technique is encryption. In fact, there are more ways of encrypting and packing these well-known bad guys and rendering them undetectable than there are distinct malware samples.
SafeMachine: The new Jedi Order
With the latest version of avast! Antivirus 2014, this technology is fully involved in fighting the bad guys. Whenever DeepScreen runs something in the Sandbox, it also performs binary instrumentation of the process.
AVAST antivirus developers strive for perfection in malware detection. Cybercriminals never rest in their schemes to take advantage, mostly economic, of ordinary users. We have always worked to improve the detection of newly discovered malware, and especially since version 8 of AVAST, by trying to identify it before our users are threatened.
The AutoSandbox technology allows suspect processes to run inside of the avast! Sandbox, which is a completely isolated environment from where nothing can leave, trapping an eventual infection and blocking further harm to the system.
The AutoSandbox monitors all file and Windows Registry operations that:
- attempt to hook into running processes
- make changes to system components
- exploit and hide network connections
- attempt to disable the antivirus protection or the Windows firewall, and so on.
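To make the behavioral side of this concrete, here is an added example (not Avast's code, and not the real Sandbox event format): a toy scorer that walks a constructed sandbox event trace and weights events in the categories listed above. The API names, registry and file targets, rule weights, threshold and both sample traces are assumptions constructed for illustration. It also shows the point made earlier about good and bad behavior being hard to tell apart: a legitimate installer that writes into System32 scores a few points but stays below the threshold, while the combination of process hooking, firewall tampering and service stopping crosses it.

```python
"""Toy behavioral scoring over sandbox event traces.

Added example, not Avast's code: the event shape, the rule table, the weights
and the two sample traces are all constructed here for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One monitored call: a hypothetical API name and its argument of interest."""
    api: str
    target: str


# Locations treated as "system components" (assumed prefixes, lower-cased).
SYSTEM_PREFIXES = (r"c:\windows\system32", r"hklm\system\currentcontrolset")


def _is_hook(e: Event) -> bool:
    """Injection-style calls aimed at another process."""
    return e.api in {"WriteProcessMemory", "CreateRemoteThread", "SetWindowsHookEx"}


def _is_system_change(e: Event) -> bool:
    """Writes or deletes under system directories / the services hive."""
    return e.api in {"WriteFile", "DeleteFile", "RegSetValue"} and \
        e.target.lower().startswith(SYSTEM_PREFIXES)


def _is_network(e: Event) -> bool:
    """Any outbound connection attempt (low weight on its own)."""
    return e.api in {"connect", "WSAConnect"}


def _is_protection_tamper(e: Event) -> bool:
    """Stopping the AV service or switching the firewall off via the registry."""
    t = e.target.lower()
    if e.api == "ControlService" and "avast" in t:
        return True
    return e.api == "RegSetValue" and "enablefirewall=0" in t


# Category -> (predicate, weight). Weights and threshold are assumptions.
RULES = {
    "process_hooking": (_is_hook, 3),
    "system_component_change": (_is_system_change, 2),
    "network_connection": (_is_network, 1),
    "protection_tamper": (_is_protection_tamper, 4),
}
THRESHOLD = 5


def score_trace(trace):
    """Return {category: accumulated weight} for every rule that fired."""
    hits = Counter()
    for e in trace:
        for category, (predicate, weight) in RULES.items():
            if predicate(e):
                hits[category] += weight
    return dict(hits)


def classify(trace):
    """Return (verdict, total_score, per_category_hits) for a trace."""
    hits = score_trace(trace)
    total = sum(hits.values())
    verdict = "suspicious" if total >= THRESHOLD else "benign"
    return verdict, total, hits


# Constructed trace of a legitimate installer: touches System32 and phones home.
INSTALLER_TRACE = [
    Event("CreateFile", r"C:\Program Files\Foo\foo.exe"),
    Event("WriteFile", r"C:\Windows\System32\foo.dll"),
    Event("RegSetValue", r"HKLM\SOFTWARE\Foo\Version=1.0"),
    Event("connect", "updates.example.com:443"),
]

# Constructed trace of a dropper: injects, kills the firewall and AV, connects out.
DROPPER_TRACE = [
    Event("CreateRemoteThread", "pid:1234 (explorer.exe)"),
    Event("RegSetValue", r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                         r"\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0"),
    Event("ControlService", "avast! Antivirus: SERVICE_CONTROL_STOP"),
    Event("connect", "203.0.113.7:6667"),
]

if __name__ == "__main__":
    for name, trace in (("installer", INSTALLER_TRACE), ("dropper", DROPPER_TRACE)):
        verdict, total, hits = classify(trace)
        print(f"{name}: {verdict} (score {total}) {hits}")
```

The firewall registry write is counted twice on purpose: once as a change to a system component and once as protection tampering, so an analyst reading the per-category breakdown sees both why the score rose and which rule did most of the work.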
The fundamental engine of this process is the generic virus signatures. They are like a virus's fingerprints, allowing it to be discovered. AVAST adds nearly 2,000 virus signatures each day to its virus definition updates. Generally, a single signature can identify multiple malware samples. A single sample can also be detected by several of the virus definitions in our database. Through our avast! CommunityIQ, almost 200 million users worldwide give us up-to-date information and we detect more than 50,000 new infections daily. The number of different malware samples analyzed daily by our Virus Lab reaches 40,000.
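The many-to-many relationship between signatures and samples described above is easy to see with a small matcher. The following is an added example, not Avast's engine or its signature format: it uses a constructed hex-pattern syntax with `??` wildcard bytes, three made-up signature names, and four constructed byte strings standing in for files. One generic code-sequence signature hits two different "samples", and one sample is caught by two signatures at once.

```python
"""Toy generic byte-signature matcher.

Added example, not Avast's engine: the pattern syntax, signature names and
sample byte strings below are constructed for illustration only.
"""
import re


def compile_signature(pattern: str) -> re.Pattern:
    """Turn a space-separated hex pattern ('??' = any byte) into a bytes regex."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")                       # wildcard byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed signatures. The first is a generic x86 sequence
# (push imm32; call rel32; add esp, 4) with the operands wildcarded, so it can
# match many unrelated binaries that share the idiom.
SIGNATURES = {
    "Gen.Loader.A": "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04",
    "Gen.Marker.B": "4B 49 4C 4C 53 57 49 54 43 48",          # ASCII "KILLSWITCH"
    "Family.X":     "DE AD BE EF ?? ?? CA FE",
}
COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

# Constructed stand-ins for scanned files.
SAMPLES = {
    "a": b"\x68\x10\x20\x30\x40\xE8\x01\x00\x00\x00\x83\xC4\x04" + b"KILLSWITCH",
    "b": b"\x68\xAA\xBB\xCC\xDD\xE8\x05\x00\x00\x00\x83\xC4\x04" + b"\x00" * 4,
    "c": b"\x00" * 8 + b"\xDE\xAD\xBE\xEF\x11\x22\xCA\xFE",
    "d": b"hello world",
}


def scan(data: bytes) -> list:
    """Return the sorted names of every signature found anywhere in data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_corpus(samples: dict) -> dict:
    """Map each sample name to the list of signatures that matched it."""
    return {name: scan(data) for name, data in samples.items()}


def coverage(samples: dict) -> dict:
    """Map each signature to how many samples it detected (its 'generality')."""
    counts = {name: 0 for name in SIGNATURES}
    for matched in scan_corpus(samples).values():
        for name in matched:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for sample, matched in scan_corpus(SAMPLES).items():
        print(f"sample {sample}: {matched or 'clean'}")
    print("signature coverage:", coverage(SAMPLES))
```

Sample `a` is flagged by both the generic loader sequence and the string marker, while `Gen.Loader.A` alone covers samples `a` and `b`; `d` matches nothing. Real engines add a great deal on top of this (offsets, section awareness, unpacking before matching), which is exactly why the Sandbox and binary instrumentation described earlier are needed against packed samples.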