Archive

Posts Tagged ‘architecture’

Antivirus Performance Tests

November 30th, 2011

AV-Test.org has just released the September & October test results of its Full Product Monthly tests. More information at http://www.av-test.org/en/tests/test-reports/. This is the second batch of test reports in which Panda participates with Panda Cloud Antivirus FREE Edition.

Of course we are happy to see that Panda Cloud Antivirus FREE Edition has achieved certification with some good scores. But I would like to focus this post on the performance part of the test, which is where Panda Cloud Antivirus FREE Edition has really shined. Of course an AV product needs to detect as much malware as possible with as few false positives as possible. But nowadays the top AV products are very closely aligned in both these respects. So what is it that makes the difference when choosing an AV? Many people will say it’s the performance and how it behaves on your individual system. Will it slow you down? Will it consume too much memory or CPU cycles? How will it impact your system? Many times a big performance hit will make the best of AVs, with the highest detection rates and lowest FPs, useless if it doesn’t allow the user to work with his or her PC.

There are some (not many) AV performance tests out there. Unfortunately most of them are sponsored by one vendor or another, which is not ideal: the vendor pays for the test and therefore chooses what the test should look at, which coincidentally will be the performance areas the sponsoring vendor is good at, instead of looking at the overall performance hit. The Passmark tests sponsored by Symantec are a good example of this. Eugene has a good criticism of this type of sponsored test (google it). Luckily the AV-Test performance review looks at the overall performance hit and this is where the architectural design of CloudAV really shows how it improves performance over traditional AV:

AV-Test.org September/October 2011 Full Product Test Reports available at http://www.av-test.org/en/tests/test-reports/

Panda Collective Intelligence Processes 200 Millionth File

November 10th, 2011

If you haven’t seen it already, Panda Cloud Antivirus cloud-scanning backend, Collective Intelligence, has reached its 200 millionth file analyzed in the last few hours.

Being one of the first cloud-scanning backends in the AV industry, Panda’s Collective Intelligence automatically processes over 250,000 new files every day. It is able to automatically analyze new files, determine whether they are malicious or not, create signatures for the malicious ones and respond to threats on users’ PCs in real time without requiring AV signature updates. In addition it is also able to create heuristic determinations for completely new and unknown malware which it has never seen before without actually having the file, as well as using prevalence to make determinations and prioritizations, making Panda’s Collective Intelligence the most advanced cloud-scanning technology in the market.

More information:
http://www.cloudantivirus.com/en/threat-information/
http://press.pandasecurity.com/usa/news/panda-security-processes-200-millionth-malware-file-via-the-cloud/

Panda Cloud Antivirus 1.3

October 27th, 2010

We are happy to announce that we just released Panda Cloud Antivirus version 1.3. This new version of Panda Cloud Antivirus has been made possible thanks to our large community of users and especially to our Support Forum Trusted Mods, who have helped a lot of users and gathered enough feedback to incorporate major improvements as well as many different bug fixes. All new features have been included in both the Free and Pro Edition.

If you have Panda Cloud Antivirus 1.1.0, 1.1.1 or 1.1.2, you will get the upgrade automatically and transparently over the course of the next few days (see below for details). If you don’t have Panda Cloud Antivirus installed yet you can download it from www.cloudantivirus.com.

The main new features and fixes included in Panda Cloud Antivirus 1.3 are the following:

  • Malicious Web & URL Filtering. This feature blocks websites that push malware, exploits and drive-by downloads. It is available both in Free and in Pro Editions and is installed by the toolbar. Unlike similar solutions, this web filtering works at a low level so it works under all browsers: Internet Explorer, Firefox, Chrome, Safari, etc. For those of you that didn’t install the toolbar but would like to install the Web & URL Filtering, you can download it from here and install it manually.
  • Unified Recycle Bin and Quarantine. Previously the Recycle Bin handled suspicious detections and the Quarantine handled deleted malware detections. This has been unified into a new Recycle Bin for ease of management. This is included in both Free and Pro Editions.
  • Automatic and transparent upgrades to new product versions. Previously only available in the Pro Edition, this is now available in the Free Edition as well. All users of Free Edition versions 1.1.0, 1.1.1 and 1.1.2 will automatically and transparently upgrade to the new 1.3. See notes below for the upgrade schedule.
  • No more nagging advertising. After listening to many of you we have decided to turn off the nagging advertising popups prompting to upgrade to Pro Edition. If you want to support Panda Cloud Antivirus and wish to get the Pro Edition, you can do so from here, but we won’t bug you anymore from the popups.
  • Hot updating of behavioural blocking rules. In order to increase protection on the fly against new vulnerabilities and attacks and to fix false positives, hot updating of behavioural blocking rules allows faster response time in both the Free and Pro Editions.
  • Immediate notifications of virus detections. Previously if Panda Cloud Antivirus encountered multiple viruses, it would delay its traybar notification and show them grouped. This behaviour has been changed so that the notifications are shown immediately.
  • Suspicious detection counter. Under the statistics window there are some new counters for the different types of heuristic and behavioural detections.
  • New versioning format. Unified versioning format in GUI and other parts of the program.
  • Many bugfixes as reported by users in our support forum:
    – Fixed issue with Windows 7 Start menu slow-down.
    – Fixed Panda traybar icon disappearing.
    – Fixed “you are not connected to the Internet” message when there is connection.
    – Fixed issue where Free Edition users could activate behavioural analysis.
    – Fixed slow-down and conflicts while playing Allods Online and AION.
    – Fixed cloud-response time configuration which defaults to 30 seconds.
    – Fixed constant accesses to the floppy disk drive.
    – Fixed BSOD issue after install.
    – Fixed bug while exporting an empty report to TXT/CSV.
    – Fixed Conficker detection.
    – Fixed BSOD while compressing malicious PDFs.
    – Fixed translation errors.

-

In case you still have some questions about Panda Cloud Antivirus 1.3, here are some frequently asked questions. If you don’t find an answer to your question please contact us at the support forum.

When will my Panda Cloud Antivirus upgrade itself?
The automatic and transparent upgrade to the new Panda Cloud Antivirus version 1.3 will happen progressively over the next week or two. Initially users of version 1.1.0 will be upgraded automatically and some days later users of 1.1.2. Finally users of version 1.1.1 will be upgraded automatically.

What if I don’t want to wait for the automatic upgrade?
Simply go to www.cloudantivirus.com, download the new 1.3 version and install it on top of your current one. As you run the installer, it will prompt you to uninstall your current version and, after a reboot, will install the new one. If you have any problems please contact us at the tech support forum.

My Panda Cloud Antivirus has been upgraded but I cannot see the Web & URL Filtering Toolbar
The Web & URL Filtering component is installed by the toolbar. If you don’t already have the toolbar installed (or you uninstalled it) then the automatic upgrade will not install the new toolbar (the automatic upgrade keeps the same config as you currently have). If that is the case, you can manually download and install the new Web & URL Filtering Toolbar from here.

I know I’ve installed the Web & URL Filtering Toolbar but want to “see” it in action
There is nothing visible in the toolbar like a button to “see” the Web & URL Filter. Simply make sure there is a process running on your computer called panda2_0dn.exe and you’re good to go. If you don’t see the panda2_0dn.exe process running, install the Panda Security Toolbar manually from here. You can test that the filter is working by trying to visit http://www.cloudantivirus.com/testurlfilter

How do I disable the Web & URL Filtering?
– Go to Control Panel, Add/Remove Programs and uninstall “Panda Security Toolbar URL Filtering”.
– If you only want to disable the filtering for a short time, simply kill the “panda2_0dn.exe” process.
– For those of you wanting to visit malicious pages and/or to manage potential false positives, very soon we will add an exclusion button in the blocked pages so that you can bypass the Web & URL filter.

I have an older Panda Cloud Antivirus, version 1.0.x. What should I do?
You can do one of two things:
– Wait for an automatic upgrade. We are developing an automatic upgrade for users of 1.0. It should be released in a few weeks.
– Manually upgrade to the new version 1.3. Simply download the new version from www.cloudantivirus.com and run it. It will prompt you to uninstall the previous version and, after a reboot, install the new one. If you have any problems please contact us at the tech support forum.

So what’s the difference between Free and Pro now?
You can see the feature-to-feature comparison in the following table. As you can see we have added many new things to the Free Edition to make Panda Cloud Antivirus the best free antivirus available anywhere!

Cloud Antivirus Free Blocks Adobe 0-day

June 10th, 2010

As you’ve probably heard by now there’s a very nasty 0-day vulnerability in Adobe (CVE-2010-1297) that’s being used to infect people using drive-by exploits from infected websites. Of course all AV vendors are currently struggling and in a hurry to release updated signatures to detect the different variations of malicious PDF files that are being released into the wild.

Thanks to the Behavioural Blocking engine, users of Panda Cloud Antivirus Free Edition do not need to worry about this or any other Adobe 0-day as these types of exploits are blocked generically and automatically.

In the following video by Sean-Paul from PandaLabs you can see how PCAV blocks these 0-day exploits generically.

Thanks Sean-Paul & David from PandaLabs for all your work with KRE.

Panda Cloud Antivirus 1.0.1

March 1st, 2010

Today we are releasing a new version of Panda Cloud Antivirus, version 1.0.1. This version is basically a cumulative-fix release which incorporates Hotfix-1, Hotfix-2 and some small additional improvements.

The most notable improvement is that we have gotten rid of the initial account registration which used to be mandatory for first-time installs. Panda Cloud Antivirus will not ask for account during install anymore. Only if you want to participate in the Cloud Antivirus Support Forums will you need to create an account.

I have Cloud Antivirus 1.0 already installed. Do I need to download & install this version?
Not really. This new version incorporates hotfixes which you probably already have installed anyway. To check if you have them installed, simply browse to “C:\Documents and Settings\All Users” (XP) and you should see a subdirectory called “HF_PCA_somenumber”.

I have the hotfixes installed but I still have some problems with Panda Cloud Antivirus. Should I install this version?
Yes you might want to give it a try. Below you can find some more detail of what this version fixes which is not included in the existing hotfixes. In order to install this version on top of the one you already have, first uninstall your current version, then reboot and finally download & install the new version from http://acs.pandasoftware.com/cloud/CloudAntivirus.exe.

What’s the changelog of this version 1.0.1?

  1. Preactivated version does not require account creation during install
  2. Fix for certain conditions of stuck quick & full scan
  3. Improved cloud-heuristic detection for unknown malware – From HF_2
  4. Improved prevalence algorithms for prioritization of new malware – From HF_2
  5. Fix of problems scanning certain files in system directories – From HF_1
  6. Fix for loss of connectivity after malware disinfection involving LSP – From HF_1
  7. Improved cloud-heuristic detection – From HF_1


New features of Panda Cloud Antivirus

November 13th, 2009

Which feature would you most like to see in the next version Panda Cloud Antivirus?

Take the poll and help us design the next versions of your new favourite antivirus:
http://www.cloudantivirus.com/forum/poll.jspa?pollID=50103


Known Issue with Beta2 Synchronous & Background Scan

July 21st, 2009

We have received some comments and reports from Beta2 users of version 0.08.82 about slowness of their PCs and lots of hard drive I/O activity from PSANHost.exe.

We are tracing this problem back to an interaction of the new synchronous OnAccess cloud-scan with the BackgroundScan. This interaction seems to be the source of the slowness of the system, although we are still investigating it. Basically this occurs under certain circumstances when both scans are consuming the same resource. We’re in the process of redesigning these two scan tasks so they are optimized in their use of critical system resources and avoid simultaneous accesses to common resources.

As a workaround you can disable the BackgroundScan altogether. Disabling this task does not compromise the security level of the PC, as the OnAccess scan guarantees the protection of the machine. If you apply this workaround simply make sure to run an OnDemand scan periodically to ensure there are no inactive and latent malicious files on the drive.

To disable the BackgroundScan simply create the following registry entry and reboot the PC:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Service Host]
"BackgroundDisabled"="-"

If you are not used to playing around with the registry, simply download the following ZIP file and execute the .REG file it contains:
http://blog.cloudantivirus.com/wp-content/uploads/2009/07/background_disabled.zip

As we continue investigating this problem, if you are affected by this problem and are able to send us debug information please get in touch with us. Thanks again to everybody for your help :)

Cloud Antivirus Beta2 Released

June 30th, 2009


Thanks to the millions who have downloaded and installed Panda Cloud Antivirus Beta1 (0.08.80) and sent feedback to help us improve the product before its final release. Today we’re releasing Panda Cloud Antivirus Beta2 (0.08.81).


INSTALLATION INSTRUCTIONS
1- Uninstall the Beta1 from Control Panel, Add/Remove Programs. Reboot.
2- Download the Beta2 from http://www.cloudantivirus.com.
3- Install the Beta2.


BETA2 IMPROVEMENTS
We focused Beta2 on fixing the most important detection & disinfection aspects per feedback from the community. The following is a list of items that are either new or fixed in Beta2. If you have any doubts about any of them feel free to post your question as a comment.

New – “Undo” Option for Recycle Bin
Some users complained about the effect of the automated deletion of known malware. In some cases where users want these samples to not be deleted and/or in the case of false positives, there was no option to recover these files. A new option has been added with Beta2 to the Recycle Bin so users can recover deleted detections for a period of 3 days (configurable by CI). During this time period file icons will be changed to show that the file is quarantined in the Recycle Bin. NOTE: this does not apply to “disinfected” files, only to “deleted” files.


New – Synchronous Real-Time Cloud-Scan
Under some circumstances files being executed (directly from an Internet download, from a read-only network share, etc.) were checked asynchronously against the cloud after the file was loaded into memory. This resulted in detection and disinfection actions being taken after infection. With Beta2 we changed this behaviour to block the execution until a response has been received from Collective Intelligence. In the event that it is malware, the file will be deleted prior to allowing it to execute.

New – Latency & Response Control of the Cloud-Scanner
We deployed 10 sensors throughout America, Europe and Asia and have detected that 98.41% of the Collective Intelligence queries are responded to within 3 seconds. However, in the remaining cases there is not a control mechanism and if the response is not timely (because of connectivity issues, latency, proxy delays, etc.) then the program would be allowed to execute prior to receiving the response from Collective Intelligence. With the new response control mechanism, programs executing which take longer than 6 seconds to receive an answer from Collective Intelligence are put “on hold” for a second timeout period of 30 seconds after which the program is unblocked and allowed to execute (although it will continue being scanned asynchronously).
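The two-stage response control described above, written out as an added example (not the product’s code): the execution is blocked for an initial timeout, then held for a second timeout, and finally unblocked with the scan continuing asynchronously. The timeouts default to the 6 and 30 seconds from the post but are parameters, and the cloud responder is a constructed stand-in so the three outcomes can be exercised with scaled-down delays.

```python
"""Two-stage response control for a cloud-scanned execution (added example)."""
import threading
import time
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALWARE = "malware"
    UNKNOWN = "unknown"   # no answer had arrived when the decision was made


@dataclass
class Decision:
    action: str        # "allow" or "delete-before-execute"
    phase: str         # "immediate", "on-hold" or "timed-out"
    verdict: Verdict
    async_scan: bool   # True when scanning continues after the program was let through


def _decide(verdict: Verdict, phase: str) -> Decision:
    # A malware verdict deletes the file before it is ever allowed to run.
    if verdict is Verdict.MALWARE:
        return Decision("delete-before-execute", phase, verdict, False)
    return Decision("allow", phase, verdict, False)


def gate_execution(cloud_query, initial_timeout=6.0, hold_timeout=30.0) -> Decision:
    """Block an execution until cloud_query() answers, within two timeout periods."""
    answered = threading.Event()
    outcome = {}

    def worker():
        outcome["verdict"] = cloud_query()
        answered.set()

    # The query keeps running in the background even if we stop waiting for it,
    # which is what "continue being scanned asynchronously" amounts to here.
    threading.Thread(target=worker, daemon=True).start()

    if answered.wait(initial_timeout):
        return _decide(outcome["verdict"], "immediate")
    # Stage two: the program stays "on hold" for the second timeout period.
    if answered.wait(hold_timeout):
        return _decide(outcome["verdict"], "on-hold")
    # Both timeouts expired: unblock, but the asynchronous scan continues.
    return Decision("allow", "timed-out", Verdict.UNKNOWN, True)


def simulated_cloud(verdict: Verdict, delay: float):
    """Constructed stand-in for Collective Intelligence answering after `delay` seconds."""
    def query():
        time.sleep(delay)
        return verdict
    return query


if __name__ == "__main__":
    # Scaled-down timeouts (0.1 s / 0.4 s instead of 6 s / 30 s) for a quick demo.
    for delay in (0.01, 0.2, 1.0):
        d = gate_execution(simulated_cloud(Verdict.MALWARE, delay), 0.1, 0.4)
        print(f"cloud delay {delay:>4}s -> {d.action} ({d.phase}, async={d.async_scan})")
```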

Fixed – Slow Scans
Right after installation Panda Cloud Antivirus launches a BackgroundScan of the entire PC to ensure it is clean. Some users reported that launching an On-Demand scan of the entire PC right after install slowed down the PC and/or caused the scan to take a long time. This bug was due to both the BackgroundScan and OnDemandScan running simultaneously. With Beta2 this is fixed by having the BackgroundScan automatically pause when it detects an OnDemandScan being launched. Once the OnDemandScan is finished, the BackgroundScan will resume where it left off.


Fixed – Recycle Bin Unblock Functionality
Under some circumstances and with certain types of malware, some users reported that unblocking a suspicious/potentially unwanted malware that was sent to the Recycle Bin, resulted in it being continuously detected over and over again. This has been fixed in Beta2.

Other Fixes

  • Correct integration with Windows Security Center.
  • Crash during full PC scan.
  • Disinfection bug under Vista needing a reboot.
  • Continuous “reboot needed” for disinfection bug.
  • PSANHost.exe service entered unstable state after cancelling a running scan.
  • “Code 1 Error” during full PC scan.
  • Grayware (PUP) found on network shares was not sent to Recycle Bin.
  • Grayware could be deleted from folders where the user did not have write access.
  • Various system crashes fixed.
  • Other fixes during detection, uninstallation, and scanning.

By the way, we’ll still release a Beta3 version prior to the final release of Version 1.0. For Beta3 we’re already working on new platforms (Windows7, 64bits), improved features, a new website, a Collective Intelligence real-time encyclopedia and some additional things. Expect the Beta3 to be released around September.

Author: Pedro Bustamante Categories: beta, release

Known Issues

April 30th, 2009

The following issues have been detected by our beta testers and should be taken into consideration.

Installation / Uninstallation Issues

• During an incomplete uninstall, after reboot, the uninstall process cannot be finished. SOLUTION: We’re creating an uninstaller, but in the meantime please send us the log that is shown in the warning message.
• Cannot install after an incomplete install. SOLUTION: We’re creating an uninstaller, but in the meantime please send us the log that is shown in the warning message.
• Error while re-installing as a file cache is in use. SOLUTION: click “Retry” and allow the installation process to finish. It will complete successfully in spite of the warning message.

Application Issues

• The report takes a long time to show over 10,000 detections. WORKAROUND: as the Panda Cloud Antivirus Log is saved in the Windows Event Viewer, delete the corresponding Event Viewer Log before launching an on-demand scan over many files to help improve the responsiveness of the report viewer.
• The Recycle Bin (quarantine) takes a long time to show when there are many items in it.
• In the Event Report the name of the detected malware is shown as “Not available”. This means that either Internet connectivity was lost during the synchronization with Collective Intelligence or the malware naming webservice is not responding correctly.


Detection & Disinfection Issues

• Boot scan not performing correctly.
• For infected PE files which are not file-infectors and which are downloaded via HTTP, the product prompts for reboot disinfection even though it’s not really necessary.
• For infected compressed or packed containers which hold multiple elements, where at least one is infected, the product prompts for reboot disinfection even though it’s not really necessary.
• In some cases after disinfecting a file-infector virus the product notifies as “not neutralized” even though it was disinfected correctly, and vice versa (in the case where the virus is in memory or the user does not have write access to the directory, respectively).
• Does not intercept nested Office file formats.
• When launching an on-demand scan over a very large number of malware samples the scan may be stuck at 99% of completion. SOLUTION: Disable BackgroundScan (will post details soon on how to do this).


As always we appreciate and welcome testing feedback so please keep them coming at beta@pandasecurity.com or in the form of comments on this blog.

Testing Panda Cloud Antivirus: Advanced Logging

April 30th, 2009


If you’ve read the introduction to Panda Cloud Antivirus and have come this far, you’re probably interested in “seeing” how this new approach to protection works, not just reading about it. We have enabled certain functionalities which you, as a tester, can use to “see” what Panda Cloud Antivirus is doing behind the scenes.


Turning Advanced Logging On/Off

One of the most important things to take into consideration while testing Panda Cloud Antivirus, especially against malware samples and its on-access scanner, is that the traditional on-access scanner has been replaced by 3 new types of interception techniques: OnAccess, OnPrefetch and OnBackground. As each of these operates at a different priority and risk situation, their final actions are not always immediately visible as you would expect from a traditional on-access scan. For example, if you copy a directory full of malware samples from one drive to another (or from one directory to another) you will not experience an immediate block of the system with detection and disinfection as the copy operation occurs, because in this scenario an OnPrefetch Scan would be scanning these files asynchronously, using idle CPU time.

In order to give visibility of what exactly is happening behind the scenes, we have created 2 registry entries which can be tweaked to turn advanced logging on and off. Simply download the registry files below and run them. Make sure the directory C:\Logs_CloudAV exists, or replace it with your choice of path in the REG file. We suggest you create a specific directory for it, as multiple log files will be created, one for every time the service is started. A reboot or service restart will be required for Panda Cloud Antivirus to start logging.


Understanding the Log

The log file is basically a CSV file with the following fields:

TimeStamp: Time stamp of the event
JobID: Internal engine ID of the event
Profile: ID of the configuration profile with which the event has been executed. Different types of events use different profiles in order to apply a specific configuration.
Date: Complete date and seconds of the event.
JobType: Type of job. Can be AnalysisRequest, AnalysisResult or ActionResult
TaskType: Type of scan that generated the event: OnDemand, OnBackground, OnPrefetch, OnAccess
File: Full path to the file in question
Result: Result of the task. In the case of an AnalysisResult event it will indicate the malware classification. In the case of an ActionResult it indicates the action taken.

In the following sections we’ll take a more in-depth look into some sample detections and how they can be interpreted by looking at the log file.


On-Demand Scan of a Folder

In this scenario we’ll launch an on-demand scan of a folder which has a combination of clean files and infected files. This example generates an OnDemand AnalysisRequest over all the elements inside the directory. An enumeration of said directory is performed and all objects found will be scanned with the OnDemand task. Cloud Antivirus will act upon those found to be malware (delete or disinfect).

A typical scenario while launching on-demand scans on a file or folder is the loss of Internet connectivity during the scan itself, or simply no connectivity whatsoever. As Panda Cloud Antivirus bases most of its detection technology on the cloud, the log entries show how each file scan throws an error back, indicating loss of connectivity. Most detections while running an on-demand scan without Internet connectivity will be due to the local cache copy of Collective Intelligence and the heuristics included in the agent.


On-Demand Scan of a Suspicious File

In this scenario we’ll launch an on-demand scan on a specific file. We’ll right-click the file suspect.dat which is classified as suspicious. In case of receiving a positive AnalysisResult the engine will throw an Action on the file.


Execution of a Malware PE File

In this test scenario we’ll execute a malicious PE file (files with extension EXE, COM, etc.). In this example we’ll double-click on the file EICAR.EXE, which is considered malware and whose detection does not require connectivity to the cloud. As the execution of a file is an action which puts the security of the machine in danger, as soon as it is intercepted it is blocked and an OnAccess AnalysisRequest is launched. Depending on the result of the analysis, access to the file is allowed or denied and a subsequent task is generated to neutralize the file.

In the next example we’ll repeat a similar scenario, but one where the detection of this particular malware file (MyFormatter.exe) is delivered from the cloud. In the following example we can see the reaction of the product to the execution of MyFormatter.exe.


Copy of a PE File

In this scenario we’ll copy a malicious PE file Eicar.exe to EicarCopy.exe. As a copy operation is not an imminent high risk to the PC, the copy operation is permitted while an OnPrefetch AnalysisRequest is launched, anticipating its possible execution later on. If it is detected as malware, an Action will be requested on the file.

It is worth noting an error that may show up in the log as a JobType “Cloud Error”, which means that the communication between the Panda Cloud Antivirus agent and the server has failed; in this particular example it happened during the OnPrefetch scan of the PE file GoogleDesktopResources_es.dll, as the network connection was disabled on this machine.


Opening of a Non-PE File

This scenario consists of opening a non-PE file, in our case a Word document (mydoc.doc) which is not malicious. Opening a file, like executing a PE file, is considered a high risk action for the computer. Therefore the action is intercepted and blocked while an OnAccess AnalysisRequest is launched on the file.


Copy of a Non-PE File

In this example we’ll copy a malicious non-PE file Achtung.doc to AchtungCopy.doc. As a copy operation is not an imminent high risk to the PC, the copy operation is permitted and the default action is to launch an OnPrefetch AnalysisRequest on the resulting file. However, in this case an OnAccess AnalysisRequest is launched on the original file as well, as the Operating System needs to open a non-PE file in order to copy it to a new file. As we’ve seen before, the opening operation is considered a high risk operation and therefore an OnAccess AnalysisRequest is also launched on the file Achtung.doc. As it is detected as malicious, the copy operation is blocked.
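An added example (not part of the original post or the product) that parses the advanced log using the fields listed under “Understanding the Log” and audits the job chains from the scenarios above: it groups events by JobID, counts requests per interception type, lists “Cloud Error” jobs and flags positive AnalysisResults with no ActionResult. The sample lines, the result strings (including “Clean” for a non-detection) and the file paths are constructed, since the screenshots of the real logs are not on the page.

```python
"""Parser and audit for the Panda Cloud Antivirus advanced-logging CSV (added example)."""
import csv
import io
from collections import defaultdict

FIELDS = ["TimeStamp", "JobID", "Profile", "Date", "JobType", "TaskType", "File", "Result"]

# Constructed sample log (not a real capture): an OnAccess execution block of
# EICAR.EXE, an OnPrefetch copy hitting a cloud error, a clean document open,
# and a prefetch detection whose action never shows up.
SAMPLE_LOG = r"""TimeStamp,JobID,Profile,Date,JobType,TaskType,File,Result
1001,17,3,2009-04-30 10:12:01,AnalysisRequest,OnAccess,C:\Samples\EICAR.EXE,
1002,17,3,2009-04-30 10:12:01,AnalysisResult,OnAccess,C:\Samples\EICAR.EXE,EICAR-Test-File
1003,17,3,2009-04-30 10:12:02,ActionResult,OnAccess,C:\Samples\EICAR.EXE,Deleted
1004,18,5,2009-04-30 10:13:40,AnalysisRequest,OnPrefetch,C:\Samples\EicarCopy.exe,
1005,18,5,2009-04-30 10:13:41,Cloud Error,OnPrefetch,C:\Samples\EicarCopy.exe,No connectivity
1006,19,2,2009-04-30 10:15:02,AnalysisRequest,OnAccess,C:\Docs\mydoc.doc,
1007,19,2,2009-04-30 10:15:03,AnalysisResult,OnAccess,C:\Docs\mydoc.doc,Clean
1008,20,5,2009-04-30 10:16:10,AnalysisRequest,OnPrefetch,C:\Docs\AchtungCopy.doc,
1009,20,5,2009-04-30 10:16:11,AnalysisResult,OnPrefetch,C:\Docs\AchtungCopy.doc,Trj/Generic
"""

# Assumption: how a non-detection is reported in the Result column.
NEGATIVE_RESULTS = {"", "Clean"}


def parse_log(text: str) -> list:
    """Return the log as a list of dicts keyed by the documented field names."""
    rows = list(csv.DictReader(io.StringIO(text)))
    missing = [f for f in FIELDS if rows and f not in rows[0]]
    if missing:
        raise ValueError(f"log is missing fields: {missing}")
    return rows


def group_jobs(rows: list) -> dict:
    """Group events by JobID, preserving order, so each job's chain can be followed."""
    jobs = defaultdict(list)
    for row in rows:
        jobs[row["JobID"]].append(row)
    return dict(jobs)


def audit(rows: list) -> dict:
    """Summarise the log the way a tester reading the scenarios above would."""
    report = {"by_task": defaultdict(int), "cloud_errors": [],
              "detections": [], "unactioned": []}
    for row in rows:
        if row["JobType"] == "AnalysisRequest":
            report["by_task"][row["TaskType"]] += 1
    for job_id, events in group_jobs(rows).items():
        types = {e["JobType"] for e in events}
        path = events[0]["File"]
        if "Cloud Error" in types:
            report["cloud_errors"].append((job_id, path))
        results = [e for e in events if e["JobType"] == "AnalysisResult"]
        positive = [e for e in results if e["Result"] not in NEGATIVE_RESULTS]
        if positive:
            report["detections"].append((job_id, path, positive[-1]["Result"]))
            # A positive AnalysisResult should be followed by an ActionResult.
            if "ActionResult" not in types:
                report["unactioned"].append((job_id, path))
    report["by_task"] = dict(report["by_task"])
    return report


if __name__ == "__main__":
    r = audit(parse_log(SAMPLE_LOG))
    print("requests per task type:", r["by_task"])
    print("cloud errors:", r["cloud_errors"])
    print("detections:", r["detections"])
    print("detections with no ActionResult:", r["unactioned"])
```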


Author: Pedro Bustamante Categories: architecture