The functionality of the Proactive Defense component is based on controlling and analyzing the behavior of all applications installed on the computer. The 2012 version of the Kaspersky Lab product decides whether an application is dangerous or not on the basis of the actions it performs. In this way, the computer remains protected not only from known viruses, but also from new, as yet uninvestigated viruses.
The following activity by software may refer to dangerous or malicious behavior:
Activity characteristic of Trojan applications.
Accessing system resources (such as the system registry).
The application copying itself to network resources, to the Auto Start directory, or to the system registry with a subsequent link to its copies.
Interception of data entered through the keyboard.
Hidden installation of drivers.
Changes to the operating system kernel.
Creation of hidden objects and processes with negative process ID values (PID).
Changes to the HOSTS file.
Injection into other processes.
Sending DNS requests.
All of the above-mentioned types of activity are controlled and analyzed by the product through the use of a statistical set of heuristics (models of suspicious application activities). To improve the response time to new threats, support for updatable heuristics is included as a special functionality in Kaspersky Internet Security 2012, in addition to the statistical set of heuristics.
Updatable heuristics are a regularly updated set of patterns (signatures) of dangerous behavior by applications. Upon detection of a new virus or of a new modification to already known malware, this technology does not update the whole Proactive Defense module, but rather adds a new signature to the heuristics database, updating it together with the product's antivirus databases.
In addition to the ability to make regular updates, the heuristics database also supports trial behavior patterns. If Proactive Defense detects application behavior that is considered suspicious according to one of these patterns, a special report is sent to Kaspersky Lab via Kaspersky Security Network (KSN). Reports are sent only if the user has agreed to participate in KSN. This feedback is used to minimize the likelihood of false positives in future updates.
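To make the behavior patterns listed above and the updatable-heuristics idea concrete, here is an added illustration (not Kaspersky code, and not its real heuristics, weights or thresholds): a small scorer that groups a constructed activity trace by process, matches it against a data-driven pattern database modelled on those behaviors, and lets a new pattern be appended the way a heuristics update would, without touching the scoring engine.

```python
"""Constructed, simplified model of behavior heuristics: sample events, pattern
names, weights and threshold are all hypothetical, not Kaspersky's engine or data."""
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (process, action, target)

# Constructed sample trace of process activity (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    ("updater.exe", "file_write", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    ("updater.exe", "reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    ("updater.exe", "file_copy", "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe"),
    ("updater.exe", "write_process_memory", "explorer.exe"),
    ("notepad.exe", "file_write", "C:\\Users\\u\\notes.txt"),
    ("notepad.exe", "dns_query", "example.com"),
]

# Heuristics database: (name, weight, action, lowercase substring the target must contain;
# "" matches any target). Each entry models one behavior from the list above.
HEURISTICS: List[Tuple[str, int, str, str]] = [
    ("hosts_file_change", 40, "file_write", "\\drivers\\etc\\hosts"),
    ("autostart_registry", 30, "reg_set", "\\currentversion\\run\\"),
    ("autostart_folder_copy", 30, "file_copy", "\\startup\\"),
    ("process_injection", 50, "write_process_memory", ""),
    ("hidden_driver_install", 35, "service_create", "kernel_driver"),
    ("dns_request", 5, "dns_query", ""),
]

def add_heuristic(name: str, weight: int, action: str, target_substring: str) -> None:
    """Updatable heuristics: a new pattern is appended to the database, leaving
    the scoring engine unchanged, the way a signature update is delivered."""
    HEURISTICS.append((name, weight, action, target_substring.lower()))

def score_processes(events: List[Event], threshold: int = 60) -> Dict[str, Tuple[int, List[str], str]]:
    """Group events by process, match each heuristic at most once per process,
    sum the weights and return {process: (score, matched_heuristics, verdict)}."""
    by_proc: Dict[str, List[Event]] = {}
    for ev in events:
        by_proc.setdefault(ev[0], []).append(ev)
    verdicts: Dict[str, Tuple[int, List[str], str]] = {}
    for proc, evs in by_proc.items():
        hits = [name for name, _, action, sub in HEURISTICS
                if any(a == action and sub in t.lower() for _, a, t in evs)]
        score = sum(w for name, w, _, _ in HEURISTICS if name in hits)
        verdicts[proc] = (score, hits, "dangerous" if score >= threshold else "allowed")
    return verdicts

if __name__ == "__main__":
    for proc, (score, hits, verdict) in score_processes(SAMPLE_EVENTS).items():
        print(f"{proc}: {verdict} (score {score}, matched {hits})")
```

Matching several weak signals only pushes a process over the threshold in combination, which is why a lone DNS request scores low while persistence plus injection does not.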
In the 2012 version of Kaspersky Lab products, the reputation services include the Astraea expert system. The purpose of the Astraea expert system is to analyze statistical information about applications and URLs, on the basis of which a verdict is reached regarding any hypothetical danger.
Reputation services are online services containing information about:
Kaspersky Lab’s specialists add information to these services before it becomes available in the form of updates to signature databases. This makes for much faster response times when new threats appear.
If the reputation services have no information about an application, the approximate threat level is calculated. You can then modify the rating that is assigned, thereby affecting the level of rights granted to the application for its operations within the system. In addition, information about modified threat levels is sent via Kaspersky Security Network (KSN).