Applies to: Kaspersky Internet Security 2010
Kaspersky Anti-Virus 2010
With the rapid development of information technology and the continued spread of the Internet, the number of threats that computer users face grows proportionally. The earlier mechanisms for updating the databases of malicious objects cannot prevent such threats in time, which is why new methods of providing security are needed. One such method is Kaspersky Security Network (KSN), whose aim is to reduce the time needed to detect and block new types of threats. The system collects information about files run on the user's computer and in this way traces the presence of malicious objects and their distribution channels.
In the 2010 product version (unlike version 2009), you can send unknown files or parts of them to Kaspersky Lab servers within the framework of Kaspersky Security Network (KSN). This makes it possible to block malicious objects from the moment Kaspersky Lab experts detect them.
The technology was introduced in response to cases such as the following, which were received from users of version 2009 and processed statistically:
- Growth of a file's popularity within a short period of time. Popularity growth is typical of common, frequently updated applications (browsers, IM clients such as ICQ and Skype, etc.). Because such an application is popular, a large number of requests about its activity status (up to 1 million and more) reach Kaspersky Lab from users' computers within a short period (3-5 days). Based on this information, a verdict is made on whether the file is dangerous or not. Since such files do not normally have a digital signature, Kaspersky Anti-Virus 2010/Kaspersky Internet Security 2010 automatically places them into a restricted group, which inconveniences users. The ability of Kaspersky Lab experts to obtain and analyze such files at an early stage of their spread makes it possible to add them to the lists of trusted applications in time. As a result, the corresponding components of the 2010 products will be able to identify such applications more precisely without causing any difficulties for the user.
- Virus containers. This situation is typical of unknown files that contain known viruses. Statistics received from users showed the following behavior scenario: first an unknown application is launched, then within a short period of time several known applications are run that are detected as viruses. As a result, Kaspersky Lab 2010 products gained the ability to detect an unknown file at its first detected attempts to run, which allows the virus to be added to the databases without false alarms.
- Activity analysis. Several technologies that detect and analyze launched applications (malicious activity, parts of malicious code, etc.) have been added to Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010. Transferring files from users' computers will increase the precision of the analysis and allow malicious objects to be added to the corresponding databases in time.
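The "virus containers" scenario above can be expressed as a correlation over launch telemetry. The following is an added illustration, not Kaspersky Lab code: the event format, the 5-minute window, the threshold of two detections and the requirement that two hosts agree are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed meaning of "a short period of time"
MIN_DETECTIONS = 2              # assumed meaning of "several known applications"

# Constructed telemetry: (host, launch time, file id, current verdict)
EVENTS = [
    ("host-a", "2010-01-05T10:00:00", "unk-1", "unknown"),
    ("host-a", "2010-01-05T10:00:40", "mal-1", "malicious"),
    ("host-a", "2010-01-05T10:01:10", "mal-2", "malicious"),
    ("host-b", "2010-01-05T11:00:00", "unk-1", "unknown"),
    ("host-b", "2010-01-05T11:02:00", "mal-1", "malicious"),
    ("host-b", "2010-01-05T11:03:00", "mal-3", "malicious"),
    ("host-c", "2010-01-05T12:00:00", "unk-2", "unknown"),
    ("host-c", "2010-01-05T12:30:00", "mal-1", "malicious"),  # too late to correlate
    ("host-d", "2010-01-05T13:00:00", "unk-2", "unknown"),
    ("host-d", "2010-01-05T13:01:00", "good-1", "trusted"),
]

def suspected_containers(events, window=WINDOW,
                         min_detections=MIN_DETECTIONS, min_hosts=2):
    """Map each unknown file to the hosts where its launch was followed,
    within `window`, by at least `min_detections` distinct known-malicious
    files. Files seen on fewer than `min_hosts` hosts are dropped, so a
    single coincidence does not produce a false alarm."""
    per_host = defaultdict(list)
    for host, ts, file_id, verdict in events:
        per_host[host].append((datetime.fromisoformat(ts), file_id, verdict))

    hits = defaultdict(set)
    for host, rows in per_host.items():
        rows.sort()  # chronological order per host
        for i, (t0, file_id, verdict) in enumerate(rows):
            if verdict != "unknown":
                continue
            followers = {f for t, f, v in rows[i + 1:]
                         if v == "malicious" and t - t0 <= window}
            if len(followers) >= min_detections:
                hits[file_id].add(host)
    return {f: sorted(h) for f, h in hits.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    print(suspected_containers(EVENTS))
```
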
How the technology works once a new version of a popular application is released:
When a new version is released, users download and install the program's distribution package. From the computers of the first users that have a 2010 product version installed and KSN enabled (i.e. active), statistics on the application's activity are sent to Kaspersky Lab servers. Based on the received information, the file is assigned a verdict: dangerous or not dangerous. When other users run the same distribution package on their computers, the Kaspersky Lab 2010 product gets the verdict (dangerous or not dangerous) from Kaspersky Lab servers and sends the program file, either entirely or partially, to Kaspersky Lab. Once the file is received, analysts decide which databases the file should be added to.