This section describes detection technologies that are implemented in Kaspersky Scan Engine.
Signature analysis
This detection method is based on searching for a predefined string in scanned files. Signature analysis also includes detection based on the hash of the entire malicious file. Traditional signatures allow for the detection of specific objects with high precision. Other signature-based technologies, such as structure heuristics signatures and SmartHash, can detect unknown and polymorphic malware.
Signature analysis can detect specific attacks with high precision and few false positives. However, this detection method is ineffective against polymorphic malware and different versions of the same malware. Effective signature analysis also requires frequent signature updates.
The frequently updated and comprehensive anti-virus database of Kaspersky Scan Engine ensures the highest level of protection from known malware, trojans, worms, rootkits, spyware, and adware.
Advanced heuristics
When scanning a script or an executable file, Kaspersky Anti-Virus Engine emulates its execution in a secure artificial environment. If a suspicious activity is discovered during analysis of the behavior of the emulated object, it is considered malicious. This method helps detect new and unknown malware.
The emulator component of Kaspersky Scan Engine emulates a functional execution environment for the object, including functions and different subsystems of the target operation system. No real functions or subsystems are used during emulation.
Machine learning technologies
SmartHash is a Kaspersky patented algorithm for building intelligent, locality-sensitive hashes. Locality-sensitive hashes are static file features that can be extracted and quantized. SmartHashes can be calculated for each file and different files can have the same SmartHash when they are functionally similar. Because of this, a single SmartHash allows for the identification of clusters of similar files and the effective detection of unknown malware from known malware families.The SmartHash technology utilizes several precision levels, a feature that allows for the detection of even highly polymorphic malware. Simultaneously, with a very high level of confidence, it minimizes the risk of false positive detection.
SmartHash benefits:
SmartHash online also helps to minimize false positive detections. SmartHash calculated on the client side can be compared against billions of known good files in the Kaspersky database through global Kaspersky Security Network.
Kaspersky uses machine learning to boost the detection rate of existing scanning technologies. It deploys machine learning for automated analysis of internal sandbox execution logs. Both known malicious files and unknown files are executed in internal behavioral sandbox systems. Some of these sandboxes mimic user systems running standard products. The most powerful sandboxes make use of granular logging capabilities, allowing for extremely fine-tuned detection.
Robots process the sandbox logs line by line. The execution logs of new malicious samples’ are studied by using Machine Learning, to find new detection indicators. These new indicators enrich mathematical models of non-signature-based detection methods as well as heuristic behavioral records created by Kaspersky experts.
Processing of Compressed Executables And Archives
Kaspersky Scan Engine includes technology that allows for detection of viruses and other objects inside compressed executables and archives. With this technology, infected archives and compressed executables can be safely disinfected or deleted.
Kaspersky Scan Engine supports approximately 4000 different formats of compressed executables and archives.
Disinfection of Archives
This technology is designed to disinfect archived files. With this technology, infected objects inside archives are successfully disinfected or deleted, depending on user-defined settings. You do not have to use any other archiving utilities.
Kaspersky Anti-Virus Engine is currently capable of removing viruses from ARJ, CAB, RAR, and ZIP archives.
Kaspersky Security Network
Kaspersky Security Network (KSN) is an infrastructure of cloud services that provides access to the online Knowledge Base of Kaspersky which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses to threats, improves the performance of some protection components, and reduces the likelihood of false positives.
KSN can block new malware seconds after it appears, by using automatic rules that are generated from data provided by Kaspersky users.
Kaspersky hosts KSN servers in data centers all around the world providing minimal latency for cloud checks. KSN database contains terabytes of information that is constantly updated by security analysts and automatic methods.
When using KSN, you provide Kaspersky with information about the installed copy of Kaspersky Scan Engine and detected objects. This information does not contain any personal or confidential information of the user. The information obtained is protected by Kaspersky in accordance with statutory requirements. For the full list of information that is transferred to Kaspersky when using KSN, see section "Data transferred to Kaspersky during File and URL Reputation Checking".
Kaspersky Scan Engine is compliant with the General Data Protection Regulation (GDPR).
To learn about use cases for working with KSN, see section "File and URL Reputation Checking in KSN".
Malicious and phishing URL detection
Kaspersky Scan Engine includes an offline database of malicious and phishing URLs. In addition, you can check the reputation of the scanned URLs in Kaspersky Security Network.
Page top