Avira's New Anti-Malware Fleet

Apr 14, 2010 14:42 GMT  ·  By
Exclusive Softpedia interview with Helmut Büsker, Avira GmbH product manager

Less than a month ago, Avira released to the market an updated line of security products. The free version is, naturally, the centerpiece of Avira's protection fleet, and it is also the focus of this exclusive interview with Helmut Büsker, Product Manager at Avira GmbH.

The program brings new features and technologies to users of the free edition, designed to increase the detection rate while putting as little strain as possible on system resources. Behavior-based detection has been added as yet another layer of defense against malware, as well as generic repair of your system in case of disaster. Although neither of these is included in the free edition of Avira AntiVir, the product has been brought to higher standards of usability and detection.

Softpedia: Version 10 of Avira AntiVir comes with a feature you call “generic repair.” This is supposed to repair the damage done to the system by a malware infection when no specific repair routine is available for that threat. Can you elaborate on how this actually works?

Helmut Büsker: Avira AntiVir's version 10, released in March 2010, comes with a brand-new feature called "generic repair." Generic repair complements the script-based repair that has been part of the Avira Windows desktop products for a long time. Whereas the script-based repair is able to remove and fix damage done by well-known malware, generic repair can remove and fix damage done by new malware. This is extremely important since new malware has been exploding over the last few years and script-based repair routines are less and less able to cope with this flood of new malware.

Generic repair is based on the fact that malware usually integrates itself into an operating system in well-known places, using well-defined methods. What generic repair basically does is scan those places in the registry for the name of the malware file and either remove the registry key or value added by the malware or restore it to its original state.

Generic repair is normally used in a situation where there is active malware on the system and the script-based repair was unsuccessful. Generic repair together with the Scanner is able to detect this active malware, stop the corresponding running processes (if system processes are involved those will also be stopped) and disinfect the system after reboot. Sometimes the use of the Avira Rescue-CD is recommended.
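The registry part of the mechanism Büsker describes, as an added illustration that is not Avira's code: a small parser for an exported `.reg` fragment of two common autostart locations, and a planner that, given the malware file name, decides per value whether to delete it (an entry the malware added) or restore it to a known stock value (a legitimate entry the malware hijacked). The sample export, the hypothetical file name `svchost32.exe`, and the `KNOWN_GOOD` defaults table are constructed assumptions; the code only produces a repair plan from the export text and touches no live registry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a .reg export of two common autostart locations, with a
# hypothetical malware file "svchost32.exe" registered in both. Not from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost32"="C:\\Users\\user\\AppData\\Roaming\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\user\\AppData\\Roaming\\svchost32.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

# Values that must never be deleted outright: a hijacked Winlogon value is restored
# to its stock data instead. These defaults are an assumption for an English Windows install.
KNOWN_GOOD: Dict[Tuple[str, str], str] = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\Windows\system32\userinit.exe,",
}

# "name"=data lines; the name may contain escaped quotes or backslashes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo the two .reg string escapes (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg export format needed here: [key] headers and "name"=data lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ string; dword:/hex: data is kept verbatim
            keys[current][_unescape(m.group(1))] = data
    return keys


def plan_generic_repair(keys: Dict[str, Dict[str, str]], malware_filename: str) -> List[tuple]:
    """Return the repair actions for every autostart value that references the malware file name.

    Values with a known stock default are restored; any other value referencing the file is deleted.
    """
    needle = malware_filename.lower()
    actions: List[tuple] = []
    for key, values in keys.items():
        for name, data in values.items():
            if needle not in data.lower():
                continue
            default = KNOWN_GOOD.get((key, name))
            if default is None:
                actions.append(("delete_value", key, name))
            else:
                actions.append(("restore_value", key, name, default))
    return actions


if __name__ == "__main__":
    for action in plan_generic_repair(parse_reg(SAMPLE_REG), "svchost32.exe"):
        print(action)
```

The distinction between deleting and restoring is the point: removing a hijacked `Winlogon\Shell` value outright would leave the machine without a desktop after the reboot that Büsker mentions, so anything with a known default is put back rather than dropped.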

Softpedia: What kind of data is collected from users who choose to take part in the community-based malware intelligence gathering effort accompanying the new Avira AntiVir ProActiv behavioral blocking component? Is this limited to submitting suspicious files or is other information, like a user's action when faced with a detection, also included?

Helmut Büsker: AV 10 introduces a new behavior-based detection technology called Avira AntiVir ProActiv. AntiVir ProActiv constantly monitors the behavior of the system in real time and looks for unusual events. An integrated rule system is able to decide proactively if a certain event (or a combination of events) indicates that the system is currently under attack from new or unknown malware. If a rule matches, the user is then able to decide what to do with this suspicious file, i.e. to trust it, to block it once, to block it always or to ignore it.

Part of this new technology is the Avira AntiVir ProActiv community, which allows every user to take an active role in Avira's worldwide battle against viruses and malware by automatically sending unknown malware samples to Avira. Taking part in the Avira AntiVir ProActiv community is completely voluntary. How does this work and what data is transferred to the Avira backend?

Whenever the rule system cannot decide if the system is under attack from a virus or not, it will ask the Avira servers if the corresponding file or sample is needed for analysis. During this request it transfers the rule ID, the rule set version, the MD5 hash key and the size of the file/sample. If the Avira servers actually request the file/sample, then the MD5 hash key, the file name and the file content are transferred to the backend. No other information or personal data is transferred. All the data that is sent in is only used for malware analysis.
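The two-stage exchange described above, modelled as an added example with both sides' messages (this is illustrative code, not Avira's client or backend): stage one carries only rule ID, rule-set version, MD5 and size; the file name and content leave the machine only if the backend answers that it wants the sample. The backend policy (skip hashes it already knows, skip oversized files, reject an upload whose content does not match the announced MD5) and the sample bytes are constructed assumptions.

```python
import hashlib
from typing import Dict

# Assumed backend policy (not Avira's): do not request files larger than this.
MAX_SAMPLE_BYTES = 10 * 1024 * 1024


def md5_hex(data: bytes) -> str:
    """MD5 is the identifier named in the interview; here it is a lookup key, not a security control."""
    return hashlib.md5(data).hexdigest()


def build_query(rule_id: int, ruleset_version: str, file_bytes: bytes) -> Dict:
    """Stage 1 message: only rule ID, rule-set version, MD5 and size leave the client."""
    return {
        "type": "query",
        "rule_id": rule_id,
        "ruleset_version": ruleset_version,
        "md5": md5_hex(file_bytes),
        "size": len(file_bytes),
    }


class AnalysisBackend:
    """Stand-in for the analysis servers: answers stage-1 queries and stores requested samples."""

    def __init__(self, known_hashes: Dict[str, str]):
        self.known = dict(known_hashes)      # md5 -> verdict already on file
        self.received: Dict[str, str] = {}  # md5 -> file name of samples accepted in stage 2

    def handle_query(self, query: Dict) -> Dict:
        """Decide from metadata alone whether the sample is worth transferring."""
        if query["md5"] in self.known:
            return {"type": "answer", "wanted": False, "reason": "known"}
        if query["size"] > MAX_SAMPLE_BYTES:
            return {"type": "answer", "wanted": False, "reason": "too_large"}
        return {"type": "answer", "wanted": True, "reason": "unknown"}

    def handle_upload(self, upload: Dict) -> Dict:
        """Stage 2 message: md5, file name and content. Content must match its announced hash."""
        if md5_hex(upload["content"]) != upload["md5"]:
            return {"type": "result", "accepted": False, "reason": "hash_mismatch"}
        self.received[upload["md5"]] = upload["file_name"]
        return {"type": "result", "accepted": True, "reason": "stored"}


def submit_if_requested(backend: AnalysisBackend, rule_id: int, ruleset_version: str,
                        file_name: str, file_bytes: bytes) -> Dict:
    """Client side of the exchange: ask with metadata first; send the file only if asked."""
    query = build_query(rule_id, ruleset_version, file_bytes)
    answer = backend.handle_query(query)
    if not answer["wanted"]:
        return {"uploaded": False, "reason": answer["reason"]}
    upload = {"type": "upload", "md5": query["md5"], "file_name": file_name, "content": file_bytes}
    result = backend.handle_upload(upload)
    return {"uploaded": result["accepted"], "reason": result["reason"]}


if __name__ == "__main__":
    # Constructed samples: one file the backend already knows, one it has never seen.
    known = b"bytes of a known-clean installer"
    backend = AnalysisBackend({md5_hex(known): "clean"})
    print(submit_if_requested(backend, 1042, "2010.03.1", "setup.exe", known))
    print(submit_if_requested(backend, 1042, "2010.03.1", "dropper.exe", b"MZ never seen before"))
    print(backend.received)
```

Splitting the exchange this way is what keeps the data-minimisation claim checkable: an auditor can confirm that `build_query` is the only message sent unconditionally and that it contains nothing but the four fields Büsker lists.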

Softpedia: Some of the biggest malware threats, in terms of financial loss, are banking trojans such as Zeus, which allow cyber crooks to steal millions of dollars from unsuspecting individuals and businesses. Since users of capable, up-to-date antivirus programs continue to get infected, it seems that the whole industry has a problem keeping up with these threats.

In addition, according to recent reports, the next major version of the Zeus crimeware will feature polymorphic encryption, making every single infection unique. How is Avira prepared to defend its customers against these high-risk complex trojans that have so far managed to defeat even the top heuristic detection engines?

Helmut Büsker: Avira's detection technologies are among the most advanced antivirus and anti-malware technologies in the market. Avira does not depend on the more traditional detection technologies such as pattern-based detection but has integrated a number of very advanced technologies over the years that are able to cope with even the newest malware threats. The award-winning Avira heuristic detection has one of the highest detection rates in the market, and with the release of AV 10 in March 2010, Avira has also introduced a new behavior-based detection technology that especially targets new malware in real time. Avira customers are therefore protected even against the newest threats.

Softpedia: Gamers represent a market that security product developers have addressed with increased interest by offering specific, non-disturbing protection while playing. Some developers have even included such features in the free version of their program. Will such features be available in future Avira releases of the free edition, since it is currently limited only to the Premium Security Suite?

Helmut Büsker: The Game mode is a setting of the Avira desktop firewall, which is presently a feature of the Avira Premium Security Suite and of the Avira AntiVir Professional. Right now it is not available in the free-of-charge Avira AntiVir Personal – Free Antivirus. It is Avira's policy to introduce new features and modules into the paid-for versions first and add them to the Personal at a later point in time, when those features have become more of a commodity and therefore are more in line with the Personal, which offers basic protection. However, right now there are no definite plans to introduce the game mode to the Personal.

Softpedia: Some users were expecting Avira notifier to be excluded from the latest version, yet it is still nagging those that haven't found the way to deny its execution. Will the free version ever be free of the annoying display?

Helmut Büsker: We are constantly reviewing and changing our products to better meet our customer needs. The advertisement method used in our free product, the pop-up display, was established many years ago, and we are actively investigating possible future evolutions of this communication method. In the coming versions there will be more focus put on user friendliness and communication, which will balance the business interest and user satisfaction.

Softpedia: Collective intelligence and cloud-based antivirus products seem to enjoy plenty of attention from users because of the fast scans they offer and their low system resource usage. Do you plan on implementing such technology in future products?

Helmut Büsker: Collective intelligence and cloud-based computing are definitely things that we are looking at. Talking of collective intelligence – we have 145 million users worldwide and this is a resource that we will use and have already started to use. With AV 10 we have introduced a new behavior-based detection technology called Avira AntiVir ProActiv. Part of this new technology is the Avira AntiVir ProActiv Community, which allows Avira customers to take part in Avira's worldwide struggle against viruses and malware.

Members of that community will send suspicious files to Avira for analysis and the results will be made available to all Avira customers. The ProActiv Community thus combines, if you like, aspects of reputation-based computing with in-the-cloud technologies. Avira has also just acquired a Dutch company that has specialized in online services, which also shows that cloud computing and online services will definitely play a big role for Avira in the future.

Softpedia: Behavior analysis is another technology missing in Avira products, which in some cases is offered for free. Could this be integrated in your software in order to increase detection rate?

Helmut Büsker: Avira has just introduced a behavior-based detection technology into version 10 of its commercial Windows desktop products. It is called Avira AntiVir ProActiv and it adds a fourth line of defense against malware attacks to the products, one that is especially able to detect, in real time, new malware that might have slipped through one of the other three lines of defense (signature-based detection, generic detection, heuristic detection). Avira products are renowned for their extremely high detection rates, and we are sure that Avira AntiVir ProActiv will not only help us to keep these high detection rates but will give us that little extra in detection that will let us stay ahead of our competition in the long run.

Softpedia: One of the biggest downsides in a security product is the false positive rate. How has this been ameliorated in the latest version of Avira?

Helmut Büsker: False positives are in fact one of the big problems of all security software. Especially when you use heuristic or behavior-based detection technology, the risk of producing false positives is definitely there, and there are a number of ways to deal with that risk. First of all, when we talk about false positives we have to understand that false positives are not a problem of the product only.

If you want to reduce the number of false positives you have to start right at the beginning, i.e. in the virus labs and in the development departments. And Avira does exactly that: Every Avira pattern update has to pass a very rigorous false-positive testing before it is released. Avira maintains a very big server farm exclusively to perform false-positive testing.

The products themselves and their heuristic and behavior-based detection technologies are constantly enhanced, and the underlying detection algorithms and rules are fine-tuned to reduce the number of false positives. This is an ongoing process from which the customers benefit with every engine, pattern or rule update.
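The release gate Büsker describes for pattern updates, reduced to its core as an added example (not Avira's test harness): every candidate byte pattern in an update is run over a corpus of known-clean files, each hit is recorded as a false positive with the file that triggered it, and only the patterns with zero hits are released. The clean corpus, the candidate patterns and the detection names are constructed; one pattern is deliberately too generic so the gate has something to catch.

```python
from typing import Dict, List, Tuple

Signature = Tuple[str, bytes]  # (detection name, byte pattern)

# Constructed clean corpus standing in for the clean-file collection of a test server farm.
CLEAN_CORPUS: Dict[str, bytes] = {
    "notepad.exe": b"MZ\x90\x00\x03\x00 This program cannot be run in DOS mode.",
    "setup.msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 installer database",
    "readme.txt": b"Plain text release notes, nothing executable here.",
}

# Constructed candidate pattern update; the names and byte patterns are made up for the example.
CANDIDATE_UPDATE: List[Signature] = [
    ("TR/Dropper.Gen", b"\x01\x02\x03\x04\x05\x06"),
    ("TR/Overbroad.A", b"This program cannot"),   # matches the DOS stub of every PE executable
    ("TR/Agent.B", b"\xaa\xbb\xcc\xdd"),
]


def false_positive_test(update: List[Signature], corpus: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Run every candidate pattern over every clean file; each (pattern, file) hit is a false positive."""
    hits: List[Tuple[str, str]] = []
    for name, pattern in update:
        for file_name, data in corpus.items():
            if pattern in data:
                hits.append((name, file_name))
    return hits


def gate_release(update: List[Signature],
                 corpus: Dict[str, bytes]) -> Tuple[List[Signature], List[Tuple[str, str]]]:
    """Release only the patterns with zero clean-corpus hits; return the rest with their evidence."""
    hits = false_positive_test(update, corpus)
    blocked = {name for name, _ in hits}
    released = [sig for sig in update if sig[0] not in blocked]
    return released, hits


if __name__ == "__main__":
    released, hits = gate_release(CANDIDATE_UPDATE, CLEAN_CORPUS)
    print("released:", [name for name, _ in released])
    print("blocked:", hits)
```

Keeping the evidence (`hits`) alongside the decision is what makes the step useful to the lab: the analyst who wrote `TR/Overbroad.A` sees immediately which clean file it matched and can tighten the pattern before resubmitting.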