Kaspersky Patents Hardware-Based Antivirus

HardOCP News

The U.S. patent office has approved an application from Kaspersky Labs today for a hardware-based antivirus solution. Supposedly the new hardware-implemented AV module can't be bypassed by rootkits and has its own CPU and memory.

An anti-virus (AV) system based on a hardware-implemented AV module for curing infected computer systems and a method for updating AV databases for effective curing of the computer system. The hardware-based AV system is located between a PC and a disk device. The hardware-based AV system can be implemented as a separate device or it can be integrated into a disk controller. An update method of the AV databases uses a two-phase approach. First, the updates are transferred from a trusted utility to an update sector of the AV system. Then, the updates are verified within the AV system and the AV databases are updated. The AV system has its own CPU and memory and can be used in combination with an AV application.
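The two-phase update described in the patent excerpt, as an added example written for this page (it is not Kaspersky's code and not taken from the patent): a host-side utility writes an update package into a staging sector (phase 1), and the module, on its own CPU and memory, authenticates and version-checks the package before anything touches the live signature database (phase 2). The keyed MAC, the JSON package layout, the anti-rollback rule and all sample values are constructed assumptions; the patent text does not say how the module verifies updates. The example also shows why a tampered or replayed package written by an untrusted host program fails at the verification step rather than reaching the live database.

```python
"""Simulation of a two-phase AV-database update with verification on the module side.
All keys, formats and sample data are constructed for this example."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed shared key. A keyed MAC shared between the vendor's packager and
# the module stands in for whatever a real module would use (a public-key
# signature would be the usual choice, so the module holds no signing secret).
VENDOR_KEY = b"constructed-demo-key-not-real"
MAC_LEN = 32  # bytes of HMAC-SHA256 appended to each package


def package_update(version: int, signatures: dict[str, str], key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: serialise a database update and append a MAC over the body."""
    body = json.dumps({"version": version, "signatures": signatures}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UpdateSector:
    """Phase 1 target: host-writable staging area. Any host program, trusted
    utility or not, can write here; nothing staged here is live yet."""

    def __init__(self) -> None:
        self.blob: bytes | None = None

    def write(self, blob: bytes) -> None:
        self.blob = blob


class HardwareAVModule:
    """Phase 2: the module reads the staged blob using its own CPU and memory,
    verifies it, and only then replaces its live database."""

    def __init__(self, key: bytes = VENDOR_KEY) -> None:
        self._key = key
        self.db_version = 0
        self.signatures: dict[str, str] = {}  # sha256 hex digest -> detection name
        self.sector = UpdateSector()

    def apply_staged_update(self) -> tuple[bool, str]:
        blob = self.sector.blob
        self.sector.blob = None  # consume the staged data whatever the outcome
        if blob is None or len(blob) <= MAC_LEN:
            return False, "no update staged"
        body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "authentication failed"  # tampered or unauthorised package
        try:
            update = json.loads(body)
            version = int(update["version"])
            sigs = dict(update["signatures"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed update"
        if version <= self.db_version:  # anti-rollback: old databases are never re-applied
            return False, f"rollback or replay rejected (have {self.db_version}, got {version})"
        self.db_version = version
        self.signatures = sigs
        return True, f"database updated to version {version}"

    def scan(self, data: bytes) -> str | None:
        """Toy hash-based lookup against the live database."""
        return self.signatures.get(hashlib.sha256(data).hexdigest())


def demo() -> dict[str, object]:
    """Run one good update, one tampered package and one replay; report outcomes."""
    sample = b"constructed sample: not real malware"
    sigs = {hashlib.sha256(sample).hexdigest(): "Demo.Sample.A"}
    module = HardwareAVModule()

    module.sector.write(package_update(1, sigs))        # genuine package
    ok_good, _ = module.apply_staged_update()

    tampered = bytearray(package_update(2, {}))
    tampered[5] ^= 0x01                                 # flip one bit in the body
    module.sector.write(bytes(tampered))
    ok_tampered, _ = module.apply_staged_update()

    module.sector.write(package_update(1, {}))          # replay of an older version
    ok_replay, _ = module.apply_staged_update()

    return {"good": ok_good, "tampered": ok_tampered, "replay": ok_replay,
            "version": module.db_version, "detected": module.scan(sample)}


if __name__ == "__main__":
    print(demo())
```

The host never calls into the module's verification logic; it can only place bytes in the sector, so a compromised host is limited to offering packages that the module then accepts or discards. The version check matters as much as the MAC: without it, a valid but old package could be replayed to strip newer detections.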
 
Interesting concept, I wonder how well it will work?
 
Sounds a little more expensive than their current version. Hmmm, probably catches your cc numbers as well, so no need to send them money, they will just take it as needed.
 
This sounds like something that looks good on paper, but will be too costly to implement. Who is going to put essentially a second pc into their pc just for better anti-virus protection?
 
Doesn't sound any less vulnerable than a software solution. If there is a door to transfer data in, you can be sure viruses will find their way in.
 
This sounds like something that looks good on paper, but will be too costly to implement. Who is going to put essentially a second pc into their pc just for better anti-virus protection?

It makes sense in a corporate environment if it works, since nobody likes to have downed servers for a reload. That kinda admits defeat on the part of IT, doing a reload that is.
 
Doesn't sound any less vulnerable than a software solution. If there is a door to transfer data in, you can be sure viruses will find their way in.

Exactly. If a "trusted utility" can update it, then so can an untrusted one.
 
LOL @ Ziggy on the bottom of the article: Link

It'll be interesting to see how this connects to the PC, via PCIe or whatnot. Until then, I'll just use a bootable USB key with SUPER and avast!
 
1: virii no matter what, etc, etc

2: Motherboard with onboard virus protection so no need to run anything in software, cool but probably unneeded. With the whole 4/6/8 core thing going on now, we really don't need the CPU cycles for anything (since most games are GPU bottlenecked anyway for most people).

I bet some companies are salivating over the thought though.
 
The hardware will still be run by their mediocre software detection engine. I spent a year excising K from our network because they couldn't provide adequate protection even though I submitted positive samples as detected by other companies' AV.
 
Hardware is only as good as the software written for it. Generally AV software sucks CPU cycles, and hard drive accessing takes away performance. Regardless of whether it's hardware or software based, it still has to scan your hard drive periodically, which is the weakest bottleneck of the entire computer system (standard SATA controllers and SATA hard drives).
 
1: virii no matter what, etc, etc

2: Motherboard with onboard virus protection so no need to run anything in software, cool but probably unneeded. With the whole 4/6/8 core thing going on now, we really don't need the CPU cycles for anything (since most games are GPU bottlenecked anyway for most people).

I bet some companies are salivating over the thought though.

Just to let it be known, virii isn't a word...lol. The plural form of virus is, literally, viruses.
 
Should be easy enough to put this on an add-in card.
This argument is worthless:
it does need host software in order to update itself, because the AV hardware won't have network access. This update application will need to be trusted and hardened against attack.
How hard would it be to have a network port on the card? It's essentially a mini rig... connect it to the network, and BAM.

You probably could just have the network connection go into the card, and be filtered to your main rig... like setting up an Untangle box... except there's no second case - it's right in your computer.
 
I think a lot of you guys miss the point of this. I'm not an expert, but if I understand correctly then the hardware (and software on it) will be far less susceptible to attack. When the AV updates, it will move the updates onto its private CPU and memory. From there it can scan the updates themselves for malicious material, independent of the primary CPU and memory, and therefore independent of malicious code that may already be on the computer. This would prevent anything all the way down to the root level from directly attacking your AV solution.
 
[...]With the whole 4/6/8 core thing going on now, we really don't need the cpu cycles for anything (since most games are gpu bottlenecked anyway for most people).[...]

It's not just CPU power that limits AV software. It intercepts read/write calls from the operating system, and thus your PC feels crippled while something's being scanned because it's not allowed to do anything without the AV's OK. My guess is that AV software is programmed highly inefficiently. When I switched from Kaspersky 2009 to 2010 and uninstalled the old version, then rebooted, my PC was fast as hell during bootup and accessing files, browsing directories etc. I was amazed; it made me want to not install the 2010 version. Come on, don't give me crappy popups that show things I don't need to know to show off how awesome the AV protection supposedly is. Instead, find some more efficient algorithms.
 
Sounds just like the Yoggie Gatekeeper range. They work pretty well (I have the Pico Pro and Gatekeeper Pro) with no slowdowns.

That's nice for under a hundred bucks... although it isn't truly a hardware answer that's separate from the host - it's more a software/hardware hybrid. I'd like to see some real-world test results à la av-comparatives for it.
 
All this will do is present another short challenge for malware/virus writers to be able to compromise.

What happens when something that it doesn't have a definition for gets on the computer? Heuristics (sp?) scanning doesn't catch a lot of stuff... and without a definition for the specific virus it won't likely detect it at all.
 
I think just about every AV maker has attempted to make a hardware solution for this stuff, but I'm still waiting for THE one to come out.

I'll wait to make judgement on this, and see what we really get when it does come out.
 
This is how they will push the device that makes sure you don't have any illegal content also. First push it under the guise of security (like the Patriot Act) then slowly but surely abuse your power until .AVIs that match popular downloads are "caught as viruses". A music heuristic engine that will map into your sound card and see if any unlicensed tunes are playing.
 
Should be easy enough to put this on an add-in card.
This argument is worthless:

How hard would it be to have a network port on the card? It's essentially a mini rig... connect it to the network, and BAM.

You probably could just have the network connection go into the card, and be filtered to your main rig... like setting up an Untangle box... except there's no second case - it's right in your computer.

Adding network capability to this AV subsystem exposes it to attack. It's not difficult, just outside of where the solution is meant to operate. Network drivers and protocols aren't the safest animals, to my knowledge (but I can't find a link to support that view).

Sounds just like the Yoggie Gatekeeper range. They work pretty well (I have the Pico Pro and Gatekeeper Pro) with no slowdowns.

Yoggie devices wouldn't be active until after boot, so they are more of a performance solution working with the OS to prevent infections. The purpose of the new patent is to have something running independently of the OS and below the level of rootkits. On the other hand, the Gatekeeper et al. do much more than what the Kaspersky proposal addresses.

I think a lot of you guys miss the point of this. I'm not an expert, but if I understand correctly then the hardware (and software on it) will be far less susceptible to attack. When the AV updates, it will move the updates onto its private CPU and memory. From there it can scan the updates themselves for malicious material, independent of the primary CPU and memory, and therefore independent of malicious code that may already be on the computer. This would prevent anything all the way down to the root level from directly attacking your AV solution.

Exactly. You can't attack something remotely if there are no hooks into it. It'd be like a virus trying to change my video card's colour.

Unfortunately, there is a hook in the form of the AV software update. In order to compromise the system, someone would have to engineer code that updates the hardware while also introducing a payload that would fool the self-update heuristics. This is easily countered with a hardware requirement--say toggling a BIOS setting or flicking a switch on a riser card--and you would then need physical access to the machine.

All this will do is present another short challenge for malware/virus writers to be able to compromise.

What happens when something that it doesn't have a definition for gets on the computer? Heuristics scanning doesn't catch a lot of stuff... and without a definition for the specific virus it won't likely detect it at all.

And that's the problem. The AV functionality (both for normal scanning and update verification) will only be as good as the installed module. Still, keep in mind this is a patent. There's nothing preventing other vendors from licensing the rights and installing their own engines.
 
This is how they will push the device that makes sure you don't have any illegal content also. First push it under the guise of security (like the Patriot Act) then slowly but surely abuse your power until .AVIs that match popular downloads are "caught as viruses". A music heuristic engine that will map into your sound card and see if any unlicensed tunes are playing.

How many points for unwarranted paranoia, nowadays?
 
I'd purchase it if it had a zero resource footprint - and relatively good imperviousness to attack (maybe writing to the device is USB only... Disconnect the cord, remove a substantial portion of the risk) etc.

I'd even pay a few hundred dollars for one if it worked well - and used no main resources... I hate losses to AV software, even if they're so small these days that they exist in the theoretical (it's an artifact of my early computing days... The same reason I defrag my media drives weekly, even though they're hardly ever written to.)
 
Adding network capability to this AV subsystem exposes it to attack. It's not difficult, just outside of where the solution is meant to operate. Network drivers and protocols aren't the safest animals, to my knowledge (but I can't find a link to support that view).

Doesn't make it any more or less susceptible than current tech like the Untangle box I mentioned - or even the host computer itself.
 
My guess is that the engine will run on an alternative OS (their own or Linux, I suspect). It seems to me that makes attacks harder, if for no other reason than they have to attack an OS that's got a small footprint and then they have to attack the underlying OS on another box.

In the end, the main reason for this, I believe, is because if a zero day exploit gets past the AV, the AV software is still uncompromised and thus able to find and, presumably, remove any infections.

With that said, price would be a key factor in this solution. After all, if it's expensive and has an annual fee, then I'm stuck with Kaspersky or an expensive door stop, if I don't like the software.
 
Doesn't make it any more or less susceptible than current tech like the Untangle box I mentioned - or even the host computer itself.

It is a separate computer completely inaccessible from the internet. You think that doesn't make it less vulnerable to attack? It wouldn't even have an IP or physical network address. :confused:

Unless you know of a way to compromise a system through its I/O monitoring process alone.
 
It is a separate computer completely inaccessible from the internet. You think that doesn't make it less vulnerable to attack? It wouldn't even have an IP or physical network address. :confused:

Unless you know of a way to compromise a system through its I/O monitoring process alone.

You didn't read the whole thread, did you? Read the post you just commented on in context to post #16. Regardless of how it's implemented, if it has access to the host - that has access to the internet - there remains a vulnerability to some degree. It'd just be how well they can mitigate it.
 