System Watcher gets smarter

How heuristic analysis and System Watcher work in Kaspersky Internet Security

Security solutions must be able to perform two big functions: prevention and, if necessary, remediation. Kaspersky Lab’s latest patent is a technology that makes both more effective.

The most common approach to prevention is to track what’s going on in your computer and neutralise harmful objects. If the security program spots a Trojan, a phishing or spam e-mail, or a malicious website, it does its best to protect the user.


When prevention fails, the security solution has to deal with an infected computer. Cleaning an infected system is not simply a matter of deleting a bad file. To clean an infected PC, the antivirus has to remove the malicious code and also undo what it did to the system: the autostart entries it planted, the system files and settings it altered, the components it disabled. It isn’t enough to remove the illness; you have to restore health, and that is a complicated prospect.

That’s exactly why independent security benchmark tests show that although many antivirus vendors perform relatively well at prevention, the field of excellence narrows quite a bit when it comes to disinfecting an already compromised system.

Better detection…

Lists of virus signatures and other traditional methods of detection have an important place in security solutions. However, heuristic methods also play a vital role. Heuristic analysis judges an object by rules derived from experience with earlier threats rather than by an exact signature match, which lets antivirus software watch not only for known harmful objects but also for suspicious activity.

Suspicious activity detection is at the core of a technology developed and recently patented by Kaspersky Lab’s Mikhail Pavlyuschik, Alexey Monastyrsky, and Denis Nazarov. This technology can map interactions between a program and other OS components and software. Here, an interaction means one process reading or writing memory that belongs to another process.

It’s not necessary to track all activities, which is a good thing, because monitoring every system call would gobble up computing resources. Tracking only these cross-process interactions keeps the overhead low while giving the behavior monitor a higher-precision signal, one that blocks many previously unknown malicious programs.

…and prevention

Consider a computer attacked by malware that collects keystrokes (a keylogger).

If the keylogger managed to infect the computer, that means it bypassed protection or infiltrated by exploiting flawed security configuration, which is a common scenario. It must be stopped before it sends the data (could be your e-mail password, bank login, a webcam capture, and much more) to the person behind the attack.

This is where behavioral analysis steps in. The technology is embedded in our System Watcher module and, with the help of other security components, detects the known malicious interactions the untrusted software causes before the damage is irreversible. Moreover, because it has recorded the changes the malware made along the way, it can roll those modifications back. Rollback restores the system’s state; it cannot recall data that has already left the machine, which is why the interaction has to be caught before the keylogger reports home.
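To make the two ideas above concrete, the tracking of cross-process memory interactions and the rollback of a convicted process’s changes, here is an added, illustrative simulation. It is not System Watcher’s code and does not describe how Kaspersky’s engine is built; it is a toy behavior monitor written for this page. The event field names, the use of the classic OpenProcess / WriteProcessMemory / CreateRemoteThread injection sequence as the conviction rule, and every event in the stream are assumptions and constructed data. The monitor ignores everything except a handful of operations, journals each process’s file and registry writes, and, when one process completes the injection sequence against another, blocks it and restores whatever it overwrote:

```python
from collections import defaultdict

# The classic Windows injection pattern: open a foreign process with write
# rights, write code into it, then start a thread there. Only these three
# cross-process memory operations and two kinds of state change are tracked;
# everything else is ignored so that monitoring stays cheap.
INJECTION_SEQUENCE = ("open_process", "write_memory", "create_remote_thread")
STATE_OPS = ("file_write", "reg_set")


class Monitor:
    """Tracks cross-process memory interactions and journals each process's
    state changes so they can be undone if the process is convicted."""

    def __init__(self, fs=None, reg=None):
        self.fs = dict(fs or {})          # simulated file system: path -> content
        self.reg = dict(reg or {})        # simulated registry: key -> value
        self.stage = defaultdict(int)     # (pid, target) -> progress through INJECTION_SEQUENCE
        self.journal = defaultdict(list)  # pid -> [(kind, key, previous_value), ...]
        self.verdicts = {}                # pid -> reason it was blocked

    def handle(self, event):
        """Return "allow" or "block" for one event (a dict with pid, op, ...)."""
        pid, op = event["pid"], event["op"]
        if pid in self.verdicts:
            return "block"                # a convicted process gets nothing more
        if op in STATE_OPS:
            self._apply(pid, op, event)
            return "allow"
        if op in INJECTION_SEQUENCE and event["target"] != pid:
            key = (pid, event["target"])
            # Advance only when the op is the next one expected; repeated
            # writes or out-of-order ops do not move the state machine.
            if op == INJECTION_SEQUENCE[self.stage[key]]:
                self.stage[key] += 1
                if self.stage[key] == len(INJECTION_SEQUENCE):
                    self.verdicts[pid] = f"code injection into pid {event['target']}"
                    self.rollback(pid)
                    return "block"
        return "allow"

    def _apply(self, pid, op, event):
        """Apply a state change and journal what it overwrote."""
        kind, store = ("file", self.fs) if op == "file_write" else ("reg", self.reg)
        key = event["key"]
        self.journal[pid].append((kind, key, store.get(key)))  # None: did not exist before
        store[key] = event["value"]

    def rollback(self, pid):
        """Undo the process's journaled changes, newest first."""
        for kind, key, previous in reversed(self.journal.pop(pid, [])):
            store = self.fs if kind == "file" else self.reg
            if previous is None:
                store.pop(key, None)
            else:
                store[key] = previous


def run(events, fs=None, reg=None):
    """Feed a constructed event stream through a fresh Monitor."""
    mon = Monitor(fs, reg)
    return mon, [mon.handle(ev) for ev in events]


HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kl"
INITIAL_FS = {HOSTS: "127.0.0.1 localhost"}

# Constructed event stream (not a real trace). pid 100 is a benign editor;
# pid 200 is a keylogger that drops a log, persists, poisons hosts and then
# injects into explorer.exe (pid 300); pid 400 is a debugger that writes to
# its debuggee (pid 500) but never starts a remote thread.
EVENTS = [
    {"pid": 100, "op": "file_write", "key": r"C:\Users\me\notes.txt", "value": "draft"},
    {"pid": 200, "op": "file_write", "key": r"C:\ProgramData\kl.log", "value": "bank password"},
    {"pid": 200, "op": "reg_set", "key": RUN_KEY, "value": r"C:\ProgramData\kl.exe"},
    {"pid": 200, "op": "file_write", "key": HOSTS, "value": "203.0.113.7 bank.example"},
    {"pid": 200, "op": "open_process", "target": 300},
    {"pid": 200, "op": "write_memory", "target": 300},
    {"pid": 200, "op": "write_memory", "target": 300},
    {"pid": 200, "op": "create_remote_thread", "target": 300},
    {"pid": 200, "op": "reg_set", "key": RUN_KEY, "value": r"C:\ProgramData\kl.exe"},
    {"pid": 400, "op": "open_process", "target": 500},
    {"pid": 400, "op": "write_memory", "target": 500},
]

if __name__ == "__main__":
    mon, decisions = run(EVENTS, INITIAL_FS)
    for ev, d in zip(EVENTS, decisions):
        print(f"{d:5} pid={ev['pid']} {ev['op']}")
    print("verdicts:", mon.verdicts)
    print("fs:", mon.fs)
    print("reg:", mon.reg)
```

Two points are worth noticing when running it. The debugger (pid 400) performs two of the three steps and is never blocked: the signal is the complete interaction pattern, not any single memory access, which is what keeps the false-positive rate down. And the rollback removes the keylogger’s log and Run key and restores the original hosts file while leaving the editor’s document untouched, because the journal is kept per process. The “bank password” captured in the log is gone from disk, but nothing here could have recovered it had it already been sent; that is why the conviction happens on the injection attempt rather than after the fact.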

A strong security solution such as Kaspersky Internet Security rarely allows malware so deep inside the system that it requires rollback. We add new threats to our virus databases very quickly, as well; Kaspersky Security Network helps us learn about new malware samples from the cloud. But when it comes to antivirus development, you cannot have too much protection. Continual work on developing new technologies for detection and remediation is a fundamental difference between a great security solution and a mediocre one: comprehensive protection measures depend on it.