NEWS FROM THE LAB - Monday, November 26, 2007

Gemini 2.0 Posted by Sean @ 13:41 GMT

Host Based Intrusion Prevention Systems (HIPS) offer a very important complement to traditional antivirus software.

Behavioral blocking software nevertheless does have its own problems, specifically "noise": many harmless applications have the same behavioral patterns as malware. A trojan-downloader connects to the Internet and downloads executable files onto its host in much the same way that an installer fetches legitimate software.

So behavioral blocking software needs to be trained to tell bad from good.

Gemini Update 2007-11-15_09

Our database releases of November 15th included Gemini Update 2007-11-15_09.

What's Gemini?

Our Gemini engine is a component used by System Control, also known as DeepGuard. That's our HIPS technology.

You've already received this update if you're using one of our products that includes DeepGuard.

The Research Lab team responsible for DeepGuard's development has used what it learned since the first release to re-train the Gemini engine.

It's a fairly significant engine update that promises more automatic malware detections with fewer interruptions from legitimate software; that is to say, less noise. It lets DeepGuard do its job while asking fewer questions. In-house it's been termed Gemini 2.0.

And while Gemini 1.0 was excellent, we think that Gemini 2.0 is even better.

One of our tests used all of the unique malware samples detected by Orion (our signature-based engine) during the month of October. Of that set, 51% received high scores from Gemini: scores that result in an automatic block should DeepGuard see the file attempt to do something dangerous on the computer, with no traditional signature detection required.

That's a 20% improvement over the old training, under which those samples would instead have produced a prompt to "Allow" or "Deny". For a greater share of malicious files, our customers will no longer need to make that decision themselves.

There should be fewer questions about legitimate applications as well: tests show a marked improvement in the number of good applications that receive a low score.
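To make the "noise" problem and the high/low score bands concrete, here is a small added example, written for this page and not DeepGuard's or Gemini's actual code. It trains a toy behaviour scorer on a constructed set of twelve labelled "programs", gives each process a log-odds score, and maps that score to block / prompt / allow the way the text describes: a high score blocks automatically when a dangerous action is attempted, a low score is allowed silently, and anything in between asks the user. The behaviour names, the samples, the scoring rule (smoothed naive-Bayes log-likelihood ratios) and the thresholds are all assumptions made for the illustration.

```python
"""Toy behaviour-scoring model in the spirit of a HIPS engine.

Constructed illustration only: the behaviour names, the labelled samples,
the thresholds and the scoring rule are invented for this example and are
not DeepGuard's or Gemini's. It shows why behaviour alone is noisy (an
installer and a trojan-downloader share most of their behaviour) and how a
trained score plus two thresholds turns that into block / prompt / allow.
"""
import math

# Behaviours a HIPS could observe from a running process (constructed list).
FEATURES = (
    "connects_internet", "downloads_executable", "executes_download",
    "writes_autorun_key", "injects_into_process", "disables_security_tool",
    "signed_binary", "user_launched",
)

# Constructed, labelled training set: (behaviours observed, label).
TRAINING = [
    ({"connects_internet", "downloads_executable", "executes_download", "writes_autorun_key"}, "malware"),
    ({"connects_internet", "downloads_executable", "executes_download", "injects_into_process"}, "malware"),
    ({"writes_autorun_key", "injects_into_process", "disables_security_tool"}, "malware"),
    ({"connects_internet", "writes_autorun_key", "disables_security_tool"}, "malware"),
    ({"connects_internet", "downloads_executable", "executes_download", "writes_autorun_key", "injects_into_process"}, "malware"),
    ({"connects_internet", "injects_into_process", "disables_security_tool"}, "malware"),
    ({"connects_internet", "downloads_executable", "executes_download", "user_launched", "signed_binary"}, "clean"),
    ({"connects_internet", "downloads_executable", "executes_download", "signed_binary"}, "clean"),
    ({"connects_internet", "user_launched", "signed_binary"}, "clean"),
    ({"user_launched", "signed_binary"}, "clean"),
    ({"connects_internet", "downloads_executable", "executes_download", "user_launched", "writes_autorun_key"}, "clean"),
    ({"connects_internet", "user_launched"}, "clean"),
]

# Constructed thresholds on the log-odds score.
HIGH = 2.0   # at or above: block automatically when a dangerous action is attempted
LOW = -2.0   # at or below: allow silently, no prompt
# Actions the blocker actually intercepts; everything else just proceeds.
DANGEROUS_ACTIONS = {"executes_download", "writes_autorun_key",
                     "injects_into_process", "disables_security_tool"}


def train(samples):
    """Bernoulli naive-Bayes style training with add-one smoothing.

    Returns per-feature log-likelihood ratios (present, absent) and the
    prior log-odds of malware vs clean.
    """
    by_label = {"malware": [], "clean": []}
    for behaviours, label in samples:
        by_label[label].append(behaviours)
    n_mal, n_clean = len(by_label["malware"]), len(by_label["clean"])
    weights = {}
    for f in FEATURES:
        p_mal = (sum(f in b for b in by_label["malware"]) + 1) / (n_mal + 2)
        p_clean = (sum(f in b for b in by_label["clean"]) + 1) / (n_clean + 2)
        weights[f] = (math.log(p_mal / p_clean),
                      math.log((1 - p_mal) / (1 - p_clean)))
    return {"weights": weights, "prior": math.log(n_mal / n_clean)}


def score(model, behaviours):
    """Log-odds that a process showing these behaviours is malware."""
    total = model["prior"]
    for f, (w_present, w_absent) in model["weights"].items():
        total += w_present if f in behaviours else w_absent
    return total


def decide(model, behaviours, attempted_action):
    """Blocker verdict when the process attempts `attempted_action`."""
    if attempted_action not in DANGEROUS_ACTIONS:
        return "allow"
    s = score(model, behaviours)
    if s >= HIGH:
        return "block"
    if s <= LOW:
        return "allow"
    return "prompt"


def evaluate(model, samples):
    """Share of malware scored high (auto-blocked) and of clean scored low (no prompt)."""
    mal = [score(model, b) for b, l in samples if l == "malware"]
    clean = [score(model, b) for b, l in samples if l == "clean"]
    return (sum(s >= HIGH for s in mal) / len(mal),
            sum(s <= LOW for s in clean) / len(clean))


MODEL = train(TRAINING)

if __name__ == "__main__":
    trojan = {"connects_internet", "downloads_executable", "executes_download",
              "injects_into_process", "disables_security_tool"}
    installer = {"connects_internet", "downloads_executable", "executes_download",
                 "user_launched", "signed_binary", "writes_autorun_key"}
    silent_updater = {"connects_internet", "downloads_executable", "executes_download"}
    for name, b, act in [("trojan", trojan, "injects_into_process"),
                         ("installer", installer, "writes_autorun_key"),
                         ("silent updater", silent_updater, "executes_download")]:
        print(f"{name:15s} score={score(MODEL, b):6.2f} -> {decide(MODEL, b, act)}")
    print("auto-block rate / silent-allow rate:", evaluate(MODEL, TRAINING))
```

The silent updater is the interesting case: it downloads and runs an executable exactly as the downloader samples do, but carries none of the other behaviours, so its score lands between the two thresholds and the user is asked. The unsigned installer in the training set (fifth "clean" entry) sits in the same band, which is the residual noise the re-training in the post is meant to shrink.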

And as there is an apparently never-ending stream of malware — research on Gemini's training also continues.

Kudos to our hard-working Antimalware Technologies team.