Simplicity, Efficiency and Compatibility

Orthrus is developed with Microsoft .NET Framework technology and is written entirely as a user-mode application, with no kernel-mode components. It uses the .NET WATCHER technique in conjunction with Windows Management Instrumentation (WMI) functions to detect intrusions.

Conventional anti-virus or host intrusion prevention products use a kernel-mode driver (sometimes called a shim) to intercept the kernel function calls made by each running process and then analyze the activity. The activity is then compared against a set of predefined malware behaviors (such as those seen in a buffer overflow attack) or against baseline behavior profiles. In the case of signature-based anti-virus products, the calling process is also scanned against a set of predefined malicious signatures.

Although technically precise, this in-band intercept-and-release method used by conventional anti-virus and host intrusion prevention products is resource intensive and tends to be invasive from the operating system's point of view, because kernel-mode process and file-system driver code (ring 0 code) is usually involved. These kernel-mode driver components also create a risk of incompatibility between such products and the future security enhancements that Microsoft introduces into its operating systems.

Orthrus, on the other hand, is entirely a user-mode application. Using the out-of-band WATCHER technique, it has a much greater chance of remaining compatible with new security features that Microsoft may introduce into its operating systems. In addition, by analyzing higher-level (or human-level) malware behaviors, such as how malware intrusions happen, malware trying to hide itself, and unusual registry values being modified to avoid removal, Orthrus offers a simpler, more compatible and ultimately more efficient solution.
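The out-of-band, user-mode approach described above, as an added PowerShell example that is not Orthrus code: it subscribes to WMI process-creation events and to change events on a registry key commonly used for persistence, using Register-CimIndicationEvent (assumed here to be the PowerShell face of the .NET WMI event-watcher classes the page alludes to). The watched key, the parent/child process lists and the log path are illustrative assumptions, not anything the page specifies.

```powershell
# Added example (not Orthrus code): a user-mode WMI watcher for process creation
# and for modifications to the HKLM Run key. Event delivery is asynchronous, so
# the new process is never paused, which is the out-of-band property contrasted
# with in-band kernel-mode interception. Dot-source into an elevated session:
#   . .\Watch-Host.ps1      (handlers run while the session is idle)
#   Stop-HostWatch          (removes both subscriptions)

$global:LogPath = "$env:TEMP\host-watch.log"                      # assumed log location
$global:RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Assumed lists: document hosts that rarely need to spawn a shell, and shells.
$global:DocumentHosts = @('winword.exe', 'excel.exe', 'outlook.exe', 'acrord32.exe')
$global:Shells        = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'mshta.exe')

# Snapshot of the Run key's values, used to tell which value actually changed
# (RegistryKeyChangeEvent reports the key, not the value). Provider metadata
# properties (PSPath, PSParentPath, ...) are skipped.
function global:Get-RunKeySnapshot {
    $map = @{}
    $props = Get-ItemProperty -Path $global:RunKey
    foreach ($m in $props.PSObject.Properties) {
        if ($m.Name -notlike 'PS*') { $map[$m.Name] = [string]$m.Value }
    }
    return $map
}
$global:RunSnapshot = global:Get-RunKeySnapshot

# WQL: poll the process class every 2 s for new instances (no kernel driver).
$procQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
             "WHERE TargetInstance ISA 'Win32_Process'"

# WQL requires backslashes in KeyPath to be doubled.
$regQuery  = "SELECT * FROM RegistryKeyChangeEvent " +
             "WHERE Hive='HKEY_LOCAL_MACHINE' AND " +
             "KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"

Register-CimIndicationEvent -Query $procQuery -SourceIdentifier 'ProcWatch' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    # Resolve the parent by PID; it may already have exited.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { [string]$parent.Name } else { '<exited>' }
    $line = "{0:o} PID {1} {2} <- parent {3} :: {4}" -f (Get-Date), $p.ProcessId, $p.Name, $parentName, $p.CommandLine
    # Human-level rule: a shell spawned by a document handler is worth flagging.
    if ($global:Shells -contains ([string]$p.Name).ToLower() -and
        $global:DocumentHosts -contains $parentName.ToLower()) {
        $line = "ALERT document host spawned shell: " + $line
    }
    Add-Content -Path $global:LogPath -Value $line
}

Register-CimIndicationEvent -Namespace 'root/default' -Query $regQuery `
    -SourceIdentifier 'RunKeyWatch' -Action {
    $now = global:Get-RunKeySnapshot
    $old = $global:RunSnapshot
    foreach ($name in $now.Keys) {
        if (-not $old.ContainsKey($name) -or $old[$name] -ne $now[$name]) {
            Add-Content -Path $global:LogPath -Value ("{0:o} Run value added/changed: {1} = {2}" -f (Get-Date), $name, $now[$name])
        }
    }
    foreach ($name in $old.Keys) {
        if (-not $now.ContainsKey($name)) {
            Add-Content -Path $global:LogPath -Value ("{0:o} Run value removed: {1}" -f (Get-Date), $name)
        }
    }
    $global:RunSnapshot = $now
}

function global:Stop-HostWatch {
    Unregister-Event -SourceIdentifier 'ProcWatch'   -ErrorAction SilentlyContinue
    Unregister-Event -SourceIdentifier 'RunKeyWatch' -ErrorAction SilentlyContinue
}
```

The `WITHIN 2` polling interval is the trade-off of this technique: a process that starts and exits inside that window can be missed, and the parent lookup can fail if the parent has already gone, which is why the handler records `<exited>` rather than dropping the event. Nothing here can block the process or the registry write; the watcher only observes and logs, which is what "out-of-band" means in practice.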
