Verify All Running Applications and Library Modules

Orthrus is an intrusion prevention application that stops malware infection primarily through behavior analysis. Because it does not possess a set of malware signature patterns, Orthrus may not identify malware already present on a client computer. It does, however, carry a collection of cryptographic signatures of commonly used legitimate applications.

This collection of legitimate signatures, combined with the File Protection security feature of Windows operating systems, allows Orthrus to establish the legitimacy of the majority of running applications and library modules.

Orthrus uses the Microsoft .net WATCHER technique to examine every process and library module as it starts. For those that are unknown to Orthrus and are not part of the operating system, Orthrus sends their identity information to WNSC's secure web server for verification. If the executable is determined to be malicious, Orthrus is instructed to quarantine it. Orthrus communicates with the web server on this schedule: two minutes after a machine restart; again at 30 minutes; seven more times over the following 28 hours; and every 8 hours thereafter. Whenever an unverified executable or library module starts, Orthrus sends the file identity information to the web server within 5 seconds and the communication schedule above starts over.

Security analysts at WNSC verify the executables by looking up references to the file name on the Internet. If there is no reference, or there are only negative references (i.e., the executable has been reported malicious by other security vendors), the executable is classified as malicious. Note that under this rule an executable with no public footprint at all, such as an in-house tool, is classified the same way as one reported malicious.

A proprietary cryptographic signature of the executable's contents, the ImageID, is included in the information package sent to the web server and identifies the executable. If the Internet search results for the file name are conflicting, identifying information such as the file version, file size, vendor, and last modified time of the executable is compared against the values sent by Orthrus. If the executable is available for download from the manufacturer's web site, it is downloaded and its signature calculated and compared.
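The following is an added illustration by the editor, not Orthrus or WNSC code, of the identity package and the analyst's comparison described above. The real ImageID algorithm is proprietary, so a SHA-256 digest of the file bytes stands in for it; the sample file contents, search verdicts, and the "same version and size but different content means not the vendor's build" rule are assumptions made for the example.

```python
"""Editor's worked example: identity package and vendor-copy comparison.
Not Orthrus/WNSC code. ImageID is modelled as SHA-256 (assumption);
sample bytes and search verdicts are constructed."""
import hashlib
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass(frozen=True)
class IdentityPackage:
    """The identity fields named on the page."""
    file_name: str
    image_id: str        # content fingerprint (assumed: SHA-256 hex digest)
    file_version: str
    file_size: int
    vendor: str
    last_modified: str   # ISO 8601 timestamp as reported by the client


def image_id(contents: bytes) -> str:
    """Stand-in for the proprietary ImageID: a digest of the file bytes."""
    return hashlib.sha256(contents).hexdigest()


def build_package(file_name: str, contents: bytes, file_version: str,
                  vendor: str, last_modified: str) -> IdentityPackage:
    """Assemble what the client would send for an unknown executable."""
    return IdentityPackage(file_name, image_id(contents), file_version,
                           len(contents), vendor, last_modified)


def compare_fields(reported: IdentityPackage, reference: IdentityPackage) -> dict:
    """Field-by-field comparison; image_id is the authoritative field."""
    r, s = asdict(reported), asdict(reference)
    return {k: r[k] == s[k] for k in
            ("image_id", "file_version", "file_size", "vendor", "last_modified")}


def classify(reported: IdentityPackage, search_refs: List[str],
             vendor_copy: Optional[IdentityPackage] = None) -> str:
    """Triage rule from the page.

    search_refs: verdicts found by looking up the file name, each
    "positive" or "negative" (constructed representation).
    vendor_copy: package built from a copy downloaded from the
    manufacturer, or None if no download is available.
    """
    if not search_refs or all(v == "negative" for v in search_refs):
        return "malicious"          # no references, or only negative ones
    if all(v == "positive" for v in search_refs):
        return "legitimate"         # assumption: page leaves this case implicit
    # Conflicting references: fall back to the identity fields.
    if vendor_copy is None:
        return "unresolved"
    matches = compare_fields(reported, vendor_copy)
    if matches["image_id"]:
        return "legitimate"         # byte-identical to the vendor's copy
    # last_modified is deliberately excluded: installers rewrite it, so it is
    # a weak signal. Same version/size/vendor but different bytes means the
    # reported file is not the vendor's build (editor's interpretation).
    metadata_ok = all(matches[k] for k in ("file_version", "file_size", "vendor"))
    return "malicious" if metadata_ok else "unresolved"


# Constructed sample files (not real binaries).
VENDOR_BUILD = b"MZ\x90\x00" + b"ExampleVendor Updater 2.4.1 " * 64
TROJANISED = VENDOR_BUILD[:-12] + b"\x90" * 12    # same size, patched tail

VENDOR_PKG = build_package("updater.exe", VENDOR_BUILD, "2.4.1",
                           "ExampleVendor", "2010-01-05T09:00:00Z")
REPORTED_OK = build_package("updater.exe", VENDOR_BUILD, "2.4.1",
                            "ExampleVendor", "2010-02-01T12:00:00Z")
REPORTED_BAD = build_package("updater.exe", TROJANISED, "2.4.1",
                             "ExampleVendor", "2010-02-01T12:00:00Z")

if __name__ == "__main__":
    print(classify(REPORTED_OK, []))                              # malicious
    print(classify(REPORTED_OK, ["positive", "negative"], VENDOR_PKG))   # legitimate
    print(classify(REPORTED_BAD, ["positive", "negative"], VENDOR_PKG))  # malicious
```

The point the comparison makes is that version, size and vendor strings can all match while the content fingerprint does not; only the fingerprint computed over a copy obtained from the manufacturer settles the question.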
