BitDefender® Technology




The success of BitDefender software in protecting individual and corporate users is largely based on a constant focus on technological innovation, research and development aimed at advancing the state of the art in data security, especially where pro-active detection of e-threats is concerned.

Some of the technologies which form the core of BitDefender products have also found their way, over time, into a variety of products and services from providers as diverse as software security companies, banks or major ISPs.

 

B-Have

B-HAVE is BitDefender’s behavior-based heuristic detection technology. The technology is designed to detect and block new and unknown threats, without the need for new virus signatures. B-HAVE monitors files in a virtual computer environment and watches for malware-like behaviour.

B-HAVE simulates a relatively simple computer, by means of a system emulator that emulates a processor and memory and a virtual hardware emulator that emulates other bits of hardware such as a hard-disk or a display.

When an untrusted program reaches the start point of a known code sequence, is packed with a known packer, or generates a known system call, a (VM-)native routine (called an acceleration routine) is executed which functionally emulates the code sequence, unpacking routine or system call in question.

The end results are then analyzed by means of a virtual machine inspection engine, a file inspection engine (which inspects any files that get created as a result of untrusted code being executed) and a memory inspection engine.

A file may be deemed malicious if at the end of the emulation run one of the watched files on the hard disk has been modified (e.g., the hosts file) or if some other conditions are satisfied (e.g. a file has been created that matches the signature of a known virus, or the suspect program tried to change/read a sensitive memory location).
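The end-of-run checks described above can be sketched as follows. This is an added example, not BitDefender code: the watched path, the sensitive address range, the sample data and the use of a SHA-256 hash as the "signature" are all assumptions made for illustration.

```python
import hashlib

# All values below are constructed for this example (assumptions).
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
WATCHED_FILES = {HOSTS}
SENSITIVE_RANGES = [(0x7FFE0000, 0x7FFE1000)]  # hypothetical protected region


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for a signature database: hashes of known-bad file bodies.
KNOWN_BAD_HASHES = {sha256(b"CONSTRUCTED-KNOWN-VIRUS-BODY")}


def inspect_run(disk_before, disk_after, memory_accesses):
    """Return the reasons an emulated sample looks malicious (empty if none)."""
    reasons = []
    # File inspection: a watched file differs from its pre-run contents.
    for path in sorted(WATCHED_FILES):
        if disk_before.get(path) != disk_after.get(path):
            reasons.append(f"watched file modified: {path}")
    # File inspection: a file created during the run matches a known signature.
    for path in sorted(set(disk_after) - set(disk_before)):
        if sha256(disk_after[path]) in KNOWN_BAD_HASHES:
            reasons.append(f"created file matches known signature: {path}")
    # Memory inspection: a read or write touched a sensitive location.
    for op, addr in memory_accesses:
        if any(lo <= addr < hi for lo, hi in SENSITIVE_RANGES):
            reasons.append(f"sensitive memory {op} at {addr:#x}")
    return reasons


# Constructed virtual-disk snapshots and memory access log.
BEFORE = {HOSTS: b"127.0.0.1 localhost\n"}
AFTER = {
    HOSTS: b"127.0.0.1 localhost\n203.0.113.5 update.example\n",
    r"C:\Temp\drop.exe": b"CONSTRUCTED-KNOWN-VIRUS-BODY",
}
ACCESSES = [("read", 0x00401000), ("write", 0x7FFE0010)]

if __name__ == "__main__":
    for reason in inspect_run(BEFORE, AFTER, ACCESSES):
        print(reason)
```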

This entire process takes place in just fractions of a second. If the owner of the BitDefender software has configured it to do so, a malicious file which matches no known signature is then sent to the BitDefender lab for further analysis - eventually, a new signature is generated and distributed so the process need not be repeated when another machine has to deal with the same file.

The B-HAVE technology has enabled BitDefender to consistently score high marks in pro-active detection effectiveness in independent tests.

AVC

BitDefender® Active Virus Control is an innovative proactive detection technology which uses advanced heuristic methods to detect new potential threats in real time. It monitors each program running on your PC, as it executes, and notes malware-like actions. If enough such actions are detected, the program which performed them is declared harmful.

Unlike any other heuristic technology that only checks files when they are accessed or first started, Active Virus Control monitors everything applications do as long as they are active.

Monitoring is achieved through DLL injection at process startup - that is, each process is assigned a "watcher" which stays with it throughout the entire time the process is active, reporting certain activities to a server which in turn decides (based on how many potentially harmful activities and of what kinds a process has performed) which processes should be classified as malicious and stopped.
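The decision side of this design can be sketched as a server that accumulates watcher reports per process and stops a process once its score crosses a threshold. This is an added example, not BitDefender code: the action names, weights, threshold and report stream are assumptions, since the page gives no actual values.

```python
from collections import Counter, defaultdict

# Assumed weights per kind of activity and assumed decision threshold.
WEIGHTS = {
    "open_document": 0,
    "copy_self_to_system_dir": 2,
    "write_autorun_key": 3,
    "modify_hosts_file": 3,
    "inject_into_other_process": 4,
}
THRESHOLD = 7


class DecisionServer:
    """Receives watcher reports and decides which processes to stop."""

    def __init__(self):
        self.actions = defaultdict(Counter)  # pid -> how many of each kind
        self.stopped = {}                    # pid -> index of deciding report

    def score(self, pid):
        # Both the number of actions and their kinds contribute to the score.
        return sum(WEIGHTS.get(kind, 0) * n
                   for kind, n in self.actions[pid].items())

    def report(self, index, pid, kind):
        if pid in self.stopped:
            return  # already classified as malicious and stopped
        self.actions[pid][kind] += 1
        if self.score(pid) >= THRESHOLD:
            self.stopped[pid] = index


# Constructed report stream: (pid, action kind) in arrival order.
# pid 200 looks harmless at startup and only later accumulates a score.
EVENTS = [
    (100, "open_document"),
    (200, "open_document"),
    (200, "copy_self_to_system_dir"),
    (100, "open_document"),
    (200, "write_autorun_key"),
    (200, "inject_into_other_process"),
    (200, "modify_hosts_file"),
]


def replay(events):
    server = DecisionServer()
    for index, (pid, kind) in enumerate(events):
        server.report(index, pid, kind)
    return server
```

In this constructed stream, a check made only at process start would have seen nothing suspicious from pid 200; the verdict comes from the sixth report.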

Active Virus Control is included in all consumer versions of BitDefender products.

NeuNet

NeuNet is an “intelligent” spam filter which uses a series of neural networks that are pre-trained on waves of spam messages. The networks themselves are trained and updated in the BitDefender Labs using the latest spam waves.

The networks are organized so that they function as successive filtering layers - the "topmost" network being good at distinguishing some types of legitimate messages from suspicious messages, with the subsequent layers able to recognize with great accuracy one of several pre-identified spam categories, such as phishing spam or spam advertising cheap replica watches.

One great advantage of pre-trained neural networks is that they have the capacity to recognize new spam e-mail pertaining to the same category as those in their training set. Another is that, surprisingly enough, they function faster than legacy rules-based filters in many cases.

The training is performed in the Labs, not on BitDefender client machines, for two separate reasons - performance (training is quite processor-intensive) and accuracy (the Labs can gather and classify much more diverse and recent spam than any one client machine could, making the training that much more accurate).