Ottawa PC Users' Group, Inc.
Product Review


herdProtect
by Chris Taylor

 

According to Sophos, a U.K.-based security firm, there are over 250,000 new, unique pieces of malware per day. That is tough for anti-malware companies to deal with.

Consider the delays in getting protected from new malware. Your anti-malware vendor must get a sample, develop a signature to identify it, and get updated signature files delivered to you. Then think of whether you ever received an email that claimed “your package could not be delivered” and urged you to see an attached file for details. It was probably a new piece of malware spammed to the world for a couple of hours. The attacker’s aim is to infect your computer before your anti-malware company can get you an update that will block it.

Defence in depth remains the best way to deal with the possible failure of any one security layer. Anti-malware remains important, along with firewalls, anti-spyware, patching for security vulnerabilities, and caution.

Major anti-malware vendors are changing their products in the face of rapidly spreading malware. One way is to take a hash, which uniquely identifies a file in (typically) 64 bytes, of any file downloaded from the Internet and send the hash in real time to the anti-malware vendor. The vendor can then try to match the hash to the hashes of known malware. This can help detect new malware before you get updated signature files.

Knowing my anti-virus vendor might not be first to detect any particular new malware, I have used the free service VirusTotal.com to test an unknown file for malware against many anti-malware engines. Fig.1 – VirusTotal.com shows the results of such a scan. Note that I don’t think Sophos (one of 5 anti-malware engines to detect this particular sample) is necessarily better than AVG (one of 52 engines that didn’t detect it). The next new malware on the Internet could have a different vendor picking it up first. The point is that there’s great value in having multiple anti-malware scanning engines examine files.

While VirusTotal.com is an excellent tool for checking a single file, it can’t be used to scan all files on your computer. Wouldn’t it be great if there was a service that could efficiently scan all files on your computer using multiple anti-malware engines?

herdProtect from Reason Software is a free anti-malware service that does exactly that. It can scan all the files on your computer using 68 different anti-malware engines. The big ones are represented: Avast!, AVG, BitDefender, ESET, McAfee, Microsoft, Panda, Sophos, Trend, etc. All 68 are listed at the herdProtect web site.

I wondered how it would be possible to scan all your files using multiple anti-malware engines in a reasonable time-frame. The typical means of scanning files is to download an anti-malware engine to your computer and run it against all your files. I couldn’t imagine doing this 68 times.

herdProtect takes a hash of every executable file on your computer and sends the hashes to the herdProtect server, where they are compared to the hashes of known files – good and bad. If no match is made, the file in question is examined in more depth to find out how it behaves. If required, the actual file is then sent to the herdProtect server to be checked against all 68 anti-malware engines.

Once the scan finishes, which on my computer took about an hour, you are presented with a list of files that were identified as bad. You can click any line to get information about which anti-malware engines found the file to be infected. There are buttons to delete the file or to get additional details. (Fig.2 – a PUP)

I am happy to say that although the program flagged a few files on my computer, there was nothing I was overly worried about. I had two flagged as “Adware/PUPs” – PUP being “Potentially Unwanted Program”. True enough for my copy of Remote Administrator – if I had not installed it, a remote control program would certainly be of concern. The other was a DLL associated with PopCap Games. I play games at Pogo.com and some of them are PopCap Games. If I want to play them, I will have the DLL on my computer. The lesson here is to not rush and assume everything identified by herdProtect should be wiped from your computer!

I also had 9 files on my computer flagged as “Inconclusive”. In each case only a single anti-malware engine identified the file as a problem. That, together with the fact that the files all came from trustworthy sources and had been on my computer for some time, was a pretty certain sign that they were false positives. While herdProtect has some built-in smarts for detecting many false positives, it seems to have missed on these 9.
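To make the two-stage workflow described above concrete (hash lookup first, multi-engine scan only for unknown files, and a single-engine detection treated as “Inconclusive”), here is an added Python illustration. It is not herdProtect’s code; the sample files, hash lists, engine names and verdicts are all constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample files; none of these bytes or hashes are herdProtect's real data.
SAMPLES = {
    "setup.exe": b"MZ\x90\x00constructed-known-good-installer",
    "dropper.exe": b"MZ\x90\x00constructed-known-bad-sample",
    "unknown.dll": b"MZ\x90\x00constructed-never-seen-file",
}

def sha256_hex(data: bytes) -> str:
    """Hash step: in the first round only this digest leaves the machine, not the file."""
    return hashlib.sha256(data).hexdigest()

# Constructed server-side lists of known-good and known-bad hashes.
KNOWN_GOOD = {sha256_hex(SAMPLES["setup.exe"])}
KNOWN_BAD = {sha256_hex(SAMPLES["dropper.exe"]): "Trojan.Constructed"}

# Constructed per-engine verdicts for files the hash lookup could not settle.
# None means "this engine reported no detection".
ENGINE_VERDICTS = {
    "unknown.dll": {"EngineA": "Generic.Suspicious", "EngineB": None, "EngineC": None},
}

def aggregate(verdicts: dict) -> str:
    """Consensus rule from the review: no hits -> Clean, exactly one hit -> Inconclusive,
    several hits -> the most common label plus how many engines agreed."""
    hits = {engine: label for engine, label in verdicts.items() if label}
    if not hits:
        return "Clean"
    if len(hits) == 1:
        return "Inconclusive"
    label = Counter(hits.values()).most_common(1)[0][0]
    return f"{label} ({len(hits)}/{len(verdicts)} engines)"

def triage(name: str, data: bytes) -> tuple:
    """Return (stage, verdict): 'hash' when the lookup settled it without uploading
    the file, 'engines' when the file itself had to go to the multi-engine scan."""
    digest = sha256_hex(data)
    if digest in KNOWN_GOOD:
        return "hash", "Clean"
    if digest in KNOWN_BAD:
        return "hash", KNOWN_BAD[digest]
    verdicts = ENGINE_VERDICTS.get(name)
    if verdicts is None:
        return "engines", "Scanning in the cloud"   # results not back yet
    return "engines", aggregate(verdicts)

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *triage(name, data))
```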

[Fig.1 – VirusTotal.com]

[Fig.2 – a PUP]

You will almost certainly run into cases where the scan reports “xx more currently scanning in the cloud”. At this point the client software has uploaded copies of the files to the herdProtect servers where they will be analysed by all 68 anti-malware engines. The next time you run a scan, hopefully the files will have been checked and you will then know if the files are okay or not. I say hopefully because after weeks of use, there were always some files still “scanning in the cloud”.

I did run into a strange thing. As I mentioned, herdProtect identified 9 of my files as Inconclusive, an assessment that can result from very few of the anti-malware engines identifying a problem. Eight were part of the program DxO OpticsPro 10, a well-known program for editing digital photos. The 9th was the Camera Window program distributed with just about every Canon camera on the market. For all 9, only a single anti-malware engine identified the file as problematic. Yet for all 9, when I uploaded them to VirusTotal.com, they were given a clean bill of health – including by the exact same engines that had declared them as bad in herdProtect.

I have no idea what to make of this.

For the Remote Administrator program (identified by 24 engines in herdProtect as Adware/PUP) and the PopCap DLL (identified by 15 engines in herdProtect as Adware/PUP), the results were more reassuring. There was only a single instance where an anti-malware engine in herdProtect identified the file as bad and the corresponding engine in VirusTotal.com disagreed.

The idea of your executable files being uploaded to herdProtect’s servers might raise some hairs on the back of your neck. As well, the very fact that the folks who run herdProtect now know all the programs you run on your computer may concern some. You might want to read the privacy policy on the herdProtect web site and decide if you want to trust them or not.

herdProtect’s web site mentions Protection Platform which is “coming soon” and will “Scan and remove malware with real-time protection.” To me, that is when things could get very interesting. If you could do away with your single-vendor anti-malware program and have every new program that arrives at your computer checked in real time against 68 anti-malware engines, before they get a chance to infect your computer … wow!

I can think of at least one instance where Protection Platform might be problematic. herdProtect depends on an active connection to the herdProtect servers. What if they are down or unreachable for any reason? Is all your anti-malware protection gone? Only time – and the release of Protection Platform – will tell.

herdProtect is developed by Andrew Newman, who was the co-founder and chief software architect for GIANT Company Software, makers of one of the most respected anti-spyware programs on the market in its time. In fact, Microsoft bought the company and used it as the basis for Windows Defender (which became Microsoft Security Essentials and, with Windows 8, Windows Defender again). Newman plans on keeping all versions of herdProtect free. The program itself is ad-free. The web site has a few ads and they accept donations via PayPal.

I think herdProtect is very valuable as a second line of anti-malware defence on top of your currently installed anti-malware. It is available as a regular installable program as well as a portable app not requiring installation.


Bottom Line:

Product name: herdProtect v1.0.3.0
Price: Free
Vendor: Reason Software
Web site: http://www.herdProtect.com



Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews do not necessarily
represent the views of the OPCUG or its members.
