by Chris Taylor
Sophos, a U.K.-based security firm, there are over
250,000 new, unique pieces of malware per day.
That is tough for anti-malware companies to deal with.
Consider the delays in getting protected from new
malware. Your anti-malware vendor must get a sample,
develop a signature to identify it, and get updated
signature files delivered to you. Then think of whether
you ever received an email that claimed your
package could not be delivered and urged you to see
an attached file for details. It was probably a new piece
of malware spammed to the world for a couple of hours.
The attackers aim is to infect your computer before
your anti-malware company can get you an update that will
Defence in depth remains the best way to deal with the
possible failure of any one security layer. Anti-malware
remains important, along with firewalls, anti-spyware,
patching for security vulnerabilities, and caution.
Major anti-malware vendors are changing their products in
the face of rapidly spreading malware. One way is to take
a hash, which uniquely identifies a file in (typically)
64 bytes, of any file downloaded from the Internet and
send the hash in real time to the anti-malware vendor.
The vendor can then try to match the hash to the hashes
of known malware. This can help detect new malware before
you get updated signature files.
Knowing my anti-virus vendor might not be first to detect
any particular new malware, I have used the free service
VirusTotal.com to test an unknown file for malware
against many anti-malware engines. Fig.1
VirusTotal.com shows the results of such a scan.
Note that I dont think Sophos (one of 5
anti-malware engines to detect this particular sample) is
necessarily better than AVG (one of 52 engines that
didnt detect it.) The next new malware on the
Internet could have a different vendor picking it up
first. The point is that theres great value in
having multiple anti-malware scanning engines examine
While VirusTotal.com is an
excellent tool for checking a single file, it
cant be used to scan all files on your
computer. Wouldnt it be great if there was
a service that could efficiently scan all files
on your computer using multiple anti-malware
herdProtect from Reason Software is a free
anti-malware service that does exactly that. It
can scan all the files on your computer using 68
different anti-malware engines. The big ones are
represented; Avast!, AVG, BitDefender, eSet,
McAfee, Microsoft, Panda, Sophos, Trend, etc. All
68 are listed at the herdProtect web site.
I wondered how it would be possible to scan all
your files using multiple anti-malware engines in
a reasonable time-frame. The typical means of
scanning files is to download an anti-malware
engine to your computer and run it against all
your files. I couldnt imagine doing this 68
herdProtect takes a hash of all the executable
files on your computer and send the hashes to the
herdProtect server where they are compared to the
hashes of known files good and bad. If no
match is made, the file in question is examined
in more depth to find out how it behaves. If
required, the actual file will then be sent to
the herdProtect server to be checked against all
68 anti-malware engines.
Once the scan finishes, which on my computer took
about an hour, you are presented with a list of
files that were identified as bad. You can click
any line to get information about which
anti-malware engines found the file to be
infected. There are buttons to delete the file or
to get additional details. (Fig.2 a PUP)
I am happy to say that although the program
flagged a few files on my computer, there was
nothing I was overly worried about. I had two
flagged as Adware/PUPs PUP
being Potentially Unwanted Program.
True enough for my copy of Remote Administrator
if I had not installed it, a remote
control program would certainly be of concern.
The other was a DLL associated with PopCap Games.
I play games at Pogo.com and some of them are
PopCap Games. If I want to play them, I will have
the DLL on my computer. The lesson here is to not
rush and assume everything identified by
herdProtect should be wiped from your computer!
I also had 9 files on my
computer flagged as Inconclusive. In each
case only a single anti-malware engine identified
the file as a problem. This, and given that the
files all came from trustworthy sources and had
been on my computer for some time, were pretty
certain signs that they were false positives.
While herdProtect has some built-in smarts for
detecting many false positives, it seems to have
missed on these 9.
You will almost certainly
run into cases where the scan reports xx
more currently scanning in the cloud. At
this point the client software has uploaded
copies of the files to the herdProtect servers
where they will be analysed by all 68
anti-malware engines. The next time you run a
scan, hopefully the files will have been
checked and you will then know if the files are
okay or not. I say hopefully because after weeks
of use, there were always some files still
scanning in the cloud.
I did run into a strange thing. As I mentioned,
herdProtect identified 9 of my files as Inconclusive,
an assessment that can result from very few of
the anti-malware engines identifying a problem.
Eight were part of the program DxO OpticsPro
10, a well-known program for editing digital
photos. The 9th was the Camera Window
program distributed with just about every Canon
camera on the market. For all 9, only a single
anti-malware engine identified the file as
problematic. Yet for all 9, when I uploaded them
to VirusTotal.com, they were given a clean
bill-of-health including by the exact
same engines that had declared them as bad in
I have no idea what to make of this.
For the Remote Administrator program (identified
by 24 engines in herdProtect as Adware/PUP)
and the PopCap DLL (identified by 15 engines in
herdProtect as Adware/PUP), the results
were more reassuring. There was only a single
instance where an anti-malware engine in
herdProtect identified the file as bad and the
corresponding engine in VirsuTotal.com disagreed.
The idea of your executable files being uploaded
to herdProtects servers might raise some
hairs on the back of your neck. As well, the very
fact that the folks who run herdProtect now know
all the programs you run on your computer may
concern some. You might want to read the privacy
policy on the herdProtect web site and decide if
you want to trust them or not.
herdProtects web site mentions Protection
Platform which is coming soon
and will Scan and remove malware with
real-time protection. To me, that is when
things could get very interesting. If you could
do away with your single-vendor anti-malware
program and have every new program that arrives
at your computer checked in real time against 68
anti-malware engines, before they get a
chance to infect your computer
I can think of at least
one instance where Protection Platform
might be problematic. herdProtect depends on an
active connection to the herdProtect servers.
What if they are down or unreachable for any
reason? Is all your anti-malware protection gone?
Only time and the release of Protection
Platform will tell.
Fig.2 A PUP
is developed by Andrew Newman, who was the co-founder and
chief software architect for GIANT Company Software,
makers of one of the most respected anti-spyware programs
on the market in its time. In fact, Microsoft bought the
company and used it as the basis for Windows Defender
(which became Microsoft Security Essentials, and with
Windows 8, Windows Defender again.) Newman plans on
keeping all versions of herdProtect free. The program
itself is ad-free. The web site has a few ads and they
accept donations via PayPal.
I think herdProtect is very valuable as a second line of
anti-malware defence on top of your currently installed
anti-malware. It is available as a regular installable
program as well as a portable app not requiring
herdProtect v220.127.116.11 (Freeware)
Originally published: September, 2015
top of page
The opinions expressed in these reviews
do not necessarily represent the views of the
Ottawa PC Users' Group or its members.