The principles of operation of modern antiviruses using the example of Kaspersky Endpoint Security Cloud
The modern cyber threat landscape is evolving at an unprecedented rate, requiring security systems to take radically new approaches to protecting corporate infrastructure. Antivirus technologies today are a complex set of integrated solutions that combine traditional detection methods with advanced machine learning algorithms and cloud services. Kaspersky Endpoint Security Cloud demonstrates how modern security systems are adapting to the challenges of the digital age, offering a multi-layered approach to endpoint security.
Architectural foundations of cloud security system
Hybrid infrastructure model
Kaspersky Endpoint Security Cloud is built on the principle of hybrid architecture, combining the provider’s cloud infrastructure with the organization’s client environment. This approach allows centralizing security management while maintaining local control over critical operations.

The provider-side infrastructure, Kaspersky Security Center Cloud Console, includes a web-based administration console through which the corporate network protection system is created and maintained. This console functions as the central management node through which administrators configure security policies, monitor device status, and analyze security incidents.
An organization’s client infrastructure may contain a variety of components: Windows workstations, servers, iOS and Android mobile devices, and macOS computers. Each type of device is protected by specialized agents adapted to the specific operating system.
Networking and Protocols
The system uses specific port ranges to ensure reliable communication between components. TCP ports 23100-23199 and 27200-27299 are used to connect to Kaspersky Security Center Cloud Console, providing flexibility in network configuration. Port 13000 is responsible for managing client devices and delivering updates, while port 443 is used to connect to Kaspersky cloud services and the console detection service.
This architecture ensures stable operation of the system even during temporary network connection failures, since agents on devices can continue to work in offline mode with subsequent data synchronization when the connection is restored.
Technological components of the protection system
Multi-platform security agents
Kaspersky Endpoint Security Cloud includes specialized components for each supported platform. Network Agent for Microsoft Windows works together with Kaspersky Endpoint Security, providing multi-layered protection through the integration of basic and advanced threat detection mechanisms.
The Basic level of protection effectively counteracts mass attacks using proven signature analysis and heuristic detection technologies. The Advanced level is designed to prevent complex targeted attacks using behavioral analysis and machine learning technologies.
Control components reduce the attack surface and ensure the application of corporate security policies. The Administration Agent acts as an intermediary between the local protection component and the cloud console, transmitting configuration changes and information about detected threats.
Mobile Device Security
The system supports mobile device management through various mechanisms depending on the operating system. For iOS devices, Mobile Device Management technology is used through a special XML file containing the server address and security certificate. After installing this profile, the device is placed under centralized management.
Android devices are protected through a single application, Kaspersky Security for Mobile, which combines protection and cloud server communication functions. This approach provides comprehensive security for an organization’s mobile infrastructure with minimal impact on the user experience.
Threat Detection and Analysis Methods
Signature analysis as a basis for detection
Signature analysis remains a fundamental method for detecting known threats in modern antivirus systems. This method is based on searching for specific strings or patterns in scanned files, as well as analyzing hash sums of entire files. Kaspersky Security Cloud uses an extensive antivirus database that is regularly updated to provide protection against the latest threats.
The advantages of signature analysis include high detection speed, minimal false positives, and low requirements for the computing resources of the protected device. However, this method has limitations when working with polymorphic malware and new variants of existing threats.
To overcome these limitations, the system uses structural heuristic signatures and SmartHash technology, which are capable of detecting unknown and polymorphic malware by analyzing the structural features of files.
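The following added example (not code from the page or from Kaspersky) shows the two signature forms the text describes, a full-file hash and a byte pattern, and why a recompiled or repacked variant defeats the hash first and the pattern second. The sample byte strings, signature names and wildcard syntax are constructed for illustration.

```python
"""Exact-hash and byte-pattern signature matching, plus the polymorphism limitation.
All sample "files" and signature names below are constructed, not real detections."""
import hashlib
import re
from typing import List

# Constructed sample objects. In a real engine these would be files read from disk.
ORIGINAL = b"MZ\x90\x00" + b"DROP" + b"\x01\x02\x03\x04" + b"LOAD" + b"payload-v1"
# Same code rebuilt: the bytes between the two constant fragments changed, so the
# full-file hash differs while the structure the pattern describes is still present.
RECOMPILED = b"MZ\x90\x00" + b"DROP" + b"\x09\x08\x07\x06" + b"LOAD" + b"payload-v2"
# Polymorphic/packed variant: neither the hash nor the plaintext pattern survives.
REPACKED = b"MZ\x90\x00" + b"PACKED:" + b"\x7f\x33\x11\x5a"


def sha256_hex(data: bytes) -> str:
    """Hash-sum signature value for a whole object."""
    return hashlib.sha256(data).hexdigest()


# Hash signature database: exact match on the whole object (constructed entry).
HASH_SIGNATURES = {sha256_hex(ORIGINAL): "Constructed.Dropper.A!hash"}

# Pattern signature database: two constant fragments with four single-byte
# wildcards between them ('.' with DOTALL), so small byte changes there do not
# break detection.
PATTERN_SIGNATURES = [
    ("Constructed.Dropper.A!pattern", re.compile(rb"DROP....LOAD", re.DOTALL)),
]


def scan(data: bytes) -> List[str]:
    """Return the names of every hash or pattern signature that matches the object."""
    hits = []
    name = HASH_SIGNATURES.get(sha256_hex(data))
    if name:
        hits.append(name)
    for name, pattern in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("recompiled", RECOMPILED), ("repacked", REPACKED)):
        print(f"{label:11s} -> {scan(sample) or ['no match']}")
```

Running it shows the ladder the text describes: the original hits both signatures, the recompiled build only the pattern, and the repacked variant nothing, which is the gap that structural signatures and similarity hashing are meant to close.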
Heuristic analysis and emulation
Heuristic analysis significantly expands detection capabilities by analyzing the behavior of objects in a controlled environment. The system creates a safe artificial environment in which it emulates the execution of suspicious files or scripts. If suspicious activity is detected during emulation, the object is classified as potentially malicious.
The emulator recreates a functional execution environment, including system functions and various subsystems of the target operating system, without involving real system components. This approach allows safe analysis of the behavior of suspicious objects without the risk of infecting the real system.
Heuristic analysis is particularly effective against new and previously unknown threats because it analyzes the program’s actions rather than its signature. The system can detect malicious behavior even if the specific malware variant has not yet been entered into signature databases.
SmartHash Technology and Intelligent Hashing
SmartHash is a patented algorithm for constructing intelligent, locality-sensitive hashes over the structural features of a file. This technology allows grouping files by functional similarity, even if they differ at the binary code level.
Different files can have the same SmartHash value when they function in a similar way. A specific SmartHash value identifies a whole cluster of similar files, which allows for effective detection of unknown malware based on known families.
SmartHash technology uses multiple levels of precision, ensuring detection of even highly polymorphic malware while minimizing false positives. The online component of SmartHash compares client-side calculated values with billions of known clean files in the database via the global Kaspersky Security Network.
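To make the idea of a similarity hash with several precision levels concrete, here is an added illustrative example; it is not Kaspersky's SmartHash algorithm, which is proprietary, but a simplified structural hash built from features a file parser could extract. The file descriptors, the "cloud" reputation sets and the precision levels are all constructed assumptions.

```python
"""Structural (locality-sensitive) hashing with coarse-to-fine precision levels, and a
lookup against constructed known-clean and known-malicious sets. Illustrative only."""
import hashlib
from typing import Dict, List

# Constructed descriptors: what a parser might extract from PE-like files. No real binaries.
FILES: Dict[str, Dict] = {
    "dropper_build1.exe": {
        "imports": ["kernel32!CreateFileW", "kernel32!WriteFile",
                    "wininet!InternetOpenUrlW", "advapi32!RegSetValueExW"],
        "sections": [".text", ".rdata", ".data"], "size": 48_512},
    "dropper_build2.exe": {  # same functionality rebuilt: different bytes, same structure
        "imports": ["advapi32!RegSetValueExW", "kernel32!WriteFile",
                    "wininet!InternetOpenUrlW", "kernel32!CreateFileW"],
        "sections": [".text", ".rdata", ".data"], "size": 57_000},
    "editor_like.exe": {
        "imports": ["kernel32!CreateFileW", "kernel32!WriteFile",
                    "user32!MessageBoxW", "comdlg32!GetOpenFileNameW"],
        "sections": [".text", ".rdata", ".data", ".rsrc"], "size": 200_704},
    "unknown_tool.exe": {
        "imports": ["kernel32!CreateFileW", "ws2_32!send"],
        "sections": [".text", ".data"], "size": 10_000},
}


def _digest(parts: List[str]) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def structural_hash(desc: Dict, level: int) -> str:
    """Hash of structural features. Higher level = more detail = fewer files share it.
    level 1: set of imported DLLs (family-level grouping)
    level 2: + exact import names and section layout
    level 3: + size bucket at 8 KiB granularity (closest to an exact match)"""
    dlls = sorted({imp.split("!")[0] for imp in desc["imports"]})
    parts = ["L1"] + dlls
    if level >= 2:
        parts += ["L2"] + sorted(desc["imports"]) + list(desc["sections"])
    if level >= 3:
        parts += ["L3", str(desc["size"] // 8192)]
    return _digest(parts)


# Constructed reputation data standing in for the cloud back end: one malicious
# cluster recorded at level 2 and one clean file recorded at the strictest level.
KNOWN_MALICIOUS = {structural_hash(FILES["dropper_build1.exe"], 2): "Constructed.Dropper cluster"}
KNOWN_CLEAN = {structural_hash(FILES["editor_like.exe"], 3)}


def classify(desc: Dict) -> str:
    """Check the strict clean allowlist first (lowest false-positive risk), then look the
    coarser cluster hash up in the malicious set; anything else stays unknown."""
    if structural_hash(desc, 3) in KNOWN_CLEAN:
        return "clean"
    return KNOWN_MALICIOUS.get(structural_hash(desc, 2), "unknown")


if __name__ == "__main__":
    for name, desc in FILES.items():
        print(f"{name:20s} L2={structural_hash(desc, 2)} -> {classify(desc)}")
```

The two dropper builds share the level-1 and level-2 values but not the level-3 value, so a single cluster entry recorded at level 2 catches the rebuilt variant while the finer level still separates them when precision matters.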
Application of Machine Learning in Security Systems
Supervised and unsupervised learning methods
Kaspersky Endpoint Security Cloud actively applies machine learning methods at all stages of the threat detection process. The system uses both supervised and unsupervised learning methods for various security analysis tasks.
Supervised learning analyzes a set of object properties and corresponding classification labels to create a model that can correctly determine the status of previously unknown objects. Properties can include file statistics, a list of API functions used, and other characteristics, while classifications range from a simple “benign” or “malicious” classification to a more detailed categorization of threat types.
Unsupervised learning methods are used to discover hidden patterns in data, detect groups of similar objects, and identify interrelated properties. This approach is especially useful for identifying new types of threats that do not fit into existing classification categories.
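The following added example (not from the page or Kaspersky) shows both learning modes on the kind of features the text names, the list of API functions an object uses: a supervised Bernoulli naive Bayes classifier trained on labelled objects, and an unsupervised grouping of unlabelled objects by API-set similarity. The training set, the API names and the similarity threshold are constructed assumptions; real detectors use far richer features and models.

```python
"""Supervised (naive Bayes over API-presence features) and unsupervised (similarity
clustering) learning on constructed file-feature data. Illustrative only."""
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed labelled training set: (set of imported API names, label).
TRAINING: List[Tuple[Set[str], str]] = [
    ({"CreateFileW", "WriteFile", "InternetOpenUrlW", "RegSetValueExW", "ShellExecuteW"}, "malicious"),
    ({"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "OpenProcess"}, "malicious"),
    ({"InternetOpenUrlW", "CreateFileW", "WriteFile", "CreateProcessW"}, "malicious"),
    ({"CryptEncrypt", "FindFirstFileW", "FindNextFileW", "WriteFile", "DeleteFileW"}, "malicious"),
    ({"CreateFileW", "ReadFile", "WriteFile", "MessageBoxW", "GetOpenFileNameW"}, "benign"),
    ({"CreateWindowExW", "MessageBoxW", "GetMessageW", "DispatchMessageW"}, "benign"),
    ({"ReadFile", "CreateFileW", "printf", "malloc", "free"}, "benign"),
    ({"socket", "connect", "send", "recv", "printf"}, "benign"),
]


class BernoulliNB:
    """Supervised: estimate P(label) and P(api present | label) with Laplace smoothing,
    then score an unseen object by the label with the highest log-probability."""

    def __init__(self, samples: List[Tuple[Set[str], str]]):
        self.vocab = set().union(*(apis for apis, _ in samples))
        self.labels = sorted({lab for _, lab in samples})
        counts = {lab: 0 for lab in self.labels}
        present: Dict[str, Dict[str, int]] = {lab: defaultdict(int) for lab in self.labels}
        for apis, lab in samples:
            counts[lab] += 1
            for api in apis:
                present[lab][api] += 1
        self.log_prior = {lab: math.log(counts[lab] / len(samples)) for lab in self.labels}
        self.log_p: Dict[Tuple[str, str], Tuple[float, float]] = {}
        for lab in self.labels:
            for api in self.vocab:
                p = (present[lab][api] + 1) / (counts[lab] + 2)  # smoothed presence probability
                self.log_p[(lab, api)] = (math.log(p), math.log(1 - p))

    def classify(self, apis: Set[str]) -> str:
        scores = {}
        for lab in self.labels:
            s = self.log_prior[lab]
            for api in self.vocab:  # APIs never seen in training carry no evidence
                s += self.log_p[(lab, api)][0 if api in apis else 1]
            scores[lab] = s
        return max(scores, key=scores.get)


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster(objects: List[Set[str]], threshold: float = 0.5) -> List[List[int]]:
    """Unsupervised: single-linkage grouping of objects whose API sets overlap by at
    least `threshold` (Jaccard). Returns sorted lists of object indices."""
    parent = list(range(len(objects)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(objects)):
        for j in range(i + 1, len(objects)):
            if jaccard(objects[i], objects[j]) >= threshold:
                parent[find(i)] = find(j)
    groups: Dict[int, List[int]] = defaultdict(list)
    for i in range(len(objects)):
        groups[find(i)].append(i)
    return sorted(groups.values())


# Constructed unlabelled objects for the clustering step.
UNLABELED: List[Set[str]] = [
    {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "OpenProcess"},
    {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "OpenProcess", "CloseHandle"},
    {"socket", "connect", "send", "recv"},
    {"socket", "connect", "send", "recv", "closesocket"},
]

if __name__ == "__main__":
    model = BernoulliNB(TRAINING)
    print(model.classify({"OpenProcess", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"}))
    print(model.classify({"CreateWindowExW", "GetMessageW", "DispatchMessageW", "MessageBoxW"}))
    print(cluster(UNLABELED))
```

The clustering step has no labels at all; it only reports that objects 0 and 1 look alike and objects 2 and 3 look alike, which is exactly the "groups of similar objects" an analyst would then examine to decide whether a cluster represents a new family.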
Static and dynamic analysis
The system implements two main approaches to object analysis based on machine learning: static analysis without executing the object and dynamic analysis of behavior during execution.
Static analysis processes information about an object without executing it, and offers high generalization ability and throughput. The detector works in two stages: first, a flexible (similarity) hash is calculated to check whether the object falls into a known "dirty" region, then detailed analysis is applied if necessary.
Dynamic analysis examines the behavior of an object during execution, including system calls, network activity, file system and registry changes, and data generated as a result of execution. A memory dump provides access to the original code and allows you to detect data indicating malicious intent.
Automated model training
The system uses an automated threat intelligence center that continuously processes large collections of malicious and clean files. The center extracts basic behavioral features and trains models that are then converted into behavioral scenarios and delivered to the detector via incremental updates.
Automated systems process sandbox logs line by line, studying execution records of new malicious samples with machine learning to find new detection indicators. The indicators found enrich the mathematical models of the detection methods and the heuristic behavioral records created by experts.
Behavioural analysis and activity monitoring
Multi-level monitoring of system events
Behavioral analysis in Kaspersky Endpoint Security Cloud analyzes the activity of all components within the trusted environment of the protected device. The system distinguishes several levels of analysis, starting with monitoring key system events.
The first level includes tracking process creation, changes to key registry values, file modifications, and other critical system operations. All received events are normalized — brought to a common form for subsequent processing by various analytical modules.
The next stage adds additional information to some events: the system determines whether the modified file is executable, analyzes access rights, checks digital signatures, and performs other checks of the event context.
Filtering and aggregation of behavioral patterns
At the filtering, aggregation and scenario extraction stages, the system identifies significant combinations and sequences of events that form specific behavior scenarios. The library of malicious scenarios is generated by an automated center and is regularly updated based on the analysis of new threats.
Behavioural analysis has the advantage of actually observing the actions of programs, as opposed to the assumed pattern of actions analyzed during the intrusion prevention stage. The system can detect complex multi-stage attacks that use legitimate system tools to achieve malicious goals.
The detector makes a decision on the maliciousness of objects by identifying malicious behavioral scenarios, which allows blocking complex threats, including zero-day vulnerability exploits and fileless attacks.
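The pipeline described in this section, normalization, enrichment, aggregation by process lineage and matching against a library of behavior scenarios, as an added example that is not code from the page or from Kaspersky. The two sensor log formats, the event lines and the single scenario in the library are constructed; a real library holds many scenarios generated and updated centrally.

```python
"""Behavioral event pipeline: normalize -> enrich -> aggregate by process subtree ->
match ordered behavior scenarios. Event formats and data are constructed."""
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed raw events from two hypothetical sensors with different formats.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z proc_create pid=4100 ppid=3900 image=C:\\Program Files\\Office\\WINWORD.EXE",
    "2024-05-01T10:00:05Z proc_create pid=4120 ppid=4100 image=C:\\Windows\\System32\\wscript.exe",
    "file_write|2024-05-01T10:00:06Z|pid=4120|path=C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
    "reg_set|2024-05-01T10:00:07Z|pid=4120|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
    "2024-05-01T10:01:00Z proc_create pid=5000 ppid=3900 image=C:\\Windows\\explorer.exe",
    "file_write|2024-05-01T10:01:02Z|pid=5000|path=C:\\Users\\u\\Documents\\notes.txt",
]
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
AUTORUN_KEY = "\\currentversion\\run\\"


def normalize(line: str) -> Dict:
    """Stage 1: bring both sensor formats to one common event shape."""
    if line.startswith(("file_write|", "reg_set|")):
        kind, ts, pid, target = line.split("|")
        return {"ts": ts, "type": kind, "pid": int(pid[4:]), "target": target.split("=", 1)[1]}
    m = re.match(r"(\S+) proc_create pid=(\d+) ppid=(\d+) image=(.*)", line)
    # Process creation is attributed to the parent (the actor); the child is the target.
    return {"ts": m.group(1), "type": "proc_create", "pid": int(m.group(3)),
            "child_pid": int(m.group(2)), "target": m.group(4)}


def enrich(events: List[Dict]) -> Tuple[List[Dict], Dict[int, int]]:
    """Stage 2: add context from a process table (actor image, parent links) and
    flags such as 'target is executable' and 'key is an autorun location'."""
    image: Dict[int, str] = {}
    parent: Dict[int, int] = {}
    out = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "proc_create":
            image[e["child_pid"]] = e["target"]
            parent[e["child_pid"]] = e["pid"]
        out.append(dict(e, actor_image=image.get(e["pid"], "<unknown>"),
                        target_is_executable=e["target"].lower().endswith(EXEC_EXT),
                        is_autorun_key=AUTORUN_KEY in e["target"].lower()))
    return out, parent


Predicate = Callable[[Dict], bool]
# Constructed scenario library: each scenario is an ordered list of event predicates.
SCENARIOS: Dict[str, List[Predicate]] = {
    "office app spawns script host that drops an executable and persists via Run key": [
        lambda e: e["type"] == "proc_create"
        and e["actor_image"].lower().endswith(("winword.exe", "excel.exe"))
        and e["target"].lower().endswith(("wscript.exe", "cscript.exe", "powershell.exe")),
        lambda e: e["type"] == "file_write" and e["target_is_executable"],
        lambda e: e["type"] == "reg_set" and e["is_autorun_key"],
    ],
}


def subtree(pid: int, parent: Dict[int, int]) -> Set[int]:
    """All processes descending from pid (inclusive)."""
    members, changed = {pid}, True
    while changed:
        changed = False
        for child, par in parent.items():
            if par in members and child not in members:
                members.add(child)
                changed = True
    return members


def matches(stream: List[Dict], steps: List[Predicate]) -> bool:
    """Stages 3-4: the scenario's steps must occur in order (as a subsequence)."""
    i = 0
    for e in stream:
        if i < len(steps) and steps[i](e):
            i += 1
    return i == len(steps)


def detect(raw: List[str]) -> Dict[int, List[str]]:
    """Return {actor pid: [matched scenario names]} for the deepest matching actor."""
    events, parent = enrich([normalize(line) for line in raw])
    hits: Dict[int, List[str]] = {}
    for pid in {e["pid"] for e in events}:
        stream = [e for e in events if e["pid"] in subtree(pid, parent)]
        names = [name for name, steps in SCENARIOS.items() if matches(stream, steps)]
        if names:
            hits[pid] = names
    # Report only the deepest actor: drop a pid if one of its descendants also matched.
    return {pid: n for pid, n in hits.items()
            if not any(d != pid and d in subtree(pid, parent) for d in hits)}


if __name__ == "__main__":
    for pid, names in detect(RAW_EVENTS).items():
        print(pid, names)
```

The benign branch (explorer.exe writing a text file) never satisfies the first step, so it produces no verdict, while the Word-spawned script host is reported at the Word process, the root of the lineage, rather than at every ancestor up the tree.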
Cloud-based threat intelligence technologies
Kaspersky Cloud Sandbox and virtual analysis environment
Kaspersky Cloud Sandbox is an advanced automated malware analysis system, developed based on more than two decades of threat research experience. The system uses a hybrid approach that combines threat research based on petabytes of statistical data with behavioral analysis.
The sandbox includes robust anti-evasion and human-behavior simulation technologies such as an autoclicker, document scrolling, and dummy processes. These technologies trigger malware that tries to detect the virtual environment and evade analysis.
The system provides the highest level of detection, identifying thousands of new malicious files daily. This advantage allows it to detect complex targeted threats and sophisticated attacks that bypass traditional antivirus solutions.
Detailed analysis of file behavior
Kaspersky Cloud Sandbox provides detailed information about the actions and behavior of executable files. The system monitors the loading and launching of DLL libraries, the creation of mutexes, the modification and creation of registry keys, and external connections to domain names and IP addresses.
The analysis includes monitoring HTTP and DNS requests, creating processes via executable files, creating, modifying and deleting files. The system provides contextual recommendations for each type of detected activity, helping analysts understand the nature of the threat and take appropriate action.
The user-friendly interface makes it easy to interpret the analysis results, and the ability to export to JSON, STIX, and CSV formats ensures integration with existing security analysis systems. REST API support allows you to automate analysis processes and integrate the sandbox into your organization’s workflows.
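As an added example of the integration step the paragraph above describes (not code from the page or from Kaspersky, whose report schema and API are not shown here), this script takes a constructed sandbox report in JSON, exports the observed activity as CSV rows and emits the network, mutex, file and registry observations as STIX 2.1 indicator objects. The report layout and the placeholder sample hash are assumptions; the STIX object fields follow the STIX 2.1 specification.

```python
"""Convert a constructed sandbox JSON report to CSV rows and a STIX 2.1 indicator bundle.
The report layout is hypothetical; it mirrors the activity types the text lists."""
import csv
import io
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional

REPORT_JSON = json.dumps({
    "sample_sha256": "0" * 63 + "1",  # placeholder, not a real sample hash
    "verdict": "malicious",
    "activities": [
        {"type": "dns_request", "value": "update-check.example"},
        {"type": "http_request", "value": "http://update-check.example/u.bin"},
        {"type": "mutex_create", "value": "Global\\constructed-mutex-1"},
        {"type": "registry_set", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
        {"type": "file_create", "value": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"},
        {"type": "dll_load", "value": "C:\\Windows\\System32\\wininet.dll"},  # context only, not an IoC
    ],
})

# Activity types worth sharing as indicators, with the STIX pattern for each.
STIX_PATTERNS = {
    "dns_request": "[domain-name:value = '{v}']",
    "http_request": "[url:value = '{v}']",
    "mutex_create": "[mutex:name = '{v}']",
    "file_create": "[file:name = '{v}']",
    "registry_set": "[windows-registry-key:key = '{v}']",
}


def _stix_escape(value: str) -> str:
    """Backslashes and single quotes are escaped inside STIX pattern string literals."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _stix_ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def to_csv(report_json: str) -> str:
    """Flat CSV export of every observed activity (header + one row per activity)."""
    report = json.loads(report_json)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["sample_sha256", "verdict", "activity_type", "value"])
    for act in report["activities"]:
        writer.writerow([report["sample_sha256"], report["verdict"], act["type"], act["value"]])
    return buf.getvalue()


def to_stix_bundle(report_json: str, now: Optional[datetime] = None) -> Dict:
    """STIX 2.1 bundle with one indicator per shareable activity. Ids are derived
    deterministically (uuid5) from the sample hash and the observation."""
    report = json.loads(report_json)
    ts = _stix_ts(now or datetime.now(timezone.utc))
    objects: List[Dict] = []
    for act in report["activities"]:
        template = STIX_PATTERNS.get(act["type"])
        if template is None:
            continue  # e.g. dll_load: useful context, not something to block on
        uid = uuid.uuid5(uuid.NAMESPACE_URL, f"{report['sample_sha256']}:{act['type']}:{act['value']}")
        objects.append({
            "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uid}",
            "created": ts, "modified": ts, "valid_from": ts,
            "name": f"{act['type']} observed for sample {report['sample_sha256'][:12]}",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix", "pattern": template.format(v=_stix_escape(act["value"])),
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(to_csv(REPORT_JSON))
    print(json.dumps(to_stix_bundle(REPORT_JSON), indent=2))
```

Keeping the DLL-load record in the CSV but out of the STIX bundle reflects a common design choice: everything observed is useful for an analyst, but only observations that a downstream system could act on should be shared as indicators.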
Incident Detection and Response Functions
Integration of EDR technologies
Kaspersky Security Center Cloud Console can integrate endpoint detection and response (EDR) capabilities to protect against advanced cyber threats. The solution combines automatic threat detection with response capabilities to counter sophisticated attacks, including new exploits, ransomware, and fileless attacks.
When a threat is detected by the Endpoint Protection Platform application, the system adds an alert to the notification list. The alert contains detailed information about the detected threat and allows you to analyze and investigate its characteristics. Administrators can visualize threats by creating a threat chain graph that describes the stages of an attack’s development over time.
The system offers a set of predefined response actions: isolating an untrusted object, isolating a compromised device from the network, creating execution prevention rules for suspicious objects, and other response measures.
Managed detection and response
Kaspersky Endpoint Security Cloud supports integration with managed detection and response (MDR) services. After a threat is detected, the system creates a new incident in the incident list with detailed information about the threat.
Security Operations Center analysts investigate incidents and recommend remediation actions. Organizations can manually accept or reject suggested actions, or enable automatic acceptance of all recommendations to speed up the response process.
This approach provides organizations with access to the expertise and experience of security professionals without the need to establish their own security operations center.
Protecting virtual and cloud environments
Specialized solutions for virtualization
Modern organizations actively use virtual and cloud technologies, which require specialized approaches to security. Kaspersky Security for Virtual and Cloud Environments protects virtual machines, public clouds, and servers running Windows and Linux.
The system provides next-generation protection against modern cyber threats, enhancing the protection of corporate servers and reducing the risk of successful attacks. The multi-level system includes functions for increasing reliability, protecting against exploits, monitoring file integrity and blocking network attacks.
The solution integrates with popular cloud platforms, including AWS, Microsoft Azure, Google Cloud and Yandex.Cloud, providing unified protection for an organization’s hybrid infrastructure.
SharedCache technology and resource optimization
For virtual desktop infrastructure (VDI), the system supports rapid machine provisioning through linked and full clone technologies. Pre-installation of a lightweight agent allows you to create new virtual machines by simply cloning a template.
Once the cloning is complete, the new machine is automatically protected by a centralized virtual security appliance. This approach simplifies VDI management and eliminates the need to constantly update security products in the virtual desktop image.
SharedCache technology optimizes resource usage in a virtual environment, ensuring efficient operation of the protection system without affecting the performance of virtual machines.
Centralized management and administration
Cloud Management Console
Kaspersky Endpoint Security Cloud gives administrators access to an always-on cloud console that lets them apply and change security features from any device connected to the Internet. This approach is especially convenient for organizations without on-site system administrators.
The console’s cloud architecture eliminates the need to purchase and maintain additional hardware, and initial setup is performed as quickly as possible. All security functions are configured and deployed from a single console on all types of devices: Windows workstations, laptops, file servers, and mobile devices.
A simple and user-friendly interface allows you to quickly configure policies and apply them to all workstations in the organization. Pre-installed security policies developed by experts simplify the initial configuration of the system.
Security Profiles and Policies
The system uses the concept of security profiles to manage protection settings for different groups of devices. Administrators can create unified security profiles for all types of devices and operating systems, using presets from the manufacturer’s experts.
The security profiles section contains a list of configurations, each of which defines the parameters for detecting various types of objects. The system allows you to configure the detection of viruses, worms, Trojans and malicious utilities, and to extend the list to adware and legitimate applications that attackers can abuse.
The flexibility of policy settings allows you to adapt the security system to the specific requirements of the organization, balancing between the level of security and the ease of use of corporate resources.