What is herdProtect?
herdProtect is a second line of defense malware scanning platform powered by 68 anti-malware engines
in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection. As a second line of defense anti-malware solution, herdProtect is designed to run with any existing anti-virus program already installed on a user's PC.
How does it work?
The herdProtect scanning engine works by monitoring the active objects (processes, modules, drivers, etc.) on a user's PC as well as the hundreds of auto-start execution points (ASEPs). As new objects such as processes become active in the system, herdProtect will use a secured network tunnel to scan the object for malware against the engines of the top 68 anti-malware scanners. By scanning in the cloud all processor intensive activities are performed independent of the user's PC. Depending on the aggregate results of the scan, the user can then take the appropriate actions and keep their PC free from any known malware threats.
Why do I need it?
One anti-virus product is just not enough these days. The top 10 anti-virus engines only detect around 90% (see knowledgeBase
) of known and zero-day threats which leaves your PC open to numerous viruses, worms, trojans, rootkits, dialers and spyware that many anti-virus programs might not detect. The problem is that running more than one anti-virus platform on your PC is usually detrimental to your PC's overall performance due to the fact that these products might fight for resources essentially deadlocking your PC. With over 100,000 new threats discovered daily, it would be impossible for any single product to provide guaranteed protection 100% of the time. However, herdProtect is different, it uses the collective wisdom of the top 68 anti-malware scanners (known as multi-scanning) to make sure that a known threat does not go undetected. When new threats emerge, only one of those engines needs to detect the malware for your system to be protected. In addition, because its scanning is performed in the cloud, your PC's performance is not effected and herdProtect is designed to co-exist with any existing anti-virus platform already running on your PC.
herdProtect scanning methodology
The concept of herdProtect scanning is quite simple in fact. It is designed to target active threats, those that are currently running on a PC or have the ability to run through an ASEP (auto-starting execution point). herdProtect works by doing active scanning of these critical sections and testing each file through a multi-step process against the 68 anti-malware platforms utilized.
First, herdProtect simply looks at the various hashes of the image on disk and compares them to all the known hash signatures. Hashes include both the full file hash such as SHA-1 as well as CTPH hashes, import hashes (IMPHash), PE hashes, and a number of our own proprietary hashes for known variations.
Second, if no direct match is made, herdProtect will extract vital pieces of static and behavioral information about the active process, module, etc. and compare them against a gigantic database of known behaviors and attempt to make a determination.
Lastly, if needed, it will analyze the file in a sandbox environment remotely with all 68 engines to see if a detection is made. It does this in real-time by sending a snapshot of the file and context in question and reports back its findings (if you agree to this step in the Terms of Service of course).
In addition to hash scanning (for adware, malware, viruses) herdProtect uses standard industry and proprietary scanning techniques for detecting offline and runtime binary patched files as well as rootkits.
In any of these cases, if a match is made, herdProtect will determine the validity of the detection utilizing a number of algorithms that rule out any false positives. If a detection is not made, herdProtect will flag the file to be watched and will periodically re-scan it when any signatures of the 68 scanners are updated to see if anything new arises.
Some basic FAQs
Can I upload a file? Currently we do not support one-off or even batch uploads of files for analysis. There is a very good reason for this... herdProtect is designed to study files within their natural environments. This is very important to our analysis process as the dynamic interactions of a file are as important as standard static scanning. This dynamic analysis includes how it behaves, how it starts up, how it runs, where it comes from, who it talks to, what it is actually doing, and so forth.
How is herdProtect free? We plan on keeping all versions of herdProtect completely free. In order to operate and maintain our platform we run very limited ads throughout this web site (we do not provide any ads in the software). In addition we accept donations via if you would like to support us even more!
Does herdProtect provide support? Currently we are able to provide limited support (email@example.com) due to our small manned infrastructure, however we plan on greatly expanding this in the near future. In addition we plan on launching a community of herdProtect expert peers that will provide user support very shortly.
Who's behind it?
herdProtect is a Reason Software Company project, powered by Andrew Newman. With nearly 20 years of experience behind him, Andrew is a seasoned developer and entrepreneur in the anti-malware industry and was the co-founder and chief software architect for GIANT Company Software, acquired by Microsoft Corporation. GIANT Company was a leader in the anti-spyware and anti-spam industry pioneering many innovations that used machine learning and behavior analysis over distributed networks to rapidly combat malware. This network later became known as SpyNet and still serves as the backbone to Microsoft’s secure computing initiatives. Andrew served as Lead Security Program Manager at Microsoft, and lead in the development and release of Microsoft Anti-Spyware and Windows Defender, now a part of the Windows Operating System. Andrew also holds a number of patents around distributed computing, data aggregation and information discovery. By leveraging his skill set within the AV industry and his passion for statistical analytics and data sciences, herdProtect was born.