Cyberhawk

Reviewed by: Howard Carson, May 2007
Published by: Novatix
Requires: Windows 2000 through Vista
MSRP: Basic version is free

Novatix, the company that reinvents itself every so often, has come up with yet another useful utility product. This time Novatix is into security software and, as usual, the effort is worthwhile. The software is called Cyberhawk. It arrives at a time when virus attacks, and concerns about zero-day protection for personal and business computers, are at an all-time high. Cyberhawk is an antivirus/antitrojan product designed to detect zero-day infections, which by definition occur before your antivirus vendor has shipped an update that recognizes them. If your initial reaction so far is "So what?!" then a little more explanation is in order.

A zero-day event, zero-day virus or zero-day infection, in computer and Internet terminology, is essentially a virus or some other malicious code in the wild (installed on malicious web sites, circulating as an email attachment, and so on) which is so new that the antivirus and antispyware software makers haven't yet come up with a defense and may not even have detected its existence. (Strictly, "zero-day" describes a vulnerability the software vendor has had zero days to patch; throughout this review the term is used in the looser sense of malware too new to have a signature.) The expression "in the wild" simply means that the virus or malicious code is actively spreading across the Internet from computer to computer through email attachments or some other form of file exchange, as opposed to being confined to the virus creator's computer or a lab somewhere. Although all of the major antivirus and antispyware software makers maintain active (and exceedingly busy) researchers and programmers who look daily for evidence of new viruses and spyware, damaging zero-day infections of one sort or another are an increasingly aggravating headache. Simply put, virus and spyware programmers are getting smarter and craftier at least as fast as the antivirus and antispyware programmers trying to keep up with them.

Novatix has produced some top-notch products in recent years, including the delightfully useful SendPhotos, a terrific email plug-in for laying out, titling and sending photos, and Explorer Plus, an excellent file manager. However, SendPhotos and Explorer Plus appear to have been sold off to other companies while Novatix concentrates its development efforts in the security arena. Cyberhawk is certainly an interesting development.

There are a couple of different approaches to developing software which is supposed to detect things that haven't yet been devised. In fact, there are dozens of theories about how to do this, but only a couple have risen to the top of the list. Cyberhawk has been developed around technology called ActiveDefense. Rather than matching files against a list of known signatures, it watches what the services, programs and applications running on your computer actually do, and builds up a picture of that behavior as they run. When a program starts doing things that legitimate software ordinarily does not do, the difference in behavior alerts Cyberhawk to a potential problem, so that it can either shut down known infectors outright or ask your permission to allow the new program or service to run. In theory the whole approach is very crafty and very smart. Implementing it is exceedingly difficult, though, not least because so many new programs and web applications push the boundaries of conventional software behavior into areas which, for all intents and purposes, look unacceptably different to something like Cyberhawk.

The product installs and runs in the background, uses very little RAM and imposes no significant load on the PC. We encountered a number of program incompatibilities, several of which prevented the affected programs from launching at all. The problem with an incompatibility, as opposed to something that Cyberhawk detects and presents to you for notification and authorization, is that you never get the chance to authorize the program to run. It just stops dead. Uninstalling Cyberhawk allowed Joost and several other low-level system utilities to run again. If Cyberhawk is going to present this sort of problem to exotic programs and web applications, or alternatively if applications like Joost aren't designed to be compatible with useful products such as Cyberhawk, we've got a problem. We sent a bug report to Joost and also notified Novatix that Cyberhawk appears to cause a problem for Joost.

Use Cyberhawk alongside your regular antivirus and antispyware utilities. It's not a replacement for those products but rather an extra measure of detection and protection which is supposed to fill a small gap through which viruses and spyware can sneak. In the absence of a highly advanced test bed, we instead rewrote some basic viruses to emulate zero-day threats. The main problem we encountered with this approach was simply that our installation of AVG antivirus kept detecting and killing our modifications to existing viruses before Cyberhawk ever got a look at them. It wasn't until we completely rewrote an existing virus that Cyberhawk spread its wings and actually nailed the threat. We then disabled Cyberhawk, reloaded the virus and managed to fool AVG, Norton, Trend, Panda and eScan (based on the Kaspersky antivirus engine). So Cyberhawk worked as designed and advertised. We also encountered a number of false positives and warnings about existing, benign programs, all unfortunately without any significant explanation of the potential threat or how to deal with it. Technically advanced users will have a comparatively easy time dealing with these warnings, but we think typical PC users will not fare so well.
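To make the two preceding points concrete (why a behavior watcher catches a rewritten sample that signature scanners miss, and why the same approach throws false positives on legitimate but unusual programs), here is a toy detector added for this page. It is not Novatix code and says nothing about how ActiveDefense is actually implemented. It pairs a byte-signature scan, which is what AVG was doing when it kept killing the lightly modified samples, with a behavior scorer that rates what a process does and explains every hit. The event format, rule weights, threshold, the "worm" traces and the Joost-like streaming trace are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed "vendor signature": the byte pattern shipped for the original
# sample. A rewritten variant with the same behaviour shares none of it.
SIGNATURES = {"worm.a": b"\x90\x90\xeb\x1f\x68"}


@dataclass(frozen=True)
class Event:
    """One observed action by a running process (constructed trace format)."""
    process: str
    kind: str          # reg_write | file_write | proc_inject | net_connect
    target: str = ""   # registry path, file path, victim process or peer
    port: int = 0      # only meaningful for net_connect


# Behaviour rules: (explanation shown to the user, weight, predicate).
# Weights and threshold are illustrative assumptions, not a vendor's values.
RULES = [
    ("adds itself to an autorun registry key", 3,
     lambda e: e.kind == "reg_write" and "\\run\\" in e.target.lower()),
    ("modifies the hosts file", 3,
     lambda e: e.kind == "file_write" and e.target.lower().endswith("hosts")),
    ("writes into another process's memory", 4,
     lambda e: e.kind == "proc_inject"),
    ("drops an executable", 2,
     lambda e: e.kind == "file_write" and e.target.lower().endswith(".exe")),
    ("opens an outbound connection on a non-web port", 1,
     lambda e: e.kind == "net_connect" and e.port not in (80, 443)),
]
BLOCK_AT = 5   # score at which the process is stopped instead of prompted for


def signature_scan(image: bytes) -> Optional[str]:
    """Classic AV check: does the file contain a known byte pattern?"""
    for name, pattern in SIGNATURES.items():
        if pattern in image:
            return name
    return None


def behaviour_scan(process: str, events: List[Event],
                   allowlist=frozenset()) -> dict:
    """Score a process by what it did. Every hit is explained so the user can
    judge a prompt; an allowlisted name records the user's earlier 'allow'."""
    if process in allowlist:
        return {"process": process, "score": 0, "reasons": [], "verdict": "allow"}
    score, reasons = 0, []
    for e in events:
        if e.process != process:
            continue
        for text, weight, hit in RULES:
            if hit(e):
                score += weight
                if text not in reasons:
                    reasons.append(text)
    verdict = "block" if score >= BLOCK_AT else ("prompt" if score else "allow")
    return {"process": process, "score": score, "reasons": reasons, "verdict": verdict}


# --- constructed scenarios -------------------------------------------------
ORIGINAL_IMAGE = b"MZ\x90\x00" + SIGNATURES["worm.a"] + b"\xcc" * 8
REWRITTEN_IMAGE = b"MZ\x90\x00" + b"\x31\xc0\x50\x68" + b"\xcc" * 8  # same job, new bytes

WORM_EVENTS = [  # what both versions of the worm do once they run
    Event("worm.exe", "file_write", r"C:\Windows\svchosts.exe"),
    Event("worm.exe", "reg_write",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"),
    Event("worm.exe", "proc_inject", "explorer.exe"),
]

# A Joost-like P2P streamer: nothing individually alarming, but many peer
# connections on high ports add up past the threshold.
STREAMER_EVENTS = [Event("joost.exe", "net_connect", f"peer{i}", 33000 + i)
                   for i in range(6)]


def run_scenarios() -> dict:
    return {
        "original_sig": signature_scan(ORIGINAL_IMAGE),      # "worm.a"
        "rewritten_sig": signature_scan(REWRITTEN_IMAGE),    # None: AV is blind
        "rewritten_behaviour": behaviour_scan("worm.exe", WORM_EVENTS),
        "streamer": behaviour_scan("joost.exe", STREAMER_EVENTS),
        "streamer_allowed": behaviour_scan("joost.exe", STREAMER_EVENTS,
                                           allowlist={"joost.exe"}),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(label, "->", result)
```

The rewritten image defeats the signature scan while the behavior scorer blocks it on the strength of what it does, which is the effect the review observed against AVG. The streaming trace trips the same threshold purely through the volume of peer connections, which is the shape of the Joost-style false positive; the only defenses are the per-rule explanation attached to each alert and the user's "allow" answer, recorded here as the allowlist.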


Cons: Some software, including the still-in-beta version of Joost (v0.10 as of this writing), conflicted with Cyberhawk and would not run. Apparently, the kind of advanced web tunneling performed by products like Joost can look like non-standard activity to an observation and analysis product like Cyberhawk. The underlying problem is that the whole complex weave of streaming multimedia, data tunneling, some stunningly brilliant (if misdirected) zero-day malware programming, web browser programming and online interactivity prevents developers of legitimate software from settling on standard or consistently predictable behavior. The whole thing is a vast and, in our opinion, very hard to hit set of moving targets. While Cyberhawk is a serious effort at plugging the gap between the appearance of an infector and the appearance of the relevant 'cure' from antivirus and antispyware vendors, we still think that Novatix has more work to do on Cyberhawk's compatibility with the vast and possibly insurmountable stack of legitimate software products in use today. Toward the end of the review period (April 15 through May 20, 2007) the Novatix web site was operating as though it were at the other end of a 28.8 modem, glacially slow and unimpressive, and the site server was apparently left in that unrepaired or unfinished state for quite some time.

Pros: Cyberhawk works for the most part. The proprietary ActiveDefense technology developed by Novatix seems to be up to the task of detecting zero-day events of various types. Careful study of alerts and acquiring some knowledge about how Cyberhawk works helps users understand how to best use the product. Once you've become familiar with how and why Cyberhawk works, it can be a very useful utility indeed, and an excellent extra layer of defense working alongside your existing antivirus and antispyware products. Cyberhawk is a functional work in progress and we'll be very interested to see how much smarter it gets as time and ongoing product development have their positive effects. For now, it's recommended with reservations.

KSN Product Rating:

© Copyright 2000-2007 kickstartnews.com. All rights reserved.