Tencent Ma jinsong anti virus laboratory AV relevant dates

Everyone was forced to accept certain facts. For example our world cannot eradicate crime, such as cyberspace cannot be extinct virus. It is, therefore, we need Permanent Mission of AV systems. Don’t get me wrong, AV is the Anti-Virus (anti-virus software) for short.

Anti-virus as fierce, popular, is to rely on the most-wanted pictures (virus), find the criminals disguise (viruses and variants). Tencent Butler that was widely installed software, anti-virus engines which are equipped with a Tencent TAV. This engine, from the hand of Tencent’s anti-virus lab.

Antivirus engine is like a car engine, you cannot look to judge its performance. Want to know how much it must personally stepping on the accelerator is not available. Every time you click on when killing the virus, virtually every security experts and laboratory “dialogue”, but in reality, users it is difficult to have the opportunity to talk to them face to face.

Lei feng to Tencent network interview Ma jinsong, head of the anti-virus lab, he tells the story of Tencent antivirus engine from scratch.

“Ma jinsong”

Battle of the address bar virtual reality iPhone case

As a technical descent “virus killer” Ma jinsong talk calm, there is an old style of Interpol.

Antivirus technology is the essence of confrontation, and that is why he has been the focused area. Ma jinsong can still clearly remember ten years ago when I first came to Tencent’s “special mission”.

Search engine was still at the stage of Lake melee, Tencent’s Soso, 3721, Baidu, Google, Yahoo, CNNIC. Users in the IE address bar, when you enter a keyword search, IE will automatically based on the sequence Specifies a search engine query. In order to win first in line, several search engines have been up to my ears in the background. Liu Guize and I both took the confrontational task.

Search engine traffic determines the scale of advertising revenue. Popular terms, it’s like a kindergarten teacher let children form a line, number one can get small red flowers, so before children start in the race of the “bitter war”.

Clearly, every time we pushed a new version of advertising revenues will be significantly improved, but competitive technical team to do the same against, today we are ranked first, tomorrow is the opponent first. So we must continually study the opponent’s program, improve its own procedures. virtual reality VR case

This upgrade began in weeks, the gradual heating up to days after as a unit. Ma jinsong was proud to be against later issued as long as dozens of bytes configured upgrade file, you can ensure a search interface to the search team. Sometimes, he can develop a “larger version”, allow two or three days didn’t crack.

Although competitive today, but all search firms are subject to the same Lake rules, that is: all of the fight only in the background, not pop, not crash, unable to make users feel.

Because of this, in the eyes of Ma jinsong, ten years ago, this battle is more like a technology race, rather than cut-throat war.

Software against a enemy tactics in the impossible, if you have such measures, will escalate the war. As a result things would unbalance, there will be more trouble in the back.

This philosophy later became company antivirus engine.

Hand polished one antivirus engine

In 2010, the world does not exist yet on the name of a “Tencent antivirus engine” stuff. But fate always so unexpected, 3Q war broke out.

Severe situation that lies ahead, we must have an antivirus engine. However, due to time constraints, developed from scratch before so I was responsible for contacts and some international manufacturers, buying an OEM (custom) engine.

However, given the volume, users of Tencent and, of course, have their antivirus engine requires urgency, some manufacturers have developed a strict Protocol, to a high sky price tag. Ma jinsong said the price “people dismayed.” He was very angry, and make money.

However, the engine of the Bentley price only provides charade engine performance. “Once ran, immediately 200M of memory, card even open Word. “After six years, MA jinsong still could not help but ridicule. “And during use, viruses do not see customer response, clear off. We have reflected to the manufacturer, their attitude was very good, 24 hour response. Just receiving the feedback we heard, a few months are not upgraded. “This is a common failing of traditional antivirus software vendors.

In 2011, the intolerable Ma jinsong outraged decided Tencent own antivirus engine.

Because before I came to the company in the domestic well-known traditional anti-virus software manufacturers, so I have confidence in their technology. But because it is starting from zero, an engine for research and development of virtual execution, shell Pack with these basic skills still need a certain amount of time. “Until six months later, Tencent anti-virus engines TAV was basically taken shape, the team decided to put the engine on the test platform test.

Online test I think it should be not too bad, but received the first report of the test, I was very excited, because our engine virus detection rates indexes a row in upper-medium location of all the competing products.

However, no proud capital of the TAV engine, because Ma jinsong built engines, bought resources takes up even more than the OEM engine. He understood to some extent the competitive difficulties, but he did not want to compromise. “To ensure the detection rate, but also to ensure the detection speed, this is a carefully balanced. ”

To this end, the Ma jinsong led the brothers to do the following things:

File before entering the engine, it is necessary to first filter filter. Some files in the whitelist certainly is not a virus, so you can take advantage of certain conditions, selectively allowing suspected file into the virtual implementation of resource-intensive processes.

Detected file security on time, not necessarily the file system checks, but according to subdivide scenes, when the system is idle, or copies of files when files are checked.

Virus definitions for streamlining, the team of security researchers repeated the experiment, extract a virus’s best feature, short and low false positive rate.

Improved engine, using machine learning to help extract the characteristics of the virus.

From the middle of 2012, TAV resource consumption gradually achieve the ideal state of Ma jinsong, in his words, “this is the antivirus engine to Internet companies.” He told nets of Lei feng, now computer Butler of TAV engine, including total volume of signatures in less than 10M.

Since then, using TAV computer Butler VB100, AVC, AV-Test and other international official evaluation of antivirus software has remained in the first echelon, in the PC field catching Kaspersky Anti-virus, Avira, superb antivirus engine. 

“In 2016, TAV will take part in the evaluation of the various agencies,” calendar “”

Have their own antivirus engine, MA jinsong was unprecedented fun: “all these years we occasionally encounter problematic treatment of special samples of the virus. Macro viruses that have a strong ability to copy before, we have reflected to the OEM engine for two or three months, has not been addressed; team included key module development and our own time, is only a week or so to complete killing. ”

Ma jinsong told Lei Feng network, anti-virus engine evolution process, clouds credit alternatives. Some old virus sample amount can be placed in the cloud, and the current epidemic of the highly contagious virus in the local, also became the current standard of each antivirus engine.

Hubble’s creation

virtual reality iPhone case

A complete anti-virus system, not only should have “photos catching the killer” front of the Avira engine, there should also be “judging who the murderer is” the back-end system. In the initial stages, TAV is the main part of the source of virus samples collected through various channels. TAV continuously improve the process, MA jinsong found for these samples, their engines have to cope with.

Hubble’s systems on their plans. Simply put, the Hubble is through complete analysis of all files over the network, and then file a new virus is detected the system. Popular, the ability to capture very strong “police” to start enhance their detection capabilities.

Now Hubble’s systems every day tens of all new files can be analyzed by building a virtual environment, together with a variety of integrated rules to determine whether a file is safe.

Tell Hubble how to judge whether a file virus, this matter is far more complicated than imagined, because Ma jinsong and team, is a living behind the virus hackers.

Against many viruses and anti-virus software, such as judging yourself by the surrounding conditions in a virtual machine is not running antivirus software;

There are a lot of theft, Trojans, they would be testing DNS service is not, QQ detection system is running. Since we can’t really installed QQ on a virtual machine, so we need to use the code to simulate the features of software.

There are some viruses, it attacks takes a special trigger conditions, such as after they have been downloaded, wait 30 seconds before they started to attack. Or does not do anything when run for the first time, restart and then attack. The virus we will skip in front wait for the code, directly behind the check code.

There are also complex viruses, can encrypt their own, deformation. This particular virus, can only rely on real implementation, let it run during their decrypted plaintext code. But this has very high demands on the virtual machine, if the virtual machine is written is not sophisticated enough, was to be decrypted anymore after running half.

Ma jinsong told Lei Feng network, due to the very large data analysis, Hubble can also produce high quality of threat information.

“In these samples, we can extract the IP addresses, URL addresses, E-mail address, cell phone, short signals. These are very valuable information. For example you can E-mail queries to the registrant’s information, also can query the registration information through the Web site, this information can be made available to internal and partner Tencent, attacks on specific targets in the whole network. ”

“The winter of 2015, MA jinsong and colleagues in the Office waiting for the test results”

The hardest is the last step

In June 2015, MA jinsong and anti-virus lab received a difficult task, that is, carry “cell phone virus” burden. Although a team of experts on mobile phone viruses have studied before, but the main direction has been a PC-side.

Mobile phone and PC viruses the same principle, but the file format, the proportion of black and white list structure, the features of harmful behavior is not the same. These details are still very time to eat.

Ma jinsong said he tries not to let the brothers worked overtime, calm and orderly completion of this major project. He told nets of Lei Feng (search for “Lei feng’s network” public concerned) an impressive scene:

By November, when our mobile engine first AV-Test assessment. We know that the results will be announced in two days, so we have several people in every company. Because Germany is sometimes poor, so we wait until 11 o’clock at night. But did not wait for two or three days in a row, last winter was very cold and we went home at midnight cold enough.

But 11:30 on the last day, we finally got the message. The detection rate of our 98% to get full marks. At that moment, suddenly was hungry, I would like to invite everyone out to eat a big meal at night.

While detection rates than 98% is found to be out, but the “98%” data let Ma jinsong was harsh, because this means two percentage points from 100%. But the 2% distance, but it cannot be easily filled. Strange thing is, when it comes to how to fill these two points, MA jinsong see no unique stunts. “There I did something, suddenly raised these points one by one. We actually took over all the details again, optimize the logic of all think there is room for improvement. Kung Fu, attitude, bad 98% to 100% distance. ”

March 2016, the TAV in mobile phone virus got 100% for the first time in the test results.

“The evaluation report AV-Test March 2016 mobile antivirus, Tencent and other companies tied for first place (parallel order according to alphabetical order)”

“From that point on, I could no longer see the competitor’s students show their evaluation scores. “Ma jinsong is very proud.

Said year development purpose of TAV, MA jinsong regrets:

Because the permissions are system-level anti-virus software, in the core position; just like the firewall at the boundary of defense systems. On core competencies are subject to foreign countries, it is possible to be left back, upping the controlled by others. We do not have any methods.

Story confirms the “old COP” judgments, in 2014, the State issuing rules to ban purchasing foreign State-owned enterprises anti-virus software.

Ma jinsong, TAV station network in China’s borderland on the selves.