herdProtect is a promising cloud-based malware scanner for Windows
Ever since cloud became a buzzword, many security companies have started to make use of it in their products. This usually means doing some of the scanning and verification remotely and not on the user's computer.
While that has certain advantages, like an always up-to-date database and software, it also means that users need an Internet connection to make use of the feature. And some users do not like the privacy implications that go along with the move.
The new program herdProtect is a cloud-based scanner, which may keep some users from giving it a try. Unlike most other programs that rely on a single engine to test against malware, herdProtect uses 68 of them.
Unfortunately, the engines are not listed as text on the project website, but you may be able to identify some by looking at the company logos placed on it. Among them are many heavyweights such as Kaspersky, Bitdefender, AVG, ESET, or Avira, to name a few.
The current installment of herdProtect scans the PC for objects in critical locations, e.g. running processes but also desktop files, and scans those in the cloud.
While there is no confirmation of this on the project website, it appears that it is using a signature-based approach for that. This means that it generates a hash of each file and checks it against the project database hosted in the cloud. A found hash means that an identical file has already been scanned, and the result is transferred back to the user PC.
If a file hash is not found, it needs to be uploaded to be scanned remotely.
The scan itself should not take longer than a couple of minutes. In the end, a scan result page is displayed listing all files that at least one of the supported engines marked as malicious or problematic.
The results are sorted into different groups like adware or inconclusive detection. In those groups, the files with the most hits are always displayed from top to bottom.
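The hash-first lookup and result grouping described above, as an added example that is not herdProtect's code. SHA-256, the `known_results` dictionary standing in for the cloud database, and the engine names are assumptions; the sample files are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large binaries are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(paths, known_results):
    """Hash-first lookup: a known file is resolved from its digest alone.

    known_results is a hypothetical stand-in for the cloud database:
    {sha256: {"group": str, "engines": [names of engines that flagged it]}}.
    Returns (groups, to_upload); to_upload lists files with no cached result.
    """
    groups, to_upload = defaultdict(list), []
    for path in paths:
        record = known_results.get(sha256_file(path))
        if record is None:
            to_upload.append(path)      # unknown hash: the whole file must be sent
        elif record["engines"]:         # listed only if at least one engine hit
            groups[record["group"]].append((path, len(record["engines"])))
    for hits in groups.values():
        hits.sort(key=lambda item: item[1], reverse=True)  # most hits first
    return dict(groups), to_upload

def demo():
    """Constructed sample: three small files and a two-entry result cache."""
    workdir = tempfile.mkdtemp()
    samples = {"toolbar.exe": b"constructed-sample-1",
               "updater.exe": b"constructed-sample-2",
               "notes.txt": b"never seen before"}
    paths = []
    for name, content in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as handle:
            handle.write(content)
        paths.append(path)
    cache = {
        hashlib.sha256(b"constructed-sample-1").hexdigest():
            {"group": "adware", "engines": ["EngineA"]},
        hashlib.sha256(b"constructed-sample-2").hexdigest():
            {"group": "adware", "engines": ["EngineA", "EngineB", "EngineC"]},
    }
    return triage(paths, cache)
```

Only files that land in `to_upload` leave the machine in full; for everything else the digest is the only content-derived value a lookup like this needs to send.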
You can click on any result to display the engines that identified the file as malicious or problematic. The program itself displays a suggestion as to what you should do with the program, for instance to remove it if it is not needed on the PC.
A click on view opens the Windows Explorer folder of the file, while a click on details opens the results page on the herdProtect website. Here you find additional file details, the file's digital signature, its worldwide distribution, known variants, and other related information.
Note that all of the scan results are automatically moved to the cloud and from there to the company website, where they are publicly accessible. There is no option to disable that, but the information that is posted there does not contain any identifiable information from what I can tell. The only possibility in this regard is that the file name may contain information.
The program does not offer any removal of its own at this point in time. That's a serious problem, considering that your resident anti-malware program may not even identify the detected files as such.
The company plans to release updates to the program which will improve it significantly. Plans are to integrate the removal of malware in the first quarter of 2014, and to add real-time protection of the system in the second quarter of the same year.
For now, it is an alternative to the popular Virustotal service and programs such as Virustotal Uploader.
It isn’t true. You can extract the program from the installer (with 7zip for example) and use the software herdProtect as portable.
Thanks Ghacks for the discovery of herdProtect. I only knew HitmanPro.
No you can’t.
I had tried it myself. So, I didn’t understand your reply…
Here is the complete list of engines:
Good news, perhaps. Won’t having 68 scanning engines increase the probability of false positives?
Will it rank “positive findings” as to probability that it is malware? If so, how will it do that? What standard will a “true positive” have to fulfill to make it a “true positive” (malware) or a “true negative” (safe)?
Thank you (as usual) for interesting and thought provoking articles, Martin.
Yes, the more engines you have, the more likely it is that you will get false positives. It is usually easy enough to spot those, especially if one of the lesser engines reported a hit while all others did not.
Files Scanned – 2116
Processes Scanned – 86 (844 modules)
Startups Scanned – 464
Inclusive Detections found were 11 and all were false positives, took about 1/2hr to scan, yikes!
some competition for HitmanPro, eh? ;)
I have been using Herd Protect for a few weeks now. When I downloaded it, it didn't have any removal facilities for viruses found. I got an email from the company saying that the new version had removal facilities and downloaded it. To me it works just fine as a secondary check for viruses and the company expresses the same comment. It is smooth to operate with no adware etc. hidden away. On my Win 7 Prof 3770K chip it only takes a few minutes to go through the process. I have judged that if there are over 4 virus programmes showing it as a virus then it should be checked out. The company don't claim that it should be used in place of your paid-for virus programme, only used alongside, although I hear that it will be providing real-time detection in the future. I did try others, particularly Trend Micro HouseCall. Sadly it contained adware so I removed it. I like this programme; it is light on my system, doesn't contain nasties and blends in nicely with my system. Some people criticise it - not me. It does what it says on the box.