Rolo

Level 18
Verified
a failure is a failure wherever it comes from
No it isn't. If a pilot doesn't pull up when the plane tells him "pull up pull up pull up" it isn't Lockheed Martin's fault.
we can prevent and virtualize a whole system or browser (Shadow Defender and Sandboxie), so why don't AV companies focus on that approach?
- Virtualizing isn't the silver-bullet you think it is; it is bypassable and not 100% (the same reason you're faulting AV)
- Virtualizing breaks more than it prevents and it isn't always clear what's going on; do you think John Q. Public knows what the heck 'Virtualization' is? (How many would say "Oh, those goggles, yes."?)
- AVs do use virtualization now; browsers use virtualization, java uses virtualization--stop dinging AVs from 10 years ago--Comodo, Sandboxie, Shadow Defender don't have a monopoly on virtualization

You're thinking like a security person, not a software developer who sells software to users. You can't sell a tank to a person who just wants a car for his daily commute. 95% solution = optimum; the remaining 5% requires too many tradeoffs that make a computer unusable to most, and all that will do is drive the user to uninstall it and run with no security (which is why we have Windows Defender).
 

Cats-4_Owners-2

Level 37
Verified
Trusted
@Umbra @Rolo

This is the most excellent jousting tournament I have seen on MT... :D
Yes, I've just made a batch of popcorn & refilled my soda!:):)
Now, I'm positioning my protective 3-D 'Goggles' :cool: because it's Godzilla with body armor versus Virtual Godzilla & ...oh, oh. Don't look now, but they have a :eek:nuclear device!!! Time for us to get into the bunker, but first I'm going to get a hot dog!:p :D:D:D
 

Rolo

Level 18
Verified
hehe.

Putting the FUN in FUNdamentalis--oh, wait, wrong group, that's church.

....ummm...putting the FUN in Malwa--oh wait, hrmm..

....Putting the MAL in Malwa..no...hrmmph.

....Putting the WAR in MalWAReTips! No, wait....
 

Cats-4_Owners-2

Level 37
Verified
Trusted
hehe.

Putting the FUN in FUNdamentalis--oh, wait, wrong group, that's church.

....ummm...putting the FUN in Malwa--oh wait, hrmm..

....Putting the MAL in Malwa..no...hrmmph.

....Putting the WAR in MalWAReTips! No, wait....
Hahaha hahahaha!!!!:D:D:D:D:D
 

Deleted member 2913

With Rollback Rx installed I have noticed boot time for security software increases, i.e. boot time is different for security software with/without Rollback Rx installed.

Previously I had tested BIS 2015 with Rollback installed. Now I have installed BIS 2015 without Rollback &, to give a fair chance to BIS 2015 on my system, after uninstalling Avast AV Pro I ran the Avast uninstall utility & also the Bitdefender Free uninstall utility, as the previous AV was BD Free. Also cleaned the system with Disk Cleanup.

Now the review of BIS 2015 on my laptop Windows 7 64 with 4GB RAM.

Boot time was good but during boot the famous black screen was there (disabling "early boot scan" under AV custom settings solved the black screen issue, i.e. no black screen now).

By default the BIS 2015 action for threats is "take proper action". I guess by default BIS 2015 will quarantine or delete the threats depending on the malware. I came to know from the BIS 2015 forum that threats quarantined/deleted can be restored/recovered, i.e. quarantined malware can be restored from quarantine & deleted malware can be restored from events, i.e. "Antivirus Events". Currently I am running a full scan. After completion I will test the deleted file restoration from events with a harmless sample. I guess events will work for on-demand/context menu scans too & will test this too & confirm here in my next post.

Programs opening, browsing speed, etc... I will let you know after full scan completion (currently the full scan is at 62% & programs opening, browsing speed, etc... are good).

After full scan completion I will restart the system & post the info for BIS 2015 in the next post.
 

Deleted member 2913

Ok, it seems "take proper action" tries to disinfect the files & if they cannot be disinfected either quarantines or deletes the files. Deleted files can be recovered/restored from events (at least the 2 harmless samples tried were restored successfully).

For now things seem fine. Boot, programs opening, browsing speed, etc... are good.
The vsserv.exe process of BIS is on the high side. Task Manager shows around 230,000 K (is this something bad for the laptop?). Don't know if it will settle down or not.

Is Safepay browser based on Firefox?
 

Cats-4_Owners-2

Level 37
Verified
Trusted
Ok, it seems "take proper action" tries to disinfect the files & if they cannot be disinfected either quarantines or deletes the files. Deleted files can be recovered/restored from events (at least the 2 harmless samples tried were restored successfully).

For now things seem fine. Boot, programs opening, browsing speed, etc... are good.
The vsserv.exe process of BIS is on the high side. Task Manager shows around 230,000 K (is this something bad for the laptop?). Don't know if it will settle down or not.

Is Safepay browser based on Firefox?
Hello @yesnoo. I've not used Safepay, but here's an excerpt of its description.
  • "The browser is based on Chromium, the open source project that serves as the base for Google Chrome. This means that it has most of Chrome’s security features, including its anti-exploitation sandbox mechanism, and some additional features added in by Bitdefender."
Source: http://shiriskumar.blogspot.com/2014/11/highly-secure-browser-bitdefender.html?_escaped_fragment_=#!
 

Deleted member 2913

Hello @yesnoo. I've not used Safepay, but here's an excerpt of its description.
  • "The browser is based on Chromium, the open source project that serves as the base for Google Chrome. This means that it has most of Chrome’s security features, including its anti-exploitation sandbox mechanism, and some additional features added in by Bitdefender."
Source: http://shiriskumar.blogspot.com/2014/11/highly-secure-browser-bitdefender.html?_escaped_fragment_=#!
I asked coz the Safepay browser advanced settings mentioned the Flash plugin was not installed & gave the option to download. When I clicked on download it took me to Adobe Flash Player for Firefox & I installed it & it worked fine & Safepay Advanced Settings too mentioned Flash was up to date.
 

Cats-4_Owners-2

Level 37
Verified
Trusted
I asked coz the Safepay browser advanced settings mentioned the Flash plugin was not installed & gave the option to download. When I clicked on download it took me to Adobe Flash Player for Firefox & I installed it & it worked fine & Safepay Advanced Settings too mentioned Flash was up to date.
I'm glad it worked fine.:)
Since Safepay is sandboxed I was concerned whether Flash player updates would remain in lieu of the sandbox. I think the actual update must take place outside virtualization.;)
 

Rolo

Level 18
Verified
So where does the non-Chrome browser stand security-wise when Chrome has been updated multiple times and the non-Chrome browser hasn't caught up? Seems antithetical to me.
 

Cats-4_Owners-2

Level 37
Verified
Trusted
So where does the non-Chrome browser stand security-wise when Chrome has been updated multiple times and the non-Chrome browser hasn't caught up? Seems antithetical to me.
Even when security is dependent on being sandboxed...

an·ti·thet·i·cal (ăn′tĭ-thĕt′ĭ-kəl) also an·ti·thet·ic (-ĭk) adj. 1. Being in diametrical opposition: a viewpoint that was antithetical to conventional wisdom.
Source: thefreedictionary.com/antithetical

..antithetical is such a cool word!!:cool:
 

Deleted member 2913

I'm glad it worked fine.:)
Since Safepay is sandboxed I was concerned whether Flash player updates would remain in lieu of the sandbox. I think the actual update must take place outside virtualization.;)
The install took place outside Safepay, i.e. after the download of Flash Player inside Safepay it asked to install & mentioned Safepay would be closed automatically.
 

Deleted member 178

No it isn't. If a pilot doesn't pull up when the plane tells him "pull up pull up pull up" it isn't Lockheed Martin's fault.
In your example, it is voluntary suicide from a trained pilot. :D

- Virtualizing isn't the silver-bullet you think it is; it is bypassable and not 100% (the same reason you're faulting AV)
find me a malware that bypasses Shadow Defender; the last ones known were rootkits, and at that time SD didn't protect the MBR


- Virtualizing breaks more than it prevents and it isn't always clear what's going on; do you think John Q. Public knows what the heck 'Virtualization' is? (How many would say "Oh, those goggles, yes."?)
because Average Joe still eats the AV detection superiority blabla.


- AVs do use virtualization now; browsers use virtualization, java uses virtualization--stop dinging AVs from 10 years ago--Comodo, Sandboxie, Shadow Defender don't have a monopoly on virtualization
most corporate servers are virtualized too, but home users are left behind, because system-wide virtualization is not a good investment for AV companies and doesn't need a yearly subscription...

You're thinking like a security person, not a software developer who sells software to users.
exactly, I don't gain any profit in the business so I can say the truth :D ;)


You can't sell a tank to a person who just wants a car for his daily commute. 95% solution = optimum, for the remaining 5% requires too many tradeoffs that make a computer unusable to most and all that will do is drive the user to uninstall it and run with no security (which is why we have Windows Defender).
virtualization software is even simpler to use than some security suites. I just put SD on a customer's computer, taught him how to use it, never heard from him since :D
 

Rolo

Level 18
Verified
find me a malware that bypasses Shadow Defender
The Adobe font vulnerability escaped sandboxes. FONTS, man! FONTS! gotta appreciate the genius of it...

most corporate servers are virtualized too,
Not for security, though, only to maximise hardware utilization/reduce hardware costs.

virtualization software is even simpler to use than some security suites.
Not for users who:
- Don't know that windows overlap and that the window behind the current one is still there
- Don't know that Facebook is on the Internet
- Click on everything that tells them to

Really, security software is less about protecting the PC from the bad guys than protecting it from its user. You do believe in the user, don't you?
 

Deleted member 178

Not for security, though, only to maximise hardware utilization/reduce hardware costs.
that is also true ^^


Not for users who:
- Don't know that windows overlap and that the window behind the current one is still there
- Don't know that Facebook is on the Internet
- Click on everything that tells them to
Those are victims, not users :D

Really, security software is less about protecting the PC from the bad guys than protecting it from its user. You do believe in the user, don't you?
never trust the user :D
 

Cch123

Level 7
Verified
I really like the nice debate here :D Here are my opinions:

1. Signature AV is still very much important. Sure, it might detect a lower number of threats and have a comparatively long response time, but its true merits shine in incident response. If things are just based on behavior and heuristics, you can't really tell what exactly hit you. Having a generic name "Heur.Malware" is definitely not very helpful for damage control as compared to say "Win32.EquationDrug". With the latter, you can immediately tell that you have been hit by an APT and your documents may very well have been stolen. While with the former, how do you know it is not some random low impact adware? In a massive organisation which might register hundreds of such malware alerts per hour, the latter names could allow incident responders to prioritise accordingly. You can't do the same with the generic behaviour detections. Oh, and you can't just set the security to auto-quarantine. If it was really a false positive (which it very well might be), you could possibly cause millions in damage when systems start getting bricked. Of course, experts might turn to sandboxes and static analysis to figure out the malware activities, but not everyone can interpret and conduct these analyses accurately. Hence, many will still fall back to signatures despite all the complaints.

2. Virtualisation and application whitelisting are not magic bullets. Yes, I am a fan of whitelisting and it forms the backbone of my security configuration. They are extremely useful to prevent most conventional attacks. However, we are seeing an uptick of everyday attacks that bypass these measures. The Angler Exploit Kit + Poweliks combo is pretty hot nowadays, bypassing some anti-executables. However, when APTs enter the field, these are very trivially bypassed. Don't forget that nothing can save you when kernel exploits strike. Governments can obtain these easily, with all the early warning programs by software makers. Yep, software makers supply governments with details on unpatched flaws to allow them to shield/defend their own systems before a patch is even available to the public. Isn't it tempting to squirrel away some of these flaws for offensive purposes? (On a side note, is there a demand from members here for me to post my new updated config?)

Okay, this is a wall of text. But I hope people will gain insights and new knowledge from it :)
 
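The prioritisation argument in point 1, as an added example that is not part of the thread or any vendor's product: constructed AV alert lines are triaged by whether the detection name is a generic heuristic verdict or a named family, with the family-to-priority table (`FAMILY_PRIORITY`) and the generic-name prefixes being assumptions for illustration.

```python
"""Triage AV alerts by detection-name specificity (added example, constructed data).

A family name such as "Win32.EquationDrug" maps straight to a priority and a
response; a generic verdict such as "Heur.Malware" only says "a human must look",
so it is routed to investigation rather than auto-quarantine.
"""
import re

# Constructed sample alerts, one per line: "<host> <detection-name> <path>"
SAMPLE_ALERTS = """\
ws-0412 Win32.EquationDrug C:\\Users\\a\\AppData\\Local\\Temp\\svc.dll
ws-0077 Heur.Malware C:\\Users\\b\\Downloads\\setup.exe
ws-1190 Adware.Generic C:\\Program Files\\Toolbar\\tb.exe
ws-0205 Trojan.Kazy C:\\Windows\\Temp\\x.tmp
ws-0301 Win32.EquationDrug C:\\ProgramData\\msvcrt64.dll
"""

# Hypothetical priority table keyed by family name (not a vendor's list).
FAMILY_PRIORITY = {
    "EquationDrug": ("P1", "suspected APT; assume documents were exfiltrated"),
    "Kazy": ("P3", "commodity trojan; standard cleanup"),
}
# Name prefixes/suffixes that carry no family information (assumed convention).
GENERIC_MARKERS = ("Heur.", "Gen:", "Generic.")

def classify(detection: str):
    """Return (priority, reason) for one detection name."""
    if detection.startswith(GENERIC_MARKERS) or detection.endswith(".Generic"):
        # Generic verdict: could be adware or something worse, so investigate,
        # do not auto-quarantine (a false positive here can brick systems).
        return ("P2-investigate", "generic verdict; confirm before acting")
    family = detection.split(".")[-1]  # "Win32.EquationDrug" -> "EquationDrug"
    return FAMILY_PRIORITY.get(family, ("P3", "named family without special handling"))

def triage(log_text: str) -> list:
    """Parse alert lines into (priority, host, detection, reason), most urgent first."""
    rows = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(.+)", line)
        if not m:
            continue  # skip malformed lines rather than crash the queue
        host, detection, _path = m.groups()
        prio, reason = classify(detection)
        rows.append((prio, host, detection, reason))
    return sorted(rows)  # "P1" < "P2-investigate" < "P3"

def escalated_hosts(log_text: str) -> list:
    """Hosts whose alerts carry a P1 family name, for immediate isolation."""
    return sorted({host for prio, host, _d, _r in triage(log_text) if prio == "P1"})
```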

Rolo

Level 18
Verified
how do you know it is not some random low impact adware?
I don't want any adware, low-impact or otherwise. I don't even want rumours of adware, so a HEUR detection will get me to investigate further--which is far better than running said exe and trusting HIPS/BB to catch it after some damage may have been done.

Corporate environments are completely different than plebeian ones. Corporate environments should be using Group Policy to only allow whitelisted executables, deny downloading, copying, even thinking about user-installed executables, for they are the fruit of the tree of knowledge of good and evil!