If one cannot detect how it can protect/prevent?

Gnosis

Level 5
Apr 26, 2011
2,779
I only want to discuss how an AV which cannot detect a malicious item can block it from infecting the machine.

I am guessing after you run said AV's on-demand scan? There is no other way if it misses it altogether and said malicious item gets on your machine. If I had to rely on an AV's miss being cleaned up by its own scanner after the fact, I will say that Kaspersky is as capable as any at removing what its web shields/malicious URL blockers might have missed.
If one cannot detect how it can protect/prevent?

Blacklist? I don't know. I would say that something has to be detected to be removed or blocked. Wouldn't you? Such as malicious URLs, .exe's, etc.
 

Spirit

Level 2
Thread author
May 17, 2012
1,832
ZOU1 said:
I only want to discuss how an AV which cannot detect a malicious item can block it from infecting the machine.

I am guessing after you run the AV's on-demand scan? There is no other way if it misses it altogether and said malicious item gets on your machine. If I had to rely on an AV's miss being cleaned up by its own scanner after the fact, I will say that Kaspersky is as capable as any at removing what web shields/malicious URL blockers missed.

Again, Zoui, I know Sandboxie protects, and I know as well that Kaspersky on-demand will detect what was missed in real time.
The original question is about how it is possible that an AV with poor detection still claims it can prevent.

Blacklist? I don't know. I would say that something has to be detected to be removed or blocked. Wouldn't you? Such as malicious url's, .exe's, etc.

Yes, this is the main point.
 

Gnosis

Level 5
Apr 26, 2011
2,779
If it cannot detect, how is it aware of what is there that might need to be prevented or blocked? It is as simple as that, to me.

BB do neither; while they may suspend an action, they fail to protect.

Earth said that. Earth needs to watch these two reviews:

http://malwaretips.com/Thread-ThreatFire-v4-7-0-53-Level-5-Custom-Test-biozfear14

http://malwaretips.com/Thread-Threat-Fire-2011-Custom-Settings-Prevention-Test-MrITReviews

Notice that very little was missed for MBAM or HitMan Pro to clean up. Also, a run of CCleaner just before scanning with HitMan Pro, on the review in which MBAM came up empty at the end, might well have proven that TF prevented everything thrown at it in that particular review. The so-called "remnants" that HitMan Pro scans for could be harmless most of the time and CCleaner might get enough temp/cache fragments out of there to keep disarmed malware from showing up on a HitMan scan.
 

Spirit

Level 2
Thread author
May 17, 2012
1,832
ZOU1 said:
If it cannot detect, how is it aware of what is there that might need to be prevented or blocked? It is as simple as that, to me.

That's what I mean, but they say their product works in a "Different Style".

I want to know about that style, and I think a few members who test products can throw some light on it too.

Thanks
 

Gnosis

Level 5
Apr 26, 2011
2,779
Even with a behavior blocker or HIPS, SOMETHING has to be detected to be blocked or prevented, even if it is only a tiny little bit of harmless activity from a legit source. It isn't a magic trick.

I want to know more pertinent to the following: "Different Style"

Is blocking via a quasi blacklist considered detecting? That is the question.
Is "detecting" part of that "blocking" process? I wonder.

detection = awareness
It must.
Can you block something if you are not aware of its existence?

There are many processes being manipulated in the human body that are involuntary actions, yet they are detected actions, and many detections led to their existence that will further be detected.

OK. Now I am rambling. :O=
 

Littlebits

Retired Staff
May 3, 2011
3,893
I am only asking that people who claim an AV with less detection can protect your machine from threats please explain how it's possible.

I'm still not quite sure what you are asking, but it all depends on how the user responds to the threat when exposed to it.

For example, I have customers that just use MSE and Windows Firewall with a few browser extensions like WOT, Webutation, etc. that have very good downloading skills and never get infections. But other customers with poor downloading skills get infections like crazy.

I have some customers that no matter what security setup they use, still get infections like crazy because of their poor downloading skills.

All of the AV detection tests are based upon the assumption that the user must have bad downloading skills, because they expect the AV to detect most of the samples. However, in the real world many users would never download the samples used in the tests because they are obviously not from a trusted source. If you look at most of the tests, the user downloads a suspicious file, ignores the Windows file signature warning and then ignores UAC and runs the file anyway; almost all of the YouTube video reviews are like that. You really cannot apply those results to all users and say this AV will not protect you, not knowing how those users would respond when exposed to those samples.

Most users who use an AV which does not have as good a detection rate according to tests as other AVs, and still never get infections, have good downloading skills: they can spot the malware and choose not to download it.
Therefore the AV with the lower detection rate according to tests still protects them, along with their good downloading skills.

I hope that is what you are wanting.:D
 

Spirit

Level 2
Thread author
May 17, 2012
1,832
HIPS: this asks question after question, and if it's me who has to know and decide everything, then what work is the protection doing there?
I am not saying HIPS is a bad option, but an AV should handle most things on its own, then look to HIPS, and last to the user's decision. A good example of this protection module is ESET.

I don't want to criticize any product, but a few years back a company offered a huge amount of money if you got infected while using their product. They could make this offer easily, as they knew they wouldn't have to pay a single penny to anyone, since no one would get infected while using their product through a failure of their product.

The reason is not that their product was excellent, but that their product asks a question for each and every thing you want to do on your machine. If someone gets infected they will simply say that it's the user's fault, as their product warned them of the change.

It's not just that a general user doesn't have knowledge about various actions and allows them; skilled people sometimes ignore and allow too, because a user already gets frustrated by these alerts and questions and sometimes clicks "yes" without noticing much. Believe me, one faints from these pop-up alerts :D

I have discussed 2 products above, but a product which neither takes decisions nor alerts the user is the point of discussion here.

Thanks
 

Spirit

Level 2
Thread author
May 17, 2012
1,832
Littlebits said:
I am only asking that people who claim an AV with less detection can protect your machine from threats please explain how it's possible.

I'm still not quite sure what you are asking, but it all depends on how the user responds to the threat when exposed to it.

For example, I have customers that just use MSE and Windows Firewall with a few browser extensions like WOT, Webutation, etc. that have very good downloading skills and never get infections. But other customers with poor downloading skills get infections like crazy.

I have some customers that no matter what security setup they use, still get infections like crazy because of their poor downloading skills.

All of the AV detection tests are based upon the assumption that the user must have bad downloading skills, because they expect the AV to detect most of the samples. However, in the real world many users would never download the samples used in the tests because they are obviously not from a trusted source. If you look at most of the tests, the user downloads a suspicious file, ignores the Windows file signature warning and then ignores UAC and runs the file anyway; almost all of the YouTube video reviews are like that. You really cannot apply those results to all users and say this AV will not protect you, not knowing how those users would respond when exposed to those samples.

Most users who use an AV which does not have as good a detection rate according to tests as other AVs, and still never get infections, have good downloading skills: they can spot the malware and choose not to download it.
Therefore the AV with the lower detection rate according to tests still protects them, along with their good downloading skills.

I hope that is what you are wanting.:D

Thanks for explaining. I know that 95% of infections take place through user fault, and I know too that with good surfing habits you are safe even without an AV, but I think I am unable to clarify my point here. I just want to know how an AV which doesn't detect an infection can protect its user from that infection.

Thanks
 

Littlebits

Retired Staff
May 3, 2011
3,893
Stranger said:
Littlebits said:
I am only asking that people who claim an AV with less detection can protect your machine from threats please explain how it's possible.

I'm still not quite sure what you are asking, but it all depends on how the user responds to the threat when exposed to it.

For example, I have customers that just use MSE and Windows Firewall with a few browser extensions like WOT, Webutation, etc. that have very good downloading skills and never get infections. But other customers with poor downloading skills get infections like crazy.

I have some customers that no matter what security setup they use, still get infections like crazy because of their poor downloading skills.

All of the AV detection tests are based upon the assumption that the user must have bad downloading skills, because they expect the AV to detect most of the samples. However, in the real world many users would never download the samples used in the tests because they are obviously not from a trusted source. If you look at most of the tests, the user downloads a suspicious file, ignores the Windows file signature warning and then ignores UAC and runs the file anyway; almost all of the YouTube video reviews are like that. You really cannot apply those results to all users and say this AV will not protect you, not knowing how those users would respond when exposed to those samples.

Most users who use an AV which does not have as good a detection rate according to tests as other AVs, and still never get infections, have good downloading skills: they can spot the malware and choose not to download it.
Therefore the AV with the lower detection rate according to tests still protects them, along with their good downloading skills.

I hope that is what you are wanting.:D

Thanks for explaining. I know that 95% of infections take place through user fault, and I know too that with good surfing habits you are safe even without an AV, but I think I am unable to clarify my point here. I just want to know how an AV which doesn't detect an infection can protect its user from that infection.

Thanks

Some AVs have what they call "generic signatures" which can protect against malware that they cannot detect. Other AVs might have behavior detection: when a file or program behaves like malware, they can block it. Some also use cloud technology to detect malware not detected by other means. Of course some use HIPS, IDS or IPS (all are about the same but applied differently).

Sometimes a combination of all are used. The downside is that sometimes a user response is necessary, and it can lead to false positives.

Thanks.:D
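As an added illustration of the three layers Littlebits lists (exact blacklist, generic signature, behaviour detection), the toy Python below is not code from the thread or from any vendor; the "files" are constructed harmless byte strings, and every signature pattern, event name and weight is made up for the example.

```python
import hashlib
import re

# Constructed, harmless byte strings standing in for files (not real malware).
KNOWN_SAMPLE = b"MZ" + b"cfg=drop:C:\\Users\\Public\\run.exe|reg:Run|beacon"
VARIANT = b"MZ" + b"cfg=drop:C:\\Users\\Public\\svchost2.exe|reg:Run|beacon"
UNKNOWN = b"MZ" + b"opaque packed blob with no recognisable strings"
CLEAN = b"MZ" + b"hello world, an ordinary program"

# 1. Exact blacklist: the SHA-256 of the one sample the vendor has already seen.
EXACT_BLACKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# 2. Generic signature: a family pattern with a wildcard for the part that changes
#    between variants (here the dropped file name). One rule covers many hashes.
GENERIC_SIGS = {
    "Generic.Dropper.RunKey": re.compile(rb"cfg=drop:[^|]{1,64}\|reg:Run\|beacon"),
}

# 3. Behaviour rule: weights for actions observed at run time, independent of
#    the file's bytes. Hypothetical event names and weights for the example.
BEHAVIOUR_WEIGHTS = {
    "write_startup_folder": 2,
    "set_run_key": 2,
    "disable_security_tool": 3,
    "write_user_docs": 0,
    "open_network": 1,
}
BEHAVIOUR_THRESHOLD = 3


def exact_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in EXACT_BLACKLIST


def generic_match(data: bytes):
    """Return the name of the first generic signature that matches, else None."""
    for name, pattern in GENERIC_SIGS.items():
        if pattern.search(data):
            return name
    return None


def behaviour_score(events) -> int:
    """Sum the weights of observed actions; unknown event names score 0."""
    return sum(BEHAVIOUR_WEIGHTS.get(e, 0) for e in events)


def verdict(data: bytes, events=()) -> str:
    """Layered decision: cheapest static check first, behaviour last (needs execution)."""
    if exact_match(data):
        return "blocked:exact-hash"
    sig = generic_match(data)
    if sig:
        return "blocked:generic:" + sig
    if behaviour_score(events) >= BEHAVIOUR_THRESHOLD:
        return "blocked:behaviour"
    return "allowed"


if __name__ == "__main__":
    print(verdict(KNOWN_SAMPLE))
    print(verdict(VARIANT))
    print(verdict(UNKNOWN, ["open_network", "set_run_key", "disable_security_tool"]))
    print(verdict(CLEAN, ["set_run_key", "open_network"]))
```

The last call shows the false-positive cost Littlebits mentions: a file no signature knows is blocked purely on its actions, so a legitimate installer that sets a Run key and opens the network is treated the same way.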
 

Spirit

Level 2
Thread author
May 17, 2012
1,832
Some AVs have what they call "generic signatures" which can protect against malware that they cannot detect. Other AVs might have behavior detection: when a file or program behaves like malware, they can block it. Some also use cloud technology to detect malware not detected by other means. Of course some use HIPS, IDS or IPS (all are about the same but applied differently).

Sometimes a combination of all are used. The downside is that sometimes a user response is necessary, and it can lead to false positives.


With all these features, the AV will detect the threat when an on-demand scan is run (the last step); maybe it fails to detect it in real time, but what if it does not detect the threat even in an on-demand scan, as in the case of Webroot?
Does that mean the product is making false claims?
 

Littlebits

Retired Staff
May 3, 2011
3,893
Stranger said:
Some AVs have what they call "generic signatures" which can protect against malware that they cannot detect. Other AVs might have behavior detection: when a file or program behaves like malware, they can block it. Some also use cloud technology to detect malware not detected by other means. Of course some use HIPS, IDS or IPS (all are about the same but applied differently).

Sometimes a combination of all are used. The downside is that sometimes a user response is necessary, and it can lead to false positives.


With all these features, the AV will detect the threat when an on-demand scan is run (the last step); maybe it fails to detect it in real time, but what if it does not detect the threat even in an on-demand scan, as in the case of Webroot?
Does that mean the product is making false claims?

These features apply to real-time protection only, sometimes on-demand scans and removal will not detect the malware. I believe all security vendors will make exaggerated claims about their products especially the ones that don't offer any free products. Many paid vendors will go to the extreme to get users to buy their products. I have seen fake user reviews on download sites, false malware reports, paid testing reviews to make their products look better than what they really are and the list goes on. Since paid vendors have lost so many sales due to free security products, they will try their best to make them look bad however they can.

Thanks.:D
 

Deleted member 178

Also you have to distinguish between "sitting" and "active" malware.

Some AVs will not detect sitting malware until it is executed, because they consider it not harmful to the system at that moment.
 

Ink

Administrator
Verified
Jan 8, 2011
22,489
My point is: how does an AV which cannot detect a malicious sample as a threat prevent it from causing an infection in the system?

No need to agree with my own views on this topic.

By using technology that claims to prevent zero-day threats, where it isn't yet blacklisted (i.e. no definition, no detection by AV). I read that heuristics are based on past experience (correct me if wrong), so not very effective at detecting new unknown malware.

Then we have the following:

Both HIPS and Behaviour Blockers may be able to detect changes, but they cannot protect or prevent - GOOD (i.e. suspicious) or BAD (i.e. malicious) - both are flagged, in comparison to an Antivirus detecting a malicious file.

To protect, it must prevent.
To prevent, it must block (or disallow).

Both HIPS and BB do neither; while they may suspend an action, they fail to protect.

A sandbox is dependent on how it's configured. It can protect, even if it cannot prevent, but it also can prevent. But a sandbox doesn't know what's allowed or disallowed.

So to answer Stranger's Q: while an AV can detect, HIPS and BB cannot protect or prevent, but they are used to where blacklisting falls short.

Please correct me, if I'm wrong.

OT: An AV provides a false sense of security. HIPS/BB/SBox are user controlled.

I accidentally deleted my post, saved by Google WebCache to restore post. (I lost my mind).
 

Gnosis

Level 5
Apr 26, 2011
2,779
An AV provides a false sense of security. HIPS/BB/SBox are user controlled.

Yes. More wisdom. I like that. :)

As you use your HIPS, as tedious as it may be, it is also training you, as you train it, to be a good watchman. You are evolving with the security software when you learn to be interactive. As Earth implied, in so many words, that is REAL security, not supposed security.
Personally, I like to know exactly what is going on, on my system, not what some AV tells me, or doesn't tell me, is going on. That is my primary goal in my quest for sound PC security in conjunction with being well informed pertinent to what I download.
 

Deleted member 178

As annoying as they can be, HIPS teach you a lot. Every time a popup appeared, I googled the alert so that later I could react accordingly.
 

jlock734

New Member
Verified
Nov 25, 2012
19
Well, Mr. Stranger, I would like to say that there is no computer on this planet that is 100% safe and clean. If your computer is connected to the internet, I hope you do realize that the entire globe has access to your system. So, whether you know it or not, your system might already be infected. Just because your AV says SYSTEM CLEAN, it doesn't mean it is. Today's tech is just unreal...we are not even aware of these things. A classic example is STUXNET...So there is no point in thinking about which AV has the higher protection or removal rate etc. The different claims the AV companies make are just to earn money..They don't care about your system and privacy. They just wanna earn money...that's it. So these HIPS, BB, Sandbox are just more ways to make money, but still no AV or tech can keep your computer 100% safe.
 

Gnosis

Level 5
Apr 26, 2011
2,779
As annoying as they can be, HIPS teach you a lot. Every time a popup appeared, I googled the alert so that later I could react accordingly.

As I allow things I like to have Killswitch or Process Hacker running so I can see what is happening. The most recurrent popups I get are when I utilize USB ports and Windows Update connects. There seems to be no permanent rule for those, as far as stopping recurrent popups relative to them.
It only happens once or twice a day though, and I know exactly what it is right away.

The different claims the AV companies make are just to earn money..They don't care about your system and privacy. They just wanna earn money...that's it. So these HIPS, BB, Sandbox are just more ways to make money, but still no AV or tech can keep your computer 100% safe.

That is exactly why I use freeware. Some AV companies have employees that go to the internet cafe and release nasties online so they are the FIRST to have signatures for 'em. Don't think for a second that does not go on. I am sure it is a don't ask, don't tell kind of scenario. Plausible deniability is all they care to preserve.
 

InternetChicken

New Member
Jul 16, 2012
519
Ok then, I see this thread is going well.
"the entire globe has access to your system."
"AV companies have employees that go to the internet cafe and release nasties online"

This is a security discussion, not a meeting of conspiracy theory groupies.

I agree with Littlebits' statement here:

"Many paid vendors will go to the extreme to get users to buy their products. I have seen fake user reviews on download sites, false malware reports, paid testing reviews to make their products look better than what they really are and the list goes on. Since paid vendors have lost so many sales due to free security products, they will try their best to make them look bad however they can."

+ 1
 
