If one cannot detect, how can it protect/prevent?

Spirit

Level 2
Thread author
May 17, 2012
1,832
Please note that this thread is not about any specific product; the product names given are only examples.


The debate on the detection rate of antivirus products is going on everywhere, on almost every tech forum, but I cannot understand what conclusion comes out of this debate.

The functions of antivirus software are:
1. Prevention
2. Detection
3. Removal

The various AV testing labs test the products and give results on the basis of detection rate and usability.

I read many forum members and people (company staff, moderators, others) related to a product which generally gets poor results explain that their product mainly cares about prevention and that one will be safe with their product.

My point is: how can an AV which cannot detect a malicious sample as a threat prevent it from causing an infection on the system?

As an example:
Avast may not have good removal capability: it detects a threat on my system but cannot remove it. I can at least trust Avast, as it warns me about the infection, and I can take the help of other software to remove it.

But if I use an AV which cannot detect the threat, say Webroot, I will think my system is safe and I will not take any steps to remove the threat as early as possible.

Webroot claims that the AV will detect the threat in a few days and the system will be back to a clean state, but in the meantime, if I use some sensitive data on my system, will it be safe?

My question is again the same: how can a product whose detection rate is not as excellent as others' prevent an infected file/process/software from infecting one's system?

Thanks
 

InternetChicken

New Member
Jul 16, 2012
519
@Stranger I strongly think the same. Prevention and detection are far better than removal.
It's not good to have an AV detect an infection that has been sitting on a system for a week or more.
From my point of view, the first aim of any AV should always be prevention: detected at the download stage, and prevented from installing on the system.

As for Webroot, I never used it and have no real time for it; to my thinking there are better products out there.
 

Spirit

Level 2
Thread author
May 17, 2012
1,832
Internetchicken: Yes, that's what I think too, and my question is not about a specific product like Webroot or others; it is about all AV products.

Thanks:D
 

Plexx

There are different approaches for prevention.

Some use HIPS and others BB.

BB, for example: a vendor might not be able to detect an infection, but the BB monitors certain behavior resembling an infection, so it alerts the user, blocks it, etc.

HIPS: no need to go into it, as we all know how it works.

HIDS: I am not sure exactly whether there are many vendors using such a prevention technique.

Then you have other features, such as Webroot's rollback feature upon detection of an infection (refer to this video or here).

There are vendors whose strong point is detection and, up to a certain point, clean-up capability.

Then you have others which have strong removal capabilities and prevention, whilst their detection isn't the best.

Also, taking into consideration that a normal user would not bump into tons of zero-days within 2 hours unless they are really searching for them, the average solutions out there work just fine even if you do not have prevention and only have detection and clean-up.
 

zorror

New Member
Verified
Nov 25, 2012
22
Stranger said:
My point is How does an av which cannot detect a malicious sample as threat can prevent it from causing infection in system.

I totally agree with your point here.
I don't think that this point needs to be debated it is almost like a universal truth.
How can an AV protect you from something it can't detect

Stranger said:
Webroot claims that the av will detect threat in few days and system will be back to clean state but in the mean time if I use some sensitive data on my system will they be safe?
Webroot's claim is totally false; how can it repair my stolen passwords, deleted files, system errors and boot-time problems?
An infected system almost never gets cleaned perfectly.
 

Plexx

zorror said:
I totally agree with your point here.
I don't think that this point needs to be debated it is almost like a universal truth.
How can an AV protect you from something it can't detect

There are prevention modules available that do exactly what it says on the tin. BB (Behavior Blocker): monitors the behavior of the application and will alert the user or block (depending on the vendor's settings). Found in Emsisoft Anti-Malware, Emsisoft Mamutu and AVG Antivirus Free 2012, for example.

SANDBOX method: avast! and COMODO, for example (though the avast! sandbox is still a bit questionable, they have come a long way).

HIPS: COMODO, KASPERSKY, ESET, etc. Alerts the user to applications wanting to do something to your system (can alert, can block, can be automated, depending on the user's settings).

zorror said:
Webroot's claim is totally false , how can it repair my stolen,passwords,deleted files,system errors and boot time problems.
An infected system almost never gets cleaned perfectly.

Have a look at the video I posted in the post above yours :)

It will answer your question.
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
'How can an AV which cannot detect a malicious sample as a threat prevent it from causing an infection on the system?' - It cannot.
'If one cannot detect, how can it protect/prevent?' - It cannot, period. Listen to reason. Don't maintain a false impression of safety; do not lie to yourself.

So forget all AVs and other HIPS, like me ..

Windows TRUE security - this involves reducing the area of a possible attack, not healing wounds. It is wiser, no?

.. and you have a slow computer.

So delete unnecessary processes and services - and startup items. Reduce the area of attack.

Examples to delete and to forget:

Java JRE: I don't remember its weight, sorry
Avira Free Antivirus: 109.7 MB (or other AV.. ..)
Adobe Reader:........ 657 MB
iTunes:................. 145.7 MB
.NET Framework 4:.. 38.8 MB
QuickTime:............ 73.7 MB
Silverlight:............. 100.2 MB
Skype.exe (in Task Manager): 54 MB .. .. ..

.. and some tweaks here and there, backup your Windows .. sandbox your browser .. defend your privacy ..
That way you feel lighter, happier. More and more.
 

Plexx

Prorootect said:
'How can an AV which cannot detect a malicious sample as a threat prevent it from causing an infection on the system?' - It cannot.

Sandbox and Behavior Blockers are the answer, so yes, it can.

Prorootect said:
So delete unnecessary processes and services - and startup items. Reduce the area of attack.

It is more advisable to disable, not delete. Also, you won't gain much performance by tweaking Windows 7 services.

Out of the list of software there, you can simply replace them with Foxit Reader, Foobar/Winamp or even Windows Media Player, for example.

An AV is still recommended regardless, unless you simply do not download anything, only browse specific sites and do not put anything on your system from friends' USB sticks, etc. However, the users that fit into that category are a minority.

Prorootect said:
Windows TRUE security - this involves reducing the area of a possible attack, not healing wounds. It is wiser, no?
If that is the case, then why are you still running XP SP2 as opposed to SP3?
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
'It is more advisable to Disable, not Delete' .. 'An AV is still recommended' ..
- no more wicked thoughts, please .. CHANGE.
'why you still running XP SP2' - my choice, sorry.
'only browse specific sites' - yes, no naughty sites here .. Begone, Satan.
 

Plexx

Prorootect said:
'It is more advisable to Disable, not Delete' .. 'An AV is still recommended' ..
- no more wicked thoughts, please .. CHANGE.
'why you still running XP SP2' - my choice, sorry.
'only browse specific sites' - yes, no naughty sites here .. Begone, Satan.

So you recommend going AV-less?

Although I can be, and have been, AV-less, it is because I know what I am doing, but the majority of users don't.

An AV solution is still one line of defense one should have. You can't just recommend that users ditch one main layer of security.

The 2nd one is having Windows fully updated; running SP2 as opposed to SP3 is not recommended, but that has been discussed in your config thread already.

When I refer to specific sites, I am not referring to "naughty" sites.
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
'So you recommend going AVless?' - YES, Sir.

'When I refer to specific sites, I am not referring to "naughty" sites.' - yes, I understood correctly, but it was my perverted way of saying more ..;)

CHANGE.
 

Gnosis

Level 5
Apr 26, 2011
2,779
I use HIPS and a Behavior Blocker, but they are not for the faint of heart, especially HIPS.

If you want the ultimate in prevention, use SANDBOXIE when you are surfing at random on sites you are not familiar with via a search engine.
 

Deleted member 178

What detection, prevention and removal are:

Detection:

A basic policeman (aka AV) with the picture or physical description (aka signature) of a criminal (aka malware), who sees him in a bank (aka the system), arrests him and reports to his chief (aka the user).

Prevention:

Behavior Blocker: an experienced policeman who observes a guy in the bank acting in a suspicious way and calls (aka the popup) his chief, who orders him to arrest the guy.

HIPS:
The security guard of the bank, who has orders to block or allow the entrance of a specific kind of visitor depending on the list given by his boss, or calls (aka the popup) him to confirm.

Sandbox: a fake bank.

Removal:

Quarantine: put the criminal in jail.
Cleaning: kill the criminal without hurting the hostage (aka a file).
Deleting: kill the criminal and the hostage.
 
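The three prevention mechanisms named in Plexx's post above (Behavior Blocker, sandbox, HIPS) and in the bank analogy above can be shown side by side in code. The following is an added example, not code from the thread or from any of the products it mentions: a toy model in which a file whose hash is unknown to the signature blacklist is still stopped, at the moment it registers an autostart entry, by a behaviour rule, and is also stopped by a HIPS policy that asks the user at that same step. The sample file, its hash, its action trace, the behaviour rules and the HIPS policy are all constructed for the demonstration; the sandbox is not modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# ---- Signature detection: an exact-match blacklist of file hashes ----------
# Constructed blacklist for the demo: one "known" bad file body, hashed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"old, already-catalogued dropper").hexdigest()}

def signature_verdict(file_bytes: bytes) -> str:
    """'block' only when the exact hash is already known; anything new is 'allow'."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "block" if digest in KNOWN_BAD_SHA256 else "allow"

# ---- Behaviour blocker: judge a process by what it does, not what it is -----
@dataclass(frozen=True)
class Action:
    kind: str            # "write_file" | "reg_set" | "exec" | "net_connect"
    target: str          # path, registry key, command line, or host:port
    value: str = ""      # registry data (for reg_set)

def _autostarts_dropped_exe(trace: List[Action]) -> bool:
    """A Run key now points at an .exe this same process wrote: classic persistence."""
    dropped = {a.target.lower() for a in trace
               if a.kind == "write_file" and a.target.lower().endswith(".exe")}
    return any(a.kind == "reg_set" and a.target.lower().endswith("\\run")
               and a.value.lower() in dropped for a in trace)

def _deletes_shadow_copies(trace: List[Action]) -> bool:
    """vssadmin 'delete shadows' in a child command line (ransomware staple)."""
    return any(a.kind == "exec" and "vssadmin" in a.target.lower()
               and "delete shadows" in a.target.lower() for a in trace)

BEHAVIOUR_RULES: List[Tuple[str, Callable[[List[Action]], bool]]] = [
    ("autostart entry for a file this process dropped", _autostarts_dropped_exe),
    ("volume shadow copy deletion", _deletes_shadow_copies),
]

def behaviour_verdict(trace: List[Action]) -> Tuple[str, Optional[int], Optional[str]]:
    """Replay the trace one action at a time, as a real-time monitor sees it.
    Returns ('block', index_of_triggering_action, reason) at the first action
    that completes a rule, or ('allow', None, None) if nothing ever matches."""
    for i in range(1, len(trace) + 1):
        for reason, rule in BEHAVIOUR_RULES:
            if rule(trace[:i]):
                return ("block", i - 1, reason)
    return ("allow", None, None)

# ---- HIPS: a policy per action; anything marked 'ask' goes to the user -----
# Keys are "kind:target" (exact, lower-cased) or just "kind"; values allow/deny/ask.
HIPS_POLICY: Dict[str, str] = {
    "reg_set:hkcu\\software\\microsoft\\windows\\currentversion\\run": "ask",
    "write_file": "allow",
    "net_connect": "allow",
}

def hips_verdict(action: Action, policy: Dict[str, str],
                 ask_user: Callable[[Action], str]) -> str:
    """Most specific rule wins; 'ask' defers to the user (the popup)."""
    exact = f"{action.kind}:{action.target.lower()}"
    decision = policy.get(exact, policy.get(action.kind, "ask"))
    return ask_user(action) if decision == "ask" else decision

# ---- Constructed sample: a never-before-seen dropper and what it does -------
SAMPLE_BYTES = b"never-seen-before dropper build 0xC0FFEE"   # not on the blacklist
DROP_PATH = r"C:\Users\alice\AppData\Roaming\svchost32.exe"
SAMPLE_TRACE = [
    Action("write_file", DROP_PATH),
    Action("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", DROP_PATH),
    Action("net_connect", "203.0.113.7:443"),
]

def run_demo() -> Dict[str, object]:
    """Apply all three mechanisms to the same sample and collect the verdicts."""
    sig = signature_verdict(SAMPLE_BYTES)
    bb, at, why = behaviour_verdict(SAMPLE_TRACE)
    # HIPS with a user who answers "deny" to every popup.
    hips = [hips_verdict(a, HIPS_POLICY, lambda _a: "deny") for a in SAMPLE_TRACE]
    return {"signature": sig, "behaviour": bb, "blocked_at": at, "reason": why, "hips": hips}

if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key:>10}: {val}")
```

The signature check returns "allow" because the hash is not on the list, which is exactly the situation the thread is arguing about; the behaviour blocker still returns "block" at index 1, the Run-key write, before the sample ever reaches the network. The caveat is the flip side: a legitimate installer that drops an .exe and registers it to autostart trips the same rule, which is why behaviour blockers and HIPS tend to prompt rather than silently kill, and why a user who clicks "allow" on the popup gets no protection from either.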

Gnosis

Level 5
Apr 26, 2011
2,779
REMOVAL: HitMan Pro; Malwarebytes AM; MBAR; Dr. Web Cureit, Dr. Web Live CD; KBRD; GMER (be careful); XueTr (be careful); Kaspersky TDSS Killer; Rogue Killer by Tigzy.
 

Deleted member 178

ZOU1 said:
REMOVAL: HitMan Pro; Malwarebytes AM; MBAR; Dr. Web Cureit, Dr. Web Live CD; KBRD; GMER (be careful); XueTr (be careful); Kaspersky TDSS Killer; Rogue Killer by Tigzy.

aka the SWAT :D
 

Deleted member 178

Earth said:
To protect, it must prevent.
To prevent, it must block (or disallow).

Both HIPS and BB do neither; while they may suspend any action, they fail to protect.

For 0-days I agree, unless they rely on a cloud feature/blacklist/user setting.
 

Littlebits

Retired Staff
May 3, 2011
3,893
About 99% of all zero-day malware has to be manually downloaded and executed by the user in order to be successful with infecting your system.

With the advancement in browsers, drive-by downloads no longer exist.
If you still believe they do, then please give me a link to a drive-by, because I have not seen one in over 5 years. Unless you are using an out-dated browser, Flash Player or Java, you should never see them either.

So if you always use good downloading skills and don't depend on your security software to do all the work, you will be basically safe.

There is really no need to tweak your security software to maximum settings or add a bunch of additional software protection.

Watch what you download and you should be safe.

Thanks.:D
 

Gnosis

Level 5
Apr 26, 2011
2,779
Littlebits said:
Watch what you download and you should be safe.
and use Sandboxie.

That is all you really need to do if you want to keep it simple. Keep around a couple of wicked on-demand scanners (MBAR and HitMan Pro) in case you forget to run sandboxed or download something malicious.

It can really be that simple.
When you become as skilled as some of us have at not clicking the wrong stuff, security software becomes more of a hobby than actual security, though it helps the latter, obviously.

Littlebits said:
So if you always use good downloading skills and don't depend on your security software to do all the work, you will be basically safe.

I really like that statement. It's the gist.
 

Spirit

Level 2
Thread author
May 17, 2012
1,832
The topic is going in the wrong direction.

The thread started here is not about suggestions from members about which software I should use.

I only want to discuss how an AV which cannot detect a malicious item can block it from infecting the machine.

I again mention that I am not asking for suggestions about layers of protection like HIPS and sandboxes.


I am only asking that the people who claim an AV with less detection can protect your machine from threats please explain how that is possible.


Umbra & Biozfear: I want to ask you a question about Webroot, as you have tested and defended its low detection in earlier threads.

If I get infected and Webroot cannot detect the infection for 3-4 days, and after 3-4 days it brings my system back to a clean state (of course, once a Webroot signature is able to catch the infection and clean it), what happens to my sensitive data in the period of these 3-4 days?
Am I safe when I do online banking in this period?
I will use everything, including my sensitive info, as I am unaware that I am already infected.

Thanks.
 
