Now with the countless hackers, I think it's safe to say signature protection is dead. IMO security suites should stop focusing on signatures, and work on making an amazing behavior blocking anti-virus. This way it is one solution that protects you from all malware at once, and you don't have to constantly update your signatures and worry about 0-day malware. Comodo is going the right way by focusing on their firewall and HIPS while having amazing features such as auto-sandbox. Do you agree with me? If not let me know why.

509322

Now with the countless hackers, I think it's safe to say signature protection is dead. IMO security suites should stop focusing on signatures, and work on making an amazing behavior blocking anti-virus. This way it is one solution that protects you from all malware at once, and you don't have to constantly update your signatures and worry about 0-day malware. Comodo is going the right way by focusing on their firewall and HIPS while having amazing features such as auto-sandbox. Do you agree with me? If not let me know why.
Laymen, IT professionals and researchers have been saying AV\signature protection is dead for decades. It's a catchy phrase, but essentially meaningless to the realities of IT security.

AV\signature detection is not going to be replaced any time soon - probably not within any of our lifetimes - because default-allow is the established norm. Money is involved and where money is involved, it prevails. There are huge infrastructure and systemic investments in the signature\default-allow protection model. Lastly, signature\default-allow protection meets the needs of unknowledgeable typical users. There's a whole lot more to it than that, but this covers a few of the more prominent reasons why signature protection will be around for a long time.

There's a big picture with forces at work that aren't readily apparent.

That being said, AV\signature protection can be viewed similarly to leaded gasoline - usable, but not the best idea for a lot of good reasons. It took about 50 years for leaded gasoline to be mostly removed from the market. It will take much longer for AV\signature protection to be phased out.

tim one

Security is made by layers.
Signatures are the first layer: the AV can detect malware in a static way, detecting it in safe mode without it having to be launched.
If the signatures do not detect the malware, then the behavioural technologies analyze its behaviour.
But in the second case, the malware has already passed the first layer, and behavioural technologies work in dynamic mode when you execute the malware, so the risk exists: if the second protection layer does not work, you are infected.

509322

Security is made by layers.
Signatures are the first layer: the AV can detect malware in a static way, detecting it in safe mode without it having to be launched.
If the signatures do not detect the malware, then the behavioural technologies analyze its behaviour.
But in the second case, the malware has already passed the first layer, and behavioural technologies work in dynamic mode when you execute the malware, so the risk exists: if the second protection layer does not work, you are infected.
What you are describing is precisely the default-allow protection model. The end result of the scenario you describe using default-allow = infected!
 

roger_m

In my case, I prefer signature-based detection to behaviour blocking. I like only receiving notifications when a known threat is detected or when my antivirus picks up a really suspicious behaviour. That's why I have UAC set to the minimum level, and only use an antivirus for realtime protection.

I regularly install new software, and really like to be able to do that without receiving alerts, or things being blocked. I just don't want the usability of my systems to be reduced in order to gain better protection, and as such I have no interest in trying to harden my systems, and tweak them to provide the maximum security. In the rare case my systems do happen to get infected, I'll clean the infections with software or manually, and as an absolute last resort, I can restore from backups.

While I agree that in general behaviour blocking provides a better solution, it is not the best solution for me personally.

509322

In my case, I prefer signature-based detection to behaviour blocking. I like only receiving notifications when a known threat is detected or when my antivirus picks up a really suspicious behaviour. That's why I have UAC set to the minimum level, and only use an antivirus for realtime protection.

I regularly install new software, and really like to be able to do that without receiving alerts, or things being blocked. I just don't want the usability of my systems to be reduced in order to gain better protection, and as such I have no interest in trying to harden my systems, and tweak them to provide the maximum security. In the rare case my systems do happen to get infected, I'll clean the infections with software or manually, and as an absolute last resort, I can restore from backups.

While I agree that in general behaviour blocking provides a better solution, it is not the best solution for me personally.
A man that is true to himself...
 

RejZoR

It's so funny how people scream how antiviruses are dead and how signatures are useless. Reality is nowhere near that.

Take a look at avast!'s technology, since it nicely showcases it on their tech site:
Avast Technology

People still think signature detection is crude static pattern matching. In reality (I can only speak for avast! because I know it in depth, but I know others use this as well), the so-called "signatures" are rarely a static thing these days. In most cases they are algorithm-based detections. And since everything is automatic on the backend, with data collection and feeding it back in the form of protection through the cloud feature, baddies are now limited to timeframes of 10-15 minutes before they get discovered and the cure is distributed among users protected by the given product. Sure, there is a bunch of stuff still floating around, but baddies are having a very hard time writing things and making them effective. They can't even test whether malware goes undetected, because if they don't use the cloud in AVs, they can't be sure whether their brand new malware is already being detected from the get-go. And as soon as it touches the cloud backend, they will know, but then the race against time begins. The longer they wait, the less time they'll have to spread malware and profit from it.

Not to mention it's not file scanning anymore. Protection stages, in the case of avast!, go like this (from top to bottom in order of entry):
- HTTP/HTTPS URL blocking of fast morphing web polymorphic threats (Web Shield)
- HTTP/HTTPS file scanning (Web Shield)
- File scanning (signature, algorithm, emulation and heuristics) (File System Shield)
- DeepScreen (local sandbox behavior analysis)
- CyberCapture (server side static and behavior analysis)
- Behavior Shield (local live host behavior analysis)

Pretty much all of these technologies are aided by the cloud backend, either in terms of whitelist to eliminate false positives or in terms of aiding individual modules making better decisions or just feeding straight detections straight from the cloud.

As for the "Default Deny" which Comodo likes to push so much, it's a load of BS if you don't have a spectacular whitelist. Which is also clearly presented by Comodo. Sure, the product throws everything unknown into the Sandbox. Which in theory sounds awesome. In reality, 99% of stuff dropped into the sandbox doesn't function properly or it ends up there because their whitelist is rubbish. And we all know users want to use stuff. They will just allow/unblock whatever it was "default denied" and you basically negate the whole purpose of it. I know how infuriating Comodo can be with its stupid "Default Deny" because of their less than great whitelist and how all the burden of decision falls on the user's shoulders. I could see the Default Deny approach used by Comodo working with avast!'s whitelist. Anyone who has ever used Hardened Mode (Aggressive) knows what I'm talking about. It's just that avast! doesn't use a sandbox. Either due to patents held by others or for some other reasons. But the core idea is the same, with a far better whitelist which allows nearly problem-free use of the system with nearly 100% perfect protection. I've been running my sister's computers in password-protected Hardened Mode in Aggressive mode. She never called me to unblock something. Granted, she isn't a heavy program downloader and user. Which also means she doesn't know much about computers. Which is exactly why Hardened Mode is perfect. It just works and it has phenomenal protection for casual users.

509322

I've been running my sister's computers in password-protected Hardened Mode in Aggressive mode. She never called me to unblock something. Granted, she isn't a heavy program downloader and user. Which also means she doesn't know much about computers. Which is exactly why Hardened Mode is perfect. It just works and it has phenomenal protection for casual users.
What you describe above is precisely Avast's version of default-deny. Hardened Mode is default-deny - more or less. I say "more or less" because what it actually is is a highly restricted default-allow based upon file reputation (whitelist). True default-deny utilizes strict blocking, which means it blocks everything without regard to file source, reputation, digital signature, etc.

You give a perfect example of a user working with default-deny, locked-out of the ability to modify the system with anything that is not specifically whitelisted - all without any problems.

Good for you and very good for your sister.

509322

@roger_m
@tonibalas

But you guys aren't the norm. What I mean by that - if your AV of choice fails you, then you accept the failure and fix the issue - or at least that is what @roger_m clearly states, and since @tonibalas expressly agreed with what @roger_m posted, I assume he feels\thinks the same.

Typical users will scream "Foul... foul !, this security soft is crap !! I paid good money for it !" The next thing they'll do is uninstall that security soft...
 

XhenEd

Signature-based blacklisting has its own uses. For instance, it gives you insight that the file is malicious. Without file insight, you might just end up getting infected more easily.

I like this model more:
Anything known to be malicious? Block.
Anything known to be safe? Allow, and monitor.
Anything known to be PUP/PUA? Block/Allow.
Anything unknown? Block/Sandbox.
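An added illustration, not written by any poster in this thread: the four policies debated above (classic default-allow with signatures, Hardened-Mode style reputation-restricted allow, strict default-deny, and the four-rule model in the last post) evaluated side by side on a constructed set of files. All digests, file names and the "Big Vendor Inc" signer are placeholders invented for the example; what it shows is which policy misses the zero-day or signed malware and which one blocks the legitimate-but-unknown tool.

```python
from dataclasses import dataclass

# Constructed reputation data for the illustration; the "h_*" digests are placeholders, not real hashes.
BLACKLIST = {"h_known_malware"}                # AV signatures: known bad
WHITELIST = {"h_notepad", "h_chrome_setup"}    # cloud whitelist: known good
PUP_LIST = {"h_toolbar_bundle"}                # potentially unwanted
TRUSTED_SIGNERS = {"Big Vendor Inc"}           # publishers whose signature counts as reputation

@dataclass
class Sample:
    name: str
    digest: str
    signer: str = ""   # publisher on the file's digital signature, if any

def default_allow(s):
    # Classic AV\signature model: block only what is already known bad, run everything else.
    return "block" if s.digest in BLACKLIST else "allow"

def reputation_restricted(s):
    # Hardened-Mode style: restricted default-allow keyed on file reputation (whitelist or trusted signer).
    if s.digest in BLACKLIST:
        return "block"
    return "allow" if s.digest in WHITELIST or s.signer in TRUSTED_SIGNERS else "block"

def strict_default_deny(s):
    # True default-deny: only an explicit whitelist entry runs; source and signer are ignored.
    return "allow" if s.digest in WHITELIST else "block"

def layered_model(s):
    # The four-rule model from the last post: known bad, known good, PUP, unknown.
    if s.digest in BLACKLIST:
        return "block"
    if s.digest in WHITELIST:
        return "allow+monitor"
    return "ask" if s.digest in PUP_LIST else "sandbox"

SAMPLES = [
    Sample("known_malware.exe", "h_known_malware"),
    Sample("zero_day.exe", "h_zero_day"),                                  # no signature yet
    Sample("notepad.exe", "h_notepad"),
    Sample("niche_tool.exe", "h_niche"),                                   # legitimate but unknown
    Sample("signed_malware.exe", "h_signed_bad", signer="Big Vendor Inc"), # abused publisher cert
    Sample("toolbar_bundle.exe", "h_toolbar_bundle"),
]
POLICIES = {"default-allow": default_allow, "reputation": reputation_restricted,
            "strict-deny": strict_default_deny, "layered": layered_model}

def verdicts(samples=SAMPLES):
    """Verdict of every policy on every sample, e.g. verdicts()['zero_day.exe']['default-allow'] == 'allow'."""
    return {s.name: {p: f(s) for p, f in POLICIES.items()} for s in samples}
```

Reading the result row by row makes the trade-off concrete: default-allow lets the zero-day run, the reputation model lets the signed malware run, strict default-deny blocks both but also blocks the unknown legitimate tool, and the layered model sends the unknowns to a sandbox instead of choosing between those two failures.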