The death of Antivirus signature protection?

HarborFront

Oct 9, 2016
You manually configure a program to always launch inside the sandbox = "automatically."
I thought auto sandbox means if you download a file and run it, it'll be sandboxed if it's suspicious. Whereas manual sandbox implies 'drag-and-drop' a program to run in the sandbox. CFW is an example utilizing both auto/manual sandbox. Similarly, auto sandboxing for BD AV free (B-HAVE) and Norton in its security products. Qihoo 360 TSE AV uses a manual sandbox.
 

HarborFront

Oct 9, 2016
avast! does auto-sandbox stuff, but only for the short period of time it's doing analysis. Then, if nothing suspicious is found, it executes the stuff outside of it. So, it's not exactly the same as, for example, Comodo's auto-sandbox...
That's good enough for me in auto sandboxing.....an analysis of the file automatically
 

509322

I thought auto sand box means if you download a file and runs it it'll be sandboxed if it's suspicious. Whereas manual sandbox implies 'drag-and-drop' a program to run in the sandbox. CFW is an example utilizing both auto/manual sandbox. Similarly, for BD AV free and Norton's SONAR in its security products. Qihoo 360 TSE uses a manual sandbox.

No. Avast does a 15 second file analysis in its sandbox (file check). It does utilize the COMODO-style sandboxing.
 

509322

Signature-based blacklisting has its own uses. For instance, it gives you insight that the file is malicious. Without file insight, you might just end up getting infected more easily.

I like this model more:
Anything known to be malicious? Block.
Anything known to be safe? Allow, and monitor.
Anything known to be PUP/PUA? Block/Allow.
Anything unknown? Block/Sandbox.

Then you should be using Emsisoft instead of Kaspersky - because that is exactly what Emsisoft can do. You just need to set the BB to Quarantine unknown files. Their database is extremely thorough.
 

Ink

Administrator
Jan 8, 2011
I thought Avast's paid products like its AV Pro and IS use sandbox?
Manual Sandbox is different from the AutoSandbox. Manual Sandbox isn't really effective, because half the time it doesn't work as intended, or it's not very well advertised how to use it.

There's little benefit to using Avast Pro Antivirus only for Manual Sandbox, so either Internet Security or Premier for more Features and toggle for Avast Promo Ads.

I use Avast Premier but there's not much that makes it an exciting suite to use.
 

HarborFront

Oct 9, 2016
No. Avast does a 15 second file analysis in its sandbox (file check). It does utilize the COMODO-style sandboxing.
Yup. That's what I meant and also what I want. I should re-phrase by saying ".....if you download a file and if it's being run it'll be sandboxed if it's suspicious" would sound better
 

SHvFl

Nov 19, 2014
In my case, I prefer signature based detection to behaviour blocking. I like only receiving notifications when a known threat is detected or when my antivirus picks up a really suspicious behavior. That's why I have UAC set the minimum level, and only use an antivirus for realtime protection.

I regularly install new software, and really like to be able to do that without receiving alerts, or things being blocked. I just don't want the usability of my systems to be reduced in order to gain better protection, and as such I have no interest in trying to harden my systems, and tweak them to provide the maximum security. In the rare case my systems do happen to get infected, I'll clean the infections with software or manually, and as an absolute last resort, I can restore from backups.

While I agree that in general behaviour blocking provides a better solution, it is not the best solution for me personally.
This is good and all until you get a keylogger and you have no idea it's there. Then in a day or 2 they have all your passwords and restoring from backup will not change that.
 

HarborFront

Oct 9, 2016
There's two kinds of sandboxing - one for file analysis and the other for running programs continuously in the sandbox. The term "auto-sandboxing" has become generically applied to COMODO's use of sandboxing - which is specifically auto-sandboxing.
Yes. File checking (analysis) is Comodo-style auto sandboxing. I believe SBIE, SD and Shade are the latter type of sandbox.
 

roger_m

Dec 4, 2014
This is good and all until you get a keylogger and you have no idea it's there. Then in a day or 2 they have all your passwords and restoring from backup will not change that.
That's true, but up to this point in time, I've never been infected with a keylogger. Also, I don't depend on antivirus software to protect me. My first line of defense is keeping Windows and the software I use up to date, and being careful about what I run. Instead of launching unknown files, and hoping my antivirus will detect them if they are malicious, I don't launch them in the first place.
 

SHvFl

Nov 19, 2014
That's true, but up to this point in time, I've never been infected with a keylogger. Also, I don't depend on antivirus software to protect me. My first line of defense is keeping Windows and the software I use up to date, and being careful about what I run. Instead of launching unknown files, and hoping my antivirus will detect them if they are malicious, I don't launch them in the first place.
At least use something like WFC or Tinywall to not let anything connect online that you didn't allow. It might help a bit. Sure, you get a few alerts or you have to allow a few things, but it will improve your chances against a keylogger messing with you.
 

509322

Yes. File checking(analysis) is Comodo-style auto sandboxing. I believe SBIE, SD and Shade are the latter type of sandbox

COMODO's auto-sandboxing is not file analysis. File analysis inside a sandbox is something completely different. It is automated malware analysis or other file action/attribute checking. COMODO performs a file check locally and in the cloud to establish that a file is known or unknown - as opposed to running a file inside a sandbox to determine if the file is malicious. If the file is unknown, then it is run inside the sandbox = auto-sandboxing.

The unknown file is uploaded to the cloud for analysis in the sandbox. Then various testing algorithms are applied - like heuristics, etc - and a verdict is returned. This is where the extensive file analysis occurs. Sometimes the testing rapidly determines the file is malicious within minutes and returns a malicious verdict, if the testing can't make that determination it takes a long time to get a final verdict.
 

XhenEd

Mar 1, 2014
Then you should be using Emsisoft instead of Kaspersky - because that is exactly what Emsisoft can do. You just need to set the BB to Quarantine unknown files. Their database is extremely thorough.
I would still use Kaspersky for this model because of TAM. I forgot to mention my kind of model is default-deny (block what is not explicitly allowed). :D

Emsisoft is still default-allow. It allows things by default, then monitors. :D

What I mean by "known to be safe" is whitelist, scrutinized and is given a green flag. I don't mean things allowed by default. :D
 

roger_m

Dec 4, 2014
At least use something like WFC or Tinywall to not let anything connect online that you didn't allow. It might help a bit. Sure you get a few alerts but it will improve your chance of a keylogger messing with you.
I just had a look at the webpages of both of them. I don't like the default deny approach of TinyWall. Does WFC have the option to prompt you when an unknown program tries to connect to the internet, or do you need to manually configure it?
 

SHvFl

Nov 19, 2014
I just had a look at the webpages of both of them. I don't like the default deny approach of TinyWall. Does WFC have the option to prompt you when an unknown program tries to connect to the internet, or do you need to manually configure it?
The premium version does, but it costs $10 for a lifetime license that can be used on all your home devices. I just didn't mention it because you might not want to spend money.
 

tim one

Jul 31, 2014
Talking about a "general" security context, the common antivirus has been dead for at least 10 years. And at the same time, it is difficult to explain to people that their understanding of things is not exactly "the state of the art".

The old way to protect against attacks, relying only on antivirus engines that use a database of signatures to detect known malware, and the scan engines themselves, started to lose their effectiveness when malware became polymorphic, which means that the antivirus industry has started to look towards new solutions.

The problem with the scanning engines is that the attacker can easily set up test environments with all the commonly used antivirus products and test new malware until it is no longer detected by the antivirus scanner. And since the attackers basically have a lot of time, it is certain that they will find a way to change the malware code so that it is not detected. So, yes, the old way of relying only on the antivirus database and the scanning engines is dead. Although some products use scanning engines as a last line of defense and for cleaning, we cannot rely only on scan engines to provide comprehensive protection.

The basic idea of protection is to understand how the malcoder works. Instead of hunting the exploit of the day and the malware of the day after, you have to focus on the resources that the attackers need to do their job, by denying access to those resources.

Currently, the most effective method is to limit the attack surface. For example, it is necessary to identify the exploit kit or other types of attack through traffic patterns, or simply deny access to Java, Flash and other elements that are potentially dangerous.
This means that in the majority of cases the attack cannot take place, because the attacker is not able to deliver the code containing the exploits with which he would attack the victim. If prevention of the contact fails, you have to use methods that detect exploits generically, or detect changes in the behavior of the applications affected by the exploit.
The goal is the same: to prevent the attack.
 
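The two arguments running through this thread (signatures alone lose to attacker-side testing and polymorphism, and an "unknown" verdict is handled differently under default-deny and default-allow) can be shown in a few dozen lines. The toy verdict engine below is an added illustration written for this page; it is not code from Emsisoft, Kaspersky, COMODO, Avast or any other product named above, and every sample, hash, byte pattern and the one-byte XOR "packer" in it is constructed for the demo. It pairs a hash/pattern signature check with the block/allow/sandbox policy from the posts above, then shows that a one-byte pad already defeats the hash signature, that a crude packer defeats the byte pattern too, and that the packed sample still unpacks to exactly the same payload at run time, which is what a sandbox or behaviour blocker gets to see.

```python
"""Toy signature + policy engine (added example, not any product's code).
All samples, hashes, patterns and the XOR 'packer' are constructed."""
import hashlib
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"
    SAFE = "safe"
    PUP = "pup"
    UNKNOWN = "unknown"


class Action(Enum):
    BLOCK = "block"
    ALLOW = "allow"
    ALLOW_AND_MONITOR = "allow+monitor"
    SANDBOX = "sandbox"


# Constructed byte strings standing in for executables (not real binaries).
KNOWN_BAD = b"MZ\x90\x00stub:steal_passwords_and_post_to_c2"
KNOWN_GOOD = b"MZ\x90\x00stub:open_text_editor"
KNOWN_PUP = b"MZ\x90\x00stub:install_browser_toolbar"
PACKED_PREFIX = b"MZ\x90\x00stub_v2:"  # stub of the constructed 'packer'


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: whole-file hashes (cheap, precise, brittle) plus one
# byte-pattern signature (survives padding, does not survive encoding).
HASH_BLOCKLIST = {sha256(KNOWN_BAD)}
HASH_ALLOWLIST = {sha256(KNOWN_GOOD)}
HASH_PUPLIST = {sha256(KNOWN_PUP)}
PATTERN_BLOCKLIST = [b"steal_passwords_and_post_to_c2"]


def classify(data: bytes) -> Verdict:
    """Static, signature-only verdict: hash lookups first, then byte patterns."""
    digest = sha256(data)
    if digest in HASH_BLOCKLIST:
        return Verdict.MALICIOUS
    if digest in HASH_ALLOWLIST:
        return Verdict.SAFE
    if digest in HASH_PUPLIST:
        return Verdict.PUP
    if any(pattern in data for pattern in PATTERN_BLOCKLIST):
        return Verdict.MALICIOUS
    return Verdict.UNKNOWN


def decide(verdict: Verdict, default_deny: bool, block_pup: bool = True) -> Action:
    """Policy layer: the thread's model, with the unknown case parameterised."""
    if verdict is Verdict.MALICIOUS:
        return Action.BLOCK
    if verdict is Verdict.SAFE:
        return Action.ALLOW_AND_MONITOR
    if verdict is Verdict.PUP:
        return Action.BLOCK if block_pup else Action.ALLOW
    # Unknown file: the only place where default-deny and default-allow differ.
    return Action.SANDBOX if default_deny else Action.ALLOW_AND_MONITOR


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def mutate_append(sample: bytes) -> bytes:
    """Cheapest mutation: pad one byte. The hash changes, the byte pattern does not."""
    return sample + b"\x00"


def mutate_pack(sample: bytes, key: int = 0x5A) -> bytes:
    """Crude 'packer': hide the body behind a new stub and a one-byte XOR key.
    Neither the hash nor the byte-pattern signature matches any more."""
    return PACKED_PREFIX + bytes([key]) + xor_bytes(sample, key)


def unpack(packed: bytes) -> bytes:
    """What the packed sample does when run, and what a sandbox or behaviour
    blocker gets to observe: the original body restored unchanged."""
    if not packed.startswith(PACKED_PREFIX):
        raise ValueError("not a packed sample")
    key = packed[len(PACKED_PREFIX)]
    return xor_bytes(packed[len(PACKED_PREFIX) + 1:], key)


def evaluate(sample: bytes, default_deny: bool) -> tuple:
    """Full pipeline: static verdict, then the policy decision for it."""
    verdict = classify(sample)
    return verdict, decide(verdict, default_deny)


if __name__ == "__main__":
    variants = [("original", KNOWN_BAD),
                ("padded", mutate_append(KNOWN_BAD)),
                ("packed", mutate_pack(KNOWN_BAD))]
    for name, sample in variants:
        for mode in (False, True):
            verdict, action = evaluate(sample, default_deny=mode)
            print(f"{name:8} default_deny={str(mode):5} -> {verdict.value:9} {action.value}")
    print("packed sample unpacks to the original:", unpack(mutate_pack(KNOWN_BAD)) == KNOWN_BAD)
```

Running it prints the padded sample still blocked (the byte pattern catches it) but the packed sample only handled correctly under default-deny, where it goes to the sandbox; under default-allow the identical payload runs with nothing but monitoring. Real packers, hash databases and behaviour blockers are far more elaborate than this, but the shape of the problem is the same.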
