Great explanation, thanks for this. Do you know how the avast! sandbox technology works? Is it a true sandbox (as in emulated file system, registry hive, monitoring API calls etc.) or is it a virtual machine system (emulating machine code instructions)?

I will try to explain how avast! Hardened works and why it behaves differently.
By default, avast! checks suspicious files which are not yet known by putting them in a sandbox environment to see how they behave (DeepScreen). If the antivirus finds nothing suspicious in files' behaviour, it automatically starts the application after analysis. The Hardened mode works a bit differently.........
As I said in a post before describing how antivirus works in general, I think the way forward is with data mining techniques. If you think about it, there is a finite number of machine code instructions for any given processor (somewhere from 1500-2000 for x86 I believe), and there are specific combinations of these instructions which are useful to programmers of malware.
For example, there will be a series of instructions which allows a file to be created, a series of instructions for downloading a file, a series of instructions for setting up encryption, for anti-debugging etc. If you analyse these instruction combinations in malware and in goodware, you'll find that certain combinations of instructions will crop up time and time again in both categories, and indeed these techniques have been used with great success in academic studies (with upwards of 95% detection rates) and in fact in commercial products too (Cylance Infinity for example).
Of course alongside all of this, the "system restore" type technologies or "after the event" protection is becoming increasingly popular, Webroot's SecureAnywhere for example. Whilst having these restore features is a good idea, I believe it should be a secondary tool rather than a primary approach to antivirus.
I do struggle to understand why antivirus companies have not yet begun to use a more component based approach, with specialised and dedicated components to deal with individual and popular threats. It would be fairly simple to implement a simple file monitor, for example, that would record changes to files on the user's computer and perform a simple entropy check after the modification, which would easily detect if that file had been encrypted (in this age with ransomware a big threat). The original file could then be restored and the process which modified the file frozen, as opposed to waiting for the process to do something unusual in memory etc. The approach being detecting a process doing damage to the PC rather than detecting the process by unusual or "suspicious" behaviour.
Just some food for thought anyway
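The entropy-check file monitor sketched in the post above, as an added example (not code from the thread or from any antivirus product): it keeps a known-good copy of each watched file, flags a rewrite as likely encryption when the new content is near-random and the entropy jumped sharply compared with the original, and returns the restore/freeze decision. The file contents, paths and pids are constructed, and `os.urandom` stands in for ransomware output.

```python
import math
import os
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or uniform input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes, high: float = 7.2, jump: float = 2.0) -> bool:
    """Treat a rewrite as likely encryption when the new content is near-random
    (>= `high` bits/byte) AND entropy rose by at least `jump` over the original.
    The jump test stops files that were already dense (zip, jpeg, existing
    ciphertext) from firing on the absolute threshold alone; the trade-off is
    that such files, once encrypted, are not caught by this check."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= high and (e_after - e_before) >= jump

class FileMonitor:
    """Minimal stand-in for the file monitor described in the post: retain the
    last known-good copy of each watched file and, on modification, decide
    whether to accept the write or restore the original and freeze the writer."""
    def __init__(self):
        self.known_good = {}

    def watch(self, path: str, content: bytes) -> None:
        self.known_good[path] = content

    def on_modified(self, path: str, new_content: bytes, pid: int) -> dict:
        original = self.known_good.get(path, b"")
        if looks_encrypted(original, new_content):
            # Hand back the retained copy; the caller would suspend `pid`.
            return {"action": "restore", "freeze_pid": pid, "content": original}
        self.known_good[path] = new_content
        return {"action": "accept", "freeze_pid": None, "content": new_content}

# Constructed sample: a plain-text document, a benign edit, and a simulated
# ransomware rewrite (os.urandom has the same near-8-bit-per-byte profile as
# real ciphertext).
DOCUMENT = b"Quarterly report: revenue up 4%, costs flat, headcount 120.\n" * 30
EDITED = DOCUMENT + b"Addendum: board meeting moved to Thursday.\n"
CIPHERTEXT = os.urandom(len(DOCUMENT))

if __name__ == "__main__":
    mon = FileMonitor()
    mon.watch("report.txt", DOCUMENT)
    print(mon.on_modified("report.txt", EDITED, pid=4242)["action"])      # accept
    print(mon.on_modified("report.txt", CIPHERTEXT, pid=4243)["action"])  # restore
```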