Why Avast "Hardened mode" is faulty!

Cowpipe · Jul 1, 2014

avast! Protection said:
I will try to explain how avast! Hardened works and why it behaves differently.

By default, avast! checks suspicious files which are not yet known by putting them in a sandbox environment to see how they behave (DeepScreen). If the antivirus finds nothing suspicious in files' behaviour, it automatically starts the application after analysis. The Hardened mode works a bit differently.........

Great explanation, thanks for this

Do you know how the avast! sandbox technology works? Is it a true sandbox (as in emulated file system, registry hive, monitoring API calls etc) or is it a virtual machine system (emulating machine code instructions)?

As I said in a post before describing how antivirus works in general, I think the way forward is with data mining techniques. If you think about it, there is a finite number of machine code instructions for any given processor (somewhere from 1500-2000 for x86 I believe), and there are specific combinations of these instructions which are useful to programmers of malware.

For example, there will be a series of instructions which allows a file to be created, a series of instructions for downloading a file, a series of instructions for setting up encryption, for anti-debugging etc. If you analyse these instruction combinations in malware and in goodware, you'll find that certain combinations of instructions will crop up time and time again in both categories, and indeed these techniques have been used with great success in academic studies (with upwards of 95% detection rates) and in fact in commercial products too (Cylance Infinity for example).

Of course alongside all of this, the "system restore" type technologies or "after the event" protection is becoming increasingly popular, Webroot's SecureAnywhere for example. Whilst having these restore features is a good idea, I believe it should be a secondary tool rather than a primary approach to antivirus.

I do struggle to understand why antivirus companies have not yet begun to use a more component based approach with specialised and dedicated components to deal with individual and popular threats. It would be fairly simple to implement a simple file monitor for example that would record changes in files on the users computer, perform a simple entropy check after the modification which would easily detect if that file had been encrypted (in this age with ransomware a big threat), the original file could then be restored and the process which modified the file could be frozen, as opposed to waiting for the process to do something unusual in memory etc. The approach being detecting a process doing damage to the PC rather than detecting the process by unusual or "suspicious" behaviour

Just some food for thought anyway

avast! Protection · Jul 1, 2014

Oh, I am not fully aware how the Sandbox runs. All I know in this direction is that it creates a protected folder on the system, but I am not sure what exactly it replicates.

I completely agree with the "after the event" approach and developers should really put some efforts onto this direction. Although it's efficiency depends mostly on the type of compromised information, especially if it's a financial one. It will be like the old saying "After death the doctor."

As for your last statement, we could only guess. Maybe it's up to what the OS offers to the developers.

Cowpipe · Jul 1, 2014

avast! Protection said:
Oh, I am not fully aware how the Sandbox runs. All I know in this direction is that it creates a protected folder on the system, but I am not sure what exactly it replicates.

I completely agree with the "after the event" approach and developers should really put some efforts onto this direction. Although it's efficiency depends mostly on the type of compromised information, especially if it's a financial one. It will be like the old saying "After death the doctor."

As for your last statement, we could only guess. Maybe it's up to what the OS offers to the developers.

I might have to do some research in that direction then

Definitely, the problem with the rollback approach is if your information has already been stolen, your passwords sent out, the damage is done but it's a really good idea in terms of for example, the user installs some software which is loaded with PUPs, once they realise this it's literally a one click solution to roll everything back to how it was. Much like how everybody reaches for system restore in times of crisis.

It's more that the developers would have to re-think the entire architecture of the engine in order to implement this kind of approach, anything is possible where the operating system is concerned, if the operating system kernel is compromised for example you can talk directly to the hardware with machine instructions

The main problem being that if you have a series of specialised tools for your real-time protection it can be difficult to manage and coordinate, I think that's the main fear. Currently most real time protection consists of one module or process and maybe a system driver that communicate with each-other. With the approach I'm suggesting you'd have to adapt to a master-slave approach. So one of the specialist "alarms" if you like would trigger if the users documents were suddenly deleted or modified randomly (you could use machine learning to detect and identify what would constitute "unusual behaviour"), that alarm or slave module sends this information back to the master module which may present a dialog to the user saying "Avast! RealTime Protection has detected the following process modifying your documents. Would you like to allow it to continue? Or roll back this change?" And from that response the command would be passed back to the slave module to carry out.

More security at the expense of a larger memory footprint. It's a system I'd love to develop but unfortunately I just don't have the time, so for now at least it's just an idea

Deleted member 178 · Jul 1, 2014

Cowpipe said:
I do struggle to understand why antivirus companies have not yet begun to use a more component based approach with specialised and dedicated components to deal with individual and popular threats.

when they will protect fully the world, they will not have anymore business

war needs weapon makers, weapon makers needs war to develop the weapons... never ending (business) cycle.

avast! Protection · Jul 1, 2014

@Cowpipe, I completely support your opinion and I really wish you will succeed in that direction!

@Umbra Polaris, hahah, yeah, you're absolutely correct!

Deleted member 21043 · Jul 1, 2014

Cowpipe said:
Great explanation, thanks for this Do you know how the avast! sandbox technology works? Is it a true sandbox (as in emulated file system, registry hive, monitoring API calls etc) or is it a virtual machine system (emulating machine code instructions)?

As I said in a post before describing how antivirus works in general, I think the way forward is with data mining techniques. If you think about it, there is a finite number of machine code instructions for any given processor (somewhere from 1500-2000 for x86 I believe), and there are specific combinations of these instructions which are useful to programmers of malware.

For example, there will be a series of instructions which allows a file to be created, a series of instructions for downloading a file, a series of instructions for setting up encryption, for anti-debugging etc. If you analyse these instruction combinations in malware and in goodware, you'll find that certain combinations of instructions will crop up time and time again in both categories, and indeed these techniques have been used with great success in academic studies (with upwards of 95% detection rates) and in fact in commercial products too (Cylance Infinity for example).

Of course alongside all of this, the "system restore" type technologies or "after the event" protection is becoming increasingly popular, Webroot's SecureAnywhere for example. Whilst having these restore features is a good idea, I believe it should be a secondary tool rather than a primary approach to antivirus.

I do struggle to understand why antivirus companies have not yet begun to use a more component based approach with specialised and dedicated components to deal with individual and popular threats. It would be fairly simple to implement a simple file monitor for example that would record changes in files on the users computer, perform a simple entropy check after the modification which would easily detect if that file had been encrypted (in this age with ransomware a big threat), the original file could then be restored and the process which modified the file could be frozen, as opposed to waiting for the process to do something unusual in memory etc. The approach being detecting a process doing damage to the PC rather than detecting the process by unusual or "suspicious" behaviour

Just some food for thought anyway

Was it you who wrote that, or was it Lucy?

Cowpipe · Jul 1, 2014

kram7750 said:
Was it you who wrote that, or was it Lucy?

"Daddy wrote it of course, he's the cleverest dad in the world"

(slips Lucy packet of sweets and a wad of cash)...

WinXPert · Jul 1, 2014

Umbra Polaris said:
when they will protect fully the world, they will not have anymore business

war needs weapon makers, weapon makers needs war to develop the weapons... never ending (business) cycle.

amen to that.

I'm not really a fan of hardened mode so it's disabled for me. same with deepscreen

Search

Why Avast "Hardened mode" is faulty!

Cowpipe

Level 16

avast! Protection

Level 2

Cowpipe

Level 16

Deleted member 178

avast! Protection

Level 2

Deleted member 21043

Cowpipe

Level 16

WinXPert

Level 25

Similar threads