Cowpipe

New Member
I will try to explain how avast! Hardened works and why it behaves differently.

By default, avast! checks suspicious files which are not yet known by putting them in a sandbox environment to see how they behave (DeepScreen). If the antivirus finds nothing suspicious in files' behaviour, it automatically starts the application after analysis. The Hardened mode works a bit differently.........
Great explanation, thanks for this :D Do you know how the avast! sandbox technology works? Is it a true sandbox (as in emulated file system, registry hive, monitoring API calls etc) or is it a virtual machine system (emulating machine code instructions)?

As I said in a post before describing how antivirus works in general, I think the way forward is with data mining techniques. If you think about it, there is a finite number of machine code instructions for any given processor (somewhere from 1500-2000 for x86 I believe), and there are specific combinations of these instructions which are useful to programmers of malware.

For example, there will be a series of instructions which allows a file to be created, a series of instructions for downloading a file, a series of instructions for setting up encryption, for anti-debugging etc. If you analyse these instruction combinations in malware and in goodware, you'll find that certain combinations of instructions will crop up time and time again in both categories, and indeed these techniques have been used with great success in academic studies (with upwards of 95% detection rates) and in fact in commercial products too (Cylance Infinity for example).

Of course alongside all of this, the "system restore" type technologies or "after the event" protection is becoming increasingly popular, Webroot's SecureAnywhere for example. Whilst having these restore features is a good idea, I believe it should be a secondary tool rather than a primary approach to antivirus.

I do struggle to understand why antivirus companies have not yet begun to use a more component-based approach with specialised and dedicated components to deal with individual and popular threats. It would be fairly simple, for example, to implement a simple file monitor that would record changes in files on the user's computer and perform a simple entropy check after the modification, which would easily detect if that file had been encrypted (in this age with ransomware a big threat). The original file could then be restored and the process which modified the file could be frozen, as opposed to waiting for the process to do something unusual in memory etc. The approach being detecting a process doing damage to the PC rather than detecting the process by unusual or "suspicious" behaviour ;)

Just some food for thought anyway :)
 

avast! Protection

New Member
Oh, I am not fully aware how the Sandbox runs. All I know in this direction is that it creates a protected folder on the system, but I am not sure what exactly it replicates. :)

I completely agree with the "after the event" approach, and developers should really put some effort into this direction. Although its efficiency depends mostly on the type of compromised information, especially if it's a financial one. It will be like the old saying, "After death, the doctor." :)

As for your last statement, we could only guess. Maybe it's up to what the OS offers to the developers. :)
 

Cowpipe

New Member
Oh, I am not fully aware how the Sandbox runs. All I know in this direction is that it creates a protected folder on the system, but I am not sure what exactly it replicates. :)

I completely agree with the "after the event" approach, and developers should really put some effort into this direction. Although its efficiency depends mostly on the type of compromised information, especially if it's a financial one. It will be like the old saying, "After death, the doctor." :)

As for your last statement, we could only guess. Maybe it's up to what the OS offers to the developers. :)
I might have to do some research in that direction then :)

Definitely. The problem with the rollback approach is that if your information has already been stolen and your passwords sent out, the damage is done. But it's a really good idea in terms of, for example, the user installing some software which is loaded with PUPs: once they realise this, it's literally a one-click solution to roll everything back to how it was, much like how everybody reaches for System Restore in times of crisis.

It's more that the developers would have to re-think the entire architecture of the engine in order to implement this kind of approach. Anything is possible where the operating system is concerned; if the operating system kernel is compromised, for example, you can talk directly to the hardware with machine instructions ;)

The main problem is that if you have a series of specialised tools for your real-time protection it can be difficult to manage and coordinate; I think that's the main fear. Currently most real-time protection consists of one module or process and maybe a system driver that communicate with each other. With the approach I'm suggesting you'd have to adapt to a master-slave approach. So one of the specialist "alarms", if you like, would trigger if the user's documents were suddenly deleted or modified randomly (you could use machine learning to detect and identify what would constitute "unusual behaviour"). That alarm or slave module sends this information back to the master module, which may present a dialog to the user saying "Avast! RealTime Protection has detected the following process modifying your documents. Would you like to allow it to continue? Or roll back this change?" And from that response the command would be passed back to the slave module to carry out.

More security at the expense of a larger memory footprint. It's a system I'd love to develop but unfortunately I just don't have the time, so for now at least it's just an idea :)
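The entropy-check file monitor described earlier in this thread (Cowpipe's first post) and the alarm-module / master-module / rollback flow in the post above, as an added example in Python. This is not code from the thread, from avast!, or from any product named here. It assumes the thresholds HIGH_ENTROPY and ENTROPY_JUMP, a polling check rather than a filesystem driver hook, and constructed sample files; the XOR-against-a-random-keystream "ransomware" is a stand-in for real encryption, and freezing the offending process is left out. It also shows a caveat the post does not mention: a file that is already compressed gains no entropy when encrypted, so an entropy-only check misses it.

```python
import math
import os
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds (not from the thread): a file counts as "probably encrypted"
# when it is both high-entropy in absolute terms and much denser than it used to be.
HIGH_ENTROPY = 7.0   # bits per byte; plain text sits around 4-5, ciphertext near 8
ENTROPY_JUMP = 2.0   # minimum increase over the file's own baseline


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    path: str
    before: float      # entropy at snapshot time
    after: float       # entropy after the modification
    flagged: bool      # True -> the "alarm" fires and a rollback is offered


class FileMonitor:
    """Toy 'alarm' (slave) module: snapshot the user's files, then judge each later modification.

    A real product would hook file writes (e.g. a filesystem filter driver) and suspend the
    writing process; this prototype only does the entropy judgement and the restore.
    """

    def __init__(self, watched_dir: str):
        self.watched_dir = watched_dir
        self.backup_dir = tempfile.mkdtemp(prefix="fm-backup-")
        self.baseline = {}
        for name in os.listdir(watched_dir):
            path = os.path.join(watched_dir, name)
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    self.baseline[path] = shannon_entropy(f.read())
                shutil.copy2(path, os.path.join(self.backup_dir, name))

    def check(self, path: str) -> Verdict:
        with open(path, "rb") as f:
            after = shannon_entropy(f.read())
        before = self.baseline[path]
        flagged = after >= HIGH_ENTROPY and (after - before) >= ENTROPY_JUMP
        return Verdict(path, before, after, flagged)

    def restore(self, path: str) -> None:
        """Roll the file back to the snapshot copy (the action the master module chose)."""
        shutil.copy2(os.path.join(self.backup_dir, os.path.basename(path)), path)

    def close(self) -> None:
        shutil.rmtree(self.backup_dir, ignore_errors=True)


def fake_ransomware(path: str) -> None:
    """Overwrite a file with XOR against a random keystream (constructed stand-in for encryption)."""
    with open(path, "rb") as f:
        plain = f.read()
    stream = os.urandom(len(plain))
    with open(path, "wb") as f:
        f.write(bytes(p ^ k for p, k in zip(plain, stream)))


def demo() -> dict:
    """Constructed scenario: three 'user documents', three kinds of modification."""
    docs = tempfile.mkdtemp(prefix="fm-docs-")
    text = ("Quarterly report draft. Revenue grew, costs fell, nothing else changed.\n" * 120).encode()
    with open(os.path.join(docs, "report.txt"), "wb") as f:
        f.write(text)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(text)
    with open(os.path.join(docs, "photos.zip"), "wb") as f:
        f.write(os.urandom(8192))          # stands in for already-compressed data

    mon = FileMonitor(docs)
    report, notes, archive = (os.path.join(docs, n) for n in ("report.txt", "notes.txt", "photos.zip"))

    fake_ransomware(report)                # case 1: document encrypted in place
    with open(notes, "ab") as f:           # case 2: benign edit by the user
        f.write(b"\nReviewed on Monday, no changes needed.\n")
    fake_ransomware(archive)               # case 3: already high-entropy file encrypted

    results = {
        "encrypted_doc": mon.check(report),
        "edited_doc": mon.check(notes),
        "encrypted_archive": mon.check(archive),
    }
    if results["encrypted_doc"].flagged:   # the master module chose "roll back"
        mon.restore(report)
    with open(report, "rb") as f:
        results["restored_ok"] = f.read() == text

    mon.close()
    shutil.rmtree(docs, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running it prints the three verdicts: the encrypted document is flagged and rolled back, the hand-edited document is not, and the "archive" slips through because its entropy was already near 8 bits per byte before the overwrite. Requiring both an absolute threshold and a jump over the file's own baseline is what keeps a legitimately rewritten compressed file from firing the alarm, at the cost of that blind spot.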
 

Deleted member 178

I do struggle to understand why antivirus companies have not yet begun to use a more component-based approach with specialised and dedicated components to deal with individual and popular threats.
When they fully protect the world, they will not have any more business.

War needs weapon makers, weapon makers need war to develop the weapons... never-ending (business) cycle.
 

Deleted member 21043

Great explanation, thanks for this :D Do you know how the avast! sandbox technology works? Is it a true sandbox (as in emulated file system, registry hive, monitoring API calls etc) or is it a virtual machine system (emulating machine code instructions)?

As I said in a post before describing how antivirus works in general, I think the way forward is with data mining techniques. If you think about it, there is a finite number of machine code instructions for any given processor (somewhere from 1500-2000 for x86 I believe), and there are specific combinations of these instructions which are useful to programmers of malware.

For example, there will be a series of instructions which allows a file to be created, a series of instructions for downloading a file, a series of instructions for setting up encryption, for anti-debugging etc. If you analyse these instruction combinations in malware and in goodware, you'll find that certain combinations of instructions will crop up time and time again in both categories, and indeed these techniques have been used with great success in academic studies (with upwards of 95% detection rates) and in fact in commercial products too (Cylance Infinity for example).

Of course alongside all of this, the "system restore" type technologies or "after the event" protection is becoming increasingly popular, Webroot's SecureAnywhere for example. Whilst having these restore features is a good idea, I believe it should be a secondary tool rather than a primary approach to antivirus.

I do struggle to understand why antivirus companies have not yet begun to use a more component-based approach with specialised and dedicated components to deal with individual and popular threats. It would be fairly simple, for example, to implement a simple file monitor that would record changes in files on the user's computer and perform a simple entropy check after the modification, which would easily detect if that file had been encrypted (in this age with ransomware a big threat). The original file could then be restored and the process which modified the file could be frozen, as opposed to waiting for the process to do something unusual in memory etc. The approach being detecting a process doing damage to the PC rather than detecting the process by unusual or "suspicious" behaviour ;)

Just some food for thought anyway :)
Was it you who wrote that, or was it Lucy? :)
 

WinXPert

Level 24
Verified
Trusted
Malware Hunter
When they fully protect the world, they will not have any more business.

War needs weapon makers, weapon makers need war to develop the weapons... never-ending (business) cycle.
Amen to that.

I'm not really a fan of Hardened mode, so it's disabled for me. Same with DeepScreen.