Signature-Heuristic AV programs


Franklin
January 27th, 2006, 11:23 AM
Ok I have bitten my tongue for long enough now.

All signature based AV's are crap!

NO SIGNATURE=NO PROTECTION!!!

Kav and Nod32 included!!!

AnthonyG
January 27th, 2006, 11:26 AM
-{ Quote: "
Kav and Nod32 included!!!" }-
Then may I ask, what do you use Franklin?

Franklin
January 27th, 2006, 11:37 AM
Sandboxie and Defensewall for browsing.

E-trust vet and Ewido for on demand, which never find a thing after emptying the sandbox.

And I have deliberately gone to compromising sites such as freeware. Like I said. No SIGGYS to worry about.

Fred Flintstone used AV's.

RejZoR
January 27th, 2006, 11:39 AM
-{ Quote: "Ok I have bitten my tongue for long enough now.

All signature based AV's are crap!

NO SIGNATURE=NO PROTECTION!!!

Kav and Nod32 included!!!" }-

You're wrong here. Pretty much the same as all real-world "prevention" medications. They are mostly placebo or have a very small rate of effectiveness. While medications after you get that virus are much more effective because they are meant for very specific treatment.
Same with AVs. It's still easier to provide a fast reactive approach (fast responses) than delivering ultra powerful heuristics that give acceptable results.
Ask anyone at ESET or Kaspersky Lab about this and you'll get the same answer.
And you gave exactly two pioneers which are both best in each category.
Kaspersky for signatures and ESET for heuristics.

AnthonyG
January 27th, 2006, 11:45 AM
@Franklin.

So can I ask: a few years ago I went to a crack site and had absolutely no security protection on my machine whatsoever (i.e. like you, no antivirus).

On there I got a virus of some sort which immediately crashed my computer. Then I found the swine had somehow physically broken my hard drive and motherboard.

What would happen with your setup if you went to a site with this unknown virus on it, and you do not have an antivirus running?

ErikAlbert
January 27th, 2006, 11:46 AM
-{ Quote: "Ok I have bitten my tongue for long enough now.

All signature based AV's are crap!

NO SIGNATURE=NO PROTECTION!!!

Kav and Nod32 included!!!" }-
I would say it with other words, but I understand your feelings towards AV's.
That's why I'm waiting for something else ... maybe the first Whitelist Scanner instead of all these Blacklist Scanners.
I leave it up to the professional security analysts/experts. I can't defend my ideas without being one.

Franklin
January 27th, 2006, 11:48 AM
Ask anyone at ESET or Kas? What reply do I expect?

I don't need to ask any of them as I consider myself more protected than either of them can provide.

Franklin
January 27th, 2006, 11:50 AM
-{ Quote: "@Franklin.

So can I ask: a few years ago I went to a crack site and had absolutely no security protection on my machine whatsoever (i.e. like you, no antivirus).

On there I got a virus of some sort which immediately crashed my computer. Then I found the swine had somehow physically broken my hard drive and motherboard.

What would happen with your setup if you went to a site with this unknown virus on it, and you do not have an antivirus running?" }-

Exactly what I mean. You're running Fred Flintstone security.

AnthonyG
January 27th, 2006, 12:23 PM
How exactly?

If I went there today, firstly I would get a popup from either OA or Kaspersky saying virus on this page, do not download.

And thus I am now safe.

What I am getting at is I think yours (Sandboxie) is a roll back method, isn't it? (just guessing!)

But if you have acquired a virus which immediately crashes your machine and then breaks your hard drive, what roll back options do you have?

Franklin
January 27th, 2006, 12:39 PM
If you acquire any virii with those capabilities and they are zero day, you are stuffed.

Any AV without siggys or heuristics capable of detecting such an attack leaves you stuffed again!

Such a small program with minimal resource usage as Sandboxie should protect you, and if you throw in the big gun, DefenseWall, I would say you can laugh at any attack.

But nothing is 100% secure, but IMHO Sandboxie and/or DefenseWall offer far better security than any signature based security software. Even better than the kings of AVs, Kas and Nod!!!

StevieO
January 27th, 2006, 01:52 PM
No they're not totally crap! Some are much better than others for different reasons, I'll grant you that. I've been both careful and what some would call lucky.

Others I know are not so fortunate for all sorts of reasons, including the fact that it's they who are actually crap in the main. They haven't secured their systems as much as possible, if they know how to, and they surf to unsafe sites etc.

Do our AV's etc sometimes let us down? Of course they do, including some of the top names. Just look at Jotti's and see how some of the so called lesser ones fare better often.

But without any AV etc a lot of people out there really would be stuffed, and a hell of a lot more often than they deserve to be getting away with like they do. So it's definitely a very worthwhile safety net to have. If you also have other measures in place so much the better, and why not!

Sandboxes etc are a great solution I agree, but they are not for everybody. Imagine a family household with even just the kids wanting to P2P/UL/DL music/pictures/emails etc etc and save them like they do. It would be impossible to realistically achieve a sensible simple happy solution for all concerned.

As a single user PC, for those who feel inclined, then it might be fine for them if that's what they want, otherwise it's too limiting for most people I think, including me. So yes some people will continue to get caught out, and some more than others, and more often. But you would expect that they might learn, but many don't?

So there is no perfect answer or solution, except to keep your wits about you and hope the zero days don't happen while you're on the PC. The chances are pretty slim, but it could happen, but if you have solid backup, then what's the problem.


StevieO

ErikAlbert
January 27th, 2006, 03:28 PM
What about a Whitelist Scanner (WS)? You need only one instead of 15.
During the installation the WS loads all the objects (registry, files, ...) of your OS and legitimate application software in its Whitelist Database. Any later installed legitimate software is also added to the Whitelist Database.

Each time you scan, the WS removes everything that doesn't exist in the Whitelist Database.
OK. I put it a bit too simply, but you can add additional validations in the WS as well. After all Blacklist Scanners aren't simple either, they have more than just a definition (blacklist) database.

RejZoR
January 27th, 2006, 03:44 PM
Franklin, there are no zero-day attacks.
There are just worms and a bunch of dumb people that click every ~snip~ damn thing they get into their inbox. Sorry if I insulted anyone but that's how I see it.
Every AV vendor or expert can confirm this, I'm very sure about that.

The infection vector through mail is so high because the payload is PUSHED to you (it's active), while browsing pages and downloading stuff is very passive stuff.
You have to first visit that page (very unlikely), download very specific content and in the end execute it. I don't say it's impossible because it isn't.
But before anyone actually gets to that page it may take time and AV vendors already get the sample and issue a signature detection.
You don't have that luxury for mail-borne malware. They are pushed to thousands of users in a matter of hours, and obviously all of them are dumb enough to extend the process (by executing it) to a few ten to hundred thousand samples which just multiply the same way as real-world parasitic infections.

So drawing a line here I can say signatures are very important.
The true "zero day" detection is not really important for people like me that use bulletproof mail services (that refuse all exe, pif, com, scr, zip files regardless of whether they are legit or not). Sure they are annoying at first but when you get to know it you'll be happy you don't have to deal with stupid mass spammed infected mails ever again. The more important thing for detecting new malware with a completely standalone algorithm is detecting malware based on existing signatures (modifications of existing stuff).
These are always much more probable than one or two really unique samples that are made from scratch here and there.

I'm using just one AV, which is most of the time some free one like avast! or AntiVir. Common sense is what has kept me from malware for years and where I'm kinda an expert already. There is almost no file that I can't inspect just with my eyesight. File placements, process list, startup section, icon+extension, filesize and lots of other factors can identify almost any malware in a matter of seconds. But the problem is that people simply DON'T THINK AT ALL :wacko:. That's a fact that I cannot deny.

hollywoodpc
January 27th, 2006, 04:10 PM
Hi Franklin. Your point is well taken. Although, you need to understand that they are still good. They can still save you. Because you use a different setup does not mean everyone else is unsafe. I agree that what you are doing is safe. But, AV proggies are good to have also. Just another layer. That is all. AV programs are not the most advanced things, true. But, they still add a good layer of protection. Stick with what you have and you will be safe MOST of the time. AV programs will help others who choose to use them. Stoneage? Maybe. But, NOT useless.

Joliet Jake
January 27th, 2006, 04:43 PM
So Franklin, firstly, you're absolutely 100% sure that there is no trojan out there that can bypass your defenses and secrete itself into your system rootkit style and secondly, how could you tell??

ErikAlbert
January 27th, 2006, 07:39 PM
-{ Quote: "So Franklin, firstly, you're absolutely 100% sure that there is no trojan out there that can bypass your defenses and secrete itself into your system rootkit style and secondly, how could you tell??" }-
Franklin never said that :
-{ Quote: "But nothing is 100% secure, but IMHO Sandboxie and/or DefenseWall offer far better security than any signature based security software. Even better than the kings of AVs, Kas and Nod!!!" }-

Franklin
January 27th, 2006, 08:08 PM
-{ Quote: "So Franklin, firstly, you're absolutely 100% sure that there is no trojan out there that can bypass your defenses and secrete itself into your system rootkit style and secondly, how could you tell??" }-
IceSword shows me that I'm safe from rootkits, and for emails using Outlook Express I use Palmail to check and delete any unwanted emails at the server's end. Actually quite a nifty little app.
http://www.mirwoj.opus.chelm.pl/winfreeware/palmail.html

Rivalen
January 28th, 2006, 02:17 AM
The question for me is - what's the best value for money when it comes to the combination of paid security software together with which freebies?

The paid AVs have proven that they fail sometimes - don't want to pay for that, so I stick to the virtual surfing sandbox technique until it fails me - if it does. This technique is not the complement to sign/heur AV - it's the AVs that are the complement to sandboxed surfing - so I don't pay for the complements.

In the future it might well be that all these are included in the next generation of OSs? Let's hope for the owners of NOD and Kaspersky and all the others that they have sold out in due time?

Best Regards

Vikorr
January 28th, 2006, 03:34 AM
Whitelist scanners won't work. Have a look at Prevx's insight webpage to see why :

http://research.prevx.com/default.asp?d=212

They recorded something in the vicinity of 10,000 new programs today...that would be a horrendous job to update a whitelist scanner effectively...and if your program is unrecognised - what would you do while you waited for the whitelist scanner company to update their whitelist signatures?

Given Prevx1 isn't an old program...but insight has been up and running for at least a couple of months now.

Sandboxes are fine, but they have their problems. Some programs won't work with them, virtualisation programs don't always function well with other virtualisation programs, they tend to have their inconveniences (eg starting Sandboxie to run IE in, or rebooting SU to make changes to your computer), and many aren't automated (so if many people use the comp, this can create a problem), etc etc. Personally I think Sandboxes are going in the right direction, and they will only get better and better.

That said, I've nothing against AV's. I run one with SU.

Stefan Kurtzhals
January 28th, 2006, 03:41 AM
Franklin, do the following:

- make a complete backup of your PC (Ghost, TrueImage etc.)
- download malware from some website with your browser marked as untrusted in DW
- execute Windows Explorer
- execute the malware with Windows Explorer

Ooops... No protection from DW... How about format c: ? ;-)
And try to add Explorer.exe to the untrusted list of applications and reboot your computer...

DW did not properly protect from the WMF exploit - the exploit will activate if you have a WMF file in the view pane of Explorer. So if you download a WMF exploit file into a directory, DW will block the exploit being run from the browser but totally fails to notice that the exploit also executed from Explorer.exe... Looks like a basic design flaw to me... Also, DW requires that the user adds every program to the untrusted list that has internet connectivity. If the user forgets Winamp for example, her/his system is already badly compromised.

Besides that I was able to disable/bypass DW easily in less than 5 minutes from an untrusted application. Seems someone did not analyse enough malware to find every possible entry vector...

And why is DW called a virtualization program? It simply blocks certain API calls when they are executed from untrusted application combined with trust inheritance/management. It does not create a virtual environment, it does not have the ability to undo any action like for example VMware when you restore back to a snapshot.

Joliet Jake
January 28th, 2006, 05:07 AM
-{ Quote: "Franklin never said that :" }-

"Such a small program with minimal resource usage as Sandboxie should protect you and if you throw in the big gun,Defensewall,I would say you can laugh at any attack."

That is pants. Again, how can he be absolutely sure that he isn't infected in some, as yet, unknown way?
The main thrust of his post was - if you don't have a signature then you're stuffed as your AV won't be able to detect it.
But with his set up what if there is an, as yet, unknown way around it?

Rivalen
January 28th, 2006, 05:43 AM
If you don't have IE under untrusted in DW you are not using DW properly. I suppose the same goes for Winamp.

If you don't download updates to your AV or don't set it to start at startup you will be disappointed if you get a virus - but it's not fair to the software.

I don't put myself in the backseat of my car and tell it to drive me to work.

If you have bypassed DW with DW set up as intended I will thank you for your contribution because it will either make me change my use of software or it will improve DW to an even better product - in which case I will continue to use it.

The WMF exploit issue when it comes to DW seems to be a discussion whether or not DW protected the exploit from entering any part of my PC or whether or not DW protected my PC from suffering any damage. I am pleased as long as my PC does not suffer damage.

The also interesting follow up question is which AV protected from day-zero?

Best Regards

Ilya Rabinovich
January 28th, 2006, 06:04 AM
-{ Quote: "
- make a complete backup of your PC (Ghost, TrueImage etc.)
- download malware from some website with your browser marked as untrusted in DW
- execute Windows Explorer
- execute the malware with Windows Explorer" }-

Yes, DefenseWall doesn't mark within the rules all the downloaded files as untrusted. That is why if you run a downloaded file from a trusted process it will be trusted.
It is you who decide how to run the downloaded file.

-{ Quote: "
Ooops... No protection from DW... How about format c: ? ;-)
And try to add Explorer.exe to the untrusted list of applications and reboot your computer... " }-

It is impossible to add Explorer.exe (and all the system processes) as untrusted. There is a special check for it.

-{ Quote: "
DW did not propperly protect from the WMF exploit - the exploit will activate if you have a WMF file in the view pane of Explorer. So if you download a WMF exploit file into a directory, DW will block the exploit being run from the browser but totally fails to notice that the exploit also executed from Explorer.exe... Looks like a basic design flaw to me... " }-

It is the same thing for all the sandbox HIPS. It is one of its class's limitations. Nobody's perfect....

-{ Quote: "
Also, DW requires that the user adds every program to the untrusted list that has internet connectivity. If the user forgets Winamp for example, her/his system is already badly compromised." }-

Yes, that is right. But it depends - I don't have my WinAmp connected to the Internet. And what is the point? Why is it so bad? WinAmp doesn't work as untrusted? Mine works perfectly....

-{ Quote: "
Beside that I was able to disable/bypass DW easily in less than 5 minutes from an untrusted application. Seems someone did not analyse enough malware to find every possible entry vector..." }-

Well, it is very hard words. Do you have any PoC?

-{ Quote: "
And why is DW called a virtualization program? It simply blocks certain API calls when they are executed from untrusted application combined with trust inheritance/management. It does not create a virtual environment, it does not have the ability to undo any action like for example VMware when you restore back to a snapshot." }-

First of all - it creates a virtual "untrusted process" environment, separated from the trusted one. Then - there will be some file/registry rollback features, but in time. As you understand, it is just v1.xx of the program. My todo list is growing constantly. I do my best, but I'm not all-mighty!

RejZoR
January 28th, 2006, 06:23 AM
Not the quoting again...:o

Stefan Kurtzhals
January 28th, 2006, 06:52 AM
-{ Quote: "Yes, DefenseWall doesn't mark within the rules all the downloaded files as untrusted. That is why if you run a downloaded file from a trusted process it will be trusted.
It is you who decide how to run the downloaded file." }-

plus

-{ Quote: "It is impossible to add Explorer.exe (and all the system processes) as untrusted. There is a special check for it." }-

And this is why DW is almost useless for a standard user. Every non-poweruser I watched while (s)he operates the computer is using Explorer to launch programs. They download programs with the browser and then launch the apps with Explorer. DW will not protect the system in any way then; how do you want to force the user to launch the downloads from within the browser? How does DW protect from malware that is not transferred into the system over the internet? Not at all.

-{ Quote: "Yes, that is right. But it depends- I don't have my WinAmp connected to the Internet. And what is the point? Why it is so bad? WinAmp doesn't work as untrusted? Mine one works perfectly...." }-

That comment alone shows you have not much experience with malware & exploits. And you call yourself a security expert claiming that all other solutions other than yours are flawed? Interesting...


-{ Quote: "Well, it is very hard words. Do you have any PoC? " }-

I only say Explorer.exe, it took me just a minute to get untrusted applications launched as "trusted" again. As soon as you manage that, the protection is bypassed. Again, how many malware samples did you analyse *by yourself*?
All I needed to find is to execute processes in a way that is not monitored by DW. And I am not going to make the homework for you. With your long years of experience with malware you should be able to reproduce this easily...


-{ Quote: "First of all- it creates virtual "untrusted process" environment" }-

All I see is that dangerous API calls from applications marked as untrusted are blocked. There is no virtual environment at all. The original system kernel and applications are executed, there is no virtualization at all. As I said, it's a simple API blocker with trust management, an interesting tool but it will be bypassed by the standard user download behaviour. If I installed DW on some friends' computer, they would get infected within less than a week anyway.

Rivalen
January 28th, 2006, 07:38 AM
If I download a malware - let's say together with a program - I can choose to install that program (+ malware) from the download window and it will be untrusted. If I go via Explorer and install by double-click it will be trusted, or I can right-click and choose to install as untrusted.

That's user behavior.

What about malware behavior - can malware downloaded with IE untrusted execute themselves from the untrusted zone in a way that they can influence anything outside the untrusted? So far I believe - no they can't.

So - I am protected from the malware's behaviour - but not from my own eventual less careful behaviour?

Every new program I download that is not well-known and from the official site I install as untrusted to see what it executes. If it seems to behave normally I will choose to install it as trusted. DW gives me the choice to do so and I want to have that choice.

So far you have proved DW is not user-poor-behavior-proof. But is it malware-proof? Need something better on that one.

But that's me - I also sit in the left front seat when I drive my car to work.

Best Regards

Fernando Villegas
January 28th, 2006, 08:55 AM
Go Stefan!

I'm sick of all those crazy claims by people who think they have all the answers to all security woes by just using one security application.

Whether it is those who believe in DW, Shadowuser, Sandboxie

Ilya Rabinovich
January 28th, 2006, 12:07 PM
-{ Quote: "
And this is why DW is almost useless for a standard user. Every non-poweruser I watched while (s)he operates the computer is using Explorer to launch programs. They download programs with the browser and then launch the apps with Explorer. DW will not protect the system in any way then, how you want to enforce the user to launch the downloads from within the browser? How does DW protect from malware that is not transfered into the system over the internet? Not at all." }-

Well, first of all, I've just implemented the feature you are so in need of :). Now, under the regular mode, all the executable files created by the untrusted processes will be stored within the "untrusted applications" list. Under the "expert mode" DefenseWall's behaviour is the same as now. I just thought that I needed to implement the online update feature first, but if you so insist..... It was easy. Well, and that is all?

-{ Quote: "
That comment alone shows you have not much experience with malware & exploits. " }-

I'm sorry, but you are wrong.

-{ Quote: "
And you call yourself an security expert claiming that all other solutions other than yours are flawed? Interesting..." }-

I'm sorry, but I've never called myself a "security expert". It is you who claim it. You are wrong one more time.

-{ Quote: "
I only say Explorer.exe, it took me just a minute to get untrusted applications launched as "trusted" again. As soon you manage that, the protection is bypassed. Again, how many malware samples did you analyse *by yourself*?" }-

And how many serious kernel-mode security applications have you written? I'm a system programmer, I'm not an AV analyst. Or, maybe, you think that Process Guard is written by an AV analyst? :) :)

-{ Quote: "
All I needed to find is to execute processes in a way that is not monitored by DW. " }-

OK. Just find it....

-{ Quote: "
And I am not going to make the homework for you. " }-

In fact, it is not my homework.

-{ Quote: "
With your long years of experience with malware you should be able to reproduce this easily..." }-

To reproduce what?

-{ Quote: "
All I see is that dangerous API calls from applications marked as untrustd are blocked. There is no virtual environment at all. The original system kernel and applications are executed, there is no virtualization at all. " }-

There is no registry/file system virtualization, that is right. And so?

-{ Quote: "
As I said, it's a simple API blocker with trust management, interesting tool but it will be bypassed by the standard user download behaviour. If I would install DW on some friends computer, they will get infected within less than a week anyway." }-

Simple? Yes, it is simple in use. That was my aim. But you still haven't proved that it is not strong in defense.

ErikAlbert
January 28th, 2006, 12:59 PM
-{ Quote: "Whitelist scanners won't work. Have a look at Prevx's insight webpage to see why :

http://research.prevx.com/default.asp?d=212
They recorded something in the vicinity of 10,000 new programs today...that would be a horrendous job to update a whitelist scanner effectively...and if your program is unrecognised - what would you do while you waited for the whitelist scanner company to update their whitelist signatures?
" }-
That is not the same, you must have misunderstood my post.
Prevx collects white objects world-wide in its Whitelist Database and that must be an enormous database indeed.

My suggestion was to collect only the white objects, which have been installed by OS and legitimate application software on YOUR computer.
The Whitelist Scanner starts with an empty Whitelist Database, that is filled during the installation of the Whitelist Scanner.
An uninstaller can even use the Whitelist Database to uninstall the software completely.

Here is another idea :
Each legitimate application software could have its own security program,
- that checks its registry and its possible values.
- that checks its folder and its files
Anything that isn't correct can be fixed by this security program, by deleting bad objects, replace damaged objects, etc. ...

There are other possibilities, than just blacklist scanners, HIPS and virtual protection, if experts are willing to look hard enough for other solutions.
That is just a matter of using your imagination.
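The per-machine Whitelist Scanner described in this post and in Erik's earlier one (database filled at installation, later legitimate installs added, everything the database does not know removed at scan time), as an added Python illustration; it is not any poster's or product's code, and the directory layout, file names and the quarantine-instead-of-delete step are my assumptions:

```python
"""Toy whitelist scanner in the spirit of the proposal above.

Hypothetical illustration, not any product's code.  The Whitelist Database is
built from the machine's own files at 'installation' time, user-approved
installs are added later, and a scan flags (and quarantines) everything else.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(root: Path) -> dict:
    """The installation step: record a digest for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def add_to_whitelist(wl: dict, root: Path, rel_paths) -> None:
    """A later, user-approved install: its files are added to the database."""
    for rel in rel_paths:
        wl[rel] = file_digest(root / rel)


def scan(root: Path, wl: dict) -> dict:
    """Classify every file on disk against the database.

    whitelisted: known path, known content
    modified:    known path, content no longer matches (tampered or updated)
    unknown:     not in the database at all
    missing:     in the database but gone from disk
    """
    report = {"whitelisted": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in wl:
            report["unknown"].append(rel)
        elif wl[rel] != file_digest(p):
            report["modified"].append(rel)
        else:
            report["whitelisted"].append(rel)
    report["missing"] = sorted(set(wl) - seen)
    return report


def quarantine(root: Path, report: dict, qdir: Path) -> list:
    """'Remove everything that isn't in the database': moved aside, not deleted,
    so a false positive (a legitimate update nobody approved) is reversible."""
    moved = []
    for rel in report["unknown"] + report["modified"]:
        dest = qdir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(dest))
        moved.append(rel)
    return moved


def demo() -> dict:
    """Constructed scenario on a throwaway directory: baseline a tiny 'system',
    approve one install, then drop in an unknown binary and edit a config file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "app").mkdir(parents=True)
        (root / "app" / "editor.exe").write_bytes(b"MZ constructed legit editor")
        (root / "config.ini").write_text("theme=dark\n")
        wl = build_whitelist(root)

        (root / "app" / "plugin.dll").write_bytes(b"MZ constructed approved plugin")
        add_to_whitelist(wl, root, ["app/plugin.dll"])      # the user said yes to this one
        (root / "app" / "dropper.exe").write_bytes(b"MZ constructed unknown binary")
        (root / "config.ini").write_text("theme=dark\nrun=app/dropper.exe\n")

        report = scan(root, wl)
        moved = quarantine(root, report, Path(tmp) / "quarantine")
        after = scan(root, wl)   # the modified config.ini is now reported as missing
        return {"report": report, "moved": moved, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The second scan shows the weak spot of "remove what the database doesn't know": a legitimate file that was modified is gone too, so a real scanner would restore it from a known-good copy rather than just remove it.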

Vikorr
January 28th, 2006, 05:57 PM
Erik, the whitelist scanner you are talking about sounds a lot like Anti-Executable that is a partner to DeepFreeze.

Of course, you have to disable AE to install anything, so I guess that's not exactly what you are talking about, and AE doesn't have an uninstall feature...so AE sounds similar, but a little less flexible than what you are suggesting (if I understand it right)

ErikAlbert
January 28th, 2006, 06:07 PM
-{ Quote: "Erik, the whitelist scanner you are talking about sounds a lot like Anti-Executable that is a partner to DeepFreeze.

Of course, you have to disable AE to install anything, so I guess that's not exactly what you are talking about, and AE doesn't have an uninstall feature...so AE sounds similar, but a little less flexible that what you are suggesting (if I understand it right)" }-
I don't know anything about AE and DeepFreeze, at least not enough.
I'm just throwing some ideas in the arena and see what other members think about it.
It's no secret at Wilders, that I don't like the blacklist approach. :)

Rivalen
January 29th, 2006, 02:13 AM
If I understand the presumed function of DW correctly - (also based on a thread at CastleCops);

Let's say I get a virus into my DW-Sandbox while surfing or e-mailing. It can execute from the box and send itself on to other people in my address book as long as I don't hit "the Red Button" or reboot - right?

After that Red Button or reboot the virus can do nothing - right?

During its "visit" to the DW-sandbox it cannot reach out of the box and touch my true C: - right? So my true C: is protected from damage - right?

(I cannot express myself technically because I am not computer-savvy)

It seems that for Stefan K that's not protection - or in some mysterious way not protection enough? No damage to the computer - and yet not good enough protection? Come on Stefan - what do you really mean - talk to us laymen and ordinary users in a way that we understand and don't hide behind all the high-tech AV-expert image - so far it doesn't seem to convince - at least not me - that you truly have a Proof of Concept when it comes to bypassing DW when it's used as intended. What you said about starting from Explorer is like a user not updating his AV and then blaming it on the AV if it doesn't protect. It's not a bypass PoC - even a layman understands that. So, "Go Stefan" - dig deeper into your knowledge base and come up with something better. We need your contribution. Saying "I will not do your homework" sounds like an escape so that you don't have to show us that you don't have any PoC.

The fact that whilst in the DW-sandbox the virus can spread is of course not good for my friends - therefore I use a free AV to give my friends some help with protection from the eventual known viruses that might "visit" my DW-sandbox.

For me it's about which one security app to pay for.

A version of DW taking away the possibility to install progs as trusted from Explorer through the double-click seems OK - but it still means that I can - from Explorer - right-click and choose "run/install as trusted" - right?

Best Regards

deviladvocate
January 29th, 2006, 12:51 PM
-{ Quote: "That is not the same, you must have misunderstood my post.
Prevx collects white objects world-wide in its Whitelist Database and that must be an enormous database indeed.
" }-

Right. You don't want this.

-{ Quote: "
My suggestion was to collect only the white objects, which have been installed by OS and legitimate application software on YOUR computer.
" }-

Okay, how? Who recognises what is legitimate? The user? Prevx? If not, who else?

-{ Quote: "
The Whitelist Scanner starts with an empty Whitelist Database, that is filled during the installation of the Whitelist Scanner.
An uninstaller can even use the Whitelist Database to uninstall the software completely.
" }-

No idea what you mean here. Are you saying, for example, I'm the programmer of say Firefox, so I make Firefox itself tell the security program what is legitimate?

-{ Quote: "
Here is another idea :
Each legitimate application software could have its own security program,
- that checks its registry and its possible values.
- that checks its folder and its files
Anything that isn't correct can be fixed by this security program, by deleting bad objects, replace damaged objects, etc. ...
" }-

So you want every program on the planet to do that? What if the program is evil and lies?

Actually something like that exists with coreforce, except, users themselves set up rules, then they put it online and share with others.

Ideally the programmer himself should set up the rules, but it's not really hard for someone who isn't the creator to figure out what accesses are needed and share the rules with others.

Of course, someone may still knowingly share bad rules but at least other people can spot them too.

-{ Quote: "
There are other possibilities, than just blacklist scanners, HIPS and virtual protection, if experts are willing to look hard enough for other solutions.
That is just a matter of using your imagination." }-

Sure, it's sad that everyone else in the security industry lacks imagination...
Care to give us a hand with your ideas?

Stefan Kurtzhals
January 30th, 2006, 05:54 AM
-{ Quote: "Now, under the regular mode work all the executable files created by the untrusted processes will be stored within the "untrusted applications" list. Under the "expert mode" the DefenseWAll's behaviour is the same that now." }-

Nice attempt, but doesn't solve the problem. How about the user downloading a ZIP, RAR, 7zip archive, then unpacking it with Total Commander, WinRAR and so on and then launching the inside malware? DW won't block, again.
And how do you want to detect "executables"? You know, there are more executables than just PE-EXE... How about all those containers that can have embedded malware?

-{ Quote: "
-{ Quote: "That comment alone shows you have not much experience with malware & exploits." }-

I'm sorry, but you are wrong." }-

Well, where is the proof? All comments you make here indicate your obvious low level of understanding of malware. So again, how many malware samples did you actually analyse on your own?

That is important, because:

-{ Quote: "And how many serious kernel-mode security applications have you written? I'm a system programmer, I'm not an AV analytic. Or, maybe, you think that Process Guard is written by the AV analitic? " }-

You completely miss the point again. So you are admitting that you have no idea about how malware actually works but you are able to write system programs. I bet your customers will be relieved that you openly confess you have no idea about malware and write *security* programs based on *theoretical* knowledge. So tell me, how does being a good system programmer but having very low knowledge about malware qualify you to write a security application?

And of course there are AV experts around that have in-depth system programming knowledge. How do you actually want to understand the more complex malware without that? There are papers published by AV experts covering these topics if you would bother to search. Again you show your little understanding of what AV actually is.


-{ Quote: "In fact, it is not my homework. " }-

Your customers will surely find it interesting that you are not interested in testing your own security application properly.


-{ Quote: "There is no registry/file system virtualization, that is right. And so?" }-

Hmm, so you are wrongly advertising your product and intentionally misleading your potential customers then:

"Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications."

There is no virtual zone being "allocated". The malware just executes, normally. No difference at all to regular execution.

"In the case of penetration by malicious software via one of the untrusted applications (web browsers etc), it cannot harm your system and may be closed with just one click!"

Tell me what happens if you execute a trojan that doesn't "install" itself but just corrupts every *.doc file on your computer, steals accounts and send them to a web page online? Does DW block that too?
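The trust-inheritance question argued through this exchange (Ilya's rule that a download run from a trusted process is trusted, his new regular mode that puts executables created by untrusted processes on the untrusted list, and Stefan's archive objection), as an added toy model in Python. It is not DefenseWall's code; the three policy names, the process and file names, and the provenance rule are my assumptions, and the model only tracks file labels, not the API blocking itself:

```python
"""Toy model of trust inheritance in a sandbox HIPS of the kind discussed above.

Added illustration, not DefenseWall's code.  Three hypothetical policies are
compared on the download-then-launch scenarios argued about in this thread.
"""
from dataclasses import dataclass

EXEC_EXTS = (".exe", ".scr", ".com", ".pif")   # crude 'is this an executable' test


@dataclass
class File:
    name: str
    created_by_untrusted: bool = False   # an untrusted process wrote this executable
    tainted: bool = False                # provenance: content came from untrusted input


@dataclass
class Process:
    name: str
    untrusted: bool


class Sandbox:
    """policy 'launcher':    a program inherits the launcher's trust, unless it is on the
                             user's untrusted list (Explorer launching a download -> trusted)
       policy 'created':     plus executables written by untrusted processes are untrusted
       policy 'provenance':  plus any file derived from untrusted data carries the label,
                             so a trusted unpacker extracting a download does not launder it
    """

    def __init__(self, policy: str):
        assert policy in ("launcher", "created", "provenance")
        self.policy = policy
        self.fs = {}                 # file name -> File
        self.untrusted_apps = set()  # the list the user configures (browser, mail client ...)

    def mark_untrusted(self, app: str) -> None:
        self.untrusted_apps.add(app)

    def start(self, app: str, launcher: Process = None) -> Process:
        untrusted = app in self.untrusted_apps
        if launcher is not None and launcher.untrusted:
            untrusted = True                       # trust inheritance, all policies
        f = self.fs.get(app)
        if f is not None:
            if self.policy in ("created", "provenance") and f.created_by_untrusted:
                untrusted = True
            if self.policy == "provenance" and f.tainted:
                untrusted = True
        return Process(app, untrusted)

    def write(self, proc: Process, name: str, derived_from: str = None) -> File:
        """proc creates a file; derived_from names the input it was produced from
        (an archive being extracted), which is what provenance tracking follows."""
        src = self.fs.get(derived_from) if derived_from else None
        f = File(
            name,
            created_by_untrusted=proc.untrusted and name.lower().endswith(EXEC_EXTS),
            tainted=proc.untrusted or (src is not None and src.tainted),
        )
        self.fs[name] = f
        return f


def _download(policy: str):
    """Constructed setup: an untrusted browser saves payload.exe (nothing real)."""
    sb = Sandbox(policy)
    sb.mark_untrusted("browser.exe")
    browser = sb.start("browser.exe")
    sb.write(browser, "payload.exe")
    return sb, browser


def launched_from_browser(policy: str) -> bool:
    """User runs the download from the browser's own download window."""
    sb, browser = _download(policy)
    return sb.start("payload.exe", launcher=browser).untrusted


def launched_from_explorer(policy: str) -> bool:
    """User double-clicks the download in Explorer, which is trusted."""
    sb, _ = _download(policy)
    explorer = sb.start("explorer.exe")
    return sb.start("payload.exe", launcher=explorer).untrusted


def unpacked_then_launched(policy: str) -> bool:
    """Download is an archive; a trusted unpacker extracts it; Explorer runs the result."""
    sb = Sandbox(policy)
    sb.mark_untrusted("browser.exe")
    sb.write(sb.start("browser.exe"), "tool.zip")
    explorer = sb.start("explorer.exe")
    unpacker = sb.start("unpacker.exe", launcher=explorer)
    sb.write(unpacker, "payload.exe", derived_from="tool.zip")
    return sb.start("payload.exe", launcher=explorer).untrusted


def compare() -> dict:
    """True means the launched program ends up sandboxed (untrusted) under that policy."""
    return {policy: {"browser": launched_from_browser(policy),
                     "explorer": launched_from_explorer(policy),
                     "archive": unpacked_then_launched(policy)}
            for policy in ("launcher", "created", "provenance")}


if __name__ == "__main__":
    for policy, result in compare().items():
        print(policy, result)
```

Only the provenance policy keeps the label through the archive step, and it needs the sandbox to follow what a trusted process reads as well as what it writes, which is the part the thread never settles.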

StevieO
January 30th, 2006, 06:10 AM
Just for the record, Process Guard was written by AT analysers as in TDS3.


StevieO