Antivirus is DEAD!
farmerlee
February 10th, 2007, 06:37 AM
It's a bit old and may have been posted before, but I found it an interesting read.
http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html
lodore
February 10th, 2007, 09:33 AM
That's why antivirus companies are having stuff like good heuristics like nod32 and antivir.
and proactive modules like kaspersky 6.0
lodore
TonyW
February 10th, 2007, 10:03 AM
They still have to update the heuristics though.
Perman
February 10th, 2007, 10:17 AM
Hi, folks: An interesting article, indeed. It reveals the worst-kept confession in the security community. He states: "the enterprises invest and deploy AV more out of a sense of FEAR than because they believe it is offering VALUE." It is obviously a gray area between an extortion and a protection, IMO. O man, what kind of world has it become? >:(
EASTER.2010
February 10th, 2007, 04:13 PM
{QUOTE-> and proactive modules like kaspersky 6.0 <-QUOTE} :thumb:
Makes you wonder why they waited this long for such a new approach, which is infinitely better than what we've been having to rely on for years before.
HIPS and other behavioral program developers have certainly taken the initiative to push this innovation into a head-on clash with AV's and is why AV's are scrambling to integrate those better features into their own systems now.
lodore
February 10th, 2007, 04:36 PM
Also, behavior blockers use fewer resources as well.
lodore
RejZoR
February 11th, 2007, 02:21 AM
{QUOTE-> They still have to update the heuristics though. <-QUOTE}
And they still have to update malware. So why should security vendors be restricted to non updatable software, while bad guys can update everything 48 times a day if they want?
ronjor
June 8th, 2007, 05:01 PM
The Slow Death of AV Technology
{QUOTE-> AV technology is gradually dying and being replaced by far more effective IT security technology based on whitelisting. You could view this as an inevitable development, given the horrible inadequacies of AV technology, or you might want to pin the credit on the AVID (AntiVirus Is Dead) campaign which has repeatedly drawn attention to the inadequacy of AV technology and championed whitelisting technology that actually works. Actually it doesn't matter much either way. It's happening. <-QUOTE}Article (http://www.it-analysis.com/blogs/Robin_Bloor/2007/6/the_slow_death_of_av_technology.html)
ErikAlbert
June 8th, 2007, 05:13 PM
Voila, I was right from the beginning and my security is based on that.
Mrkvonic
June 8th, 2007, 05:14 PM
Hello,
Anti-virus is going to live as long as people think of anything bad that happens on a PC as virus. It took 15 years to make a 70% transition from VCR to DVD, it will take at least 20 for software. We need a whole new generation to be born into a world before this will happen.
Mrk
C.S.J
June 8th, 2007, 05:47 PM
{QUOTE-> That's why antivirus companies are having stuff like good heuristics like nod32 and antivir.
and proactive modules like kaspersky 6.0
lodore <-QUOTE}
apparently, drweb v5 brings in a technology 'similar' to the pdm, but apparently different and better, so they say. :)
I await the beta...
IBK
June 8th, 2007, 06:31 PM
http://blogs.authentium.com/virusblog/?p=176
Franklin
June 8th, 2007, 06:33 PM
The AV died here quite a while ago, even before the zero-day attack of Jan 2006 where 200 variants wreaked havoc on many PCs with not a single AV protecting completely.
Was using Sandboxie then and still using it now and have added Powershadow and Virtual PC recently.
Still want something to warn me if any malware is attempting to run though.
Tossing up between DSA, SSM and Cyberhawk which I have running in their own VMs with Sandboxie the only other security app.
All are quite good.
C.S.J
June 8th, 2007, 06:36 PM
I'm still a firm believer in 'an antivirus only.....'
However, if you really feel the need for something else, just use a HIPS if it bothers you this much.
anything else... is just getting paranoid.
duke1959
June 8th, 2007, 06:50 PM
I wonder where this leaves Avast? It has the Web Shield, and Generic Detection I believe, but no heuristics yet. Do they have enough money to stay alive? AVG, with its so-so heuristics, I believe does have the money to stay alive, and yet from what I read in this forum probably isn't as good as Avast would be at preventing some unknown virus, which is what I think we're really talking about here.
C.S.J
June 8th, 2007, 06:59 PM
Actually avast scored an ADVANCED level in the latest proactive test, with 26% and low false alarms.
AVG didn't even score the STANDARD rating.
It is AVG that needs to work on this, and not avast.
I still prefer AVG anti-malware over avast, but avast definitely has the best free version for sure.
Franklin
June 8th, 2007, 07:00 PM
{QUOTE->
however, if you really feel the need for something else, just use an HIPS if it bothers you this much.
<-QUOTE}
The only thing that bothers me is boredom.
Things are just too quiet here.
Want something to show that some nasty is trying to run in the sandbox so I can laugh at it.:)
C.S.J
June 8th, 2007, 07:01 PM
Yeah, I totally understand boredom.
Sometimes, even though I'm an 'antivirus only user', if bored.. I will try a HIPS and put it to its test *lol*
Only to revert back to just my drweb; it's a cycle that continues to go on.... with such betas that are available as well.
JerryM
June 8th, 2007, 07:02 PM
I am a slow learner but I won't worry until the sky falls on me.
I am satisfied to keep a good AV plus a few other anti-malware applications. I tend to reduce the number as time goes by, but not the AV.
Jerry
larryb52
June 8th, 2007, 07:10 PM
You're as safe as where you surf, I don't care what you run or don't run...
TOMxEU
June 9th, 2007, 03:18 AM
AV is dead for less than 1% of people, like those who visit Wilders, but the rest need it.
Like my mom, I cannot imagine that she would have to run a HIPS instead of an AV. :D
Rasheed187
June 9th, 2007, 11:43 AM
But this tech is geared to the enterprise; I wonder when we will get to see it in consumer-based products. I also wonder how this whitelisting tech exactly works? Will everyone have to buy a certification or something, and if software is not certified it's not allowed to run?
WSFuser
June 9th, 2007, 12:03 PM
AV isn't dead to me and I won't be saying goodbye for some time...
Perman
June 9th, 2007, 12:19 PM
Hi, folks: I constantly think this: if Prevx2, as effective as it is now, can infuse more HIPS and behaviour blocking functions into its amazing concept (making most decisions for users) and then couple that with its already massive signature database, it can make traditional AV cease and desist before our naked eyes.
IMO, average joe/jane comprises more than 70% of the entire PC user population, and these people (including myself) do not wish to fiddle w/ constant prompts asking permission. Someone else like Prevx2's central command would step in and wear this shoe for them. Bingo, it just hits the very target: everyone's pocket. Hope this day will come very soon.
Inspector Clouseau
June 10th, 2007, 05:23 AM
http://weblog.vircop.org/?p=25
solcroft
June 10th, 2007, 05:56 AM
{QUOTE-> http://weblog.vircop.org/?p=25 <-QUOTE}
Interestingly enough, this seems to be the method Comodo is trying to take, though they apparently restrict themselves to executables, libraries and drivers, without taking into account documents like you mentioned.
Perhaps a Comodo representative could comment on this, if there are any around? ;D
plantextract
June 10th, 2007, 06:35 AM
Interesting IC, also seems that opera doesn't like your blog, it's displayed wrong. :)
flinchlock
June 10th, 2007, 06:51 AM
{QUOTE-> http://weblog.vircop.org/?p=25 <-QUOTE}Great article!
{QUOTE-> Whitelisting is probably a nice feature for ADVANCED computer users, but it will confuse the normal, ordinary home user FOR SURE. <-QUOTE}A poster with at least 5,859 posts that says he does not know anything about good/bad objects, has now been graduated to an ADVANCED computer user! ;)
{QUOTE-> Get real and don’t hype things you don’t even understand. It can be a nice addition to AV Software yes, but it is utter bullshit that it will replace AV.
Last question is: How will you manage exploits? For example in JPG files? Whitelisting every jpg picture?! <-QUOTE}
Mike
BlueZannetti
June 10th, 2007, 07:02 AM
It is useful to bear in mind that any proclamation of the death of Technology X is typically no more than the birth announcement of Technology Y. At birth, we all have almost limitless potential, then reality starts to rear its ugly head.
At times, a reality-adjusted Y is sufficiently attractive to supplant X, but you really can't assess that until Y is out there in the real world facing actual field-use complexities. This situation is no different.
Blue
Inspector Clouseau
June 10th, 2007, 07:51 AM
At DSLR my post simply got deleted. "deleted by moderator". Nice to know that they don't care about my opinion. Time to cancel my DSLR membership.
flinchlock
June 10th, 2007, 08:23 AM
{QUOTE-> At DSLR my post simply got deleted. "deleted by moderator". Nice to know that they don't care about my opinion. Time to cancel my DSLR membership. <-QUOTE}Yikes, I am sure all us paranoid posters here at Wilder's care very much about your opinion!
Of course, thank the god of your choice for the super moderators here when things get a little out of hand. :o (I sure wish they had a kiss-axx smiley)
Mike
Franklin
June 10th, 2007, 08:37 AM
{QUOTE-> Have you thought about the fact that actually Millions of people creating DAILY millions of <-QUOTE}
So in effect one person is creating a couple of documents daily. "Millions" adds more hype.
{QUOTE-> Get real and don’t hype things you don’t even understand. It can be a nice addition to AV Software yes, but it is utter bullshit that it will replace AV. <-QUOTE}
Sandboxing/Virtualisation has replaced an AV here!
RejZoR
June 10th, 2007, 08:48 AM
Sandboxing doesn't really fix much. Even though your Firefox is running in a separate space, it can still screw up your entire bookmarks base (for me, this would be a major catastrophe), so you still need backups everywhere.
So in the end you haven't done much...
flinchlock
June 10th, 2007, 08:53 AM
{QUOTE-> ...it can still screw up your entire bookmarks base... <-QUOTE}PoC? (Proof of Concept)
Mike
Inspector Clouseau
June 10th, 2007, 09:01 AM
{QUOTE-> So in effect one person is creating a couple of documents daily."Millions" adds more hype.
<-QUOTE}
Nope, it doesn't. Guess how many people are working worldwide in an office and writing documents/sheets? Did you know that even *OPENING* a Word document makes changes without having anything typed in? In case you didn't, you know now.
You cannot expect normal ordinary users (that's what we are speaking about) to work in a virtual environment. That simply doesn't work! Half of them don't even know what it means, and even if they did they would not understand how to use it in a proper way without losing all the data they really need.
And we are speaking about "stupid" whitelisting and not about virtual machines.
Inspector Clouseau
June 10th, 2007, 09:04 AM
{QUOTE-> Sandboxing/Virtualisation has replaced an AV here! <-QUOTE}
Good to know! I tried that with my wife too since I got sick of cleaning her machine every week. Guess what? She refuses now to use that machine and jumps for my laptop!
solcroft
June 10th, 2007, 09:06 AM
{QUOTE-> Nope, it doesn't. Guess how many people are working worldwide in an office and writing documents/sheets? Did you know that even *OPENING* a Word document makes changes without having anything typed in? In case you didn't, you know now.
You cannot expect normal ordinary users (that's what we are speaking about) to work in a virtual environment. That simply doesn't work! Half of them don't even know what it means, and even if they did they would not understand how to use it in a proper way without losing all the data they really need.
And we are speaking about "stupid" whitelisting and not about virtual machines. <-QUOTE}
Stupid question alert.
If it's about Office documents, wouldn't simply whitelisting the macros be enough?
flinchlock
June 10th, 2007, 09:07 AM
{QUOTE-> Good to know! I tried that with my wife too since I got sick of cleaning her machine every week. Guess what? She refuses now to use that machine and jumps for my laptop! <-QUOTE}Any way to sneak PowerShadow as the default boot on her machine and your laptop so she does not see the difference? ;D
Mike
Inspector Clouseau
June 10th, 2007, 09:07 AM
{QUOTE-> Stupid question alert.
If it's about Office documents, wouldn't simply whitelisting the macros be enough? <-QUOTE}
Macros yes, but how about exploits? ;) Besides, most of the (real) office documents contain macros, even if it's only to automate office contact data and the like.
Inspector Clouseau
June 10th, 2007, 09:14 AM
Folks, you should keep in mind that not everyone is willing to learn additional things. For most users the computer is just a daily work equipment!
That they use the internet for searching something doesn't mean that they spend hours improving their computer software setup and learning how to use it!
Just walk out on the street and ask a few women how many can fix an engine problem in their cars. You know the answer when they ask "What's an engine?"
Still they are driving cars. You don't need to be a mechanic to do so. You have the god-given right (I mean the "other god" ;) ) to use something without being an expert or even without having to learn more things than really needed. Because if it were like this, that everyone knew exactly what's going on, we wouldn't even need a virtual system! Or AV software or a firewall - you name it.
solcroft
June 10th, 2007, 09:14 AM
{QUOTE-> Macros yes, but how about exploits? ;) Besides, most of the (real) office documents contain macros, even if it's only to automate office contact data and the like. <-QUOTE}
Exploits wouldn't require whitelisting, I think. Their end aim is to download and execute code, and whitelisting works against that very well.
Or am I missing something here?
Inspector Clouseau
June 10th, 2007, 09:17 AM
{QUOTE-> Exploits wouldn't require whitelisting, I think. Their end aim is to download and execute code, and whitelisting works against that very well.
Or am I missing something here? <-QUOTE}
Yes you do. Because in that way you would have to whitelist *EVERY* document, regardless of whether it contains macros or not! Remember: with whitelisting you do the opposite of what AV does: you have to state that a document is CLEAN. You can only do that if you KNOW the document and SAW it. AV states that something is infected BECAUSE WE SAW the virus and we KNOW it's in there.
solcroft
June 10th, 2007, 09:21 AM
{QUOTE-> Yes you do. Because in that way you would have to whitelist *EVERY* document, regardless of whether it contains macros or not! Remember: with whitelisting you do the opposite of what AV does: you have to state that a document is CLEAN. You can only do that if you KNOW the document and SAW it. AV states that something is infected BECAUSE WE SAW the virus and we KNOW it's in there. <-QUOTE}
Another silly question.
Why would we need to whitelist macro-less documents? Is there some kind of hostile exploit in Office that does bad stuff even without macros? Obviously if something is going to do no harm, you leave it alone (plaintext documents come to mind...).
I've been an OpenOffice user for almost 2 years, so I'm pretty out of touch with MS Office.
Franklin
June 10th, 2007, 09:27 AM
{QUOTE-> Good to know! I tried that with my wife too since I got sick of cleaning her machine every week. Guess what? She refuses now to use that machine and jumps for my laptop! <-QUOTE}
Sandboxie and PS are on my three daughters' computers and yep, not a single infection in months. They did ring every now and then for some instructions at first.
The odd online AV scan confirms.
They love those apps and say they are the best. And guess what, I agree with them. ;)
Inspector Clouseau
June 10th, 2007, 09:28 AM
{QUOTE-> Another silly question.
Why would we need to whitelist macro-less documents? Is there some kind of hostile exploit in Office that does bad stuff even without macros? Obviously if something is going to do no harm, you leave it alone (plaintext documents come to mind...).
I've been an OpenOffice user for almost 2 years, so I'm pretty out of touch with MS Office. <-QUOTE}
We can also continue with JPG Pictures if you like.... Please tell me how the hell you will detect for example "jpg" exploits with only whitelisting? Or... maybe in 2 years a jpg2009 exploit? you have the following options:
Option 1: ALL JPG PICTURES (of course including porn pictures - i can imagine that would be a nice job profile, something like "Reverse Engineer Porn Pictures") would have to be whitelisted.
Option 2: You add something that detects the exploit itself - THEN YOU ARE ALREADY AN AV-"SOLUTION"! Since you're looking for "bad" code (blacklisted)
solcroft
June 10th, 2007, 09:34 AM
{QUOTE-> We can also continue with JPG Pictures if you like.... Please tell me how the hell you will detect for example "jpg" exploits with only whitelisting? Or... maybe in 2 years a jpg2009 exploit? you have the following options:
Option 1: ALL JPG PICTURES (of course including porn pictures - i can imagine that would be a nice job profile, something like "Reverse Engineer Porn Pictures") would have to be whitelisted.
Option 2: You add something that detects the exploit itself - THEN YOU ARE ALREADY AN AV-"SOLUTION"! Since you're looking for "bad" code (blacklisted) <-QUOTE}
Well...
The way I see it, you leave the jpgs alone, ignore them entirely, and focus on whacking dead whatever the jpgs try to download. Because in the end it's not the jpgs that are going to do anything bad to your system, it's what they download that will.
When a blacklist scanner is concerned obviously the better strategy is to try to kill the jpg. For whitelists I think the opposite applies.
Inspector Clouseau
June 10th, 2007, 09:39 AM
{QUOTE-> Because in the end it's not the jpgs that are going to do anything bad to your system, it's what they download that will.
<-QUOTE}
Do you actually know what an exploit is? Seems not. You can basically do *EVERY* thing and not only download and execute files! For instance just crashing the system by previewing a picture. Would you call that "nice"? At least I don't. Because you can lose all your work in the background.
solcroft
June 10th, 2007, 09:42 AM
I see. Thanks for the explanation.
Inspector Clouseau
June 10th, 2007, 09:48 AM
To give an overview of the problems with only whitelisting:
* Much more stuff to whitelist than to blacklist (Remember: the problem for the AV is the workload! How will they manage to whitelist even much more?!)
* The problem with "these files we can ignore": you always have to expect that a specific file format gets exploitable! What will you do then? Start whitelisting when you have a problem?! Then you notice you'll have to whitelist millions of things?! (for instance pictures...) As AV you just have to make sure that you scan this file format and that you detect this maybe ONLY ONE(!) exploit. That takes maybe 1 day and then you protect successfully against this exploit. Guess how long it will take to whitelist everything so that you can tell that something doesn't contain the exploit? Years?
* The "already whitelisted" problem: when a problem occurs later that applies to already whitelisted things, then what?! As AV we just add a detection and we don't care about "older versions of types" because we simply detect it then in it. As whitelist you would have to verify again the whole archive, searching for this "problem" (exploit comes to mind). I don't think users will be very happy with the response times...
Conclusion: As I said before, it is a nice "addition" to existing AV software. But it NEVER EVER solves all problems without AV in a real-world environment. (What you tell your investors as a whitelist company is however another story...)
WSFuser
June 10th, 2007, 09:55 AM
{QUOTE-> http://weblog.vircop.org/?p=25 <-QUOTE}
Thanks for the reading material. Quite informative.
Mrkvonic
June 10th, 2007, 10:16 AM
Hello,
Entire two generations of people have been educated to work by default allow. And switching to default deny will be almost impossible. Because people are lazy and inert.
Whitelisting in software is not needed if you have whitelisting in your head. But that's the same as default deny education.
Inspector, I think people should have to pass a test to use computers. Just like cars. They don't know anything about engines, but they still must pass a theoretical and practical driving tests / exams...
Mrk
Inspector Clouseau
June 10th, 2007, 10:26 AM
{QUOTE-> Inspector, I think people should have to pass a test to use computers. Just like cars. <-QUOTE}
That is indeed not a bad idea. HOWEVER. Without cheating my wife wouldn't pass this test. (And NO, she is NOT stupid. She simply doesn't care and doesn't see any need to learn something with computers! Believe me, I've tried that for years!) And I do need her email, because otherwise how should I know during work what dinner awaits me? :o
Mrkvonic
June 10th, 2007, 10:29 AM
Just don't let her see your Wilders posts ... because you might end up with no dinner, or thallium-flavored roast pork cutlets.
Mrk
Inspector Clouseau
June 10th, 2007, 10:34 AM
{QUOTE-> Just don't let her see your Wilders posts ... because you might end up with no dinner, or thallium-flavored roast pork cutlets.
Mrk <-QUOTE}
In case she does: I LOVE YOU ;D
But seriously, that is exactly the problem. She can use a browser, an email client and some Yahoo chat. And that is, according to her own words, all she wants. And I do accept this. And I don't blame her for not knowing what a registry key is. And I think exactly this "profile" applies to MANY MANY other people, not only my wife.
flinchlock
June 10th, 2007, 10:37 AM
{QUOTE-> And I think exactly this "profile" applies to MANY MANY other people, not only my wife. <-QUOTE}YES, being the IT support person for a spouse is like trying to walk a tightrope over the Grand Canyon! :wacko:
Mike
Mrkvonic
June 10th, 2007, 10:42 AM
Hello,
The thing is: she does not need Windows then!
Computers today are made for a WHOLE range of things. As such, they require good knowledge to utilize effectively.
Just like you have cars that transport people, you have cars that transport heavy machines, cars that collect garbage etc.
Computers should also have categories:
- For newbs (running the basic of basic Linuxes)
- For moderate users (running some nice Linux or Mac)
- For advanced users (running Linux)
Joking aside, most computers, especially Windowsy ones, are made capable of everything. Which is exactly what most people do NOT need.
Why have ftp and telnet on a standard Windows machine? Most people do not use these. Why have command line? And so on.
In particular, Windows is made open to be as compatible as possible, but this is the real problem - not everyone needs or should need or be able to use all of the options, since they require skill and knowledge.
If computers had categories, you would not need anti-virus.
Imagine a machine that has no downloads available, only a tiny browser for games and a tiny browser-based email. Simple.
BUT ... if people are using fully capable tools, they should be fully capable too. That's why Windows users must know what the registry is - because they can find it and tamper with it.
In cars, you are limited. You need tools to cause damage to your engine. You need quite a bit of effort to do stuff. And because it is expensive and can also be dangerous for users, they do not do it.
Computers: no physical pain, no physical effort, quite cheap, so they can afford to mess around.
Imagine you get a ticket for getting infected with a virus, just like running a red light? Not so many people would be so quick-handed on the double click, eh?
I can go on and on, but I have a basketball game to go to.
So ... The main idea is there, not phrased as well as I wanted, but I'm in a kind of a hurry ...
Cheers,
Mrk
flinchlock
June 10th, 2007, 10:47 AM
{QUOTE-> Why have command line? <-QUOTE}Now you have done it, you sure do .iss me off! ::) ;D ;) :) :D :-*
Click on my "DOS user" link in my signature. ;)
Mike
Rmus
June 10th, 2007, 11:01 AM
{QUOTE-> http://weblog.vircop.org/?p=25
Whitelisting is probably a nice feature for ADVANCED computer users,
but it will confuse the normal, ordinary home user FOR SURE. <-QUOTE}The term WhiteListing has become a term that has lost its meaning without referring to specific situations.
Blanket statements such as the above are misleading to the uninformed.
For nothing could be further from the truth.
In its most basic application, White Listing is denying by default the execution of malicious code.
The initial setting up of a White List solution assumes a clean system. I have successfully used such a solution on my own system and other home users' systems for many years.
It's essentially a Set-and-Forget solution.
Taking your examples:
{QUOTE-> Guess how many people are working worldwide in an office and writing documents/sheets? <-QUOTE}
[two screenshot attachments]
Many of my academic colleagues -- dealing weekly with dozens of other users' Office documents -- effectively protect against the above type of exploit with a White List solution.
Students at college with a White List solution on their laptop are protected against this type of exploit.
{QUOTE-> We can also continue with JPG Pictures if you like....
Please tell me how the hell you will detect for example "jpg" exploits with only whitelisting? <-QUOTE}Someone may receive a photograph by email:
[two screenshot attachments]
The effectiveness of such a solution becomes apparent in Zero-day attacks, the .wmf exploit from 2005 being one of the most notorious and sensational:
[screenshot attachment: http://www.urs2.net/rsj/computing/imgs/scan_wmf.gif]
Many users employ White List solutions exclusively. Many combine with an AV.
There is no single setup that works for everyone.
The important thing is for the user to develop a Strategy which takes into account her/his specific needs and situations.
To completely dismiss any solution out of hand doesn't serve any purpose.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
Inspector Clouseau
June 10th, 2007, 11:52 AM
We are speaking about whitelisting ONLY and the claim that "Antivirus is dead". Nothing more, nothing less. So your whole post above is obsolete. Because there is no question if whitelisting makes "sense". The question was if this ALONE can replace antivirus.
Edit: Just to add one more thing: What do you want to prove with your first screenshot? Netsky.Q is a BINARY executable malware. The fact that you rename it to .DOC doesn't prove that your application blocks Word documents. Or whom did you try to fool with this? Not me ;-) Same for the 2nd screenshot. Renaming files has ABSOLUTELY nothing to do with that!
bontchev
June 10th, 2007, 12:19 PM
{QUOTE-> The term WhiteListing has become a term that has lost its meaning without referring to specific situations.
Blanket statements such as the above are misleading to the uninformed.
For nothing could be further from the truth. <-QUOTE}
I think you have misunderstood what Mike was trying to say in his blog. You see, there have been people predicting that at some point of time the malicious programs will become so numerous, that it will be easier to scan for known good programs instead of for known malicious ones - simply because the latter would be fewer.
However, at the AV testing workshop in Iceland, there was a presentation from some guy from Bit9. This company tries to build a database of all known good software. They noted that just sources like Microsoft, SourceForge and Netscape produce something like a quarter of a million new legitimate executables every day each. Just the hash table used to access Bit9's database is currently 100 Gb and keeps increasing.
In other words, there is no hope scanning for that.
{QUOTE-> In its most basic application, White Listing is denying by default the execution of malicious code. <-QUOTE}
Mike's point is that it's too difficult to determine what exactly is malicious and what is not - so that you know whether to deny its execution or not.
{QUOTE-> The initial setting up of a White List solution assumes a clean system. <-QUOTE}
In my experience, most users resort to an AV product after they suspect that their system is already infected.8)
{QUOTE-> Many of my academic colleagues -- dealing weekly with dozens of other users' Office documents -- effectively protect against the above type of exploit with a White List solution. <-QUOTE}
Either I don't understand what exactly you are doing, or you are deeply mistaken. The possible alternatives I see are the following:
You deny access to unknown documents. This would work - but it would make the system unusable.
You deny access to EXE files that have the DOC extension. This, of course, won't protect against real documents that contain an exploit.
You deny access to the executable that is usually dropped and executed by the exploit. This is fine, but some exploits might not drop anything and execute the malicious action in memory only.
{QUOTE-> Someone may receive a photograph by email: <-QUOTE}
This is the second alternative - it's actually an EXE file with a JPG extension. The example doesn't demonstrate that your system would protect from a real JPG file containing an unknown exploit.
{QUOTE-> The effectiveness of such a solution becomes apparent in Zero-day attacks, the .wmf exploit from 2005 being one of the most notorious and sensational: <-QUOTE}
This is the third alternative - you deny the execution of the dropped executable but not of the shellcode in the exploit.
{QUOTE-> To completely dismiss any solution out of hand doesn't serve any purpose. <-QUOTE}
I don't think that this is what Mike was trying to do - although he was perhaps a bit sensationalistic in his message. :dry: I'm sure that there are advanced solutions that work reasonably well for some experienced users - integrity checking (whitelisting is a kind of integrity checking) is one of them. However, the majority of users are far from competent enough to use such solutions.
That is why we're making scanners, folks - because this is what sells. Many companies have tried to market better solutions in the past - including ones based on integrity checking. For instance, Dr. Fred Cohen had a product he was calling "integrity shell" (essentially an on-access integrity checker), there was a product called Integrity Master, and many others. They all have failed. Without an insignificantly small number of exceptions, people simply don't buy them.
Regards,
Vesselin
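To make the distinction in the last two posts concrete (a renamed executable is judged by its content, a legitimate update is a new unknown, and a document that is opened rather than executed never reaches the list), here is an added toy default-deny execution allowlist keyed on SHA-256. It is example code written for this thread, not any product's implementation; the sample byte strings are constructed placeholders, not real files.

```python
"""Toy default-deny execution allowlist keyed on content hash.

Constructed example: the byte strings below stand in for files; none is a real
program or real malware. The MZ/OLE headers are only decoration for the reader.
"""
import hashlib
from typing import Dict, NamedTuple


class Verdict(NamedTuple):
    allowed: bool
    reason: str


def content_hash(data: bytes) -> str:
    """SHA-256 of the file contents; the file name plays no part."""
    return hashlib.sha256(data).hexdigest()


class ExecutionAllowlist:
    """Default deny: only content recorded as trusted on a clean system may run."""

    def __init__(self) -> None:
        self._trusted: Dict[str, str] = {}  # sha256 hex digest -> label

    def trust(self, label: str, data: bytes) -> None:
        """Record content as trusted (done once, on a system assumed clean)."""
        self._trusted[content_hash(data)] = label

    def decide(self, filename: str, data: bytes, is_execution: bool) -> Verdict:
        """Answer an execution request. Opening a document is not one."""
        if not is_execution:
            # The allowlist only governs what runs; a document parsed by its viewer
            # is outside its scope, which is why a viewer exploit is not addressed.
            return Verdict(True, f"{filename}: not an execution request, out of scope")
        digest = content_hash(data)
        label = self._trusted.get(digest)
        if label is None:
            return Verdict(False, f"{filename}: content {digest[:12]}... not trusted")
        return Verdict(True, f"{filename}: content matches trusted '{label}'")


# Constructed sample contents (placeholders, not real files).
EDITOR_V1 = b"MZ\x90\x00 editor build 1"
EDITOR_V2 = b"MZ\x90\x00 editor build 2"          # a routine vendor update
UNKNOWN_BINARY = b"MZ\x90\x00 never seen before"  # not malware, just unknown
OFFICE_DOC = b"\xd0\xcf\x11\xe0 quarterly report"  # a document, opened not executed


def demo() -> Dict[str, bool]:
    """Run the four cases discussed in the thread and return each verdict."""
    wl = ExecutionAllowlist()
    wl.trust("editor", EDITOR_V1)
    return {
        # Trusted content runs regardless of the name it carries.
        "trusted_binary": wl.decide("editor.exe", EDITOR_V1, True).allowed,
        # Unknown binary renamed to .doc: the hash, not the extension, decides.
        "unknown_renamed_doc": wl.decide("report.doc", UNKNOWN_BINARY, True).allowed,
        # A legitimate update has a new hash, so every release must be re-trusted.
        "updated_binary": wl.decide("editor.exe", EDITOR_V2, True).allowed,
        # Opening a document never consults the list at all.
        "document_opened": wl.decide("report.doc", OFFICE_DOC, False).allowed,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22s} -> {'ALLOW' if allowed else 'DENY'}")
```

The "updated_binary" denial is the workload problem from the Bit9 figures above in miniature: every new legitimate build is an unknown until someone re-trusts it.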
TonyW
June 10th, 2007, 12:51 PM
{QUOTE-> Sandboxing/Virtualisation has replaced an AV here! <-QUOTE}The average Joe doesn't know anything about sandboxing or virtualisation. The point of IC's article is mainly aimed at that core of computer users. The best they can be protected is with some form of AV protection and a good dose of educating about safe computing practices.
solcroft
June 10th, 2007, 12:55 PM
What about other non-signature-based approaches, such as virtualization and behavior blocking?
I think products like SandboxIE, Cyberhawk and Micropoint have been an excellent example of how these "new-generation" technologies can be effectively put to use even by the most technically uninclined, so to speak. Do security vendors think it's a greater benefit to continue playing the catchup race against malware writers, or to invest in and educate users about these new technologies?
An additional point: Why is it the popular consensus that the public CANNOT use sandboxing/behavior blocking with any degree of success? Have there ever been any scientific studies carried out? Why do people continue to tout the blacklist scanner as THE solution for the average Joe, when it appears that average Joes continue to get infected anyway while using this very solution?
Inspector Clouseau
June 10th, 2007, 12:56 PM
{QUOTE-> The average Joe doesn't know anything about sandboxing or virtualisation. The point of IC's article is mainly aimed at that core of computer users. The best they can be protected is with some form of AV protection and a good dose of educating about safe computing practices. <-QUOTE}
AMEN.
Inspector Clouseau
June 10th, 2007, 01:01 PM
{QUOTE-> What about other non-signature-based approaches, such as virtualization and behavior blocking?
I think products like SandboxIE, Cyberhawk and Micropoint have been an excellent example of how these "new-generation" technologies can be effectively put to use even by the most technically uninclined, so to speak. Do security vendors think it's a greater benefit to continue playing the catchup race against malware writers, or to invest in and educate users about these new technologies? <-QUOTE}
Once again: A user wants to know if something is bad. He wants to know that FOR SURE. And that is very difficult (if even possible) for such solutions to provide. Not everyone knows what the hooking of specific API calls means, or what a "hidden" file means etc. They want something that tells you straight away "That's bad, it has a name and is called trojan.whatever and I do delete it now for you". They don't want to research themselves based on some "strange" report whether something is now really malware or not. Before they do that they let pass *everything* including malware.
solcroft
June 10th, 2007, 01:06 PM
Unfortunately, it is also a common situation that the blacklist scanner does not so much as squeak, and lets the malware execute unchallenged.
Perhaps the desire of users for their systems to remain safe can overcome their desire of having a dumb software package (try to, with varying degrees of success) do everything for them. What say you?
TonyW
June 10th, 2007, 01:08 PM
{QUOTE-> Do security vendors think it's a greater benefit to continue playing the catchup race against malware writers, or to invest in and educate users about these new technologies? <-QUOTE}The frequency of delivering signatures has increased over the years. At one time signatures were received monthly, then weekly, and now daily in most cases. Some even deliver hourly now. I guess it depends if the AV company in question has the infrastructure, workforce and finances secured to allow for such rapid releases of virus definitions.
Inspector Clouseau
June 10th, 2007, 01:09 PM
And for all those who still don't understand what i mean:
If you can read that here (or if you even replied here!) you're not an average computer user! 50% of average computer users don't even know what a forum is! They never visited one! You have to see this worldwide and not only based on your neighbors or people here in this forum! If you visit a security forum that shows that you CARE about your computer. Now please forgive me, but there the problem already starts: It even takes *TODAY* a drama to explain to some people why they should use at least an antivirus program! Let alone Virtual Systems or Behavior-Blockers. Congrats to all who are using them, but as I said you cannot force people to use it - no matter how big your marketing budget is. If it's too complicated (remember: it doesn't count if *YOU* think it's not) they simply don't want to use it. (See the last part of Vesselin Bontchev's previous post)
C.S.J
June 10th, 2007, 01:12 PM
you make it pretty clear to me IC,
calm down and have a drink :)
if people don't understand, who cares... it's Sunday 8)
TonyW
June 10th, 2007, 01:14 PM
{QUOTE-> Why do people continue to tout the blacklist scanner as THE solution for the average Joe, when it appears that average Joes continue to get infected anyway while using this very solution? <-QUOTE}I think it boils down to education. I remember reading once about a guy who phoned Tech. Support because he had a problem with his computer, which turned out to be virus-related. The thing is he had an anti-virus product on his machine, but he just hadn't updated it for years - he believed once installed, it did its job without understanding it needed to be constantly updated against newer threats.
Then there have been cases where people don't have the real-time monitor enabled, and they wonder why they get infected!
How we educate this group of computer users is a discussion all of its own.
Inspector Clouseau
June 10th, 2007, 01:18 PM
{QUOTE-> Then there have been cases where people don't have the real-time monitor enabled, and they wonder why they get infected!
<-QUOTE}
Even that's nothing. I witnessed a support case where the guy on the other end of the phone couldn't find the Windows Start Button... Guess what? The monitor wasn't connected to the computer, but he was trying to find the Windows Start Button!!!
Inspector Clouseau
June 10th, 2007, 01:20 PM
{QUOTE->
How we educate this group of computer users is a discussion all of its own. <-QUOTE}
If user education was ever going to work, don't you think it would have worked by now? :o
TonyW
June 10th, 2007, 01:21 PM
{QUOTE->
Then there have been cases where people don't have the real-time monitor enabled, and they wonder why they get infected! <-QUOTE}A good example of this is shown in the Kaspersky article regarding Gpcode - http://www.viruslist.com/en/analysis?pubid=189678219 - where they say under the heading 'Protect your data':{QUOTE-> One of the most surprising aspects of the Gpcode story is that a large percentage of the victims who contacted Kaspersky Lab during the June attacks had Kaspersky Anti-Virus installed. It’s surprising because Kaspersky Anti-Virus blocks the attacks 3 times. First, the infected attachment is detected as Trojan-Dropper.MSWord.Tored.a. Next, the downloader that loaded Gpcode was detected as Trojan-Downloader.Win32.Small.crb. Finally, Gpcode itself was detected. Even users whose antivirus databases were not up to date should have been protected, as detection for most Gpcode modifications has been available since January 2006.
Obviously, the victims had either turned their antivirus solution off, or chose to ignore the warnings it showed. Kaspersky Lab virus analysts did issue decryption and disinfection along with antivirus database updates. We even created special tools for restoring mail databases which were damaged when mail clients were unable to recognize the format of encrypted files. However, some users did lose critical data. <-QUOTE}
solcroft
June 10th, 2007, 01:27 PM
I think the stories here have a very significant point to them. Namely: For those who are determined to not care about computer security, the blacklist scanner does nothing to help them. For the rest of us, non-signature-based solutions are beginning to look more and more like the better choice.
Londonbeat
June 10th, 2007, 01:35 PM
{QUOTE-> For the rest of us, non-signature-based solutions are beginning to look more and more like the better choice. <-QUOTE}
While that may be the case for advanced users, the idea that antivirus software will become obsolete due to *everyone* switching to whitelisting software, is ridiculous, IMHO. I would say more but IC and Bontchev's posts above sum it all up.
Londonbeat
solcroft
June 10th, 2007, 01:40 PM
Londonbeat,
I do not use whitelisting software.
Thank you.
Inspector Clouseau
June 10th, 2007, 01:43 PM
Why do i have the feeling that this discussion will go off-topic soon?
To make it clear: We're discussing if whitelisting can FULLY replace an Antivirus Solution. That means you wouldn't have any antivirus. We're not discussing if it makes sense to add a whitelisting app to your existing AV! Because *assuming you know how whitelisting works* that indeed might make sense!
mercurie
June 10th, 2007, 01:50 PM
{QUOTE-> AV isnt dead to me and I wont be saying goodbye for some time... <-QUOTE}Same here.
However, I do believe that it will slowly become less of a need as other apps become more advanced. They are walking all over each other's security zones as it is, even today. This is, in my view, a very positive development, as pure signature based products would become so burdened by billions of signatures. Just think what PC usage would become. :wacko: I believe, and I am no expert for sure, that behavior based protection when done well will be the best option. This is based only on observation and reading postings here at Wilders and other places; again, I am no expert.
bontchev
June 10th, 2007, 01:56 PM
{QUOTE-> I think the stories here have a very significant point to them. Namely: For those who are determined to not care about computer security, the blacklist scanner does nothing to help them. For the rest of us, non-signature-based solutions are beginning to look more and more like the better choice. <-QUOTE}
You are forgetting that there is a third group of users - and it's the majority. Those are people who are not competent enough to use generic protections like integrity checkers - but who do care about protection from malware for one reason or another (e.g., because their computer is already infected and doesn't work properly). These are precisely the people who buy and use scanners.
Face it, folks. It's a free market. The "death of signature-based scanners" was predicted two decades ago. Alternative, more secure kinds of protection have been available for all this time, too. Nobody is telling the users what to use for virus protection. They use what they want. They vote with their wallets. All AV products that did not include any kind of virus scanner are no longer around - because the companies that used to make them went out of business. Scanners are still selling like hot cakes. What does that tell you?
If you can make a generic kind of protection work for you - great! I use several myself. I'd be the first to admit that known-malware scanners are the weakest kind of protection against malware. Yet this is what the vast majority of users understand and this is what they are going to use. Do not expect that to go away any time soon.
Regards,
Vesselin
Londonbeat
June 10th, 2007, 02:01 PM
{QUOTE-> Londonbeat,
I do not use whitelisting software.
Thank you. <-QUOTE}
I have edited my post; I did not read your prior post where you brought into question the effectiveness of behavior blocking/sandboxing/virtualisation. Although IMO, these, along with whitelisting, are still not an effective solution for the average inexperienced user, and won't cause the 'death' of signature-based antivirus software.
bontchev
June 10th, 2007, 02:08 PM
{QUOTE-> Did you know that even *OPENING* a word document makes changes without having anything typed in? In case you didn't you know now. <-QUOTE}
Ah, no, in general this is not true for Word documents. (Unless, say, the document contains some self-updating fields - but even then Word will ask you whether to save the changed document.)
What you're thinking here of is Excel. That one changes the AUTHOR record in the Book/Workbook stream when you open a spreadsheet - even if you don't enter anything in it. And it doesn't tell you that anything has changed, either - it saves the change immediately without giving you a choice.
Regards,
Vesselin
bontchev
June 10th, 2007, 02:10 PM
{QUOTE-> Besides, most of the (real) office documents containing macros. <-QUOTE}
Again, this is not true. Most Office documents do not contain any macros. The most you can say is that Excel documents contain macros much too often to make "deny all macros" a comfortable policy.
Regards,
Vesselin
Inspector Clouseau
June 10th, 2007, 02:14 PM
Then it's XLS ;D Doesn't really matter, but people use this too ;D
bontchev
June 10th, 2007, 02:14 PM
{QUOTE-> Exploits wouldn't require whitelisting, I think. Their end aim is to download and execute code, and whitelisting works against that very well.
Or am I missing something here? <-QUOTE}
Yes, you are. Indeed, this is what most exploits do - because it's easier to do it this way. But don't forget that before the executable is downloaded and executed, there is some other code (the shellcode) that runs - it is the code that does the downloading and executing of the main malicious executable. The shellcode runs only in memory. You can't stop it from running by preventing unknown EXE files from running. And although it's more difficult, it's entirely possible to do a lot of nasty things just with the shellcode - without downloading and executing anything else.
Also, think about the CodeRed virus. This thing doesn't exist as a file at all! It spreads memory-to-memory between computers on the Internet. What are you going to whitelist/blacklist in order to stop that? TCP/IP packets?
Regards,
Vesselin
bontchev
June 10th, 2007, 02:15 PM
{QUOTE-> Is there some kind of hostile exploit in Office that does bad stuff even without macros? <-QUOTE}
Yes, several.
Regards,
Vesselin
solcroft
June 10th, 2007, 02:29 PM
Thank you for the explanations; they've been very helpful.
EASTER.2010
June 10th, 2007, 04:17 PM
I agree, most helpful. And although some of us are privileged enough to have conditioned our systems customarily with many advances that make us less dependent on AV's, as noted above there will always remain a great majority of global users who either don't have the luxury of specially configuring security or simply are new to the internet and MUST depend on the AV solutions to be safe.
Great replies and comparisons. :thumb:
flyrfan111
June 10th, 2007, 05:24 PM
{QUOTE-> At DSLR my post simply got deleted. "deleted by moderator". Nice to know that they don't care about my opinion. Time to cancel my DSLR membership. <-QUOTE}
You have got to be kidding Mike, did they give you a reason? Do they know who you are? How the hell could they just delete a post from such a well respected and knowledgeable person??
Canceling mine as well. Thanks for letting us know. Sorry, some people are just beyond help.
lucas1985
June 10th, 2007, 05:30 PM
With this thread (http://www.wilderssecurity.com/showthread.php?t=176969) in mind, I have to ask:
Is there a quick and reliable procedure to find executable code in a file? Because all exploits contain executable code, right?
FRug
June 10th, 2007, 05:52 PM
No to both of your questions. There are also exploits that do not contain executable code, and it is not easy to find executable code in arbitrary files. It largely depends on the file type and on the morphology of the code. It could attempt to look like normal contents of a file or simply seem quite random with trash instructions which can be quite hard to spot in binary formats.
lucas1985
June 10th, 2007, 06:07 PM
So, looking for the MZ header with a text editor is unreliable?
Another subscribed thread :thumb:
Inspector Clouseau
June 10th, 2007, 06:15 PM
{QUOTE-> So, looking for the MZ header with a text editor is unreliable?
Another subscribed thread :thumb: <-QUOTE}
Yes. Because you can have shellcode in jpg pictures and they don't have a MZ Signature at the start.
lucas1985
June 10th, 2007, 06:47 PM
Is there a way to find such shellcode in a given file?
Thanks.
Rmus
June 10th, 2007, 06:48 PM
My statement from previous post:
{QUOTE-> In its most basic application, White Listing is denying by default the execution of malicious code. <-QUOTE}{QUOTE-> Mike's point is that it's too difficult to determine what exactly is malicious and what is not - so that you know whether to deny its execution or not. <-QUOTE}A better statement would have been: White Listing is denying by default the running of *any* executable not on the White List. Its sole purpose for me and those I help is to prevent the unexpected.
Every one of my examples is a real live exploit either received by email, or via drive-by download. Again, I realize that my examples address just certain types of exploits, yet these are the most common in the wild, and hence, of most concern to the home user.
bontchev - Your comment about not blocking the shell code of the .wmf file is a valid one. As you state, it could also apply to an MSWord exploit which ran shell code.
In fact, this was discussed in another forum during the period of the .wmf exploit, and someone crafted a .wmf file with shell code which, when allowed to run, launched calc.exe.
However, I am not aware that this technique ever surfaced in a real exploit. Every one I saw reported launched a trojan executable.
In practice, many of the faculty and students I referred to have both a White List solution which will prevent the dropping|extracting|launching of any executable code not already on the computer; and an AV which hopefully will take care of other situations.
My concern is with the home|education user, and I watch for real exploits that they might encounter. I realize that much of this discussion is about Enterprise situations, but a simple Default-Deny program is not beyond the capabilities of anyone. AV may be helpful. However, from my experience with the above -- especially with real drive-by downloads, I am not optimistic about their effectiveness.
As I concluded my previous post, the important thing in security is to develop a strategy. What products a user chooses is less important than the effectiveness of the solution according to the needs and situation of the user.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
Inspector Clouseau
June 10th, 2007, 06:50 PM
{QUOTE-> Is there a way to find such shellcode in a given file?
Thanks. <-QUOTE}
That's not that easy to explain in a "universally" usable manner.
The "easy" exploits you can "detect" if you find a run of 0x90 bytes (NOPs).
Otherwise you have to search for encryption loops, aka xor, rol, sub, add etc.
Basically you have to detect valid assembly code.
lucas1985
June 10th, 2007, 07:03 PM
Can that be done with a simple text/hex editor (such as this one (http://www.mh-nexus.de/hxd/)) or a tool like FileAlyzer (http://www.safer-networking.org/en/filealyzer/index.html)?
Thanks again.
Inspector Clouseau
June 10th, 2007, 07:09 PM
{QUOTE-> Can that be done with a simple text/hex editor (such as this one (http://www.mh-nexus.de/hxd/)) or a tool like FileAlyzer (http://www.safer-networking.org/en/filealyzer/index.html)?
Thanks again. <-QUOTE}
YES! If you can read (and understand) assembly directly out of hex bytes (including on-the-fly offset recalculations for addresses, EXX Register tracing) It's basically very easy to learn. Took me around 15 years.
flyrfan111
June 10th, 2007, 07:10 PM
Rmus, the problem is that for YOU, yes, it doesn't seem confusing, complicated or stupid. For most of the people here, it doesn't seem overly complicated. However, for the MAJORITY of users, they don't want or NEED a frequent parade of pop-ups telling them that this action may be dangerous; they just want to mindlessly continue surfing, emailing, looking at porn or whatever it was that they would be doing when a pop-up jumps up at them. They will merely click "Yes" or "OK" just to go back to their blissful life. Those are the people that need protection the most, simply because they do not possess the knowledge to protect themselves. It is those very people that the makers of AV/AS/Anti whatever else comes along must provide protection for. Because, when those people get infected or hacked or whatever, they will email the Inspector (or his counterpart at their chosen AV) and whine about why their computer got infected and how they get back to cruising porn or whatever they were doing when they got infected.
Rmus
June 10th, 2007, 07:22 PM
{QUOTE-> Rmus, the problem is that for YOU, yes, it doesn't seem confusing, complicated or stupid. <-QUOTE}I would add that I've never encountered any difficulty in setting up what I described on "average" users' systems.
I agree with the rest of your statement with the qualification that those who "do not possess the knowledge to protect themselves" can effectively be taught *how* to protect themselves, which is something I and my colleagues demonstrate regularly.
Just because the "majority" seem to be helpless does not mean that something can't be done to correct this situation. A daunting task, I realize, but sitting and doing nothing accomplishes nothing.
regards,
-rich
_____________________________________________________
Just because someone's shoes are too tight, why should my feet hurt?
coolbluewater
June 10th, 2007, 07:34 PM
Most "common" end-users (those without knowledge of Wilders or any other security-related forum) will need an AV solution, with M$ being the dominant end-user OS provider. Not to mention those same end-users who will disable/shut-down an AV if they think their surfing is being slowed down while going after that favorite recipe, trolling MySpace, or downloading/installing other apps ("always turn off that AV first!"), etc. It's never ceased to amaze me during my previous support years how many end-users were afflicted with PEBCAK issues when it came to what we here deem as common security practices... and I'm talking *really* bone-headed, Darwin Award in-the-making scenarios.
Pedro
June 10th, 2007, 07:42 PM
{QUOTE-> However, for the MAJORITY of users, they don't want or NEED a frequent parade of pop-ups telling them that this action may be dangerous, they just want to mindlessly continue surfing, emailing, looking at porn or whatever it was that they would be doing when a pop-up jumps up at them. <-QUOTE}
To complete Rmus's reply, AE (from the screenshots) does not ask questions, it informs. I'm sure that you can turn that off too.
What I'd like to have expanded is what Execution prevention then fails to stop. What can be achieved without executing (what danger), and whether HIPS like SSM detect and block such actions. I'd like a real life example, but I'm not as rigid as Rich :) , you can draw a scenario for me. But that's just me, I don't know that much.
No, the AV is not dead. A trojan found is a trojan found.
flyrfan111
June 10th, 2007, 07:52 PM
I agree that doing nothing is not helping either. But on the other side of the coin, the majority of computer users have other occupations: doctors, nurses, cops, contractors, lawyers, sales people, raising children and maintaining a household, etc. The last thing most of them want to do is come home and have MORE to do, i.e. learning how to secure their computer; they just want to use it, so security solutions need to be as simple as possible for the masses. Or at least that's my opinion. I have neither the time nor the energy to delve into designing anti-malware/security programs for my computer. Do I realize the need for such things? Of course I do, or chances are I wouldn't be here.
My own view is that a whitelisting approach, while good in theory, is impractical in implementation; to accurately do it would require even more work than the current solutions already require. All that would be accomplished would be to say that the list was clean at the time of its creation. There is no assurance that it is currently clean, as a site may have become compromised and its files are now infected, so basically every document/picture/program or whatever would need to be checked and verified EVERY TIME the list would be put out, and its veracity would not be assured for any long period of time.
Bob D
June 10th, 2007, 08:11 PM
{QUOTE->
.....Inspector, I think people should have to pass a test to use computers.... Mrk <-QUOTE}
Yes, and people that own televisions/monitors should have an oscilloscope, and be able to diagnose crt problems.
Homeowners should all be well versed in the plumbing, electrical, carpentry skills.
Own a car? You should be able to rebuild your transmission.
Please.
The computer is a tool, like a toaster oven or a coffee maker. Most users don't need/want to understand its inner workings, they just want it to work (just as IC's wife).
I use my puter's programs in my business to make money.
Not ONE of my many security app.s has ever made me a cent.
(Apologies being OT here)
flyrfan111
June 10th, 2007, 08:47 PM
While we are still at least relating to the topic, we have drifted from a technical discussion to a more philosophical angle; I apologize for the distracting sideline.
WSFuser
June 10th, 2007, 08:52 PM
{QUOTE-> Yes, and people that own televisions/monitors should have an oscilloscope, and be able to diagnose crt problems.
Homeowners should all be well versed in the plumbing, electrical, carpentry skills.
Own a car? You should be able to rebuild your transmission.
Please.
The computer is a tool, like a toaster oven or a coffee maker. Most users don't need/want to understand its inner workings, they just want it to work (just as IC's wife).
I use my puter's programs in my business to make money.
Not ONE of my many security app.s has ever made me a cent.
(Apologies being OT here) <-QUOTE}
Mrkvonic's suggestion applied to using a computer not owning it.
To get a driver license, you need to pass a written and behind the wheel test. Similarly to get a "computer license" you should pass some test. It would probably deal with internet security not the hardware itself.
flyrfan111
June 10th, 2007, 08:58 PM
Yes, but the test for a driver's license relates to being able to operate a vehicle. What to do when it breaks or even how to maintain it is not covered. The rules of the road are all that is required. People are doing the same, just using/operating a computer, getting a driver's license does nothing to even educate you for the need to get an alarm system, how to change the oil or a tire. So to me, the comparison is weak at best.
FanJ
June 10th, 2007, 09:38 PM
A few comments
I like Blue's posting (reply # 29).
I agree with Mike (IC).
AV's are NOT dead !
Is white/black listing new? No.
For example, in RegRun you have been able to use it for a long time now (application database).
No, I am not saying it is perfect !
As Rich already mentioned elsewhere:
You might already use some white/black listing for quite some time in some way.
How?
Well, in your software firewall.
(Program X is allowed by you to have certain outbound traffic; program Y not; etc.).
(I'd better not start again about the importance of safe storing of MD5 checksums of those programs).
Vesselin mentioned integrity checkers.
Years ago the file-integrity-checker NISFileCheck was made by Albert based on ideas from Joseph. (Thanks again Paul for giving us here its (now archived) dedicated forum).
There are/were other file-integrity-checkers (ADinf32 comes to mind or FileChecker from Javacool, etc.).
Why do I mention your software firewall and file-integrity-checkers?
Somehow you might look at the way they work, as white/black listing.
But: the moment they warn you about any change (be it a changed file, new added file or deleted file) you have to take a closer look at that file.
We always have warned about that: it is you, the user, who has to decide whether such a change is legitimate or not.
And it is at that moment that AV's (and AT's etc) come into play. And if you are completely unsure about it, check that file as much as you can, etc.
Even Wayne agreed once here about ProcessGuard when I posted the analogy with file-integrity-checkers: it is you the user who has to decide about a change/warning.
myNetWatchman and Philip Sloss made SecCheck a few years ago:
http://www.mynetwatchman.com/tools/sc/
At the early stage of their project both Joseph and I warned that lots of details have to be considered (like for example: language versions of files, OS versions, etc etc).
Well, I know, lots of things I have said here might now be outdated; I do know that very well. And I know that it might be a little off topic. It was only to give a little different look at the history here.
I don't consider AV's as dead.
Time will tell what the future will bring.
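Rmus's restatement above ("deny by default the running of *any* executable not on the White List") and FanJ's analogy with software firewalls and file-integrity-checkers describe the same two mechanisms: a hash allowlist consulted before anything runs, and a baseline that reports new, deleted and changed files for the user to judge. The following is an added example written for this thread, not code from any product named in it, and it uses SHA-256 where FanJ mentions MD5 checksums. The sample file tree is constructed inside the example.

```python
"""Default-deny hash allowlist plus a file-integrity baseline.

Added example, not from the thread or from any product mentioned in it.
Hashes are SHA-256 (a choice made here; the posts talk about MD5).
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its hash.

    This is the 'known good' snapshot. In practice it must be stored where
    malware cannot rewrite it (read-only media, another host), which is the
    safe-storage point FanJ raises."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences the way a file-integrity checker reports them.

    The checker only says what changed; deciding whether a change is
    legitimate is still the user's job, exactly as the post says."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def execution_allowed(data: bytes, allowlist: set[str]) -> bool:
    """Default-deny: a binary may run only if its hash is on the allowlist.

    Unknown hashes are denied; there is no 'is this malicious?' question."""
    return sha256_bytes(data) in allowlist


def demo() -> dict[str, list[str]]:
    """Constructed sample tree: take a baseline, then modify one file,
    drop a new one and delete one, and report what the checker sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"constructed editor v1")
        (root / "bin" / "viewer.exe").write_bytes(b"constructed viewer v1")
        (root / "notes.txt").write_bytes(b"hello")
        baseline = build_baseline(root)

        (root / "bin" / "editor.exe").write_bytes(b"constructed editor v2")  # changed
        (root / "bin" / "dropped.exe").write_bytes(b"unexpected new binary")   # added
        (root / "notes.txt").unlink()                                          # removed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The allowlist check never asks whether a file is malicious; it only asks whether the file is known, which is the distinction Rmus draws. The integrity baseline is the complementary view: it tells you what is new or altered since the snapshot, and the modified `editor.exe` shows why a hash (not a filename) has to be the unit of trust.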
Doc Serenity
June 10th, 2007, 09:43 PM
{QUOTE-> And for all those who still don't understand what i mean:
If you can read that here (or if you even replied here!) you're not an average computer user! 50% of average computer users don't even know what a forum is! They never visited one! You have to see this worldwide and not only based on your neighbors or people here in this forum! If you visit a security forums that shows that you CARE about your computer. Now please forgive me, but there starts already the problem: It even takes *TODAY* a drama to explain to some people why they should use at least a antivirus program! Let alone Virtual Systems or Behavior-Blocker. Congrats to all who are using them, but as i said you cannot force people to use it - no matter how big your marketing budget is. If it's to complicated (remember: it doesn't count if *YOU* think it's not) they simply don't want to use it. (See Vesselin Bontchev's Last part in his previous post) <-QUOTE}
I agree.
But whether I choose to learn about pc security or not, the programs that are sold need to be kept easy to use and set up. And even in their easiest to use mode, we should be able to maximize the level of protection.
As an example, my av comes out of the box with an 'acceptable' medium setting for the novice.
To get maximum protection requires fiddling around with a bunch of different settings.
I was able to do it. But it would have been better to be able to set it to max and then if I'm so inclined, fine tune everything.
I hope more companies look into this.
Regards.
Doc
solcroft
June 11th, 2007, 12:30 AM
Rmus,
The point Inspector Clouseau was trying to make: WAS THAT WHAT IF THOSE FILES WERE REAL GIF OR DOCUMENT FILES, not executable files with a fake extension.
How does whitelisting work against them?
While I have not seen what malicious actions such files may do other than downloading and executing code, whitelisting is clearly impractical in this case, against this type of file format, if what they say is true. Would you mind explaining how you expect to default-deny image files in this case?
lucas1985
June 11th, 2007, 12:51 AM
{QUOTE-> It's basically very easy to learn. Took me around 15 years. <-QUOTE}
I give up ;D ;D
A quick recap:
- Most executables are identified by the MZ header, usually at the beginning of the file.
- Encrypted executables and files containing shellcode can not be identified without a Ph.D in assembler ;)
Spurs 2 - Cavaliers 0. Go Ginóbili and Oberto :D
FRug
June 11th, 2007, 01:19 AM
Executable code or shell code in general does not have anything to do with MZ or PE Headers or any other file type for that matter. It's simply assembly instructions in binary form, which even in form of directly executable files may have some header data (EXE, ELF, etc...) or not (COM files....).
Shell Code is simply a blob of data that can be interpreted as valid instructions (or sometimes even undocumented invalid instructions that don't happen to crash the cpu), with all the issues that entails: encryption or trash code which can make it extra hard to spot, since even to the assembly-affine the bytecode may not look like valid code at first glance.
Rmus: you need to dig deeper into exploits if you want to understand the point bontchev and IC are trying to make. There is no need for a downloaded file, there is no need for an extra execution of any executable. The exploit can simply take over control within the exploited process, whether it's your Internet Explorer, your Winamp or your Office. They could do so by creating new threads, or simply by not returning control to the affected application. Your examples are something entirely different: an exploit had a downloader shellcode that happened to download an executable file with a fake extension (GIF/JPG). That has nothing whatsoever to do with a real JPG, PNG or GIF exploit.
Also keep in mind that shellcode doesn't have to be complicated to do real damage. The code to download a file is not less complex than what would be required to delete your My Documents Folder, or to search your PC for banking data and send it to a server. Or it doesn't download anything at all and simply uses already whitelisted standard applications to do all the dirty work, like FTPing your My Documents folder to some webserver on the net, or starting some distributed denial of service using multiple instances of the certainly whitelisted ping command.
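The two points above (lucas1985's "executables are identified by the MZ header" and FRug's reply that shellcode carries no header at all) can be shown with a small content-based check. This is an added illustration, not code from any poster or from the Anti-Executable product discussed here; the sample files are constructed inline and the decision logic is a hypothetical stand-in for a default-deny tool.

```python
"""Content-based executable detection versus headerless code.

A default-deny tool of the kind described in this thread decides by file
content, not by extension: a file named photo.jpg that really starts with an
MZ/PE header is flagged, while a genuine JPEG is not. The limit FRug raises is
also visible: a headerless blob (COM-style raw instructions, or code embedded
in a malformed image) has no MZ/PE marker, so a header check cannot see it.
All sample files below are constructed; none is a real program.
"""
import struct


def classify(data: bytes) -> str:
    """Return the container type implied by the file's own bytes."""
    # PE: 'MZ' at offset 0; the DWORD at 0x3C (e_lfanew) points to 'PE\0\0'.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"            # MZ stub without a PE header (old DOS EXE)
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"               # no recognisable header at all


def blocked_by_header_check(name: str, data: bytes, whitelist) -> bool:
    """Hypothetical default-deny decision: content decides, extension is ignored."""
    if name in whitelist:
        return False
    return classify(data) in {"pe", "mz-dos", "elf"}


def make_pe_stub() -> bytes:
    """Minimal MZ + PE header (constructed; contains no code)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def make_jpeg_stub() -> bytes:
    """SOI marker plus an APP0/JFIF segment, enough to look like a JPEG."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20


# Constructed sample set: name -> bytes on disk.
SAMPLES = {
    "setup.exe": make_pe_stub(),              # plain executable, whitelisted
    "photo.jpg": make_pe_stub(),              # executable with a fake extension
    "real.jpg":  make_jpeg_stub(),            # genuine image, nothing to block
    "raw.com":   bytes(range(0x20, 0x60)),    # headerless blob: no MZ/PE marker
}


def decisions(whitelist=frozenset({"setup.exe"})) -> dict:
    """Run the header check over every sample; True means 'blocked'."""
    return {name: blocked_by_header_check(name, data, set(whitelist))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in decisions().items():
        print(f"{name:10s} {classify(SAMPLES[name]):8s} blocked={blocked}")
```

The renamed executable is caught because the check never looks at the extension, but raw.com passes untouched, which is exactly why a header-based whitelist says nothing about shellcode running inside an already-whitelisted viewer.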
Rmus
June 11th, 2007, 02:07 AM
{QUOTE-> Also keep in mind that shellcode doesn't have to be complicated to do real damage. <-QUOTE}Hello FRug,
I am aware of this, and I did make a statement about shell code in Word and wmf, and the example someone created to show how it could work. However, as I mentioned, no real-world exploits surfaced at that time.
I did mention that in my academic environment, both white list protection (for the examples I gave) and black list (AV) are used. Whether any such exploit as you mention would be caught or not by AV would have to be proven when a real exploit surfaces. Regarding common exploits, I have shown that White List protection has blocked where AV did not.
Having said that: I have decided to wave the white flag in this discussion with the Inspector and bontchev.
White Listing encompasses many things, and they are looking at the bigger picture with all its complications, and so they are correct. I am focusing on a very narrow use of White List protection: Default-Deny of running unauthorized executables, which is very relevant to home|education environments, so I stand by my assertion of its effectiveness.
regards,
-rich
Rmus
June 11th, 2007, 02:32 AM
{QUOTE-> Would you mind explaining how do you expect to default-deny image files in this case? <-QUOTE}Hello, solcroft,
The product I use, Anti-Executable, analyzes the code sample in a file. If it detects binary executable code, it blocks if the file is not on the White List.
As I mentioned in a previous post, exploiting image files was discussed on another forum, and I never saw any real-world exploit using this technique.
If the image file contained binary code, AE would block it. If not, it wouldn't, and you would hope your AV catches it.
I will wait to see a real-world working example.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
solcroft
June 11th, 2007, 04:00 AM
{QUOTE-> Hello, solcroft,
The product I use, Anti-Executable, analyzes code sample in a file. If it detects binary executable code, it blocks, if the file is not on the White List.
As I mentioned in a previous post, exploiting image files was discussed on another forum, and I never saw any real-world exploit using this technique.
If the image file contained binary code, AE would block it. If not, it wouldn't, and you would hope your AV catches it.
Until seeing a working example, I cannot know any more than this.
regards,
-rich <-QUOTE}
Hello,
If the claims in this thread are true, then that means exploits that bypass AE certainly do exist. Perhaps you've been lucky enough to not run across them.
Rmus
June 11th, 2007, 04:23 AM
{QUOTE-> If the claims in this thread are true, then that means exploits that bypass AE certainly do exist. <-QUOTE}Well, of course they do! AE does not analyze scripts, for example. People concerned about that will employ other means.
I've done nothing more than show how AE using a White List effectively blocks attempts to download|install any file that has executable code. That is its sole purpose in life, nothing more. These comprise the majority of the exploits people are likely to encounter.
Those concerned about other types of exploits will use other preventative measures.
{QUOTE-> Perhaps you've been lucky enough to not run across them. <-QUOTE}Well, I've never had an infection, and I don't attribute it to luck.
regards,
-rich
ErikAlbert
June 11th, 2007, 04:39 AM
Hi guys,
I don't want a whitelist of objects of any existing legitimate software; that is only possible in theory, not in practice.
I only want a whitelist of objects of legitimate software on MY computer, and I mean ANY object: files, registry, ...
Once the whitelist is created, any unauthorized object is REFUSED IMMEDIATELY (not on reboot), and what is not installed can't be executed and doesn't need to be removed either.
Faronics Anti-Executable already works that way, unfortunately only for unauthorized executable objects.
I want an Anti-Malware that blocks ANY unauthorized object immediately, not just executable objects.
Faronics' idea was brilliant; they just didn't think far enough.
Blocking objects doesn't mean you have to bombard the user with numerous popups; this can be done in absolute silence. If users want to see these popups, they only have to change a setting to see them.
Does that cover everything? Probably not, so what? When something doesn't cover everything, you create another security software that covers the rest. :)
solcroft
June 11th, 2007, 04:44 AM
Rmus,
What you have said so far is very well-understood by the rest of us already, no point reiterating what's already known. What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code.
Inspector Clouseau
June 11th, 2007, 04:48 AM
{QUOTE-> Rmus,
What you have said so far is very well-understood by the rest of us already, no point reiterating what's already known. What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code. <-QUOTE}
Now just give this guy some peace. He already raised the white flag. I think he understood what we (Bontchev and I) were trying to explain to him.
Rmus
June 11th, 2007, 05:04 AM
Bonjour, Inspector,
Yes, you were looking at White Listing as the sole solution, and I was considering just a specific use of the principle.
{QUOTE-> What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code. <-QUOTE}Speaking only for AE, which is my only White List software, there is nothing to explain - I would not be concerned with that scenario because AE doesn't deal with it. White Listing would not be my solution for it.
When a real-world exploit shows up, then there will be something to consider: method of delivery, for example. Then, preventative measures can be taken.
regards,
-rich
Inspector Clouseau
June 11th, 2007, 05:16 AM
{QUOTE-> Bonjour, Inspector,
<-QUOTE}
;D That reminds me of the part when Frank (Jason Statham) in the movie TT2 said: "Oh no, he's not a friend, he's French." ;D
The real problem boils down to "user education". And for this to be possible (successfully), the users must be willing to understand and to do something. (I don't want to sound too pessimistic, but that's not gonna happen.)
The next problem is how exactly will you "perform" user education? In a classroom? Online via PHP forms? In a forum? Via email? In case you pick email, the next moron has the idea to create a real worm that will send itself as "Lesson Number 12: How to prevent Internet worms from spreading" BEFORE YOU REACH THAT CHAPTER in your lessons.
Franklin
June 11th, 2007, 05:16 AM
{QUOTE-> Rmus,
What you have said so far is very well-understood by the rest of us already, no point reiterating what's already known. What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code. <-QUOTE}
Does an AV need a sig to detect it as such, and are there zero-day exploits?
Would such a jpg exploit cause probs from within a sandbox?
{QUOTE-> Sep 15 2004
On September 14, 2004, Microsoft released details and patches for a newly discovered vulnerability involving JPG files, widely used for photographs and online images. The exploit can be engineered from a malicious website or via email.
The vulnerability revolves around a buffer overrun condition that occurs when processing deliberately malformed JPG files. A successful exploit would allow the attacker full control of the system, operating with the full privileges of the user currently logged in. <-QUOTE}
ErikAlbert
June 11th, 2007, 05:21 AM
{QUOTE-> Bonjour, Inspector,
When a real-world exploit shows up, then there will be something to consider: method of delivery, for example. Then, preventative measures can be taken.
<-QUOTE}
AFAIK an exploit takes advantage of a legitimate executable to do its evil job. So there must be another evil object to make that possible, and such an evil object can be stopped also as an unauthorized object.
AE is limited to unauthorized EXECUTABLE objects; that's not good enough. AE should block any unauthorized object in the system partition (Windows + Applications).
Rmus
June 11th, 2007, 05:26 AM
{QUOTE-> On September 14, 2004, Microsoft released details and patches for a newly discovered vulnerability involving JPG files, <-QUOTE}I considered that a non-issue because
{QUOTE-> By default, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000, and Windows XP Service Pack 2 are not vulnerable to this issue. <-QUOTE}And I was not using any of the other affected MS software.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
Inspector Clouseau
June 11th, 2007, 05:29 AM
{QUOTE-> AE should block any unauthorized object in the system partition (Windows + Applications). <-QUOTE}
That confirms you also have no idea how exploits work. YOU DON'T NEED *ANY* executable for an exploit!
The exploit "sleeps" for example in a JPG picture. Now if you display this jpg picture via preview on the Windows desktop (via open folder, and Windows creates a preview, for example), the exploit already starts! And this exploit DOESN'T NEED TO LOAD ANY OTHER EXECUTABLES! It simply runs already in memory! It can just format your hard drive without you having any chance to prevent this other than turning your machine off the nanosecond before it starts this.
Rmus
June 11th, 2007, 05:34 AM
{QUOTE-> The real problem boils down to "user education". And that this would be possible (successfully) the users must be willing to understand and to do something. (I don't want to sound too pessimistic, but that's not gonna happen.) <-QUOTE}Actually, I've found that many *are* willing. Often they are embarrassed to say anything about their computing problems, or just don't know what to ask.
{QUOTE-> Next problem is how exactly will you "perform" user education? <-QUOTE}There certainly are many possibilities.
The small group I work with prefers to go to people's homes. We do this normally on weekends, and during the week by email. Granted, we find people we know through our own socializing, so it is a harmonious working environment.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
ErikAlbert
June 11th, 2007, 05:38 AM
{QUOTE-> That confirms you also have no idea how exploits work. YOU DON'T NEED *ANY* executable for an exploit!
The exploit "sleeps" for example in a JPG picture. Now if you display this jpg picture via preview on the Windows desktop (via open folder, and Windows creates a preview, for example), the exploit already starts! And this exploit DOESN'T NEED TO LOAD ANY OTHER EXECUTABLES! It simply runs already in memory! It can just format your hard drive without you having any chance to prevent this other than turning your machine off the nanosecond before it starts this. <-QUOTE}
I admit I'm not an expert. If those exploits can't be stopped in any possible way you have to accept them until you find a way to stop them.
Are there so many existing exploits that they are a constant problem, or are we talking about a minority of infections?
Stefan Kurtzhals
June 11th, 2007, 05:50 AM
User education won't solve the problem either.
Just have a look at Zlob. The user is tricked into *wanting* to execute the file with social engineering. No whitelisting will stop her/him from doing that.
On an end user system, a whitelist solution will constantly pop up because there are so many unknown applications and users update/install new things every day. After getting > 5 warnings in a day, the user will simply disable the security program. Every "normal" user I know that is using Vista has disabled the UAC because it is too much hassle for them! And you really believe you can convince them to endure even more warnings AND let them properly decide what to execute and what not? Sorry, but that is just plain naive.
Antivirus scanning puts the work and expertise on the side of the AV company. The user must do nothing; if a warning pops up, (s)he just deletes/cleans the file and the user is happy.
White listing, (simply designed) behaviour blocking, sandboxing, anything that forces the user to make decisions if it's ok to execute the file or not puts the responsibility on the user side. Good idea, really... Just shift the blame. :)
It is beyond my understanding why people come up all the time with 20-year-old ideas that have been tried again and again AND AGAIN and never worked out - and claim they found the holy grail and the solution to all security problems. The only thing missing is that they name their product "42".
Where did I hear that slogan "will protect you against all malware, past, present and future!" again?
RejZoR
June 11th, 2007, 06:23 AM
However, behavior blockers are imo the way to go right now. Sure, they also pop up warnings on legit files from time to time (AVs do that too with FPs), but in general they don't bother users unless something really bad is executed (taking Cyberhawk/KAV6 PDM as an example). And they have an extremely high detection rate with very low update requirements.
Inspector Clouseau
June 11th, 2007, 08:43 AM
In practice that looks like that:
TonyW
June 11th, 2007, 08:51 AM
{QUOTE->
Just have a look at Zlob. The user is tricked into *wanting* to execute the file with social engineering. <-QUOTE}Herein lies the problem. I've seen emails from people I've never heard of with unusual subject headings, some quite enticing and in quite a few cases grammar can be poor, but commonsense tells me not to even bother with it. I even have the preview pane disabled in my email client so the mail cannot be viewed lest there be web bugs contained therein.
ErikAlbert
June 11th, 2007, 09:04 AM
{QUOTE-> User education won't solve the problem either.
Just have a look at Zlob. The user is tricked into *wanting* to execute the file with social engineering. No whitelisting will stop her/him from doing that.
On an end user system, a whitelist solution will constantly pop up because there are so many unknown applications and users update/install new things every day. After getting > 5 warnings in a day, the user will simply disable the security program. Every "normal" user I know that is using Vista has disabled the UAC because it is too much hassle for them! And you really believe you can convince them to endure even more warnings AND let them properly decide what to execute and what not? Sorry, but that is just plain naive.
Antivirus scanning puts the work and expertise on the side of the AV company. The user must do nothing; if a warning pops up, (s)he just deletes/cleans the file and the user is happy.
White listing, (simply designed) behaviour blocking, sandboxing, anything that forces the user to make decisions if it's ok to execute the file or not puts the responsibility on the user side. Good idea, really... Just shift the blame. :)
It is beyond my understanding why people come up all the time with 20-year-old ideas that have been tried again and again AND AGAIN and never worked out - and claim they found the holy grail and the solution to all security problems. The only thing missing is that they name their product "42".
Where did I hear that slogan "will protect you against all malware, past, present and future!" again? <-QUOTE}
Of course users are happy with a system that allows everything, because they don't want strong security, while other users want such security.
Scanners are a good way to keep users comfortable by giving them a fake message "Congrats, system is clean." Once they install another scanner, they find out their system was already infected for months, because their first scanner didn't remove it. Very good security. ::)
False positives deleted by average users, who damage their own computer: very safe solution. ::)
It's obvious and logical that an AV expert is pro AV-scanners.
I already told you what I want, and what I want does NOT exist, because the security industry keeps on re-inventing new AV/AS/AT/AK/AR/... scanners, new HIPS, new sandboxes, ..., while the whitelist approach has been neglected during all these years, and that's why we have BAD whitelist software.
That's why I have to use software like FirstDefense-ISR and Anti-Executable, which are both NOT good enough, but there is nothing else out there.
Why is there always a test of AVs and nothing else than that? Is that a 20-year-old tradition or something? I find these AV tests pretty boring: always another winner and a bunch of losers.
I never saw a test of FirstDefense-ISR, DeepFreeze, ShadowUser, ... Isn't that interesting enough for experts to try something else FOR A CHANGE, rather than repeating the same old tests over and over again, again and AGAIN?
solcroft
June 11th, 2007, 09:47 AM
{QUOTE-> Of course users are happy with a system that allows everything, because they don't want strong security, while other users want such security. <-QUOTE}
What are their failings, specifically?
ErikAlbert
June 11th, 2007, 10:02 AM
{QUOTE-> What are their failings, specifically? <-QUOTE}
What failings: users or scanners?
Users fail all the time; they are the weakest link in security, because they can't control their curiosity.
Mele20
June 11th, 2007, 10:33 AM
{QUOTE-> http://weblog.vircop.org/?p=25 <-QUOTE}
Could you please consider using conventional black text on white background? Fx and nVidia don't like your black background and white text. I can't use auto scroll there as the screen flickers and the text becomes too tiny to read in addition to flickering in and out. Besides, I never use websites that have black backgrounds (except BlackViper) because it is so tiring for the eyes.
As for your getting your post deleted at dslr Security forum...I missed that because I was, out of the blue, banned for three days there. Ban was just lifted. I was given no reason for the ban other than that I somehow violated the TOS for the site. The offending post was not given to me but I suspect what angered Mary (WCB) was that I had posted in a thread there and mentioned that I was waiting to see if anyone would post the topic which I had posted here several days earlier when it was first news and that the discussion here was quite interesting contrary to the discussion at dslr which was juvenile. The implication that Wilders just might have the better membership now is a no-no that I had to be punished for. ::) Mary probably deleted your post because you represent a vendor and she doesn't want vendors posting there.
I find all the comments about how most users refuse to learn anything about security puzzling. When I got my first computer in 1999, I was older than most computer users. Yet, I knew one thing: an always updated antivirus was essential. I had an awful time trying to understand McAfee 4.2 that came on the computer...I read the definition for "heuristics" about a dozen times and it was like reading a foreign language that I had no knowledge of. But I persisted and learned as much as I could about McAfee. I also don't understand how these average users get all these viruses or why people even need AVs. All one needs is to have good judgement and be practicing safe computing. One does need something like a software firewall or ProcessGuard...that is much more important than an AV. Everyone needs a program to control what calls out! That is the main reason I use PG.
I have only had one virus in all these years (and I got it on a blank, new store bought floppy that I didn't know could be infected so I didn't scan it). I've never had spyware. And I knew nothing about computers until 1998 when I went to a county sponsored program to teach folks 55+ about computers. We didn't learn a thing about security but some about privacy. So, when I got my own computer a year later, I knew nothing about how to use the computer except how to surf. But I learned and I just can't understand how anyone could get a computer and refuse to learn how to use it properly which includes how to use the AV, the firewall, and basics about the OS and the File System. I think everyone should have to be licensed to use a computer and should be required to take security courses prior to being allowed to purchase a computer. I think the courses should be sponsored (at least in the USA) by Microsoft and the US government.
I certainly don't think AV's are "dead" nor do I think a ridiculous solution like white listing is practical or even useful. Users who insist on surfing to any site, clicking on every thing in sight, deserve what they get. First thing I learned was to be very careful what sites I visited and to never read email in HTML, or use the preview pane or open attachments without first downloading to disk and scanning with my updated AV. I also learned to never open an email from any source I did not recognize and if in doubt to read it via properties where it was never opened. All of this was very simple, very easy to learn and abide by so I don't understand users who can't learn such simple precautions that would eliminate most risk. If you insist on visiting porn/gambling sites, downloading P2P stuff, accepting files from strangers via instant messaging, etc. then you deserve a wrecked computer. A computer is not a toaster and won't be for another generation. Users have to be realistic and if they don't want to be then they should not get computers. Since they seem to have no common sense, licensing is the only realistic answer with demonstrable proof of ability to properly use a computer.
trjam
June 11th, 2007, 10:45 AM
That is a very good post Mele.:)
solcroft
June 11th, 2007, 10:50 AM
{QUOTE-> What failings: users or scanners?
Users fail all the time; they are the weakest link in security, because they can't control their curiosity. <-QUOTE}
My apologies; I quoted the wrong part of your post by accident. To correct my previous question: what do you find insufficient with F-DISR and AE?
walking paradox
June 11th, 2007, 11:09 AM
I think a lot of this comes down to the fact that individuals with substantial know-how regarding computer security tend to assume that everyone else must have some level of competency in this area. Many individuals with that type of know-how such as those that frequent Wilders might acknowledge that everyone else (the masses) don't have the same level of know-how as them, but many still assume, perhaps because of the prevalence of computers or perhaps because it seems so basic to them, that most people in general have the capacity and motivation to acquire the necessary know-how to secure their computer. As should be obvious, this is a false assumption. Vast amounts of people, constituting a majority of people world-wide are computer illiterate and lack the willingness and ability to secure their computers.
For those whose personal experiences don't necessarily align with this notion, perhaps consider that the sample (people you've observed and/or helped in this area) that you're basing your perspective on might be skewed for various reasons. It could simply be that you have too small of a sample size to generalize with any meaning, or it could be that your sample, even if substantial in size, is unrepresentative of the larger population (say if you are working within academia or your sample consists mostly of younger individuals who tend to be more familiar and comfortable with computers than their older counterparts).
Lastly, the solution to this problem isn't some sort of systematic education for the masses, as that is impractical at best. Perhaps the only reasonable solution involving systematic education would be to educate younger students in a more comprehensive manner, teaching them the basics of how to use and secure ones computer. This could be made standard curriculum in middle and high schools (and their equivalents internationally). While even this task would be difficult and convoluted, it is at least practicable (in some countries).
All the nonsense about requiring licenses to operate a computer is absurd. Its implementation is impractical at best, perhaps even impracticable altogether. It would be a logistical nightmare, and would require an international governing entity to regulate and enforce. Even if somehow it was implemented, it would put a halt to the global economy, and would be counterproductive in getting the masses connected and teaching them how to use and secure their computers as it would introduce unnecessary costs towards achieving that end.
Ilya Rabinovich
June 11th, 2007, 11:16 AM
OK, my 2 cents if you don't mind...
As I always say, there are four main defense walls. These are: a firewall to control your Internet connections and traffic, HIPS to cope with malware unknown to the AV, anti-virus to prevent already known malware from execution and clean up unknown malware once it becomes known, and a backup hard drive in case yours dies. Each solution covers the others' backs (weak points).
So, there is no "AV replacement" solution, as AVs are THE EASIEST TO USE! There is only one button, "Scan now!" (mostly), and this is all a simple user needs. Firewalls and sandbox HIPS (as the simplest tool for HIPS) are not so simple for the user.
Why "AVID"? The fact is that the AV industry PRs their scanners as front-line anti-malware solutions. But the fact is that nowadays their effectiveness in this role is about 50% and getting lower. But they can't stop their PR machine, as this would show their lie. They can't stop; they can just add HIPS solutions into their products (Kaspersky), that is the only way for the industry itself. So, yes, AVs are dying as first-line defense, but they are still effective as second-line cleanup tools (malware response time is not important in this case).
HIPS. Some of them are for geeks (classical), some are for advanced users (expert), some are for averages (sandbox). It is just a matter of core architecture. But, naturally, the weakest place for HIPS of any type is... their users! Social engineering will never die; it is a technique thousands of years old and will live for thousands of years more. It is harder to do this trick with an AV scanner, but it is possible anyway.
The "teaching users" technique won't work, because there are a lot of people in the world who see no reason for it, and you can't make them.
ErikAlbert
June 11th, 2007, 12:04 PM
{QUOTE-> My apologies; I quoted the wrong part of your post by accident. To correct my previous question: what do you find insufficient with F-DISR and AE? <-QUOTE}
FDISR does a good job in cleaning your computer; unfortunately this happens only on reboot, and that is too late, because infections can install and execute themselves in the period between two reboots.
The freeze storage of a frozen snapshot = whitelist of ALL objects in my system partition, and that's why FDISR is able to clean my system partition completely, but too late.
Anti-Executable acts IMMEDIATELY, and that is excellent, unfortunately only for unauthorized EXECUTABLE objects and not for other unauthorized objects.
If Anti-Executable (= Anti-Malware) would act IMMEDIATELY for any unauthorized object, I wouldn't need FDISR anymore.
If AE (AM) would stop any unauthorized object, there is:
- no installation of infections possible
- no execution of infections possible, because there is no installation.
- no removal of infections anymore, because there is no installation.
If my system partition has that kind of protection, I don't need to protect my data partition anymore either.
My data partition can still be infected by downloading infected data files from an unknown source, but that's MY stupidity.
There are "exploits" that can't be detected and removed, because they operate in memory.
So be it; in that case neither whitelists nor blacklists will remove these exploits.
Exploits prove only one thing to me: this time, the bad guys were smarter than the good guys. :)
Ilya Rabinovich
June 11th, 2007, 12:18 PM
{QUOTE-> Exploits prove only one thing to me <-QUOTE}
Hardware DEP + ASLR enabled will stop it cold.
ErikAlbert
June 11th, 2007, 12:22 PM
{QUOTE-> Hardware DEP + ASLR enabled will stop it cold. <-QUOTE}
Thanks. I will look into this. This thread didn't mention anything about this. ;)
solcroft
June 11th, 2007, 12:27 PM
{QUOTE-> FDISR does a good job in cleaning your computer; unfortunately this happens only on reboot, and that is too late, because infections can install and execute themselves in the period between two reboots. <-QUOTE}
The malware disappears when you reboot. Why is that "too late"?
CJsDad
June 11th, 2007, 12:27 PM
The Wilders Security world and the real world are two different things.
Try explaining things like behavior blockers, HIPS, and sandboxes to a newbie; as a matter of fact, if it wasn't for this forum I would have no idea what the hell any of those programs were.
For example, as a newbie to software security, I know about AVs, AS, AT, software firewalls and routers, that's WITHOUT coming here and learning.
It's when you start mentioning behavior blockers and HIPS that I can almost guarantee you that the beginners or average users in the real world have no idea what the hell you're talking about; as a matter of fact, when a discussion comes up about security programs for a computer, either at work or at home, why is the #1 question "What AV do you use?"
How come no one says "What HIPS program do you use?" "Which behavior blocker do you prefer?"
I've logged onto Wilders from work a few times and you should hear the reactions/comments from some people.
They have no idea whatsoever what I'm reading, can't understand a lot of it, and most of the time their only response to me is "WTH are you reading, how can you understand that?"
So when someone mentions AVs are dead, dead for who, the advanced users? Because the newbies or average users such as myself rely on some type of protection, and an AV is part of the solution.
This was just my 2 cents, thanks. :thumb:
walking paradox
June 11th, 2007, 12:32 PM
{QUOTE-> The malware disappears when you reboot. Why is that "too late"? <-QUOTE}
Because the malware could have already done its job, such as steal and transfer personal info, before rebooting.
Erik explained this in the sentence you quoted. . .
{QUOTE-> because infections can install and execute themselves in the period between two reboots <-QUOTE}
ErikAlbert
June 11th, 2007, 12:36 PM
{QUOTE-> Because the malware could have already done its job, such as steal and transfer personal info, before rebooting.
<-QUOTE}
That is correct. FDISR doesn't recognize bad objects, because FDISR isn't security software; it's immediate system recovery software.
solcroft
June 11th, 2007, 01:02 PM
So why not add a firewall to your security setup, instead of praying that your one, single solution works against all kinds of threats?
ErikAlbert
June 11th, 2007, 01:07 PM
{QUOTE-> So why not add a firewall to your security setup, instead of praying that your one, single solution works against all kinds of threats? <-QUOTE}
I have a router + firewall to control internet traffic, but that's not enough.
I want to get rid of my boot-to-restore solution and only an improved and bigger AE would make that possible.
Actual AE = whitelist of all executable objects.
I want AE = whitelist of all objects (like in FDISR).
Ilya Rabinovich
June 11th, 2007, 01:26 PM
{QUOTE-> The Wilders Security world and the real world are two different things. <-QUOTE}
No doubts!
{QUOTE-> Try explaining things like behavior blockers, HIPS, and sandbox to a newbie, matter of fact if it wasn't for this forum I would have no idea what the hell any of those programs were. <-QUOTE}
It is not really hard to do.
{QUOTE-> For an example, as a newbie to software security, I know about AV's, AS, AT, software firewalls and routers, that's WITHOUT coming here and learning. <-QUOTE}
That means that you've read it in computer magazines, that is why you know what it is. Right? So, it is just a question of PR. I may assure you: in case of a massive PR campaign even simple users will know what HIPS are and why he/she needs it. That is an average story; the same was with firewalls. I remember those days when I hadn't heard about it and how various journalists from magazines explained to me what it is and why I need to buy it. I didn't, but the idea itself is very clear...
solcroft
June 11th, 2007, 01:52 PM
{QUOTE-> I have a router + firewall to control internet traffic, but that's not enough.
I want to get rid of my boot-to-restore solution and only an improved and bigger AE would make that possible.
Actual AE = whitelist of all executable objects.
I want AE = whitelist of all objects (like in FDISR). <-QUOTE}
When I said firewall, I meant as in "software firewall with outbound traffic control".
A "whitelist" of "all objects" is clearly unfeasible, for reasons that have been pointed out earlier in this thread.
CJsDad
June 11th, 2007, 02:15 PM
Ilya-
Explaining programs like HIPS or sandboxing may not be hard for someone such as yourself (DefenseWall), but for someone like me (beginner) it's quite complicated to understand; not so much with the sandbox programs, but with a HIPS program I'm completely lost.
This is what I mean by the real world: people just do not understand certain security programs. Yes, it can be a PR issue, but at the same time some of these programs are not beginner usable.
For instance SSM seems to be the HIPS of choice around here but for someone like me that's asking for trouble.
As I mentioned previously, without this forum I would have no idea what a HIPS program is or what it does, or any other behavior blocker or sandbox.
I knew about AV's, FW's and such not from reading computer magazines but through word of mouth, matter of fact I have never read a computer magazine in my life, still haven't to this day.
I went through a lot of trial and error, but to be truthful it took one person to lead me in the right direction with the basics of security programs; from there I was basically self taught, and to this day I'm still very much the beginner.
This is why when I ask questions about software I need as much detail as possible or I'm lost.
From my point of view, every time I read something posted here I'm doing it in newbie mode, or I ask myself how I would explain that to someone who doesn't have a clue about a certain program.
walking paradox
June 11th, 2007, 02:15 PM
{QUOTE-> That means that you've read it in computer magazines, that is why you know what it is. Right? So, it is just a question of PR. I may assure you: in case of a massive PR campaign even simple users will know what HIPS are and why he/she needs it. That is an average story; the same was with firewalls. I remember those days when I hadn't heard about it and how various journalists from magazines explained to me what it is and why I need to buy it. I didn't, but the idea itself is very clear... <-QUOTE}
The notion that the masses acquire most of their information about computer security from public relations (PR) seems reasonable enough. However, it does make the obvious assumption that most of the information the masses receive about computer security is somehow a derivative of PR; this I cannot confirm or refute, as I simply don't know, I can only speculate about that. Your extension of this notion is that if the big computer security firms put forth a PR campaign for, say, HIPS, the masses would then 'know what HIPS are and why he/she need it'. This is where the argument becomes less straightforward. I agree in part with the initial premise, but just because such PR worked that way with anti-virus and anti-spyware software doesn't mean it will work the same way with other types of security software. Granted, such PR would inform the masses about HIPS, but it wouldn't necessarily enlighten them about how HIPS actually work and the purpose behind it. Your example of firewalls reinforces this point. I made a similar observation in a different thread (see below) that posed a question that your notion addresses. The reason firewalls are the exception is because of the PR behind them, at least according to the notion. However, this doesn't reinforce your extension of the initial premise. Namely, just because there was significant PR for firewalls that informed the masses about them doesn't mean the masses understood what exactly a firewall is, how it works, what its purpose is, etc. To the contrary, from what I've gathered so far, most people don't really know what a firewall does or how to