Kees1958
September 15th, 2007, 03:57 AM
Dear all,
I would like you to give me your opinion on what, according to you, should be the future of anti-malware for the mainstream user.
Microsoft, being a dominant player, has already shown what the direction will be: kernel protection, digital signatures and protected mode browsing.
Next I would have some easy-to-use form of containment like DefenseWall offers now. Files and programs entering your computer from threat gates can never elevate to admin rights unless the user has explicitly given approval (running it as trusted, as DW now offers).
To protect the user against shoot-in-the-foot errors I would like a behavior blocker with some elements of ThreatFire Pro, A2 IDS and NeoavaGuard.
A2 made the smart move to explain exception events very clearly and to focus on the result rather than the protection mechanism; protection against driver installation is called rootkit protection, protection against hook setting is called keylogger protection. I would like the option to give those exceptions a value ('suspicious behavior points'). Like in NeoavaGuard you can set a threshold level of suspicious behavior points (e.g. more than 80 or 110), but NeoavaGuard currently does not have the option to mark a driver install as (for instance) 60 suspicious points and an HKLM startup registry change with (again just an example) 30 suspicious points.
When a program is not a system process (like in ThreatFire) and has performed a series of actions (like in A2 IDS) which came above the suspicious behavior threshold (NeoavaGuard), I would like this behavioral blocker to check the program's certificate and its hash value.
When okay, store the sequence and collected malware points (so when it would show more suspicious behavior in other areas it would be marked as suspicious next time) [action A].
When not okay (or the program does not have a certificate), I would like the behavior blocker to check whether it is known malware with its black list (AV engine). If known, give a clear warning and let the AV engine handle the correction [action B]. When not known, provide a clear pop-up (like in A2 IDS) [action C] and perform the precautions for the future as marked in action A. Next send this file to a central spyware net (like PrevX, Windows Defender, ThreatFire etc).
When a program acquires two consecutive 'actions A', I would like this file to be checked by the AV engine again (maybe it is known now). When not known, send it to the central spy-network, get a clear description and the options to allow or block, and also have a 'roll back' option like in DefenseWall or Spyberus.
Furthermore I want my AV engine to look in incoming streams, instead of on every program's startup, read or write. This would save enough CPU power to perform the above actions.
What is your opinion?
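A small model of the scoring policy sketched in this post (weighted exception events, a threshold, then a certificate and hash check leading to action A, B or C, with a second consecutive action A escalating to a re-check). This is an added example written for this thread, not code from the post or from any of the products named in it; the event weights, the trusted-signer set and the blacklist hash are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed weights for the exception events the post names (illustrative values only).
EVENT_POINTS = {
    "driver_install": 60,       # what A2 labels "rootkit protection"
    "global_hook": 50,          # what A2 labels "keylogger protection"
    "hklm_run_key_change": 30,  # HKLM startup registry change
    "write_system32": 40,
}
THRESHOLD = 80  # NeoavaGuard-style suspicious-points threshold

# Constructed stand-ins for the certificate check and the AV engine's black list.
TRUSTED_SIGNERS = {"Example Vendor Ltd"}
KNOWN_MALWARE_HASHES = {hashlib.sha256(b"CONSTRUCTED-MALWARE-SAMPLE").hexdigest()}

@dataclass
class ProgramRecord:
    signer: Optional[str]          # None models an unsigned binary
    image_bytes: bytes
    is_system_process: bool = False
    burst: int = 0                 # points of the current series of actions
    stored: int = 0                # points remembered from earlier series (action A bookkeeping)
    history: list = field(default_factory=list)
    action_a_count: int = 0        # consecutive action-A verdicts

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.image_bytes).hexdigest()

def observe(rec: ProgramRecord, event: str) -> Optional[str]:
    """Score one event; return 'A', 'A2', 'B', 'C' when the threshold is crossed, else None."""
    if rec.is_system_process or event not in EVENT_POINTS:
        return None                # system processes are exempt, as in ThreatFire
    rec.burst += EVENT_POINTS[event]
    rec.history.append(event)
    if rec.burst + rec.stored <= THRESHOLD:
        return None
    # Threshold crossed: remember the series and its points so a later series trips sooner.
    rec.stored += rec.burst
    rec.burst = 0
    if rec.signer in TRUSTED_SIGNERS:
        rec.action_a_count += 1
        return "A2" if rec.action_a_count >= 2 else "A"   # A2: re-check with the AV engine
    rec.action_a_count = 0
    if rec.sha256 in KNOWN_MALWARE_HASHES:
        return "B"                 # known malware: AV engine handles the correction
    return "C"                     # unknown and untrusted: clear pop-up, keep points, submit sample
```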