View Full Version : Epic detection!
PiCo
January 16th, 2009, 05:38 PM
This is from a friend's PC, I don't know if some malware infected AVG files, but LOl!!
Fuzzfas
January 16th, 2009, 05:50 PM
From a Google search, there doesn't appear to exist an avgupdm.exe, but an avgupd.exe. So it probably IS real malware that finds its way inside AVG's folder. ;D
TechOutsider
January 16th, 2009, 06:47 PM
Exactly. Just a trojan trying to disguise itself as one of AVG's components. Upload to VT and share the detections, rather than the vendors. And ThreatExpert.
Firecat
January 17th, 2009, 03:00 AM
I can confirm that there exists no avgupdm.exe in my AVG installation folder. It is probably real malware.
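Fuzzfas and Firecat are doing an integrity check by hand: list what a clean install contains and see whether avgupdm.exe is in that list. The script below does the same thing against a stored baseline, as an added example that is not AVG's code or anything from the thread. It builds a throwaway "install folder" in a temp directory; the only file names taken from the thread are avgupd.exe and avgupdm.exe, the rest (avgrsx.exe, avg8.log) are placeholders. A real baseline would be generated from a clean install of the same product version and kept somewhere the malware cannot rewrite it.

```python
"""Spot files that do not belong in an AV product's install folder.

Added example, not AVG's code. The 'install folder' and its contents are
constructed in a temp directory; file names other than avgupd.exe and
avgupdm.exe are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path

# File types worth watching: a new one of these in the folder is the
# avgupdm.exe case, a name that looks like the product's but is not one of
# its components. Logs, caches and quarantine stores change at runtime and
# are deliberately left out so they never raise an alert.
WATCHED_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".scr"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each watched file (lower-cased relative path, because NTFS names
    are case-insensitive) to its SHA-256."""
    return {
        p.relative_to(root).as_posix().lower(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare_manifests(actual: dict, baseline: dict) -> dict:
    """Three findings, each a sorted list of relative paths:
      unexpected - on disk but not in the baseline (a dropped look-alike)
      modified   - in both, but the hash changed (a trojanised component)
      missing    - in the baseline but gone (a component wiped or renamed)
    """
    return {
        "unexpected": sorted(n for n in actual if n not in baseline),
        "modified": sorted(n for n in actual
                           if n in baseline and actual[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in actual),
    }


def audit_folder(root: Path, baseline: dict) -> dict:
    return compare_manifests(build_manifest(root), baseline)


def demo() -> dict:
    """Build a throwaway 'install folder', record its baseline, then do what
    the thread describes: plant a look-alike updater and tamper with a
    genuine component."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "avgupd.exe").write_bytes(b"MZ-updater")          # genuine updater
        (root / "avgrsx.exe").write_bytes(b"MZ-resident-shield")  # genuine service (placeholder)
        (root / "avg8.log").write_text("started\n")              # runtime noise
        baseline = build_manifest(root)

        (root / "avgupdm.exe").write_bytes(b"MZ-not-really-avg")  # dropped look-alike
        (root / "avgrsx.exe").write_bytes(b"MZ-trojanised")       # overwritten component
        (root / "avg8.log").write_text("started\nstopped\n")     # benign churn, must not alert
        return audit_folder(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:10s} {names}")
```

The check is only as good as where the baseline lives: if it sits in the same folder as the product, the same malware that drops avgupdm.exe can drop a matching baseline entry. Hashes also tell you nothing about which process wrote the file, which is the gap the HIPS rules discussed later in the thread close.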
EASTER
January 17th, 2009, 06:42 AM
YOU ARE PROTECTED EXCEPT INSIDE OUR OWN FOLDER
ROFL
After all these years you'd think they would at least take some lessons from HIPS. Try to add either a file or folder inside my HIPS folder (EQS) and it's met immediately with ACCESS DENIED!
Just goes to show the weaknesses which still exist in some AV's if not all of them in comparison to HIPS!
EASTER
trjam
January 17th, 2009, 06:50 AM
-{ Quote: "YOU ARE PROTECTED EXCEPT INSIDE OUR OWN FOLDER
ROFL
After all these years you'd think they would at least take some lessons from HIPS. Try to add either a file or folder inside my HIPS folder (EQS) and it's met immediately with ACCESS DENIED!
Just goes to show the weaknesses which still exist in some AV's if not all of them in comparison to HIPS!
EASTER" }-
With all due respect, I think you are totally wrong. Weak how? It obviously caught it, which is what it is supposed to do. HIPS? It would have left it up to the user to say whether it is or isn't, and to me that is never, ever going to sell on the open market. No product that leaves it up to the average consumer to play Russian Roulette on whether something is malware will ever sell. An AV may not catch it all, but the good ones will more than likely keep the average user safe for a long time.
Baz_kasp
January 17th, 2009, 07:21 AM
-{ Quote: "With all due respect, I think you are totally wrong. Weak how? It obviously caught it, which is what it is supposed to do. HIPS? It would have left it up to the user to say whether it is or isn't, and to me that is never, ever going to sell on the open market. No product that leaves it up to the average consumer to play Russian Roulette on whether something is malware will ever sell. An AV may not catch it all, but the good ones will more than likely keep the average user safe for a long time." }-
If malware can put its files inside your AV's folder... imagine what it can do to the AV itself (e.g. delete files, databases, license keys).... I'm not sure how AVG defends itself, but it should have some sort of file defence at least. If it doesn't, like certain AVs, all it takes is a 1KB .bat file to wipe it out completely.
Fuzzfas
January 17th, 2009, 07:36 AM
I think the ironic part is that, from the screenshot, it appears that AVG caught it, but on demand. Meaning it didn't catch it in real time. So, AVG's response time failed against malware that specifically targets AVG. ;D
Malware vs AVG's honour 1-0.
EASTER
January 17th, 2009, 07:46 AM
-{ Quote: "If malware can put its files inside your AV's folder... imagine what it can do to the AV itself (e.g. delete files, databases, license keys).... I'm not sure how AVG defends itself, but it should have some sort of file defence at least. If it doesn't, like certain AVs, all it takes is a 1KB .bat file to wipe it out completely." }-
Absolutely True.
Case in point, as pointed out: something as simple as a maliciously compiled batch file can render the entire AV useless. HIPS, and now many AVs too, set up shop where HIPS have been standing sentry, at the SSDT table for one, to prevent as little disruption as possible. So one better hope AVG doesn't put all its eggs into a single basket (folder).
EASTER
trjam
January 17th, 2009, 08:27 AM
my mistake, apology offered.
m00nbl00d
January 17th, 2009, 08:57 AM
That any AV should be able to prevent infections of its own folder/folders, no one can deny.
But, I don't see how a HIPS would prevent such, unless the user knows exactly what to do.
Wouldn't a "normal" user just think it was his/her AV performing an update, and that's what the HIPS is alerting for? He/She would, most certainly, allow it. Infection would still happen.
I think that, for AVs to be able to stop this, some sort of behavior blocker should be implemented just to monitor the AV's own files, and if no such action is done under normal update situations (the AV vendor knows better than anyone - I think - how their AVs work), then automatically block such action.
Not a HIPS, in my opinion.
emperordarius
January 17th, 2009, 09:19 AM
-{ Quote: "
I think that, for AVs to be able to stop this, some sort of behavior blocker should be implemented just to monitor the AV's own files, and if no such action is done under normal update situations (the AV vendor knows better than anyone - I think - how their AVs work), then automatically block such action.
" }-
That is supposed to be the Av's self protection's job.
m00nbl00d
January 17th, 2009, 09:24 AM
-{ Quote: "That is supposed to be the Av's self protection's job." }-
Yes, indeed. But, in AVG's case, it clearly failed the job. So, a better self protection is needed. :D
Maybe that's why they acquired SANA. :D
Einsturzende
January 17th, 2009, 12:27 PM
-{ Quote: "That any AV should be able to prevent infections of its own folder/folders, no one can deny.
But, I don't see how a HIPS would prevent such, unless the user knows exactly what to do.
Wouldn't a "normal" user just think it was his/her AV performing an update, and that's what the HIPS is alerting for? He/She would, most certainly, allow it. Infection would still happen.
I think that, for AVs to be able to stop this, some sort of behavior blocker should be implemented just to monitor the AV's own files, and if no such action is done under normal update situations (the AV vendor knows better than anyone - I think - how their AVs work), then automatically block such action.
Not a HIPS, in my opinion." }-
Please... HIPS are designed exactly for that: find AVG's executables and permit them to modify/read/delete/write %ProgramFiles%\AVGfolder\*.*, deny all others, or simply use learning mode (some HIPS have one) for a while ...
m00nbl00d
January 17th, 2009, 02:18 PM
-{ Quote: "Please... HIPS are designed exactly for that: find AVG's executables and permit them to modify/read/delete/write %ProgramFiles%\AVGfolder\*.*, deny all others, or simply use learning mode (some HIPS have one) for a while ..." }-
Yes, and if you read well what I wrote, you'll see I didn't say otherwise.
-{ Quote: "
But, I don't see how a HIPS would prevent such, unless the user knows exactly what to do.
Wouldn't a "normal" user just think it was his/her AV performing an update, and that's what the HIPS is alerting for? He/She would, most certainly, allow it. Infection would still happen.
" }-
Or will you say that every user knows what to do with a HIPS?
Most will simply, for example, allow everything with UAC. A very simple and uncomplicated tool. The users are the complicated component. And, unless they learn what each alert means, they won't know what to answer.
And, as I already mentioned...
-{ Quote: "
Wouldn't a "normal" user just think it was his/her AV performing an update, and that's what the HIPS is alerting for? He/She would, most certainly, allow it. Infection would still happen.
" }-
So, in a situation as this, a HIPS wouldn't make any difference. The user would be allowing the infection.
Security vendors need to protect their own applications better. Not every user has the knowledge to interact with a HIPS. And it shouldn't be the user's concern to protect his/her antimalware tools or any other security tool. If we consider they're paying for that security, then it would be expected that it wouldn't be vulnerable to such attempts by malware to modify files, etc., which are part of those tools.
neksus
January 17th, 2009, 05:21 PM
Well, this debate clearly points out one major thing: AV vendors have to ascend to a whole new level together with their software if they want to stick around..
Basing the whole idea of protection (almost) solely on real-time blacklist scans against known threats already proved a while back to be pretty worthless - but to be able to continue with that, first they will have to be at least able to protect the core of their software and of the underlying operating system.
Otherwise they'll end up being used only as on-demand scanners. So the evolution is inevitable:)
Zimzi
January 17th, 2009, 05:22 PM
Both sides are right. For experienced users HIPS is a powerful weapon, but for the average user it is a nightmare. These are things that cannot be compared.
I learned from you guys what "layered security" means.
Your disputation is about something about which you agree. ;D
Einsturzende
January 17th, 2009, 09:00 PM
-{ Quote: "Wouldn't a "normal" user just think it was his/her AV performing an update, and that's what the HIPS is alerting for? He/She would, most certainly, allow it. Infection would still happen." }-
-{ Quote: "So, in a situation as this, a HIPS wouldn't make any difference. The user would be allowing the infection." }-
-{ Quote: "...find AVG's executables and permit them to modify/read/delete/write %ProgramFiles%\AVGfolder\*.*, deny all others, or simply use learning mode (some HIPS have one) for a while ..." }-
There are no questions, answer is already remembered, deny
m00nbl00d
January 18th, 2009, 07:12 AM
-{ Quote: "There are no questions, answer is already remembered, deny" }-
I'm glad you can work with a HIPS and deny, as a custom policy mode, such modifications.
The ultimate questions still remains: Does the newbie/average user know how to work with a HIPS to do that? Will those users know what they should or not allow/deny access to?
And, unless they know it, a HIPS won't do any good for them.
One thing is for you to know. One other thing is for other millions of users out there to know it.
Regards
TechOutsider
January 18th, 2009, 08:18 AM
-{ Quote: "I think the ironic part is that, from the screenshot, it appears that AVG caught it, but on demand. Meaning it didn't catch it in real time. So, AVG's response time failed against malware that specifically targets AVG. ;D
Malware vs AVG's honour 1-0." }-
Real-time scanning is often not as deep as on-demand scanning; otherwise your system resources would be drained.
Einsturzende
January 18th, 2009, 08:20 AM
Average user should learn that deny/block is much better answer than allow, if something doesn't work dig-ask-learn...
m00nbl00d
January 18th, 2009, 10:59 AM
-{ Quote: "Average user should learn that deny/block is much better answer than allow, if something doesn't work dig-ask-learn..." }-
So, someone who, for example, works days and noons, and then studies at night, needs/has to waste time digging-asking-learning about HIPS?
I guess that by the time he/she ends digging-asking-learning, his/her time to be able to use the Internet for a little while goes out of the window. And I have a pretty good feeling time was wasted in vain.
Or, when he/she is performing online searches to get info for some school work, he/she must waste time digging-asking-learning HIPS. I guess this person would be better off in security studies, rather than any other. After all, he/she would spend all his/her time learning such a tool.
Or a busy mother, who works her ass off the entire day, gets the kids from school, gets home, takes care of the kids, helps them do the school work, and finally gets a little time to check her e-mail, must learn how to interact with a HIPS tool.
Then why not say: if they wish for security, go learn how to develop security software and make it to your own taste. I guess this would bring a lot of people to unemployment.
I agree that users should be concerned with their security, and that's why they use security software, either installed when they bought their computers or some friend installed it for them. But it shouldn't be their concern if the security tools they use and bought are weak enough to let malware infect their systems and weaken those very security tools. This should be the vendors' concern: to implement strong defense mechanisms in their security tools, so that their apps won't be bypassed by malware. The users are paying for their tools, so why don't they implement stronger defensive mechanisms?
So, a user buys an antivirus, and so that the antivirus doesn't get bypassed by malware, will have to get a HIPS to protect it?
neksus
January 18th, 2009, 11:27 AM
-{ Quote: "
So, a user buys an antivirus, and so that the antivirus doesn't get bypassed by malware, will have to get a HIPS to protect it?" }-
Of course AV vendors job should be to protect their software, especially when they plan to sell it:)
But, being the weakest link in the "security chain", The User will unfortunately have to learn a bit more about security, since it is obvious that we can only expect rougher times ahead (and I'm not talking about the great depression no2 :))
Fuzzfas
January 18th, 2009, 11:39 AM
-{ Quote: "Real-time scanning is often not as deep as on-demand scanning; otherwise your system resources would be drained." }-
Yes, but this was a simple exe. It wasn't a rar, zip, cab or I don't know what, which can be excluded from the real-time scanner because the file is packed and so represents no immediate danger.
m00nbl00d
January 18th, 2009, 12:39 PM
-{ Quote: "Of course AV vendors job should be to protect their software, especially when they plan to sell it:)
But, being the weakest link in the "security chain", The User will unfortunately have to learn a bit more about security, since it is obvious that we can only expect rougher times ahead (and I'm not talking about the great depression no2 :))" }-
Yes, indeed. Unfortunately, the user is the weakest link in the whole security chain. And that's what the bad guys will always count on. Otherwise, during all the time malware has existed, there would be practically no infections and what comes from that.
But, also unfortunately, not everyone (millions of people) has the time to learn a bit more about security. And how much would be just a bit? Just enough to know there are bad guys in the cyber world? That they develop malware to spy on them?
Some are not even aware of such. And those who are, just don't have the time to learn all about it and the best way to protect themselves. They should, and that I do not deny. But, many, just don't have the time. Should they be insecure?
That's why I have my own idea about what should be done to fight all this malware thing. But, it would raise other discussions, which, in turn, would turn all this into off topic topics. (Ours already are a bit :D )
Perhaps, starting a new thread. I believe would make a great and healthy discussion.
Best regards
jrmhng
January 18th, 2009, 01:29 PM
All that seems to have happened is that
1) AVG didn't have a signature for the virus at time of it getting into the system
2) AVG didn't have a behavior blocker that stops program writing to the AVG folder.
Why is there so much fuss around this?
This could happen to any AV
Why is having this virus in the AV folder any different than malware hiding in the system32 folder?
Having a behavior blocker protect certain folders may have unintended consequences and the mainstream user wouldn't want to deal with this.
Fuzzfas
January 18th, 2009, 01:45 PM
-{ Quote: "All that seems to have happened is that
1) AVG didn't have a signature for the virus at time of it getting into the system
2) AVG didn't have a behavior blocker that stops program writing to the AVG folder.
Why is there so much fuss around this? " }-
Because this is Wilders', so my AV is better than yours and it's an opportunity to bash a product you probably don't like. ;D
TechOutsider
January 18th, 2009, 02:05 PM
-{ Quote: "All that seems to have happened is that
1) AVG didn't have a signature for the virus at time of it getting into the system
2) AVG didn't have a behavior blocker that stops program writing to the AVG folder.
Why is there so much fuss around this?
This could happen to any AV
Why is having this virus in the AV folder any different than malware hiding in the system32 folder?
Having a behavior blocker protect certain folders may have unintended consequences and the mainstream user wouldn't want to deal with this." }-
Most likely is that AVG, as with any other AV, did not scan as deeply when the file was copied to AVG's folder. An extended/deep/aggressive heuristic scan of every single disk activity can put quite a drain on system resources. Deep scans are left to the on-demand scanner..
-{ Quote: "Yes, but this was a simple exe. It wasn't a rar, zip, cab or I don't know what, which can be excluded from the real-time scanner because the file is packed and so represents no immediate danger." }-
How do you know if it wasn't packed?
-----
However, the AVG folder should be kept as read-only, as a most basic form of security. Surprised that AVG did not do that by default ...
Fuzzfas
January 18th, 2009, 02:19 PM
-{ Quote: "
How do you know if it wasn't packed?
" }-
I can't know it for sure, but it's likely it wasn't (that's why real-time scanners usually don't include them in detection). One thing is for sure: the user didn't extract something into AVG's folder (why would he do that). So even if it was packed initially, once unpacked and ending up in AVG's folder, it was active, as an exe, hence AVG's real-time scanner must have accessed it and failed to identify it. Packer or no packer, an exe was written into AVG's folder and was obviously active; shouldn't AVG's real-time scanner scan that? Twister scans exes on the fly as they are extracted from a zip; I can't believe that AVG simply lets exes be written here and there without bothering to see what they are.
bellgamin
January 18th, 2009, 03:56 PM
-{ Quote: "Does the newbie/average user know how to work with a HIPS to do that? Will those users know what they should or not allow/deny access to?" }-
Some folks seem to define "average user" as being synonymous with "ignorant/feckless user."
The "average automobile driver" must learn basic safety rules, else they shall die. The same is true for "average internet users" -- learn basic security or die.
A HIPS job is to WARN users of possible nastiness for which blacklisting is not yet available. We must all learn to react prudently to many kinds of warnings in our lives -- hurricane warnings, flood warnings, wailing sirens, flashing yellow lights, security app pop-up's, etc.
If someone chooses to remain ignorant of what to do when warned, then bend over, grab both ankles, & have a nice ride. Wheeee! :argh:
TechOutsider
January 18th, 2009, 05:48 PM
Depends on just how deep AVG's real-time scanners scans.
dawgg
January 18th, 2009, 06:00 PM
-{ Quote: "Depends on just how deep AVG's real-time scanners scans." }-
Not sure how old the signature was, but it may simply be that it was dropped before AVG added a detection, and if the file was inactive, then there's a higher chance AVG won't detect it until the following scan.
Fuzzfas
January 18th, 2009, 06:00 PM
-{ Quote: "Depends on just how deep AVG's real-time scanners scans." }-
OK, either they have a problem which is much bigger, and regards their resident scanner, or they missed a signature when the infection happened. I hope for them it's the second one. Because that user, packed or unpacked, got infected successfully. Meaning, the payload was delivered and activated (that's what was supposed to happen). That's what trojans are all about; they aren't made just to deliver a file in AVG's folder for fun, but to execute code eventually. The name was to fool the user into thinking, in the task manager, that it was part of AVG's update processes. Which means malicious exes were executed. If AVG couldn't see them, then I think it has biiig problems as a scanner. But since I've used AVG 6 and 7 free, I doubt their scanner can miss that. Most probably they hadn't included the signature when the original infection occurred.
That's how i see it.
neksus
January 18th, 2009, 07:38 PM
-{ Quote: "Some folks seem to define "average user" as being synonymous with "ignorant/feckless user."
..
The same is true for "average internet users" -- learn basic security or die.
" }-
That's the very thing I've been struggling to "implant" into many minds for a long time now - you just cannot make it with only AV onboard nowadays, and unfortunately that means you must perfect your internet driving skills further or you'll be swept off the road, constantly trying to repair your vehicle just to face the same situation again..
But fortunately we already have tools that can be used in a combo that should be operable even by those "average joes/janes" without scaring them away or assisting them in annihilation of their windozes, and I'm pretty sure we will see more of those "user friendly" evolved "suits" very soon.
Therefore we just have to continue preaching, and eventually, but probably only after 2K years have passed, this "great knowledge" of ours will be wide spread and acknowledged fact:)
EASTER
January 18th, 2009, 07:53 PM
-{ Quote: "That any AV should be able to prevent infections of its own folder/folders, no one can deny.
But, I don't see how a HIPS would prevent such, unless the user knows exactly what to do." }-
It's called rules. Once you set rules on the HIPS or any other folders, you don't even get a choice anymore to accept or deny; it just blocks the attempt with an ACCESS DENIED! display, or no display at all, depending on how you want it to be.
That's the extra protection HIPS offer over some AV's which they should have used all along, but then they wouldn't need to keep selling licensing for something that can't happen anymore could they?
The smart thing to do is use a HIPS that can block entry to your AV folder/files and you'll never run into that again.
I've been far more secure with HIPS than any AV ever offered.
EASTER
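Einsturzende's rule ("permit AVG's executables to write %ProgramFiles%\AVGfolder\*.*, deny all others") and EASTER's point that a remembered rule never prompts are the same mechanism. Below is that rule as a small policy evaluator, an added example that is not any HIPS vendor's engine and not AVG's self-protection. The assumed policy: a process whose image lives inside the protected folder may create, write, delete or rename there; every other process may only read; the verdict comes from the rule, so the user is never asked. All events, paths and process names are constructed; they are not from the screenshot. The example also goes a step past the posts and covers two ways a naive string-match rule gets bypassed: a sibling folder whose name merely starts with the protected one, and a path written with `..` or forward slashes.

```python
"""A path-based 'only the AV may write to its own folder' rule, of the kind
the posts above describe setting in a classical HIPS.

Added example, not any vendor's engine and not AVG's self-protection.
Assumed policy: a process whose image lives inside the protected folder may
create/write/delete/rename there; any other process may only read. Events
and paths are constructed.
"""
import ntpath
from dataclasses import dataclass

WRITE_OPS = {"create", "write", "delete", "rename", "set_acl"}


def _norm(path: str) -> str:
    # NTFS compares names case-insensitively and accepts '/' as well as '\';
    # normpath also collapses '..', so 'C:/program files/AVG/../AVG/x.exe'
    # and 'C:\Program Files\AVG\x.exe' end up identical.
    return ntpath.normcase(ntpath.normpath(path))


def is_inside(path: str, folder: str) -> bool:
    """True if path is folder itself or lies beneath it.

    A bare startswith(folder) would also match 'C:\\Program Files\\AVG2\\...',
    which is how sloppy rules get bypassed; requiring the separator avoids it.
    """
    f = _norm(folder).rstrip("\\")
    p = _norm(path)
    return p == f or p.startswith(f + "\\")


@dataclass(frozen=True)
class FileEvent:
    image: str   # full path of the executable performing the operation
    op: str      # one of WRITE_OPS, or "read"
    target: str  # path being touched


class FolderGuard:
    """Evaluates the rule for one protected folder."""

    def __init__(self, protected: str):
        self.protected = protected

    def decide(self, ev: FileEvent) -> str:
        if not is_inside(ev.target, self.protected):
            return "allow"      # rule only covers the protected folder
        if ev.op not in WRITE_OPS:
            return "allow"      # reads do not threaten the product's integrity
        if is_inside(ev.image, self.protected):
            return "allow"      # the product's own updater or service
        return "deny"           # anyone else: blocked, no question asked


def run_demo() -> list:
    """Feed constructed events through the rule; return
    (image name, operation, verdict) triples."""
    guard = FolderGuard(r"C:\Program Files\AVG")
    events = [
        # legitimate update written by the product's own updater
        FileEvent(r"C:\Program Files\AVG\avgupd.exe", "write",
                  r"C:\Program Files\AVG\definitions.dat"),
        # a browser exploit payload dropping a look-alike next to the updater
        FileEvent(r"C:\Program Files\Firefox\firefox.exe", "create",
                  r"C:\Program Files\AVG\avgupdm.exe"),
        # the '1KB .bat' scenario: cmd.exe deleting a component
        FileEvent(r"C:\Windows\System32\cmd.exe", "delete",
                  r"C:\Program Files\AVG\avgrsx.exe"),
        # Explorer merely reading a file there
        FileEvent(r"C:\Windows\explorer.exe", "read",
                  r"C:\Program Files\AVG\license.txt"),
        # prefix trap: a folder whose name merely starts with the protected one
        FileEvent(r"C:\Program Files\AVG2\evil.exe", "write",
                  r"C:\Program Files\AVG\avgcore.dll"),
        # traversal and forward slashes to dodge a naive string match
        FileEvent(r"C:\Users\bob\dropper.exe", "write",
                  "C:/program files/AVG/../AVG/avgrsx.exe"),
        # writes elsewhere are outside this rule's scope
        FileEvent(r"C:\Users\bob\dropper.exe", "write",
                  r"C:\Users\bob\Desktop\notes.txt"),
    ]
    return [(ntpath.basename(ev.image), ev.op, guard.decide(ev))
            for ev in events]


if __name__ == "__main__":
    for image, op, verdict in run_demo():
        print(f"{verdict:5s} {image:12s} {op}")
```

Two caveats a practitioner would want alongside this. The rule trusts whatever code runs inside the product's own processes, so a DLL injected into avgupd.exe, or a malicious update package the updater itself writes out, passes it; that is the gap in-process self-protection and signed updates exist to close, and why a folder rule is a floor rather than the whole defence. And the read-only-folder idea TechOutsider raises later is the same rule expressed as an NTFS deny ACL: it holds against a process running as a standard user, but a process running as administrator can simply rewrite the ACL, which is why HIPS and AV self-protection enforce it from a kernel driver instead.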
m00nbl00d
January 18th, 2009, 08:40 PM
-{ Quote: "Some folks seem to define "average user" as being synonymous with "ignorant/feckless user."
The "average automobile driver" must learn basic safety rules, else they shall die. The same is true for "average internet users" -- learn basic security or die.
" }-
If you want to drive an automobile, you need to get a driver's license. To get a driver's license, you need to go to school to learn with someone how to drive and to learn defensive measures, in case you're faced with real-world situations, such as a wet floor, etc., which could cause an accident and your possible death.
Are there any schools out there just for the purpose of folks wishing to use the Internet, so that they can learn about computer security?
Most know the basic security - use a firewall (the system firewall), antivirus (which includes antispyware).
Is HIPS a basic security tool? I guess my grandmother would know how to work with Outpost HIPS or with Comodo HIPS.
-{ Quote: "
A HIPS job is to WARN users of possible nastiness for which blacklisting is not yet available. We must all learn to react prudently to many kinds of warnings in our lives -- hurricane warnings, flood warnings, wailing sirens, flashing yellow lights, security app pop-up's, etc.
" }-
I don't see what a hurricane, flood or even flashing yellow lights has anything to do with a HIPS, but ok.
My grandmother knows what to do in case of hurricanes, etc. She doesn't have a clue about HIPS, but thats ok.
-{ Quote: "
If someone chooses to remain ignorant of what to do when warned, then bend over, grab both ankles, & have a nice ride. Wheeee! :argh:" }-
I wouldn't wish my grandmother to be your grandmother, that's for sure.
m00nbl00d
January 18th, 2009, 08:46 PM
-{ Quote: "It's called rules. Once you set rules on the HIPS or any other folders, you don't even get a choice anymore to accept or deny; it just blocks the attempt with an ACCESS DENIED! display, or no display at all, depending on how you want it to be.
That's the extra protection HIPS offer over some AV's which they should have used all along, but then they wouldn't need to keep selling licensing for something that can't happen anymore could they?
The smart thing to do is use a HIPS that can block entry to your AV folder/files and you'll never run into that again.
I've been far more secure with HIPS than any AV ever offered.
EASTER" }-
Yes, I agree about everything.
Then again, would my grandmother know how to do such? Would everybody's father, mother, sister, brother, uncle, grandfather, etc. know how to do it?
Like an earlier example I gave, would a mother who works an entire day, then gets the kids from school, helps them do their school work, etc., and then finds a few minutes of her day just to check the e-mail know how to do it, or waste that time making some custom policies for a HIPS?
We don't live in a perfect world. No one can expect that mother and other millions (maybe billions or more) like her to know such thing.
Who's gonna do it for them? If they have people who know about it, that's a great thing. But, does everybody have such people living with them? Some do. Many don't. That's life.
The hell with them, right? If they can't find a few seconds to learn how to interact and to work with HIPS, then they don't deserve to be secure.
EASTER
January 18th, 2009, 09:37 PM
I see and understand your point. Very valid, and that's why it's ultimately ever more important never to trust anything you're not relatively certain about, at least to a degree. No, there's no way for them to know if they can depend on what is claimed/supposed to protect them when it comes to computer safety, and for that matter it also includes every one of us, no matter how learned or educated we think we are. We all can be at risk at any time regardless of the program we depend on to protect us, because no software is fool-proof, but many are very close.
At that, there's always System Restore, or better yet an automated imaging program that makes duplicates, where if bitten, we can simply press a few buttons and Presto! we're right back on track again.
EASTER
arran
January 18th, 2009, 09:52 PM
Such a classic example of Malware totally owning an AV program.
This thread should be archived/pinned.
Metal425
January 18th, 2009, 11:14 PM
-{ Quote: "This is from a friend's PC, I don't know if some malware infected AVG files, but LOl!!" }-
Epic failure, on your part. Disguised Malware. ;D
bellgamin
January 19th, 2009, 01:40 AM
-{ Quote: "We don't live in a perfect world. No one can expect that mother and other millions (maybe billions or more) like her to know such thing." }-
That's where sandboxes, system restore, deepfreeze, etc come in.
In due time, big-brother protective apps may become increasingly pervasive, effective, &... mandatory. Some day, trying to override Windows Security Center may result in your computer saying...
-{ Quote: ""I'm sorry Dave. I'm afraid I can't do that." (spoken by the HAL 9000 computer in 2001: A Space Odyssey)" }-
PiCo
January 19th, 2009, 03:11 AM
-{ Quote: "Epic failure, on your part. Disguised Malware. ;D" }-
Hahahaah
I haven't talked to him since. If I get some more info I will share; I think it had something to do with Rapid Antivirus, a rogue.
The name avgupdm.exe is also strange, because there should be at least a few hits in Google I think, even if it's a random string attached to AVG's updater. There are none.
Fuzzfas
January 19th, 2009, 03:27 AM
Moonblood, Easter, Bellgamin, all have their valid points.
Ideally, a classical HIPS is powerful, for the knowledgeable user. For an expert user, it can become virtually undefeatable.
I too often find myself bored of pop-ups, but in the end I return to the classical HIPS, because it gives me peace of mind. I know though that I am not an expert and there is one kind of attack that I won't be able to parry: malware within an installer that I think is a legitimate program. Because I will put it in installation mode and won't care what happens. For that, trying the installer in a virtualized system can be of help.
But usually malware comes from within a browser exploit, or a downloaded "game no-cd patch", "crack", "keygen", malicious media files, pdfs, documents, unpatched OS/software holes, and in all these cases a pop-up out of the blue is really a red flag that you can't miss or ignore as "probably normal".
Unfortunately, most people don't use and aren't willing to learn to use a classical HIPS. The answer is what Bellgamin says. Especially virtualization would make things much easier, although I am sure that if it were to become mainstream, we would see a boost of malware capable of identifying that it runs in a virtual environment (already happened) and specially crafted to leak out. But the main point is that widespread use of sandboxes and system virtualization won't happen until the major AV companies decide to employ them. Until then, only a few will hear about Tzuk, Tony, Coldmoon etc. So what Moonblood says is true.
I also find this quite true:
-{ Quote: "That's the extra protection HIPS offer over some AV's which they should have used all along, but then they wouldn't need to keep selling licensing for something that can't happen anymore could they?" }-
Not only for HIPS but also for other more signature-less solutions. Eventually any defense can be fooled, but the rate of successful attempts would diminish, and the rate at which users renew their licenses would diminish too, I think. For example, SSM isn't first at Matousec's. But honestly, what are the chances that one will meet the malware that will slip through? So, one can keep on using it for quite a long time. The same could apply to virtualization solutions.
The danger and risk malware presents, is good for business in the AV sector! It's like pharmaceutical companies. If they were by miracle one day to discover the drug to cure all diseases, they would have first to invent a new disease,incurable, to keep selling.
And to come to this:
-{ Quote: "At that theres always System Restore or better yet an automated imaging program that makes duplicates where if bit, we can simply press a few buttons and Presto! we're right back on track again." }-
+
-{ Quote: "That's where sandboxes, system restore, deepfreeze, etc come in." }-
Imagine, if these instructions were put on every AV box or as startup tips when you run your AV... But they won't, will they... "Your AV protects you! We care about your safety! You are in safe hands" is much better for business. ;D
-{ Quote: "In due time, big-brother protective apps may become increasingly pervasive, effective, &... mandatory. Some day, trying to override Windows Security Center may result in your computer saying..." }-
MS is already going that way. It's common knowledge that MS has reduced access points to kernel of Vista 64bit so much, that HIPS programmers have difficulty taking control of apis to make 64bit compatible versions. This of course doesn't hurt traditional antiviruses that don't need to hook so deep and in so many places.
dawgg
January 19th, 2009, 04:48 AM
-{ Quote: "Such a classic example of Malware totally owning an AV program." }-
Nothing is "owning" AVG in this case; there's no evidence of AVG being infected or of anything influencing its workings and ability. It's a malicious file sitting in AVG's folder. Yes, it shouldn't happen, because users may think it's AVG, but AVG's self-defense has not lapsed; nothing has hindered AVG's abilities. In this case, malware is not "totally owning" AVG.
Firecat
January 19th, 2009, 06:45 AM
-{ Quote: "Depends on just how deep AVG's real-time scanners scans." }-
Well, there is that option called "on-close scanning" (scan on process closing) for the Resident shield in AVG 7.5 and 8.0, checking which allows the real-time monitor to perform a more stringent real-time scanning (by default this option is off as it consumes more CPU resources).
neksus
January 19th, 2009, 06:13 PM
-{ Quote: "
It's like pharmaceutical companies. If they were by miracle one day to discover the drug to cure all diseases, they would have first to invent a new disease,incurable, to keep selling.
" }-
Who can be sure that they don't? Or that they won't when/if they develop a new breed of "unbeatable" protection?:)
My guess is that we should see very soon more security software vendors "reinventing" their approach in dealing with malware: rely less on blacklists of known threats, put more efforts to protection of "the doors to infection" in the first place!
I mean, how on earth can one expect that some newly bred polymorphic virus, encrypted with 1Kbit+ encryption, can be blacklisted?! Remember that recent Kaspersky SOS call to crack the 1024-bit key?
So it's easier to "just" cover the entry points, than to try to decipher the badass, isn't it? And that can also be done with almost no (or minimal) user input even now, so we can foresee highly improved protection is just about to hit the market.
And, yes, it will be impenetrable! But very soon (conspiracy theories taught us well) we will witness "the cure" being released that will make it look just like swiss cheese:)
All jokes aside, and since we can not expect that this search for the holy grail between good and bad guys will ever stop, we can only expect help from programs that are "trying to think as the bad guys".
From this point in time looks like that should be a combo/crossbred of behaviour detector, policy based restrictor, and HIPS like protector.
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums