Avast Safe Zone.

Discussion in 'other anti-virus software' started by JerryM, Aug 28, 2012.

Thread Status:
Not open for further replies.
  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I assume because Safe Zone uses its own browser, you can't use your favorite (Firefox) extensions like LastPass. Right?
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's correct.
     
  3. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    I upgraded to Avast Pro last week specifically to get Safe Zone. It works really well except for the fact that you can't print in Safe Zone. In other words if you are looking at your bank statement or buying something online using Safe Zone you can't print it out. I contacted support and was told that it is a known bug in the current version and they expect to have it fixed in the next update. Looking at an earlier thread, it has been a problem since at least April. I suspect this is not a problem for everyone, because I don't see any mention of it in current threads, but some of us can't print.
     
  4. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    It is a common problem, and I am not sure when it will get fixed. While I like Avast and am using it on my laptop, the sandbox is a real problem, and lack of printing from SafeZone is a handicap. I hope we do not have to wait until V 8.

    Regards,
    Jerry
     
  5. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
Avast Safe Zone and Kaspersky Safe Money are total gimmicks. You simply cannot create a safe "zone" from an unsafe/untrusted environment. It defies every law of security.

    Ask yourselves these questions:

    1. What if the malware infected a system DLL that was loaded by the Safe browser, say something like mshtml.dll? The malware is now running in the Safe "zone".
    2. What if you have a user-mode (or worse, a kernel-mode) rootkit that prevents the system/product from launching the safe zone?

    There are dozens of other such bypasses in both products.
     
  6. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Wait a moment, with this logic, isn't any AV software in existence just a gimmick? I mean, all of them are sort of "reactive" and work on a best-effort basis. They can all be bypassed.

    But in real world, in the vast majority of cases, they are not. That's because they're effective at stopping malware that's currently in circulation.

    Now, how do you know how well SafeZone/SafeMoney/SafePay deal with malware currently in circulation? Especially today's banking trojans and other bank fraud types of malware?

    Is there any publicly available test for that? Or have you done any kind of testing?

    Or was your point just to say that if you can't provide a 100.0% solution, it's better to just not do anything?

    Thanks,
    Vlk
     
  7. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Whatever they might be they are not gimmicks. Although problems are occurring at this time, Avast folks will fix the problems in time.

    Regards,
    Jerry
     
  8. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Hi Vlk,

Very valid points. However, let me explain why this is different. Security products aim to block malware from infecting your system. They are not 100% fool-proof and never will be. Hopefully you agree with that.

    However, what Avast (and Kaspersky) are claiming is that even if the malware bypasses the security product layers, it will still not be allowed to steal credentials (user IDs, passwords) from transactions conducted within the safe zone. This I find totally ludicrous. Think about this - the system is totally infected, possibly with some of the most sophisticated malware like Zeus, ZeroAccess, Cidox, TDSS etc., many of which are capable of injecting DLLs into any process they please, INCLUDING THE BROWSER. Yet here we have companies like Avast and Kaspersky claiming that they can create a Safe Zone on an infected machine.

    Giving users the impression that it's OK to do financial transactions etc., even if they have reason to believe the machine is infected, simply because the "SAFE ZONE" will protect them, is VERY DANGEROUS. I think these two companies are promoting dangerous behavior and putting their users at risk.

    I will say again, ONCE THE MACHINE IS INFECTED, there is nothing any product can do to create a process (like IE / custom Chrome) in a safe manner. You must assume that this process has also been compromised.

    I know the Avast & Kaspersky guys are on this forum. If they can confirm that their Safe Zone / Safe Money feature can protect the user even if system DLLs are infected, then I'd like to understand how.
     
  9. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Safe Zone is implemented as kernel mode protection so it has a privilege level as good as or better than malware that gets installed successfully. Workarounds/new kernel protection mechanisms can be made to combat other kernel mode malware, as it's a game of cat and mouse once you're on same privilege level. They aren't explicitly saying it's perfect now are they, but it does offer added protection.
    Actually, no.
     
  10. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
This is not true, right? Malware that loads from the MBR, boot loader infections etc., gets control before the Avast/Kaspersky driver, so it totally controls what the driver can see. Again, I don't see how these guys are claiming a "Safe Zone" on an infected machine.
     
  11. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
Going by that, it's impossible for AVs to disinfect MBR/VBR based rootkits, right? Since such rootkits "have the upper hand" and all... :) The reality is different.
    I'm not a programmer, but having kernel mode privileges enables the AV to (retroactively) combat any given threat that is installed on the host system, provided that the programmers behind it know what they're doing. It enables them to catch up to new mechanisms even if they're limited by official kernel APIs from MS whereas malware writers aren't.
    Plus, don't forget ELAM on Win8, which is another added layer of security.
     
  12. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
You're absolutely correct that once the malware gets the opportunity to load a kernel-mode driver, the situation becomes very difficult. If that happens, the AV loses the only advantage it had, and then it's really only a fifty-fifty chance that it will win (a "cat and mouse" game).

    That said, there's a clear trend for banking malware today to run in user-mode only (i.e. not have any kernel-mode components). This is probably because of UAC - it's meaningful for malware writers to focus on the scenario where they won't have admin access to the system (i.e. running in user mode and unelevated). After all, they're after your online transactions (and money), and for that, they don't need to own your computer. They just stick with MITB ("Man-in-the-Browser") type of attacks, by installing all sorts of browser plugins etc - stuff that they can easily do even unelevated.

    Examples include Zeus and SpyEye - malware that has traditionally always come with hardcore kernel-mode rootkits, but whose newer versions are user-mode only.


    Thanks,
    Vlk
     
  13. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380

    Hi Vlk,

Again, very valid comments. That being said, I will contend that Safe Zone can't even protect against certain kinds of user-mode infections, like parasitically infected system DLLs. How can they load a safe version of IE/Chrome when critical DLLs that the browsers use have been infected? Once you load IE, it will load the required DLLs, and now you have an infected browser process. And all it takes is ONE user-mode hole for Zeus to be modified to take advantage of it, if they believe they are running into too many Kaspersky/Avast-protected users. And there are two problems with cat & mouse games in the AV world:
    1. Sometimes the mouse is so stealthy that there is simply no way to catch it. A parasitically infected mshtml.dll (loaded by IE), or some other similar DLL, is going to be very difficult to work around unless they carry a copy of these DLLs.
    2. The mice tend to move real fast, and the cats tend to move much slower. This is particularly true for professional mice like Zeus.

    So practically speaking, I don't think Safe Money / Safe Zone stand any chance against Zeus. They will always be behind and those products' users will continue to have their credentials stolen, Safe Zone or not.
     
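The recurring objection in this thread is that a "safe" browser is only as trustworthy as the system DLLs it loads, and that a parasitic patch to something like mshtml.dll survives into the protected process. The block below is an added example written for this page, not code from Avast, Kaspersky or any poster: it shows the minimum check a launcher would need before trusting such modules, a size-plus-SHA-256 baseline taken from a known-clean copy, and why size alone is not enough (an in-place patch keeps the file size identical). The file names, the fake "DLL" contents and the tempdir are constructed for the demo. The caveat the thread itself makes still applies: the baseline must come from a trusted source, the check must run before the modules are loaded, and a rootkit that controls what the filesystem returns can lie to this check just as it lies to an AV driver.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory, names):
    """Record (size, sha256) for each named file.

    Only meaningful if taken from a known-clean system or install medium;
    a baseline recorded on an already-infected box just ratifies the infection.
    """
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        baseline[name] = (os.path.getsize(path), sha256_file(path))
    return baseline


def verify(directory, baseline):
    """Classify every baselined file before anything loads it.

    Returns a dict name -> one of 'ok', 'modified' (same size, different
    content: the parasitic-patch case), 'size_changed' (appended or truncated),
    or 'missing'.
    """
    results = {}
    for name, (expected_size, expected_hash) in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != expected_size:
            results[name] = "size_changed"
            continue
        results[name] = "ok" if sha256_file(path) == expected_hash else "modified"
    return results


def patch_in_place(path, offset, new_bytes):
    """Overwrite bytes at a fixed offset without changing the file size.

    Models a parasitic infection that redirects an existing code path
    rather than appending a new section.
    """
    with open(path, "r+b") as fh:
        fh.seek(offset)
        fh.write(new_bytes)


def demo():
    """Build a fake clean module set, baseline it, tamper three ways, verify.

    The 'DLLs' are constructed byte blobs, not real PE files.
    """
    names = ["mshtml.dll", "urlmon.dll", "wininet.dll", "ieframe.dll"]
    with tempfile.TemporaryDirectory() as directory:
        for index, name in enumerate(names):
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"MZ" + bytes([index]) * 4096)

        baseline = build_baseline(directory, names)

        # Same-size patch: a 5-byte jmp-style stub dropped over existing code.
        patch_in_place(os.path.join(directory, "mshtml.dll"), 1024,
                       b"\xe9\x00\x10\x00\x00")
        # Appended payload: size changes, so it is caught before hashing.
        with open(os.path.join(directory, "urlmon.dll"), "ab") as fh:
            fh.write(b"\x90" * 16)
        # Removed module: the launcher would otherwise fall back to whatever
        # the loader finds on the search path.
        os.remove(os.path.join(directory, "wininet.dll"))

        return verify(directory, baseline)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{name:12s} {state}")
```

A real launcher would hash the modules it is about to load (or compare against Authenticode-signed copies it ships itself, which is the "carry a copy of these DLLs" option raised above) and refuse to start the protected browser on anything but `ok`. The demo returns `mshtml.dll` as `modified`, `urlmon.dll` as `size_changed`, `wininet.dll` as `missing` and `ieframe.dll` as `ok`.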