#1
A friend of mine asked me to explain to him the differences between the different protection software (HIPS, behavior blockers, sandboxes, etc.).

He is totally non-geek, so I decided to explain in terms he can understand. I developed this little analogy and wanted to post it here first, so if there's a flaw in it you could let me know. (That way I can also make sure I'm understanding things right.) I'm just focusing on basic things, not on stuff like heuristics, evolving malware, etc. I'm also NOT focusing on the downsides of each, like FPs, etc.

So, here it goes:

Let's say you want to protect your house, so you decide to hire a private security guard.

The first one to apply for the job is "Mister Blacklist Scanner", aka "Mister AntiVirus". He has the FBI's "most wanted" list, which gets updated every week. He just sits at the door, and if anyone wants to get into your house, he checks the list. If the person is not on the list, he just steps aside. The person can then do anything in your house. Please note that the fact that the person isn't listed doesn't mean he can't be a criminal.

The next one to come see you is Mister "Behavior Blocker". He just lets anybody into the house, but stays with them all the time. If the stranger starts doing suspicious stuff like putting things in his pocket, trying to figure out the combination to your safe, etc., the security guard warns you about this and asks you what to do: "can he do that, or shall I kill him?"

Now let's interview Mister "HIPS". He just sits there, and when someone rings your bell he goes to ask you "can he come in?" If you do let the person in, he keeps an eye on him. "Can he go into the living room?", "Is he allowed to read that book?", "Can he talk to your daughter?", etc.

Now two more guards have just arrived looking for the job: Mister "Policy Sandbox" and Mister "Virtualizing Sandbox". Although they are cousins, they work in different ways. Policy Sandbox will let anybody in. He just follows the person, supervising everything he does. If he wants to go into certain restricted rooms, he just forbids entry. If the person wants to write something into, let's say, an important book, Policy Sandbox will not allow it. But anything not restricted can be done by the stranger.

Virtualizing Sandbox, on the other hand, grabs strangers and throws them in the basement, locking the door. If the stranger wants to see something in your house, Sandbox just hands him a copy. The stranger can do whatever he wants in the basement, but certain restricted files you keep in your safe won't be handed to him. When the stranger is done and ready to leave, Sandbox just kills him and dumps the body.

Now let's interview Mister "Anti Executable". He just sits at the door and waits. If anyone comes to your house and isn't on your list of friends and family, AE will forbid them to enter your house. He doesn't care if the stranger is a criminal, if it is the police, or the president of your country. If he's not on the list, he can forget about visiting your house.

And last, there is another applicant for the job. It's Mister Virtualization, sometimes known as Mister ISR. He tells you that maybe you want a last line of defense. His idea is to build an exact replica of your house, with everything in it, and even some clones of you and your family, so that all strangers go there instead of your actual house. If anything goes wrong, he will just burn down that house and start over, leaving your actual house untouched.

~~End of analogy

I'm waiting for comments
__________________
I ♥ SandboxIE
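The guards from the post above, as an added example that is not part of the original post or of any product mentioned in it: a toy Python model of each mediation strategy, run against three constructed programs (a benign editor, a well-known old worm and a brand-new dropper). The hashes, paths, lists and programs are all made up for illustration. What the model shows is the decision each guard makes about the unknown dropper: the blacklist scanner lets it in, the anti-executable turns it away, the behavior blocker and HIPS differ only in how often the user is asked, the policy sandbox denies the restricted rooms but lets the other writes happen for real, and the virtualizing sandbox redirects every write to a throwaway copy and leaves the real files untouched.

```python
"""Toy model of the guards in the house analogy: what each one does with an
unknown program. Added example, not code from the original post; the sample
programs, paths and lists are constructed for illustration."""
import hashlib
from dataclasses import dataclass


@dataclass
class Program:
    name: str
    body: bytes    # stands in for the executable's bytes
    actions: list  # (verb, target) pairs it performs once it is running

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


# Constructed sample "house": a few files and three programs that want in.
NOTES = r"C:\Users\me\notes.txt"
DRIVER = r"C:\Windows\System32\drivers\x.sys"
SAFE = r"C:\Users\me\safe\passwords.txt"
REAL_FS = {NOTES: "shopping list", DRIVER: "real driver", SAFE: "hunter2"}

NOTEPAD = Program("notepad.exe", b"benign editor", [("write", NOTES)])
OLD_WORM = Program("oldworm.exe", b"well-known worm", [("write", DRIVER)])
DROPPER = Program("invoice.pdf.exe", b"brand-new dropper",
                  [("read", SAFE), ("write", DRIVER), ("write", NOTES)])

KNOWN_BAD = {OLD_WORM.digest}     # Mister AntiVirus: the most-wanted list
FRIENDS = {NOTEPAD.digest}        # Mister Anti Executable: friends and family
RESTRICTED = (r"C:\Windows", r"C:\Users\me\safe")  # rooms the policy sandbox locks
SUSPICIOUS = {("write", DRIVER)}  # what the behavior blocker calls "pocketing things"


def blacklist_scanner(prog):
    """Mister AntiVirus: block only what is on the list, let everything else in."""
    return "block" if prog.digest in KNOWN_BAD else "allow"


def anti_executable(prog):
    """Mister Anti Executable: let in only what is on the list, turn the rest away."""
    return "allow" if prog.digest in FRIENDS else "block"


def behavior_blocker(prog, ask_user):
    """Let the program in, watch it, and ask the user only about suspicious acts."""
    verdicts = []
    for act in prog.actions:
        if act not in SUSPICIOUS:
            verdicts.append((act, "allow"))
        elif ask_user(act):
            verdicts.append((act, "allow"))
        else:
            verdicts.append((act, "kill"))
            break          # the guard ends the visit here
    return verdicts


def hips(prog, ask_user):
    """Mister HIPS: ask the user about every action, suspicious or not."""
    return [(act, "allow" if ask_user(act) else "deny") for act in prog.actions]


def policy_sandbox(prog):
    """Let the program in; actions happen for real, except in restricted rooms."""
    return [(act, "deny" if act[1].startswith(RESTRICTED) else "allow")
            for act in prog.actions]


def virtualizing_sandbox(prog, real_fs):
    """Run the program against copies in the basement; real_fs is never touched."""
    shadow = {}     # copy-on-write view handed to the stranger
    log = []
    for verb, target in prog.actions:
        if verb == "read":
            if target.startswith(r"C:\Users\me\safe"):
                log.append((verb, target, "refused"))   # the safe stays shut
            else:
                log.append((verb, target, shadow.get(target, real_fs.get(target))))
        else:
            shadow[target] = f"written by {prog.name}"  # lands in the basement only
            log.append((verb, target, "shadowed"))
    shadow.clear()  # visit over: kill the stranger and dump the body
    return log


if __name__ == "__main__":
    for guard in (blacklist_scanner, anti_executable):
        for prog in (NOTEPAD, OLD_WORM, DROPPER):
            print(f"{guard.__name__:18} {prog.name:16} {guard(prog)}")
    print(behavior_blocker(DROPPER, lambda act: False))
    print(policy_sandbox(DROPPER))
    print(virtualizing_sandbox(DROPPER, REAL_FS))
```

The two hash-based guards are each other's mirror image: the scanner fails open for anything not on its list, the anti-executable fails closed. The behavior blocker stops asking the moment it sees something it dislikes, while the HIPS asks about everything, which is the usability difference the later replies argue about.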
#2
Too complicated.
Blue
#3
Makes sense, though it is rather lengthy.
BTW, for the anti-virus analogy, wouldn't "Mister AntiVirus" constantly be checking the list even after the person enters the house? (realtime protection)
#4
Hurst excluded heuristics in his opening post, so in a sense Mr. Security would not check any further if Mr. Bad Guy was not on the list. Only the known ones from the list would be captured, so to speak. That is, of course, if the name on the list is correct.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
#5
LOL
Hard to understand the policy sandbox paragraph. Non-geeks wouldn't understand... umm so which one do I use? lol
__________________
My favorite free antivirus software: ZoneAlarm Free Antivirus + Firewall = Kaspersky; Kingsoft Antivirus = Avira; Roboscan Internet Security = Bitdefender; Bitdefender Antivirus Free Edition = Bitdefender
#6
Maybe that's because the policy sandboxes were the last that I understood (and I wonder if I understand them completely)... that's probably why I can't explain it in a simple way.
#7
LOL that was great.
I needed a good laugh today.
__________________
I have Windows 7 64 bit, Comodo Firewall 6 set to block, Avast Free Edition, K9 Web Protection set to block malicious and phishing sites only, Zemana Free Anti Keylogger, Comodo DNS, Firefox with NoScript, Adblock Plus, WOT set to block, Secunia PSI, and common sense. ^_^
#8
Quote:
Policy-based sandboxes just forbid untrusted guys (guests who are known as spies, and the girlfriends who came with them) from doing certain things (going into rooms with sensitive information, mixing wine with poison, jumping through windows with a rope and so on) and keep them isolated in one room, specially made for them, so they couldn't blow up the doors and do everything they want to.
__________________
DefenseWall HIPS developer. www.softsphere.com
#9
I must say I like it, I like it a lot. Nice job, HURST.
Of course, I'm not sure if noobs will understand it right away.
#10
What happens when you don't do it by analogy....
At least that's my quick and very approximate take on things. Others may differ, particularly on details. Blue
#11
Quote:
I agree with Blue that your analogy is too complicated. The impression I got while reading it is that you were writing for two audiences... the non-geek and the geek. I realize that you are seeking accuracy (and thus the hidden geek agenda), but my opinion is that if you want to produce a good non-geek analogy, then strive to address only that audience. I used to think analogies were good vehicles to get a greater point across, but have since come to view them as trivializing and unintentionally condescending. And like I said initially, I don't think the average non-geek gives a damn, so the effort is largely wasted. If you stick to a basic, non-analogy approach, then the non-geek friend rises to a level of understanding because of a real desire to learn. If they aren't willing to go that route, spend your valuable time with someone who is.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#12
Quote:
So, maybe I'll reduce it to: traditional AVs, HIPS (and here I include classic HIPS, behavior blockers and sandboxes), and virtualization. Maybe in the HIPS section I'll just focus on the fact that there's no blacklist and the user has to make choices. If he asks more, I can expand on any of them...
#13
@ Blue.
@Hurst. IMO, I think both analogies were nicely done. Great job, guys.
#14
Seems like a nice analogy to me. I can't help feeling that I have seen something very similar to it before somewhere, though if I have, the location escapes me. Maybe just déjà vu.
#15
If you give your friend the tech answers first, you may just scare him off (in other words, "Sorry I asked"). On the other hand, if you start with the analogy he can set the level of techiness for himself by asking questions. BTW Hurst, I've used the house analogy myself; I've used the analogy for computers in general as well as security apps.
#16
This is by far and away the very best security & security products information forum in the world!
I challenge any others to match the scrutiny and/or the depth of details and results that surface from both membership and staff here. On topic, I enjoyed and learned myself from the above explanations, so thanks for that input. EASTER
__________________
★AX 64 Time Machine Current Version 1.1.0.996 ★
★Shadow Defender★
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#17
I don't have much faith in security; I only trust immediate and image recovery, because they don't fail. Once threats bypass my security, they remain on my actual system. Even when I back up my actual system every day, I back up remaining threats as well, and any restore will re-infect my system.

Any security software that requires intervention of users is a bad one, because it asks users what to do instead of doing its job independently like a professional, regardless of which user is behind the keyboard. Only security software based on local whitelists is real security software, like Anti-Executable. AE doesn't need users; it prevents installation/execution of any unauthorized executable, and the worst malware are executables, because they have to be an executable program in order to do sophisticated evil things. AE doesn't ask users what to do; it detects and removes immediately. Unfortunately AE does only executables, so I'm waiting for security software, based on local whitelists, that takes care of all the rest. I have such a complete whitelist already, but it doesn't act immediately; it works only during reboot, and that is in theory TOO LATE. Nevertheless it removes any remaining malware during reboot, and that is also good.

Another professional security software that hardly requires intervention of users is policy-based sandboxes, like DefenseWall. Only in rare cases will DW ask me what to do, and I will always answer NO, because my system is already working properly without needing any changes, good or bad. So DW is always doing right for me. Other sandboxes are also good as long as you say NO to NEW objects.

HIPS and BEHAVIOR BLOCKERS in the hands of average users are "dangerous" security software, because they ask users constantly what to do. If my bodyguard would ask me constantly what to do, I would get rid of him, because that man doesn't know his job.

SCANNERS have missing signatures and false positives, like any other blacklist-based security software. Protecting your system with blacklist-based software = Russian roulette. That's why I don't use them anymore. My whitelist-based Anti-Change scanner does a much better and faster job, and I only need one. In practice, I have beaten all scanners of av-comparatives and many more.

My system is only good for testing scanners on false positives. My ultimate weapons that remove any malware are my zero tool and clean images (ShadowProtect), in order to remove malware that changed my hard disk in another way (low level) than using bad objects. Unlike most users, I don't back up my actual system, which has been online too long and can possibly be infected. Instead of that I renew my actual system with a clean updated system that has hardly been online. I consider any object that was not in my original system as UNWANTED, and it doesn't matter if it is good or bad; it simply doesn't belong there. That keeps me completely in control. I'm the boss, not some malware or bad guy. I don't even have to work anymore to keep my system clean. I only boot, reboot and keep my system up to date, nothing special about that. I only replaced wrong-but-easy classical procedures with new and correct procedures. I work theoretically and I'm not interested in malware or bad guys; they already get more than enough undeserved attention in the media.
__________________
ErikAlbert Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR Malware Survival Rate = 0.00%, but each malware has my sympathy.
Last edited by ErikAlbert : June 15th, 2008 at 05:11 PM.
#18
Quote:
#19
Quote:
Faronics' AE would do themselves and its customers proud if they would also include a whitelist of "known", "unchanged, untampered with" scripts. In the meantime the only software I know is trustable is ScriptDefender, but then its uninstall never returns all the defaults as they were. Really wish AnalogX would address this finally. But at least I have ALL the default associations ready to return thanks to Doug Knox's now age-old reg files. I know I can put them right again when or if I decide to uninstall ScriptDefender.

Why no developers even bother to fill in this area with a simple app of their own is beyond me. EQS (HIPS) can help too, but like Eric says, it's not an average user's security program no matter how strong it might be. And an average user needs something to do the job for them; for that matter, so do even the learned users, because I always thought computers were designed to accomplish even these types of tasks on their own without my having to sort through what a pop-up is alerting to.

It's not occurred to many, but to some an app to "restart" any running process that's been shut down either through a malware attack or a Windows Explorer "burp" is another in my *MUST HAVES*. But I don't see even freelancers breaking down the doors to fill this gap with a small app to serve that purpose. Shame, shame.

In all my researching malware and variants with testing and pitting against security software, I'm still human and haven't a clue how to protect the MBR from an attack that might evade normal security program means. Would be useful for something immovable & safe to ward off and alert to potential MBR tampering. Now "that" alert & answer would be a no-brainer. I really don't favor the removal-after-the-damage-is-already-done scenario either, and that is why I prefer whitelisting like AE offers alongside my (HIPS), but we are in the minority there.

The average user isn't interested in being interrupted by a pop-up when they're working on an essay, game, or other PC doing. Deep Freeze is another Faronics "winner", until an MBR infector comes calling or something designed specifically to take it down. Just how strong can self-protection become before another clever coder finds the loophole? Windows is full of them, patches or not.
#20
Quote:
A suggestion: http://www.taskcatcher.com/
#21
Quote:
Thanks tbay2athome: I have had that app offered as an alternative many times already, and I did try it, but I'd really prefer, if it becomes possible at some point, just a solo app like what's incorporated in the HIPS System Safety Monitor. It escapes me at the moment why TaskCatcher didn't suit me, but it can't hurt to try it yet once again and see what it is that wasn't satisfactory enough. Thanks EASTER
#22
You should also tell your friend that all the guards will also be following him, his wife, his kids and his friends and poking their nose in everything they do and constantly interrupting for permission or block their way when they try and get a glass of water.
He will then say something like "but that's bloody ridiculous, they will get in my way and slow me down". And that's when you get to describe user interventions, silent operation, slowdowns, effectiveness and the tradeoff in all these, which is what security software is all about.
#23
Quote: