Antivirus and App Whitelisting

Discussion in 'other anti-virus software' started by sinlam, May 27, 2013.

Thread Status:
Not open for further replies.
  1. siketa (Registered Member; Joined: Oct 25, 2012; Posts: 2,718; Location: Gaia)
    I think you can get it for free. ;)
    I will contact Melih to check it.
    For others you have to pay.

    Edit: It is not free.
     
    Last edited: Jun 11, 2013
  2. siketa (Registered Member; Joined: Oct 25, 2012; Posts: 2,718; Location: Gaia)
    Initial whitelisting takes a long time to finish.
    It is similar to Safe 'n' Sec.
    Can you make some kind of a system snapshot instead?
    This is the approach used by VoodooShield and requires no scanning of a hard drive.
     
    Last edited: Jun 11, 2013
  3. andyman35 (Registered Member; Joined: Nov 2, 2007; Posts: 2,336)
    I decided to sign up for the Beta, I like the concept and wish this project well :thumb:

    Perhaps you'll be able to get a dedicated forum on here if there's sufficient interest, it'd aid development.
     
  4. atomomega (Registered Member; Joined: Jul 27, 2010; Posts: 1,290)
    In time you will learn that (almost) everybody has a favorite AV vendor in this forum.
    For example, I could say that I vote for Dr. Web's engine/signatures instead.
     
  5. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Wow, you seem to know Melih well. Are you an employee from Comodo? I will be keen to know what's the outcome after you have spoken to him.

    Just to clarify your last sentence. Which one are you referring to as not free - Comodo or others?

     
  6. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hmm, haven't thought of that before... will explore it further if this forum really takes off... Thanks for the suggestion :)

     
  7. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    This is getting interesting. Why Dr Web's engine?

     
  8. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Understand where you are coming from...
    There is always a trade off between CPU resource usage and speed.
    If we allow an application to perform faster, it means it will consume more CPU resource.
    Currently we have set the initial whitelisting in such a way that it will slow down when you are doing work, but it will increase the speed once the CPU is idle.
    The purpose of slowing it down is to give more resource to you (and other applications), so that you can do your daily activity smoothly.
    It also depends on how many files you have on your hard disk.

    But you do have a point there. We will look into your suggestion and see how we can speed up the initial whitelisting process.


     
  9. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hi Siketa, another factor that contributes to the slowness is that before we set an application as trusted, we scan it first using ClamAV.

    We will look into this to see what can be done to speed up the performance.

     
  10. siketa (Registered Member; Joined: Oct 25, 2012; Posts: 2,718; Location: Gaia)
    sinlam, thank you for the detailed answers. :thumb:

    No, I am not a Comodo employee... just an active member on their forum and also a translator for the CIS product. :D
    Melih confirmed that Comodo AV is free only for home users.
     
  11. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hi guys, a new version 1.0.28 is now available. You can view the latest release note at the resource center for the modifications. Have fun testing!
     
  12. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hello guys, our long-awaited new beta version 1.0.29 is finally out. We have made a few minor bug fixes and some enhancements to the UI. You can view the latest changes in our release note from the resource center. Please check it out.

    We are drawing nearer and nearer to the official release of SecureAPlus. Do watch out for it!
     
  13. blasev (Registered Member; Joined: Oct 25, 2010; Posts: 763)
    the first whitelisting product for me :D

    noticed a few things on 1.0.29
    ClamAV is surely heavy, turned off, maybe you can make this an optional install from the first setup
    first-run whitelisting is slow, and I didn't do anything with the pc

    haven't tried this for long, will post again later
    ps: I use this with panda cloud, wokhan windows firewall, and also sandboxie
     
  14. khanyash (Registered Member; Joined: Apr 4, 2011; Posts: 2,429)
    Tested the latest beta on a real XP SP3 system with approx. 70-80 ZeroDay Malware.

    I think application whitelisting needs system restarts coz after whitelisting completed I tried Fake AV & it installed & killed this.
    Application whitelist completed & system restarted, then it worked fine & gave popup "Untrusted, not signed" for all the malware.


    When you get "Unsigned File" popup, you get option allow/block & treat as trusted installers.
    Block - You will again get the popup when you try to run the file again, Good...And I think a check box below allow/block or under More Options, Block Permanently option would be good.

    Allow - When allowed, the file becomes trusted. I think the same as the block option would be good here, i.e. allow - one-time allow, allow with check box ticked - permanent allow (currently the check box option is not there)

    Treats as Trusted Installers - on the popup, under more options - this option is there.
    Does the popup differentiate between files & installers, i.e. does the popup mention Unsigned File for files & Unsigned Installers for installers?
    Coz for all the 70-80 malware I tested, I got Unsigned File popup only, for Fake AV too.
     
  15. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hi blasev,

    Based on feedback from several beta testers, we have already made the AV an optional installation for the commercial ready version. It is going to be launched soon. So watch out for it ;)

    The speed of the whitelisting really depends on the number of applications and files that are on your pc. Initial whitelisting can be a painful process as it basically whitelists everything on your pc but it is necessary for a more robust protection. The slowness may also be attributed to the AV scanning but this will no longer be a problem with the commercial ready version which allows the option of not installing the AV.

    Feel free to give more feedback :)

     
  16. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hi narenbisht,

    We need to do further testing on the part about the system needing a restart after application whitelisting has completed. Good feedback :thumb: To assist us in our testing, where was the malware sample stored when the whitelisting was in progress - on the pc hard disk or an external disk, USB flash drive?

    Comments on your suggestions:

    Block - We didn't add the block permanently option because if it is malware, it is more advisable for the user to delete the harmful file instead of blocking it permanently.

    Allow - Good suggestion :thumb: We will keep this in mind and add the option "trust one time only" in future.

    When you run an untrusted executable file, we cannot really tell whether it is an installer. So a popup with the message 'This file is not signed' appears.

    Let's say you are running the 7-Zip installer from Windows Explorer.

    After trusting the 7-Zip installer, it will start to install the executable file. At this point, it is detected as an installer with the popup that says 'This process is not signed'. Here, we only mention that "the process is not signed" instead of "Untrusted installer" in the message. The key reason is that not every process that creates an executable file is an installer. For example, a browser can create a new executable file when the user is downloading the executable file from the Internet. But we cannot call this an untrusted installer.

    We do have different popups when we suspect that the process is an installer or when it is signed or unsigned. We also provide details on what executable file is created, and whether it is signed or unsigned.

    Hope this answers your query.


     
  17. khanyash (Registered Member; Joined: Apr 4, 2011; Posts: 2,429)
    The samples were in harddisk, in my documents folder I created a folder & the samples were in it.

    I wasn't able to update the AV databases. I tried app 5 times & every time halfway it failed giving errors. I don't remember the errors now but something like invalid recd, unblock recd, etc...

    As others have mentioned, Initial Whitelisting is damn slow, on 4.76 GB harddisk full here it took approx. 45 mins to an hour. Clam AV is damn slow & the detection is poor.

    One thing I forgot to mention in my previous post, sometimes the popup appears 2-3 times, i.e. you run an app, popup appears, you hit NO, then again popup appears, you hit NO then again popup appears, you hit NO & finally it settles.

    Block - I still think a permanent block option would be good.
    Allow - I think one-time allow should be the default action, with the current option, i.e. trusted, i.e. permanent allow.

    By the way, if an app is allowed or treated as trusted installer, right-clicking the app shows the trust level but nothing in the GUI, right? I think it would be good if the GUI had a Users Trusted Apps List & Users Trusted Installers List.

    It's good that apps signed but not whitelisted by you are not automatically allowed but the popup mentions signed, not whitelisted.

    Whitelist - For your product to be used by the majority, the Whitelist needs to be a huge one, up-to-date with the latest versions & malware free.

    Any plan to replace ClamAV with other good AV?
     
  18. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hello Narenbisht, happy to see your feedback. Please keep them coming ;)

    Here's the reply to your query:


    > The samples were in harddisk, in my documents folder I created a folder & the samples were in it.
    We have tested this and found that this is a bug that occurs only in Windows XP. We will fix this and may release a new beta version next week.

    > I wasn't able to update the AV databases. I tried app 5 times & every time halfway it failed giving errors. I don't remember the errors now but something like invalid recd, unblock recd, etc...
    I suspect that maybe the ClamAV virus definition file is somehow corrupted. To confirm, you can try to do the following:
    - Go to C:\Documents and Settings\All Users\Application Data\ClamAV\db
    - Delete bytecode.*, main.*, daily.*
    - Delete "clamav-*" folders if there are any.

    > As others have mentioned, Initial Whitelisting is damn slow, on 4.76 GB harddisk full here it took approx. 45 mins to an hour. Clam AV is damn slow & the detection is poor.
    Yes, agree. We will definitely think of a way to improve this.

    > One thing I forgot to mention in my previous post, sometimes the popup appears 2-3 times, i.e. you run an app, popup appears, you hit NO, then again popup appears, you hit NO then again popup appears, you hit NO & finally it settles.
    Can you please share with us which application causes this popup to appear 2-3 times? We hope to reproduce it on our side so that we can diagnose it further and then fix the bug.

    > Allow - I think one-time allow should be the default action, with the current option, i.e. trusted, i.e. permanent allow.
    I think one-time allow should be kept as optional. It is useful for technical or advanced users who want to first test and analyse the cause before deciding whether to trust the application later. Only on very rare occasions, the users may see an executable file suspiciously execute by itself when they didn't run anything. In this scenario, the users may choose the one-time allow option.

    > By the way, if an app is allowed or treated as trusted installer, right-clicking the app shows the trust level but nothing in the GUI, right? I think it would be good if the GUI had a Users Trusted Apps List & Users Trusted Installers List.
    Another good suggestion :thumb: :) . We will look into it.

    > It's good that apps signed but not whitelisted by you are not automatically allowed but the popup mentions signed, not whitelisted.
    If you see a popup which states that the file is signed, it means that it is signed but not whitelisted because you have never trusted this software vendor before.

    > Any plan to replace ClamAV with other good AV?
    We will be launching SecureAPlus freemium in a couple of weeks' time. It is free and anyone can download it. In this version, we allow users to choose whether to install the AV. We are also coming up with an exciting new and improved AV solution around the end of this year, for which we have already filed for a patent in the US. Please watch out for it ;)


     
  19. Well, add an option to auto allow signed executables from user determined publishers/vendors and you will have the best freemium AE solution available. Glad we could convince you to drop the clam AV. Now your marketing and sales can be focussed on the advantages instead of weaknesses.
     
  20. khanyash (Registered Member; Joined: Apr 4, 2011; Posts: 2,429)
    I did a test with malware so no specific program to share. If I do another test & the prob occurs will share the malware programs.

    For me, one-time allow as default is always safer, one can allow permanently if the need arises, it's your call.

    You mean In-House AV?
     
  21. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    We will do further testing on the error you are facing. The next beta release may be next week. I will announce it once it is out.

    Regardless of our current stance, we will still take note of your suggestion. If there are more requests for this requirement, we will definitely change it. Just like the AV, which we have changed and made an option during the installation based on numerous beta testers' feedback.

    As for the new AV, do watch out for the next beta program in a few months' time ;)

    Have a wonderful weekend :cool:

     
  22. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    As far as possible, we will try to heed the advice from the beta testers / users. Ultimately, they are the users and they deserve to use software that makes them happy.

    By the way, those beta testers who have registered with us will be getting a perpetual free user license for the commercial ready freemium version. I will furnish more details as the closing of the beta program draws nearer.

     
  23. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Sorry, I think I have missed out on your comment regarding 'auto allow signed executables from user determined publishers/vendors'. SecureAPlus does have this auto allow feature but I am not sure if this is good enough. It will be great if you can advise us.

    We have included some of the signed executables from popular publishers/vendors like Adobe and Microsoft in the trusted certificate list by default. During the whitelisting process on the computer, the signed executables that are not found in the existing list will also be automatically added into the trusted list. So any programs that are found in this trusted list will be allowed to run automatically without any prompting. We also provide the option whereby the user can manually add or remove certificates to the trusted list.

    Thank you so much for the encouragement :) We really hope to build the best freemium solution by listening to the comments from the beta testers and thereafter, from the users after the soft launch.


     
  24. Well there is not much to ask for then, great thanks :thumb:

    Knowing the Wilders community a little, I think the following features should be considered (when this does not interfere too much with your release planning)

    1. At program install, provide two options
    a) automated configuration
    b) manual (expert) configuration

    Automated configuration would build the whitelist automatically for the user.
    Manual configuration would ask the user to build up the whitelist for directories the user can select/specify. The reason for this strict user control is because many Wilders Members want to control what they allow themselves (most relevant for FireWalls and Anti-Executables). In their eyes full control is the rationale behind a whitelist application, hence they should decide what to allow.
    I would for example choose C:\Windows first; coming back to the choose folder option dialogue I would add C:\Program Files\Common Files (because some hardware-related programs reside there) and then choose "Finish setup".

    2. With the manual add/remove option also provide an option
    a) Allow all executables from this signer (trusted Vendor) when adding a certificate
    b) Deny all executables from this signer (blocked vendor) when removing a certificate
     
  25. sinlam (Registered Member; Joined: Jan 2, 2008; Posts: 569)
    Hi Windows Security, it is great to see your comments :thumb: :) .

    Here's my reply to your comment:

    #1 - Sorry but we don't have the expert configuration at this moment but your suggestion makes us realise the possibility of adding this option in for the advanced users. We will keep this in mind.

    There is a way to work around it but you need to do it manually for now and it can be a bit tedious. You can just whitelist from a sample machine that has already installed everything you wish to whitelist (e.g. C:\Windows and C:\Program Files\Common Files). Other folders which you do not wish to whitelist can be deleted. Alternatively, if you do not want to delete them, you can simply untrust them after the initial whitelist is completed.
    Then, bring this whitelist file to the other machine which you want to use for testing. Put the exported whitelist in the same folder as the installer and install the whitelist. The detailed steps can be found in chapter 4 of the SecureAPlus Installation Guide which can be downloaded from the resource center in the SecureAge Beta Portal.

    #2 a) - We have this option to add / remove cert manually. Please see the image below. As long as an exe application's cert is in this trusted list, it will be allowed to run. I am a bit concerned... It seems like this feature is not obvious to the user or am I missing something? Is this feature good enough or you have something in mind?

    [Attached image: saplus_aw.jpg]

    #2 b) - Currently, we do not have a special list for deny certificate. But as long as they are not in the Trusted Cert list, the executable from the signer will be denied.
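
A minimal model of the allow decision sinlam describes in this thread: a per-file whitelist built at initial whitelisting, a trusted certificate list to which signers found on disk are auto-added, no deny list, and "allow once" versus permanent allow. This is an added example, not SecureAPlus code; the SHA-256 keying, the `Exe` and `Policy` names and the pre-verified `signer` field are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

ALLOW = "allow"
PROMPT_UNSIGNED = "prompt: file is not signed"
PROMPT_SIGNED = "prompt: signed, but signer not in trusted list"

@dataclass(frozen=True)
class Exe:
    path: str
    content: bytes
    signer: Optional[str] = None  # assumed result of a signature check; None = unsigned
    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class Policy:
    hashes: Set[str] = field(default_factory=set)   # per-file whitelist (assumed hash-keyed)
    signers: Set[str] = field(default_factory=set)  # trusted certificate list

    def initial_whitelist(self, files: Iterable[Exe]) -> None:
        # Every file present at snapshot time is trusted; signers found are auto-added.
        for f in files:
            self.hashes.add(f.digest())
            if f.signer:
                self.signers.add(f.signer)

    def evaluate(self, exe: Exe) -> str:
        if exe.digest() in self.hashes:
            return ALLOW
        if exe.signer is None:
            return PROMPT_UNSIGNED
        # No deny list: a signer absent from the trusted list is simply not allowed.
        return ALLOW if exe.signer in self.signers else PROMPT_SIGNED

    def answer_prompt(self, exe: Exe, allow: bool, permanent: bool) -> bool:
        # "Allow once" leaves the policy untouched; permanent allow trusts this exact file.
        if allow and permanent:
            self.hashes.add(exe.digest())
        return allow

def demo() -> dict:
    # Constructed sample data: paths, publishers and file bytes are invented.
    policy = Policy(signers={"Microsoft", "Adobe"})
    policy.initial_whitelist([Exe(r"C:\Windows\notepad.exe", b"np", "Microsoft"),
                              Exe(r"C:\Tools\7z.exe", b"7z-v1"),
                              Exe(r"C:\Apps\acme.exe", b"acme", "Acme Ltd")])
    new_tool = Exe(r"C:\Downloads\tool.exe", b"tool")
    results = {
        "whitelisted": policy.evaluate(Exe(r"C:\Tools\7z.exe", b"7z-v1")),
        "modified": policy.evaluate(Exe(r"C:\Tools\7z.exe", b"7z-v1-patched")),
        "auto_trusted_signer": policy.evaluate(Exe(r"C:\Apps\new.exe", b"new", "Acme Ltd")),
        "unknown_signer": policy.evaluate(Exe(r"C:\Apps\s.exe", b"s", "Other Corp")),
    }
    policy.answer_prompt(new_tool, allow=True, permanent=False)
    results["after_allow_once"] = policy.evaluate(new_tool)
    policy.answer_prompt(new_tool, allow=True, permanent=True)
    results["after_permanent_allow"] = policy.evaluate(new_tool)
    return results
```

The `auto_trusted_signer` case shows why the state of the disk at snapshot time matters: in this model, one signed file present during initial whitelisting trusts every later file from that signer.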



     