If one cannot detect how it can protect/prevent?

The debate on detection rate of antivirus is going every where on all most every tech forum but I cannot understand the conclusion come out of this debate.

The function of Antivirus Software are:
1..Prevention
2..Detection
3..Removal.

The various av testing labs test the products and give the result on basis of detection rate and usability.

I read many forum members and the person(company staff,moderator other) related to the product which generally get poor result explain that their product mainly care about prevention and one will be safe with their product.

My point is How does an av which cannot detect a malicious sample as threat can prevent it from causing infection in system.

As for example:
Avast may have not good removal capability and it detect a threat on my system but it cannot remove it I can at least Trust Avast as it warn me about infection and I can take help of other software to remove the infection.

But in the case I use av which cannot detect the threat say Webroot,I will think my system is safe and I will not take any steps to remove the threat as early as possible.

Webroot claims that the av will detect threat in few days and system will be back to clean state but in the mean time if I use some sensitive data on my system will they be safe?

My question is again the same,Product whose detection rate is not as excellent as others,how can prevent an infected file/process/software to stop infect one system.

Thanks

Please note this thread not resemble to any specific product but the name of product given are only for examples.

 

By using internal behavior blocker or sandbox.

 

Even if you have an av with the best detection rate, there is no guarantee that in case of infection it will detect the malware in your comp.

 

There is no guarantee you will be cured after taking medicine when you are ill but one takes best treatment to get rid of disease,
It does not mean ill people should not take medicine as death is the real truth of life

 

Your example is wrong as detection is not "cure". "Medicine" is removal.

 

The way I see it, an AV should be installed on a clean system. if it is not clean then the OS should be re-installed or use an image of it. If these solutions aren't available then the system can only be cleaned (or attempted to) with several scanners, it can be time consuming, and there is no guarantee of a thoroughly clean system in the end (although the OS may function properly).

At this stage an AV can be installed which will detect and block ideally malware from accessing the system. Most companies are doing a good job nowadays, but to rely only on the AV is wishful thinking, at least another layer is required IMO as well as imaging your system.

 

This has been discussed several times in here... i.e. by preventing data leakage by its identity shield module. No malware is yet known to bypass this protection.

 

i PURPOSELY infected my machine () BUT i can say webroot worked exactly as it should. when testing with a keylogger it did not allow the info to be recorded.

 

"My point is How does an av which cannot detect a malicious sample as threat can prevent it from causing infection in system."

I can only answer for us.

If an infection is missed at its first execution it may still be stopped if its secondary components are downloaded from blacklisted IPs or if the secondary components are detected. A sample may also be missed but protection could stop its source completely thus the missed sample would never even make it to your system.

 

Medicine can only relieve symptoms, it cannot cure anything. Hence, the common cold. Antivirus software acts the same way; however, like a flu shot it may or may not prevent the virus. Like the precautions you may take to avoid a cold or the flu, precaution must be taken to avoid being infected (safe web use). However, most people don't know how to prevent being infected or think they are invulnerable to infection.

 

Well put MADx. AV can not prevent an infection. It can detect it and it can delete it, but only if it is a known malware. That is why I do not like AVs. It is kind of impossible to get infected these days, just by following basic security rules and above all: IE and Chrome are sandboxed. Email services scan email attachments. Windows has UAC, etc.

 

Sandbox can be the answer:

known good file get through
known bad file is blocked
and the "SUSPICIOUS" program will be isolated till evaluation

but we have another kind of antivirus....
comodo
As it claims,known good file get inside
known bad file is blocked(the same protocol till now)
and "THE UNKNOWN" file will be isolated(sandbox) till evaluation

 

well antivirus program these days don't just use a black list.
Most use a whitelist and a blacklist and then screen any unknown programs.

 

In regards to your Avast comment, it is a matter of emphasis between different AV manufacturers. Avast has developed of reputation of being excellent at blocking malware from entering your system. On the other hand as you have personally discovered, its removal capabilities are not at the same level.

There is currently a heated debate in the AV community if the the traditional AV model, the one that is based on signatures, is going the way the dinosours went. It just can't keep up with the multitude of malware being introduced on a daily basis.

The other two methods of malware detection are hueristics and behavior. Both were developed to thart the impact of 0-day malware.

Most tradition AVs incorporate some form of hueristic checking. Hueristics simply explained checks for "patterns" in software code that are of a suspicious nature. As such hueristics suffers from mistaken identity i.e. false positives.

Behavior detection on the other hand examines what the software actually doing. If it is accessing or attempting to modify protected system software for example, it treats that software as potential malware and blocks it. Some AVs include a basic form of behavior detection. However in most cases, behavior analysis is reserved for HIPS, Host Intrusion Prevention Systems. These usually packaged as part of a comprehensive firewall. Comodo, PrivateFirewall, Online Amour, Outpost, and the like have HIPS components. There are also standalone HIPS.

One final protection method is isolation. Sandboxing is a example of this. By isolating a process and preventing anything from running outside of the sandbox, the malware cannot do any damaged to the non-isolated portion on the system. Classic exanmples are running your browser within a sandbox.

 

well,your sentences are all correct,but these are also DETECTION
(by malware signature,behaivioral,hueristic,.....)

I think this is the right answer ....

 

Correct!!!! if it is something like Zeroaccess then no antivirus so far is able to remove it in normal windows enviroment..but:

Prevention is better than cure

and avast has excellent reputation for prevention IMHO

 

SBIE or better yet Returnil.

 

I've seen many cases where even if the AV detects the threat it can't delete it. People have to rely that the Av will detect the threat before it finish downloading. Sometimes the AV fails in both and it's party time for all sorts of malware.

 

Modern medicine is all about diagnosing and treating patients. A lot of the times treatment results in complete recovery or a "cure." For diseases that we have no cure for, we generally try to find preventive measures. That's how we came up with flue shots, MMR and other vaccines. The only part of medicine that deals with symptomatic relieve is for those terminally ill. For example end stage cancer, advanced AIDS, etc. And we even do have cure for certain forms of cancer, especially when caught early on. It could be as simple as surgical removal after which you will be 100% cured or as complicated as radiation therapy. There is for example cancer called choriocarcinoma. Even with distant metastasis to the brain and other organs we can provide patient with nearly 100% cure rate via chemotherapy. Also there was a case recently when patient with AIDS was cured via bone marrow transplant (although still debated). To say that medicine can only relive symptoms and not cure anything is an insult to my field.

Now going back to this topic. If you want to compare Medicine with Antivirus. I would say you are looking at certain AV programs being more concerned about preventive measures. You can use vaccine analogy from medicine. We give you a Hep B vaccine and you are less likely to get infected. Other AV programs might more emphasize about what happens after you get infected. In such case these AVs assume that everybody will get Hep B and look for the best antiviral solution instead. Now if you ask me which one is more important then I would say both. 1) There will be always someone who claims "but doc I know my body..." and not take the vaccine or 2) The vaccine will fail. In such cases not having plan B can be devastating. So both, good preventive measures and good detection/cure rates are important. Once your preventive measures fail you need to have a good alternate solution to the problem. Hence we got layered security idea here in wilders. In medicine it works exactly the same, or at least we strive as much as we can to make it so.

Another idea you may want to consider modern airlines. If something breaks, you usually got ~5 back up systems. Any AV that relies on 1x back up and states that others are less important inherently has a problem.

 

Other than what's already discussed, an AV can still prevent a malicious sample by blocking its source (website, e-mail, etc.)

 

I still think it is a waste of money. No matter what brand people still get infected because avs don't detect all the stuff they should detect. For example they should prevent all toolbar installations. But they don't because that will get them in trouble with big friend google and others.

 

People do need to not be stupid as well. it is easy to untick a box to not install a toolbar. Antivirus products do protect well But keeping all software up to date and learning not to click yes on everything will help alot. Not all toolbars are bad but I dont like them so do not install them.
Both criminals and antivirus companies are both getting smarter and it will always be a cat and mouse game.

 

They need to come out with more passive security measures. Giving my 80 year old grand mom HIPS and asking whether SVHOST.EXE is trusted doesn't help much.

 

Why should they? Toolbars often come with other software installers and will only install if you allow them to do so. Blindly clicking "Next" during every installation (like most people do) is like signing for an insurance policy without reading any terms stated in it, then blame the police for not stopping you from doing so.