If you could design your own anti-malware program?

I think it would be neat to see what features people would put in their program if they could design it. In other words, please describe the "ultimate" antimalware program. Also, let's try to:

1. Be realiastic and
2. Not simply plug your favorite program, but really try to think of something new.

My program would have:

1. A sanbox...say similar to sandboxie
2. HIPS...But unobtrusive easy to use HIPS like Cyberhawk
3. Active Protection...Like Spysweeper, Spyware Doctor, Counterspy
4. High detection and removal rates with low false positive rate
5. All the conveniences like programmed scans, autoupdates, etc
6. Low to medium resource usage...this might be the pipedream part
7. Logically laid out gui, easy to use.

None of the above is new, but putting it all in one package is. But the above program would be my dream anti-malware program.

REALISTICALLY...What do you think minimal memory usage for a program like the above would be?

 

I am still somewhat new so I wouldnt know maybe 45Mb?

 

So would you want all of that in a program or prefr to have separate programs for the different functions?

 

Hello,

This question was asked in the HIPS thread, so my answer is:

A driver that sits between kernel and user.
Whitelisted apps can run.
You can add new apps by selecting their installer and allowing to execute.
No popups or anything.

Requires user to avoid installing ****. Otherwise allows full transparency during daily work.

This is basically WinLinux.

Mrk

 

MrK, Anti-Executable does that, sort of, no?

 

A really good HIPS thats already been developed using a kernel level driver, that has a sandbox incorporated into it and can protect files from deletion modification etc.

 

Hello,
When I think of it, sounds like it. I never looked too deep into AE. But yes...
Mrk

 

One question.
Who or what kind of user is this being designed for? What I would like for myself and what would work for the average user are 2 completely different things.
Rick

 

It is being designed for you!

My program. is being designed for the average user, because I am a average user.

 

Well if i could design my own anti-malware program I guess I would get someone who knows way more than me to design it. I wouldn't use anything I designed.....

Requesting features is one thing, but "designing" the whole bloody thing from ground up? No way.

 

errr, DA, the question is "If you could ..."

 

if I could, I wouldn't. cos i would come up with rubbish.

 

Then we would all say: ha, it doesn't even handle dll loading! What a piece of crap!

 

As long as this is "if you could", because I couldn't begin to code such a thing.
I wouldn't want a single program. I'd want several free standing programs designed to be used individually but able to integrate with each other and work together, without the need for any central core or control program.
The individual programs would include:
1, A rule based firewall, with both global rules and rulesets for individual users. It would have a Kerio 2 style interface but be IPv6 compatible. It wouls also have several "custom address groups" for which separate rules would apply. There'd be a hotkey for blocking all traffic with a single click.
2, A HIPS program, with separate global and user rulesets. It would be similar to SSM in basic concept, except the registry protection would be a separate program. It would also be more flexible in regards to the "depth" of operation, being able to be set to monitor and alert on anything from just new processes to listing every DLL, driver, etc when the user wants more info, but not requiring the user to answer prompts of that nature unless the user wants to. This would be configurable on a per application basis, not a global setting.
3, A file and file system protection program. Besides preventing changes to either files or the file system, it would also back up the files/folders being modified or replaced, giving the user the option to restore the originals whenever they chose, on a per file basis. It would also function as an install monitor. It would also be able to open any changed or new file to either a text or hex editor.
4, A registry protection program that works the same way as the file system protection. It wouls also include the ability to load several user defined "test registries" for trialling new software without changing the main system registry.
5, There would be a web filtering app that performs the functions of Proxomitron that can actively integrate with the firewall to block certain types of content as well as with the HIPS component to stop specific activities from being started by all but a short list of trusted sites.

All the components would function together, but share no common components. That way, a failure in one wouldn't crash the others. As an install or update monitor, they would not only list file and registry changes, but would be able to produce a record of every system command or call made during the process, including a copy of all data sent or received from the net in the process.

As long as I don't have to build it, this is what I'd like. Give or take more features I didn't think of just now.
Rick

 

for me, the ideal anti-malware would have a HIPS and registry protection working with both whitelists and blacklists. the entire package would be use little resources and its options would have a Beginner and Advanced mode.

 

OK, i guess i can give an opinion already

If i could, i would do Prevx1, with firewall module, sandbox module, password protected, that one could easily define what normal users (non admin) can or not do. A way that makes me comfortable to let friends use the computer without messing/ infecting it.

 

Yeah, like all you guys I want every conceivable technology you can think of (even unthinkable ones) plus the kitchen sink too!!!

 

Actually,The biggest difficulty is update virus database frequently and forever

 

I see the value in discrete applications that watch each other
rather than an all inclusive central application that if its successfully exploited has the potential to go undetected.

I think the most rational approach is to accept that from time to time you will be unable to prevent a subversion, or inadvertently approve a subversion. But that the most important thing is knowing that it has occurred and you can quickly re-image the whole system partition back to a known clean state.

So the more tripwires and decentralization the better.
Of course that doesnt preclude trying to get the lowest level subversion resistant applications possible.

what Id like is for applications to be intimately aware of the validity of their counterparts.
That "signatures" start to include not just malware but also verify the integrity of installed software
not just the simple changed state, but in-depth verification. Of course the level of cooperation between vendors and potentially rivals makes that unlikely.

Id also like to see many of these discrete applications have a LiveCD counterpart that can be employed offline and outside the OS to verify their own intergity.

 

I see your point and agree. I take back what i said, Prevx1 is great as is.
It's best to complement with other apps, for different purposes.

You're right

I guess that if i could develop a product some more, would be GeSWall, that enforces security policies. Besides highlighting what is untrusted, as the new version apparently does, i would like it to highlight differently when something tries to hide from the user. Like a rootkit, failing to hide itself, highlighted by GeSWall, so we could erase it. It would even pop, to notify that, asking if i want to erase it and everything else that came bundled at the same time (dropper, whatever).

Just me thinking out loud

edit: maybe it already does this, i don't have 2.5

 

Im doing a little thinking out loud too

wouldn't it be nice to have an ap that could verify the kernel itself?
that of course implies that the source code would be available and legitimate kernel level modifications are accounted for, which of course precludes Windows.

But it would be nice to drop a LiveCD into the drive and scan a given box that should match to a known clean state.

 

MrK will drop by soon with a suggestion.
I guess his idea for a antimalware program would be ideal for you too.
I prefer something flexible enough.

 

I'm not a programmer and thus I may well have some fundamentally flawed concepts when it comes to the inner workings of an OS or ap. But when I do finally manage to pound an accurate concept through my noggin, Im very good at translating that into analogies others can understand.

So Id be very interested in a better understanding of kernel level modifications, rootkits, drivers ect.

 

Hello,

I dropped.

The problem with computers is that they depend on the user. Even Linux systems can be destroyed easily. All you need is login as root and install a driver that contains malware. Nothing magical about it.

Therefore, i think the use of the computer should be as transparent as possible. Any decision that you leave the user is one chance more he will screw it up.

My idea was to place a uni-driver that will regulate access to the kernel. Whitelisting will allow work without any interruption. On the other hand, applications that are not specifically approved will not be able to do anything system-wise.

This means that self-contained applications like Portable Firefox, for example, will be able to work. But applications that must leave a trace outside their folders will not unless approved.

Furthermore, for advanced users, I would leave the option of controlling individual handles of a process.

But for everyday users, they would login into their administrator-flavored Windows and run with fully limited privileges without ever knowing it. Approved apps (by the user) will run or be installed without any prompts or popups - because if you trust it and want to install it, you will.

Of course, my model hinges on the user, but that's what we do, after all. We use the computers and we decide what to do. If anyone of you wanted to delete a driver, a .sys file or anything else on your computer, what is there to stop you?

Of course, alternatively, you can simply use Linux.

Finally, Czar that's a very good suggestion. But open-source already exists and works great. So both you and I would be reinventing the wheel called *nix.

As to the live CDs, you can pop one or two in and do a bit of forensics.

Mrk

 

Very well said and right to the point. Nothing really can do anything beyond it's own design or what we allow to happen in front of our eyes.