Network / Cloud latency-->key factor in WSA compatibility with other AV's

Hi PrevxHelp,

Thank you for your answer regarding WSA compatibility with other AV's!

While you claim that "... WSA is smart enough to know that the other antivirus program is a good program..." in fact the main contributing factor in this, so called, compatibility is the network / cloud latency which will determine a delayed detection from WSA compared with a traditional AV with a resident signature database.

In the example mentioned (WSA and Avast) the sequence of events in my test is the following:

1.Right click on a file;
2.With "Avast" disabled , WSA will Quarantine the file in aprox. 0.3-0.5sec.The delay is small but noticeable; WSA has to compose MD5 of that file, send the request on this route:

WSA-->firewall-->NIC card-->router-->modem-->ISP server-->few other servers-->Amazon cloud

In the cloud MD5 is analyzed and a decision to "Quarantine" is sent back following the same route.

Meanwhile, with Avast enabled, the file is being sent instantaneously to "Chest". Files inside the Virus Chest are not accessible for any outside process or software application (see:https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,2,45)

When the request sent by the Cloud to quarantine the file will arrive back to my PC, the file is long gone, quarantined by the other antivirus and there is nothing left for WSA to do.

While from a marketing point of view sounds nice to say "WSA is smart enough to know ..." (the same like WSA will scans your PC in 20 sec or less) I truly believe is not fair for the average user to be lured into buying a product based on false advertising.

Respectfully,

Claudiu

 

The delay you're seeing is just because WSA doesn't need to scan immediately as the file is saved to disk. If the file executes or loads into memory in any way, then it will check in-line with the operation, but it isn't a threat when just sitting on disk so it scans passively.

I still don't see anything false about these claims or any of our advertising, but I'm happy to keep discussing it with you if you like

 

Also consider that if the exact same file is checked on the same system a second time, there is no cloud latency since the MD5 definition of the file is stored locally (You can see it listed as "Block" in the local information), yet the results are the same.

But I agree with the above. Sitting on disk does nothing. Don't waste my CPU or personal time or disk resources scanning it, because I don't care about inert junk. Since it doesn't scan inert junk, my computer runs faster and more efficiently and I'm still protected if the inert junk is activated in any way. Other AV programs waste my time and CPU scanning way too much stuff.

And where did you find "WSA will scans your PC in 20 sec or less"?

 

Hi PrevxHelp,

Thank you for your answer and thank you for not locking up or delete my post

The test was performed with an executable file and the results are those mentioned above.

About your statement:" ...but it isn't a threat when just sitting on disk so it scans passively."

This is , indeed ,an unusual approach from an AV with real time protection; however , if WSA has a pure reactive behavior what is the point in having on demand scans, what is the point in having a "Right click" scan, what is the point in performing a Quick scan upon a detection, what is Website blocking needed for? All these are just sitting there, not doing anything, so?

 

Use honey instead of vinegar and you get better responses. There's a difference between concern/questions and attacks.

Looking at the logs, I think "passively" is somewhat weird to consider. I don't think it means "Waits forever until it runs", but rather looks like it caches. You see evidence of that in the logs:
Thu 2012-09-20 12:29:42.0341 Begin passive write scan (2 file(s))
Thu 2012-09-20 12:29:43.0280 End passive write scan (2 file(s))

That makes sense from a computer performance standpoint. If you procmon a download from some browsers, you'll see that several systems that write files will "Open, write, close" over and over and over. Many AV programs will end up halting access to the file to scan it on every close call. That's just messy. :\

On Demand? Like "Scan Now"? I'd say because a lot of people get way too much glee from pushing a button and watching it do stuff.

Scan on detection has been explained before as finding all the interrelated items and also the sensitivity is increased. That makes sense. Kind of like if you're in your house and you hear a weird noise, you investigate more thoroughly.

Website blocking because of Phishing. ^.^ There's no virus in the "paypall" site, but it will still accept your PayPal login and steal your PayPal account and money.

 

Exactly and just because it is an executable file doesn't mean it's treated differently. It matters if it is an executing file for whether it is scanned synchronously in all cases or not.

 

With respect Claudiu on August 21 - 2012 you said:

('After few weeks I decided to dump WSA and to return to a classic AV.

Thanks,
Claudiu')

You have made your points & have decided WSA is not for you, why continue banging the drum over & over? Either you are looking to improve WSA & use it again? Or do you you feel so aggrieved over your purchase of WSA that you are unable to contain your annoyance? Of course you may have other reasons, if so I'm intrigued as to what they are?

Your questions are lucid & intelligent though maybe hint at the fact that that users of WSA were either born yesterday or dropped off a Christmas tree & haven't yet quite grasped your points regarding WSA & if only you remake them yet again the penny will eventually drop & we too shall move (back) in droves to a 'classic' AV & realise how silly we have been - I have 2 different '3 PC' shrink wrapped classic AV solutions (whatever a classic AV is) in my PC spares cupboard that were given free for my beta testing AV's this year - They are unlikely ever to be used & I can’t sell them: Would you like one gratis?

I for one are willing to chip into a pot to give you a full refund for moneys paid for WSA

You are now heuristically showing all the signs of being a troll though.

Edited twice for grammar as it's 3.30am -

 

"Because heuristic detection can be rather generic, it may be prone to false positives"

http://antivirus.about.com/od/antivirusglossary/g/heuristics.htm

 

That's good! but time for bed here.