OK, AV detection rate, how about disinfection?

Discussion in 'other anti-virus software' started by stvs, Apr 4, 2013.

Thread Status:
Not open for further replies.
  1. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    34
    Location:
    greece
    OK, let's talk about AVs, but this time about the "forgotten" AV factor: disinfection!
    It's obvious that if AV "A" is better than "B", that doesn't mean "A" can disinfect better. The interesting thing is that people are looking to install an antivirus
    based only on detection rate results. I have seen infected PCs where good brand-name
    AVs failed to disinfect 100%, and some "crap" AV disinfected 100%.
    The problem is that it's very hard to test AVs for disinfection on a real machine
    and so easy to test the detection rate. I am always sceptical about all those
    AV detection rate tests on YouTube etc. I would like to know if people care
    about disinfection. Thanks.
     
  2. whitestar_999

    whitestar_999 Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    162
    I don't know about others, but I would never trust a system which was infected & cleaned afterwards. Just like there is no 100% guaranteed AV, there is also no 100% guaranteed disinfection.
     
  3. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    If you go to AV-Comparatives, there are some removal tests, the last one being Nov 2012: http://www.av-comparatives.org/ :)
     
  4. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Repair is also one of AV-Test's modules.
     
  5. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I agree with the above statement, that there is no such thing as a guarantee when it comes to detection or disinfection, but for me the decision to go with high detection rates over disinfection is simple. My goal is to keep my system from becoming infected to begin with, which is why I run multiple sandboxes and conduct several on-demand scans. I don't recover anything directly to my system unless I absolutely need to, and I back up a lot of data to cloud storage, such as mid-term study guides, etc. I do not foresee system infection happening anytime soon, and I'm prepared to completely wipe my system if that should occur. I'm more worried at the moment about being exploited online by phishing scams and other malicious web activity.

    Sandboxes aside, I can understand someone seeking to disinfect a file such as family photos after a massive infection. These are memories you don't want to lose. Folks that torrent really aren't going to benefit from disinfection, in my honest opinion. Why stop at bundling a Trojan with the download, when you have physical access to the application itself? I just don't see disinfection being nearly as useful for the average user if they layer their security and catch the infection before it physically reaches their system.
     
  6. Sprocket

    Sprocket Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    75
    Agreed - I run an AV to tell me when I need to restore from a known-clean system image. (All data files are on a separate partition and backed up.)
     
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Haha then you better change to something better that actually can prevent an infection in the first place :D
     
  8. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    34
    Location:
    greece
    This approach, where AVs and some on-demand scanners are used just to show if you're infected and, if yes, you go for a clean image, is interesting, as I use that method too.
    But for the average Joe, who knows his AV has, let's say, a 95% detection rate,
    it looks attractive; he will have a false sense of security, thinking his AV will
    disinfect the system at the same rate, leaving his computer with many virus remnants and leftovers. There are many cases where after "disinfection" the computer
    looked fine until all of a sudden the same virus emerged again.
    That's why I advise all new users to make a clean image and not trust the AV to disinfect the system (who would really trust any AV or tool to disinfect a system from a backdoor or a nasty rootkit, MBR infector etc.?).
    AV vendors should advise the average user about that backup/clean image and
    forget removal abilities, in my opinion. Thanks.
     
  9. Sprocket

    Sprocket Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    75
    I do that, too, of course - using Norton DNS, running as non-administrator, using a good AV with URL filtering, keeping my OS and applications updated, using a (relatively) secure browser, not installing frequent targets (like Java, Adobe Reader, etc.), and basically practicing safe surfing. You know - the standard recommended practices of a layered approach.

    But back to the original poster's question - when my AV sends up a red flare, I don't bother disinfecting. I restore from a known-clean system image. As Ripley said, "Nuke it from orbit - it's the only way to be sure." ;)
     
  10. guest

    guest Guest

    I agree, any AV that lets malware run is already a failure. With all the technology we can have (HIPS/BB, sandbox, full virtualization, web filters, etc.), being infected is mostly due to the user's fault.

    I'd rather restore an image/snapshot than disinfect, not to mention that some critical areas of the system may be crippled after a disinfection.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I agree with this also, if ever I got infected or even doubted at all, first thing I'd do is restore an image. However, I don't think the average joe user operates this way. But for me, disinfection is of no real concern.
     
  12. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    What is blacklisting for you?

    Just signatures? Generic detection? What is the difference between detection and prevention in your view?

    Behaviour blocking is blacklisting (certain behaviour is blacklisted).

    HIPS is blacklisting with user interaction (certain behaviour is blacklisted and the user must decide if it is ok to allow it)

    Even sandboxing can be considered as blacklisting (some conditions must be met that an application will be sandboxed - if you bypass these, you will bypass the sandbox).

    Every technology has advantages and disadvantages. You can prevent malware with every security technology, not even HIPS/BB/Sandbox, but none offers 100% protection. Every protection technology can and eventually will be attacked and bypassed by malware; even HIPS/BB/sandbox are being attacked, and you can find these bypasses making the news.

    All serious AV products these days combine as many of the available protection technologies in one way or another, trying to achieve the highest possible layered protection with the least amount of performance impact. Even HIPS/Virtualization can be compromised; want to see proof?? Search it up on Google. :argh:

    There is no most prospective AV technology that can prevent everything... Go read AV EULAs. So if something gets past BB/Sandbox/HIPS it can't always be the user's fault; it can also be that the malware that got past was able to bypass it.

    But of course some people around here... will always have the misconception that HIPS/BB/sandbox are ultimate. No wonder COMODO has so many fanboys and stuff with them. :rolleyes:
     
    Last edited: Apr 4, 2013
  13. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    IMHO blacklisting is signatures - gives detection, whitelisting is like TVL in CIS. BB, Sandbox give prevention and they are not blacklisting (or maybe you can call their rules as some "local blacklisting/whitelisting" - IDK). This is how I understand or misunderstand :D .
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    To answer the questions, IMO the terms blacklisting and whitelisting both involve classification. Without classification and the construction of 'lists', at least implicitly, the terms are meaningless. A security model based on blacklisting is inherently default-allow, whereas a security model based on whitelisting is inherently default-deny. Sandboxing and policy restriction do not depend on classification into good and bad, and are therefore neither default-allow nor default-deny.

    The fundamental problem with basing a security strategy around the default-allow model employed by AVs is its permissive nature in relation to objects of unknown status and the risk of classification errors. In order to prevent infection, the classification of objects as good or bad has to be made by the software itself, with all of the problems and risks that arise from false negatives and false positives due to the difficulties of reliable classification. Prevention is only effective if malware can accurately be detected without error.

    The default-deny approach used by anti-execute and HIPS programs is more robust because it is based on whitelisting, not blacklisting. With this security model, the software itself doesn't have to do any classification in order to prevent infection. The software temporarily blocks and issues alerts: It is left up to the user to make the classification as to intent and purpose and decide what course of action to take. This illustrates the difference between detection and prevention. With default-deny, detection by the software isn't necessary for effective prevention. The question of detection is left to the user to decide; it is the user that creates and maintains the whitelist.

    Comparing the two approaches: In the hands of experienced users who know what they are doing and can make the correct decisions, default-deny provides for excellent security, especially for users who like to have full control over their system. However, it may not be suitable for inexperienced users who may not be capable of making the correct decisions, or for experienced users who prefer not to have to respond to alerts and who prefer silent operation. Default-allow provides weaker security, but is suitable for users of all experience levels because the user does not have to be involved in decision making about what to allow.

    Sandboxes and policy restriction programs are neither default-allow nor default-deny. The restrictions that these types of programs impose on running processes do not involve the determination of purpose or intent, either by the system or by the user. Processes are restricted solely in terms of whether behaviour, if allowed, would breach the software's security model. Classification into good and bad is unnecessary. With these types of software, prevention is automatic and mostly silent, with no need for user involvement in decision making. The question of detection therefore doesn't arise at all.

    Sandboxes and policy restriction programs provide a high degree of security that is suitable for both experienced and inexperienced users alike. They are inherently more secure than the default-allow model used by AVs, based on blacklisting. Problems associated with erroneous classification of good and bad are eliminated. AVs do of course in practice combine blacklisting with elements of other approaches: e.g. whitelisting of critical system files, sandboxing/restriction of processes of unknown status, etc. Nonetheless, it has been proven that AVs are less effective overall at protecting the system than sandboxes and policy restriction programs.

    Sandboxing (virtualization) should never be used on its own though. Whilst virtualization is effective at protecting the system, on its own it can't protect the user against the damage that malware can do while running in the virtual environment in terms of access to personal data, monitoring of keystrokes, etc. Some form of blacklisting, whitelisting, or policy restriction should always be used in conjunction with virtualization, either by using inbuilt features of the virtualization program if it has them; or by adding it separately.

    These different approaches can be usefully combined. Whilst it is my belief that default-allow is not the most effective primary security, it can certainly be added as an additional element to the main security as part of a layered strategy. For most users, IMO a primary security built around a combination of sandboxing and policy restriction is likely to be more effective than relying on AV, with AV added as an optional extra. Experienced users who can handle and respond correctly to alerts can also effectively deploy an anti-execute or HIPS program, either as the only security or in conjunction with other approaches.

    In the case of an already infected system, the situation is different. The question of prevention doesn't arise; the system is already infected. In this situation, the detection and disinfection capabilities of an AV are clearly important for remediation. This is especially likely to be the case with inexperienced users who may not be using imaging software, and who may not have enough experience to reinstall the entire system from scratch. For these users, an AV may represent their best chance of restoring the system to normal operation.

    Just some personal thoughts. :)
     
  15. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Right! But every AV technology can be bypassed; even HIPS/Virtualization can be... even mighty uncle Google can find the bypasses.

    Yes, that's correct... Detection=Prevention, but as mentioned earlier everything can and will be bypassed.


    And what about when a piece of malware is added to the TVL list? The default-deny system is not that effective after all... I think the day will come when pieces of malware will be getting digitally signed and they will be bypassing apps like CIS. I mean, some shady-looking rogue-type apps have bypassed CIS because of having a trusted digital signature. Now don't tell me there is no digitally signed malware.

    Everything is as statistically effective in this AV world; no technology is less or more effective if it is default allow or default deny. And could you please enlighten me on the term "default allow" and what you understand by it??

    And what if a company with the default-allow technique creates its own in-house internal sorting systems and detects a lot more than the 90% mark of malware and is very nearly as effective as HIPS/BB/Sandbox? Honestly, a user would click allow on all of those D+ alerts because they think it will do something good for their computer. That is the only reason they would download something.

    Just my 2 cents!

    Thanks! :D
     
    Last edited: Apr 5, 2013
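To make the three models pegr lays out in post 14 concrete (default-allow blacklisting, where the software classifies; default-deny whitelisting, where the user classifies; and policy restriction, which judges actions rather than files), and to show avman1995's objection in post 15 that a trusted-publisher list like the TVL widens "known-good" to anything signed by that publisher, here is an added toy model in Python. It is not code from the thread or from any AV product. The digests, the file names, the publisher name "Contoso Software Ltd" and the protected-path list are all constructed for the example; the last scenario also illustrates pegr's caveat that a restriction model which only guards the system will still let a contained process read personal documents.

```python
"""Toy model of three endpoint security models discussed in the thread.
Added example; the samples, digests, publisher and paths are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK_USER = "ask_user"   # default-deny hands the classification to the user


@dataclass(frozen=True)
class Executable:
    name: str
    sha256: str                      # constructed placeholder digests, not real samples
    publisher: Optional[str] = None  # signer name; None means unsigned


@dataclass(frozen=True)
class Action:
    process: str
    kind: str     # "read_file", "write_file" or "write_registry"
    target: str


# --- Model 1: default-allow (blacklisting). The software classifies. ---
def default_allow(exe: Executable, blacklist: FrozenSet[str]) -> Verdict:
    """Anything not known-bad runs; an object of unknown status is allowed by default."""
    return Verdict.BLOCK if exe.sha256 in blacklist else Verdict.ALLOW


# --- Model 2: default-deny (whitelisting). The user classifies. ---
def default_deny(exe: Executable, whitelist: FrozenSet[str],
                 trusted_publishers: FrozenSet[str]) -> Verdict:
    """Only known-good runs silently; everything else waits for a user decision.
    A trusted-publisher list (the TVL idea) treats any file signed by that publisher
    as known-good, which is exactly where a signed malicious file slips through."""
    if exe.sha256 in whitelist or exe.publisher in trusted_publishers:
        return Verdict.ALLOW
    return Verdict.ASK_USER


# --- Model 3: policy restriction. No good/bad classification at all. ---
PROTECTED_PREFIXES = (
    r"C:\Windows",                                           # system files (constructed list)
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",    # autorun key
)


def policy_restriction(action: Action) -> Verdict:
    """Judge the action, not the file: block modifications that would breach the
    model (persistent changes to the system) and allow everything else."""
    if action.kind in ("write_file", "write_registry") and \
            action.target.startswith(PROTECTED_PREFIXES):
        return Verdict.BLOCK
    return Verdict.ALLOW


def run_scenario() -> Dict[str, Verdict]:
    """Push constructed executables and actions through each model."""
    blacklist = frozenset({"aaaa" * 16})
    whitelist = frozenset({"bbbb" * 16})
    trusted = frozenset({"Contoso Software Ltd"})          # constructed publisher name

    known_bad = Executable("old_trojan.exe", "aaaa" * 16)
    office = Executable("office.exe", "bbbb" * 16, "Contoso Software Ltd")
    unknown = Executable("new_variant.exe", "cccc" * 16)   # on no list yet
    signed_unknown = Executable("shady_signed.exe", "dddd" * 16, "Contoso Software Ltd")

    return {
        "default_allow/known_bad": default_allow(known_bad, blacklist),
        "default_allow/unknown": default_allow(unknown, blacklist),       # slips through
        "default_deny/office": default_deny(office, whitelist, trusted),
        "default_deny/unknown": default_deny(unknown, whitelist, trusted),  # user decides
        "default_deny/signed_unknown": default_deny(signed_unknown, whitelist, trusted),
        # policy restriction looks at what new_variant.exe does, not what it is
        "policy/autorun_write": policy_restriction(Action(
            "new_variant.exe", "write_registry",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc")),
        # ...but a model that only guards the system lets it read personal data
        "policy/read_documents": policy_restriction(Action(
            "new_variant.exe", "read_file", r"C:\Users\alice\Documents\tax.xlsx")),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:30s} -> {verdict.value}")
```

The same unknown sample is allowed by the blacklist model, held for a user decision by the whitelist model, and blocked by the restriction model only at the moment it tries to persist; the signed sample walks straight through the publisher whitelist, and the read of a spreadsheet passes the restriction model untouched, which is why the thread pairs containment with another layer.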
  16. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Sounds good, though IMO Adobe Reader is fine as long as you keep it updated, and I hope you got my point too, as in: if you don't get infected, there's no need to disinfect ;)
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Default-allow simply means that if an executable isn't determined to be bad it is allowed to run. Whilst it may be run in a sandbox by way of mitigation if it looks suspicious, that is by no means guaranteed; it also depends on how well the monitoring and sandboxing functionality has been implemented by the AV.

    It is true that any approach to security is capable of being bypassed, which is why it is usually recommended to combine different approaches to create a layered security. Just because nothing is 100% doesn't mean that there isn't a difference in the effectiveness of different approaches though. It is a fact that the amount of malware is increasing at such a rate that there is now way too much malware out there for blacklisting to be viable as a primary defensive strategy if the goal is to get as close to 100% prevention as realistically possible.

    Whilst there is a huge amount of malware in circulation, there are only a finite number of ways in which the system can be attacked. The use of containment and restriction to reduce the attack surface has been proven to be more successful than an outdated approach that relies on detection of hundreds of thousands of variants of malware all trying to use the same limited number of methods to infect the system.

    Techniques for bypassing sandboxing and policy restriction programs do get reported from time to time, but they are usually fixed very quickly by the developers. These reported bypasses are few and far between though when compared to the number of reports by users of the failure of antivirus to protect. The published test results of the major AV testing organisations also testify to the inability of AV to provide anything close to 100% prevention in real-world testing.

    That's not to say that blacklisting shouldn't form part of a layered security. Some forms of Internet-based criminality can only be prevented using conventional anti-malware techniques based on detection: social engineering for example.
     
  18. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Right! But no one is claiming 100% protection... every piece of security layer is and will be eventually bypassed. Even if it is HIPS or anything else, there is still a fair chance for the user to click allow on everything, and then the default-deny system will not be good after that, and then my choice remains "default allow" and some great internal sorting technology. :ninja:

    Virtualization operates on some rules, and if you bypass the rules you bypass virtualization.
     
  19. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Can you be 100% certain your images are clean?
    A re-installation of the operating system is the only way to be totally sure. ;)
     
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    finickiness :rolleyes:
     
  21. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    What a superb and very clarifying post, and thank you for posting this, Pegr. One of the most informational posts I've seen on this forum for a long time.
    I believe this post should be pinned for future reference. :thumb:
     
  22. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    @true indian.
    Would you be so kind as to stop with your anti-Comodo waffle. Whenever you mention Comodo, you are continually using terms like "bypass" and other tiresome terminology.
    If you don't like the product then simply don't use it, but don't come on here with your anti-Comodo cackling. :ninja:
    Thank You.
     
  23. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I am of the school that wants protection first. Disinfection is necessary only if protection fails. I guess that can happen, but I have never had an infection in 15 or so years of owning computers.
    Admittedly I am a "safe surfer."

    Jerry
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    The major problem with AV sandboxes is that they are not separated from the system like Sandboxie or BufferZone can do. So I can not see anything bad in pointing that out.

    Concerning pegr: sandboxes can prevent some major damage to the system, but not prevent stupidity of the user or malware acting in the sandbox.

    Sandboxie acts this way:
    http://images.netzwelt.de/articles/sandboxie_1180529603.jpg
    Others work similarly.
     
  25. guest

    guest Guest

    To be simple (after Pegr's post ^^), my view is:

    Detection: use signatures or anything that compares a suspicious exe/file to a list/code.

    Prevention: any system that monitors any process trying to interact with/modify the system.

    Yes.

    Not totally true; originally HIPS monitors any and every process (safe or not) running on the system, then generates an alert if a system area is going to be modified, and the user is asked whether to allow/block it.
    Many HIPS are now paired with a whitelist/cloud to ease the user's decision (Comodo with TVL, OAP with the cloud, etc.).

    This is Avast/Comodo auto-sandbox, OA RunSafer, etc. Those sandboxes are not real sandboxes but policy/restriction-based "sandboxes".

    True sandboxes are like Sandboxie.

    Sure, but set them on paranoid/max settings, with other layers to back them up, and then the chance of being infected is very slight.

    Everything can be compromised by 0-minute sophisticated malware, but for how long? Strong products with a large user database or cloud will have a signature quite early.

    Sure, but if you surf to safe known websites (this case can be discussed ^^), never open unknown mails, don't run any cracks or unknown exes, and never "happy-click" the AV popup but read it properly, the chance of being infected is very, very low.


    Comodo is not the best, Emsisoft is! (joking).
    I don't like to use only suites; I prefer to rely on different software for every layer available.

    Example for me: Emsisoft IS + Webroot SA + Sandboxie + Shadow Defender + Rollback RX + a backup image.

    Yes, I do a clean image backup right away after installation & update of my OS, nothing more; after that I use Rollback RX to do snapshots when I install software, drivers, etc.

    I am a paranoid user, so I take all the necessary steps in my knowledge to prevent infections.
     
    Last edited by a moderator: Apr 11, 2013
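Several posters (Sprocket, stvs, Kerodo, guest) say they restore from a "known-clean" image rather than disinfect, and The Red Moon asks how one can be sure the image is still clean. An integrity manifest answers the narrower half of that question: it proves the image files have not changed since they were captured, though it cannot prove the machine was clean at capture time. The following is an added Python example, not code from the thread or from any backup product; the image files, their contents and the tampering step are constructed in a temporary directory so it runs offline.

```python
"""Added example: SHA-256 manifest for a set of backup image files.
Build the manifest right after capture, keep it off the imaged volume, and
verify before every restore. Files and tampering here are constructed."""
import hashlib
import json
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 1 << 20  # hash in 1 MiB pieces so multi-gigabyte image files fit in memory


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(image_dir: str) -> Dict[str, str]:
    """Map every file under image_dir (relative path) to its digest."""
    manifest: Dict[str, str] = {}
    for root, _dirs, files in os.walk(image_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, image_dir)] = sha256_file(full)
    return manifest


def verify_manifest(image_dir: str, manifest: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Return (ok, problems). problems maps a relative path to
    'modified', 'missing' or 'unexpected'; an empty dict means the set is intact."""
    problems: Dict[str, str] = {}
    current = build_manifest(image_dir)
    for rel, digest in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            problems[rel] = "unexpected"   # a file that was not there at capture time
    return (not problems), problems


def demo() -> Tuple[bool, bool, Dict[str, str]]:
    """Constructed scenario: capture a manifest, verify, then alter the image set."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "images")
        os.makedirs(img)
        with open(os.path.join(img, "system.img"), "wb") as f:
            f.write(b"constructed image payload " * 1000)
        with open(os.path.join(img, "boot.img"), "wb") as f:
            f.write(b"constructed boot payload")

        # Serialise the manifest as you would to offline media or a print-out.
        manifest_json = json.dumps(build_manifest(img), sort_keys=True)
        clean_ok, _ = verify_manifest(img, json.loads(manifest_json))

        # Simulate a post-capture change: one byte flipped, one file gone.
        with open(os.path.join(img, "system.img"), "r+b") as f:
            f.seek(10)
            f.write(b"X")
        os.remove(os.path.join(img, "boot.img"))
        tampered_ok, problems = verify_manifest(img, json.loads(manifest_json))
        return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    before, after, found = demo()
    print("intact at capture:", before)
    print("intact after change:", after, found)
```

Keep the manifest somewhere the imaged system cannot write to (removable media, a printout, a second machine); a manifest stored beside the images can be rewritten along with them. A passing check means "the same bytes you captured", which is only as good as the state of the machine when the image was taken.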