@Brummelchen If a machine was infected with powerful malware that can block the antimalware solution's access to the file system, no other solution will be able to detect it. You can only reformat the machine. But afterwards, how can you ensure that you will not get infected again? With traditional antivirus, you are depending on the detection of one single antivirus engine (some of them two or probably three). And to make it worse, this solution will not notify you when something new (without you knowing) is trying to execute on your machine. With SecureAPlus, every new application trying to run will need to get your approval. If you do not run any application and suddenly there is a notification that a new application is trying to run, you will need to be on guard and probably just prevent it from running. And based on the Imperva study (http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf), less than 10% of malware gets classified in the first week of being found. This finding might be old, but with the current rate of new malware found in the wild, I believe the number is even worse now.
Hi, bjm_. Many programs work inside and outside SBIE w/out a template, and it is empirically known that in some cases where a template is available a program works better if you disable the template. For an actual example of this, ask bo elam in the SBIE thread or SBIE forum. A template is needed when a program inside SBIE needs to communicate w/ a program outside SBIE. The outside program usually can inject code or a dll into the sandboxed program w/out problem, but if the injected program tries to communicate with the outside program, SBIE prevents this unless it is in an exception. Here a template is needed to allow the communication or make an IPC exception. But AFAIK, SAP doesn't inject programs (SAP doesn't need to know what the program is doing internally); it achieves blocking probably by OS kernel functionality. I don't know the exact technical details of SAP, but from my limited testing, it blocked execution even when I disabled most of its components, tho ofc the GUI notification was no longer available. So I assume it leverages an OS function, and can be applied to programs regardless of whether they're inside or outside of the sandbox. I also have been using SAP w/ NIS2014 & SBIE; it works well.
I don't see why it is an error by design. Maybe you want everything in one product. Not to mention nearly all anti-executables or application whitelisting available assume your system is clean, but that is outside the scope of this kind of program; the user should confirm the system is clean by other means, or preferably install it on a fresh Windows. But SAP takes an infested system into account to at least a minimal degree by the UAV scan after installation. It may not detect new malware or a hidden rootkit, but the same goes even for established commercial AV/IS. Tho I once suggested they implement a rootkit scanner, still I don't hope for SAP to implement more functions which are not the job of app whitelisting. I hope SAP does its job well, in a lean and fast manner.
Thanks...great reply. Thanks! My suspicion that communication is required between SAP and SBIE stems from .... AppGuard has a SBoxie exception. HMP.A has a SBoxie consideration. EXE RadarPro has a consideration for SBoxie. So, logically SAP requires SBIE communication. Oh, also that VoodooShield does not have a SBoxie consideration and does not run in the sandbox. With the browser sandboxed, VS only acts on processes outside the sandbox. So, why would AppGuard and HMP.A and ERP have a consideration for SBIE? VS acknowledges VS does not communicate in the sandbox. Why would I expect the SAP whitelist engine to run from the browser sandbox, as the VS whitelist engine doesn't and ERP makes a line of code for SBIE File Access? Thanks for educating me that SAP does not need a template or a line of code to communicate through SBIE... Bizarre, other toys add a line to File Access or add an exception for SBIE.
HMPA and AppGuard definitely need to communicate as they include memory protection (and more). I don't know much about VS & NVT-ERP, but I found this; I don't know what \mailslot\NVTInj\ is, but its name suggests it injects sth, and also this rule is for a pipe, which is used for communication (IPC). I don't know why VS doesn't work with SBIE. Any executable downloaded in the sandbox is actually located in your sandbox folder (usually C:\Sandbox\), so theoretically they should be able to block a new executable. Maybe you can ask the VS dev and post a link to the reply if there's not enough explanation yet? Note, there are some ways to achieve execution blocking.
I have perused VS + SBIE with the VS developer. Maybe the VS developer is mistaken. Maybe I'm mistaken. A Wilders moderator tested VS + SBIE with the conclusion that they do not communicate. I'll try to locate that post. Bottom line for this thread, not to go off topic: SAP + SBIE do communicate. Thanks!
Hi, I have just started using this program and it seems really good. One question though. I have tested a few malware links, and some recent ones seem to be blocked by the application whitelist and shown to be malware via VirusTotal, but are not detected by the Universal AV.....and when looking at VirusTotal, often AVs such as Bitdefender and ESET are already detecting it, so why does the cloud Universal AV not detect them straight away? Is there a delay in the virus defs being included in Universal AV?? Just wondered if anyone knows? Cheers James
The developer mentioned server updates in the works...as needed by increased SAP interest. << Recently our server encounters a very heavy workload due to the high number of new people signing up >>
When application whitelisting prompts you, it will first check against our database at the server; if we don't have the sample file yet, then VirusTotal will be used. The uploading and scanning of a new sample file is not immediate.
...then what happens based upon virustotal results ... which is often not conclusive...when some engines flag and others don't... ...then what happens if virustotal is file not found ...how do we get the upper hand on zero day...with inconclusive...delayed scanning
It's up to you to decide, and it is a good companion to any other AV. You can install it with ClamAV, which is optional; this or any AV of your choice should handle the 0day.
...er' what ...the definition of 0 day is that av will not detect...um, that's 0 day....if av detects then it ain't zero day ...what do I decide....the item is an unknown ...what does SAP do with an unknown....it's not whitelisted...it's not categorized...what is it...what does SAP do....simply upload and then what do I do...what does SAP do... okay, I'm virustotal = file not found .... then what...what does SAP do...
The problem is that you want this product to be something it is not designed for. According to your arguments a 0day can't be detected by an AV... so we can stop talking here, since what you are saying isn't true.
Your definition is wrong, tho 0day has some different definitions; if it means 0day malware, the common def is malware which is within 24h of being discovered or born. Since most new malware is just a derivative of known malware or has similar characteristics or behavior, AVs can detect that 0day malware to some extent. SAP can block ANY executable or script by its proactive protection, regardless of whether it is good or not. So if you are hit by a 0day exploit, which BTW by definition is an exploit which is not yet patched, and it tries to download 0day malware which all AVs miss, then you're protected UNLESS you allow the execution yourself. This is generally how this type of program works. But SAP's UAV is more aimed at preventing known malware. However, as it continuously scans your files in the cloud, as soon as new malware is detected by 1 of the UAV engines, you'll get a warning.
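As an added illustration of the decision flow the replies above describe (local approval, then the vendor database, then a VirusTotal lookup, then the user prompt), here is a small hash-based allowlist engine. It is constructed for this thread and is not SecureAPlus code; the class, its verdict strings and the sample data are assumptions.

```python
import hashlib

# Verdict strings are assumptions for this example, not SAP's own.
ALLOW, BLOCK, PROMPT = "allow", "block", "prompt"


def sha256(data: bytes) -> str:
    """Identify an executable by content hash, as allowlists do."""
    return hashlib.sha256(data).hexdigest()


class WhitelistEngine:
    """Default-deny: anything not already approved needs a decision."""

    def __init__(self, local_allow, server_db, vt_lookup):
        self.local_allow = set(local_allow)   # hashes the user approved here
        self.server_db = dict(server_db)      # vendor DB: hash -> "clean"/"malware"
        self.vt_lookup = vt_lookup            # hash -> detection count, or None
        self.pending = set()                  # uploaded, result not yet available

    def decide(self, data: bytes):
        """Return (verdict, reason) for an executable about to run."""
        h = sha256(data)
        if h in self.local_allow:
            return ALLOW, "local allowlist"
        verdict = self.server_db.get(h)
        if verdict == "clean":
            return ALLOW, "vendor database"
        if verdict == "malware":
            return BLOCK, "vendor database"
        detections = self.vt_lookup(h)
        if detections is None:
            # VirusTotal has no record: sample must be uploaded and scanned,
            # which is not immediate, so the user is prompted meanwhile.
            self.pending.add(h)
            return PROMPT, "unknown, scan pending"
        if detections > 0:
            return BLOCK, "flagged on VirusTotal"
        # Clean on VirusTotal but still new on this machine: user decides.
        return PROMPT, "new application"

    def approve(self, data: bytes):
        """Record a user's explicit approval; nothing else promotes a file."""
        self.local_allow.add(sha256(data))
```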
You lost me... repeated scanning of my whitelisted file repository in the cloud....scans known, categorized files...unless the file changes on my machine...what good is comparative scanning in the cloud, comparing already known good files with already known signatures... What happens when a file changes or an item tries to be added on my machine.... What happens if the item is unknown... What happens as the SAP cloud is not adequate, as recently reported....
We are pleased to announce the release of SecureAPlus v3.3.4. We have fixed the update status bug that was reported previously in this forum. In this version, SecureAPlus can work along with Windows Defender if the offline AV is disabled. More details can be found in the release notes: http://www.secureaplus.com/Main/secureaplus_releasenote.php
I updated to v3.3.4 this morning. Later, I somehow got this popup, but I can't see how I got it to show. Just wondering that nothing has happened between May 2014 and today. That seems a little odd to me. Spoiler: screenshot
This dialog is displayed when you click on "Previous". It shows the history of previously blocked items.
I installed the latest version for the first time yesterday; the system has been left on (normal to do so), and 24hrs later the initial full scan would be lucky to be at maybe 2%. Is this normal? Cheers