Google CAMP: Content-Agnostic Malware Protection

https://www.networkworld.com/news/2013/040913-camp-for-chrome-catches-99-268529.html

https://www.cs.jhu.edu/~moheeb/aburajab-ndss-13.pdf

http://www.darkreading.com/security...reputation-to-detect-malicious-downloads.html

~ Removed Copyrighted Image ~

Opinion:
The end of the anti-malware industry? I hope so, with this and an on-demand scanner for USB and maybe some other security tools like trusteer rapport, ExploitShield, EMET, windows firewall (Windows Firewall Control) more than enough.

 

Google the white knight of internet privacy comes to rescue

Did those 200 million know Google 'tracked' their binaries and 'infringed' their privacy

 

The privacy implications are the same needed for the "safe browsing" mode that chrome has always had, you can always enable or disable it as everything privacy related in google.

 

Basically they "invented" Evo-Gen and MSS from avast!... it works on the same principle...

 

Yeah, ok, everyone's always copying Avast.

 

I could think of far worse vendors to copy than Avast.

 

Says a die hard Comodo fan...

And yes, knowing the technology background, it is what i said. Google does exactly that. Gathers bunch of data, aggregates it and then compares other samples to it and decides based on that.

And for the record, i never said they copied anything...

 

Comodo fan?

 

Nope. The first article actually mentions a few words from some security vendor member saying that while it protects 99% of downloads at the browser level, it won't protect against 100% of the downloads when getting e-mail.

Not to mention that one thing is the study, another thing is real life: cybercriminals will adjust, so we'll have to see how it evolves then.

Anyway, I'm all for new/"new" ways of fighting malware and keep as many users as safe as possible.

The first article also mentions something about CAMP not protecting against exploits... well... that's Chrome's sandbox task. They forgot to take that under consideration.

 

Comodo or whatever else your message was not great to hear.

"everyone's always copying Avast" ironic ?

For this case, indeed it looks like Avast's Evo-Gen / MSR.

Why posting such a reply ?

 

Isn't the Windows Smart screen also similar to this approach?
I guess Smart screen has some kind file reputation system too. It blocks automatically if the file has low reputation or bad reputation.

Good to see these kind of technologies being implemented at browser/OS level. Reaches broader audiences.

 

Reputation system is another thing.

 

I really don't care who copies an idea as long as they improve upon it in a positive way. I applaud the initial developer for their ingenuity and I think they should get a percentage of the profits, but copy write shouldn't prevent people from taking an idea and progressing forward. For a company with the power and resources to do so, like Google, to get involved it may not be a bad thing. Almost every company data mines its users to some degree. My only issue with Google is knowing just how blood thirsty they are compared to some others. This doesn't make the company evil. I'd only condemn them if they took a viable idea and drove it into the ground in a manner that turned users off of such applications or intentionally caused lasting harm to the end-user.

 

Why would Google need to copy anyone? They have all the data they need from VirusTotal, if you haven't noticed they even raised the maximum file size to 64mb get more data.

 

can someone please explain how this CAMP works?

 

How big brother is protecting me against malware

1. Google Web Crawling
Google search engine crawls thousends of thousends website per day to add them to their search listing. Websites are analysed on their servers, making a static forensic analysis of that site. This data is enriched with findings of other web infrastructure providers/participants ==> input for first blacklist layer

2. Google DNS and search engine
All our internet activity (search requests => keywords) need a translation to domain names and IP addresses. Repeated requests are cached. To this cache a bad/good website flag is added ==> Google safe browsing & safe search first blacklist layer

3. Using Chrome as a browser
a) Blacklist
Downloading stuff also checks the hash of this binaries against blacklist data (as mentioned by aero5588 Google receives VT results of around 1 million VT submissions a week) ==> second layer of blacklist on downloaded binary level, possible first layer of whitelist (clean according to AV's, together with first seen date, adds reliability to this analysis)

b) Whitelist
Downloading stuff from the internet, the reputation of both the website your downloading from as the reputation of binary your downloading is examined (like certificates of safe HTTPS/trusted websites and digital signing of software and trusted vendors and the hierarchy of certificates, some certificates are more secure than others, think of Comodo errors/practises in the past) ==> Google reputation scoring second white list layer.

4. Grey list remains
Like PrevX has options and levels to warn you when a binary has not been seen by the PrevX/Webroot community, Google can track the same usage statistics from its servers/engine/browser worldwide (only with a magnitude of data/much larger community than PrevX/WSA). Avast now also uses reputation scoring (so Rezjor is not quite acurate in "everyone is following AVAST", WSA used community popularity in its heuristics and also has an option to run an unknown binary in a sandbox, as far as I can recal PrevX4 was released before Avast 8 ).

I think CAMP is a refinement of the analysis of 2, 3, and 4 (without actually sandboxing or code emulation as suggested) So a very thorough reputation scoring which will give a 'red' traffic light warning "Possible malware" or a 'yellow/orange' traffi light warning "File with low reputation" or a green light ==> third whitelist/blacklist analysis. CAMP study tuned the metrics of inputs 1,2 and 3 against the algorithme (red, orange, green), to minimize the orange (grey = not safe/not known bad) part and reduce false positives.

5. Grey rare samples future
Files with low reputation could also be analysed on a Google server side sandbox like Comodo's Instant malware analysis, GFI (Vipre) Sandbox, Norman Sandbox and Threat Expert (Norton/Symantec) analysis. In this CAMP study Google seams to take the opposite position they won't do that. Problably because it has bought VirusTotal and won't upset the AntiVirus community against it (like Microsoft does with server side analysis and a free AntiVirus). I think they will get those results via VT anyway.

Down side of this server side analysis is that the first downloaders, automatically are the first victims. This explains the advantage of client side sandboxing. Take for instance Avast's auto sandbox, which runs the file with low reputation in the sandbox and analysis its behaviour. Behaviour plus reputation enables an accurate evaluation of the binary. This explains Rezjor's "been there, done that, got the EVO-GEN T-shirt" reaction. To Avast's credits (and Rezjor ), I have not seen a (free) AV which has perfected this combo of reputation scoring and auto sandboxing and analysis like Avast .

N.B.1 Avast as AV-vendor with the most users world wide, will have problably sufficient user coverage for simular results (combined with local sandbox). Maybe also the reason why Avast is a hybrid (cloud/local) solution (and tells us it will stay hybrid for the time being).

N.B.2. The numbers game of user community in regards to reputation scoring is problably the reason why Bitdefender licenses its engine to many other vendors AND why it has launched a free cloud solution (to collect samples). 2013 is the strategic window for Bitdefender, because they were best AV of 2012. This year they need to eat market share from other free AV's.

N.B.3. The numbers game (and gain) and emerging Chinese market is also reason for Avira to provide their Engine to Baidu (also a search engine , do you get the picture).

Regards Kees

 

Is CAMP already turned on by default in Chrome?

 

Moreover, is it a part of the Google search engine at this point or is it still in the testing phase?

 

http://www.networkworld.com/news/2013/040913-camp-for-chrome-catches-99-268529.html

However, Lance James, chief scientist at application security vendor Vigilant, said that as an overall security system, CAMP falls short because it does not catch malware that exploits vulnerabilities within the browser.

Such malware often gets into a computer by email recipients being tricked into clicking on a malware-carrying attachment.

"[CAMP] may be able to see 99% of malware downloaded through the browser, but they won't see 99% of malware that is never seen by the browser," James said. "There's a big blind spot and that's a problem."

 

Is this CAMP and default since version 17?

http://www.csoonline.com/article/697628/google-chrome-finally-gets-malware-download-protection

 

Looks interesting.

 

No the next generation of it.

 

Is it an extension, or default part of Chrome? Do you have to turn it on?

 

Ya, what he asked.

Thanks for your input and clarification on this Kees.

.

 

No it is a study, the actual results have to be implemented yet