Anti Executables are useless over time

Discussion in 'other anti-malware software' started by Kees1958, Jun 14, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rick, first, thanks for joining this discussion.

    You and blue are adding evidence for the basic statements I am making:

    1. An AV, although blacklist-based (see post 12 in this topic), is probably the most consistent and reliable level of security for the average PC user.

    2. A user-friendly behavior blocker (like A2) does provide a sustainable level of defense (also when installing a program, because behavior blockers are aimed at minimising damage from abnormal behavior).

    3. A user-friendly policy/rights/privileges manager ('sandbox') is as effective as the average AE at preventing malware from damaging your system. A policy manager like DefenseWall is so simple to use. Instead of focusing on preventing code from starting, it lowers the rights of these possible 'carriers' of exploits (like your web browser) or of files created by these carriers (e.g. LimeWire downloads).

    So my comment is: a lot of experienced members of Wilders nearly always advise new members to go for the best (often an AE). This 'best' is true as long as they do not install new programs.

    When you use an AE, you should, like you do, check with InCtrl5 what a program does when you install it for the first time on a virtual machine.

    When this practice is above your head, using an AV + behavior blocker + policy/rights manager gives more overall and consistent protection.

    Regards, Kees
     
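The "check what a program does when you install it" step mentioned above, as an added example that is not InCtrl5's code nor anything from the original post: a minimal install monitor that hashes a directory tree before and after an install, reports what was added, removed or modified, and flags changes under paths the caller declares sensitive (the sample tree, the fake installer and the `startup` prefix are all constructed for the example; on a real machine you would point it at the system drive and list the autostart locations you care about).

```python
"""Added example: InCtrl5-style before/after install snapshot (not InCtrl5's own code)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str | os.PathLike) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    snap: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                snap[p.relative_to(root).as_posix()] = _sha256_file(p)
    return snap


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added / removed / modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_sensitive(changes: dict[str, list[str]], sensitive_prefixes: list[str]) -> list[str]:
    """Return every added or modified path under one of the sensitive prefixes.

    The prefixes are an assumption of the caller: on Windows you would list
    the Startup folder, exported Run keys, task directories, and so on.
    """
    hits = []
    for p in changes["added"] + changes["modified"]:
        if any(p == pre or p.startswith(pre.rstrip("/") + "/") for pre in sensitive_prefixes):
            hits.append(p)
    return sorted(hits)


def demo(root: str | os.PathLike | None = None) -> dict[str, list[str]]:
    """Simulate an install into root (a temp dir if None) and return the classified changes.

    Constructed scenario: an editor with a config file already exists; the
    'installer' drops a binary, rewrites the config and adds an autostart entry.
    """
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    root = Path(root)
    (root / "program_files" / "editor").mkdir(parents=True)
    (root / "startup").mkdir()
    (root / "program_files" / "editor" / "config.ini").write_text("theme=light\n")
    before = snapshot(root)

    # the 'installer' runs
    (root / "program_files" / "editor" / "editor.exe").write_bytes(b"MZ fake binary")
    (root / "program_files" / "editor" / "config.ini").write_text("theme=dark\n")
    (root / "startup" / "editor_updater.lnk").write_bytes(b"fake shortcut")
    after = snapshot(root)

    changes = diff_snapshots(before, after)
    changes["flagged"] = flag_sensitive(changes, ["startup"])
    return changes


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The snapshot only covers files; a real run would also export the registry hives (or whatever the platform's autostart store is) to disk before and after so the same diff catches Run-key entries, which is the case EASTER raises later in this thread.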
  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I have not seen A2 refer to itself as a "behavior blocker" but rather as an "Intrusion Detection System" (IDS). I do not make this comment as a *gotcha!* but because I am truly seeking to learn ...

    What exactly is the difference between (1) behavior blocker, (2) HIPS, (3) IDS & (4) anti-executable?

    and

    WHICH of those categories is most descriptive of A2?
     
    Last edited: Jun 17, 2007
  3. EASTER.2010

    EASTER.2010 Guest

    If that's the case then my machine would be a total mess by now.

    Courtesy ONLY of System Safety Monitor/PowerShadow/Kerio 2.15: for many months now this trio has afforded me, as a malware researcher/hunter, the ability to hit any drive-by site as well as launch the fiercest of rootkits locally without sustaining any repercussions whatsoever, and that's chiefly been directly related to System Safety Monitor's ability to 100% SUSPEND in mid-air, if you will, any virus/trojan executable and pass the data/path on to my attention, where I can easily scoop (copy) up these malicious creations and forward them on to vendors as well as run them locally and follow what they change on the system so they can be categorized as either severe or lesser-type threats.

    Useless over time? Not from this end, in what I've experienced over time.

    Regards EASTER :)
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would have to agree with Easter.

    Kees, your assumption that AEs become useless is only true if you also cease using your head.

    If you download some program from a garbage site and install it, yep, you are right. But using your head, if you download a program from a trusted source, then your risk from installing a new program is nil, and the AEs work just fine.

    Obviously if you are going to play with risky stuff you had better take additional steps.

    In my opinion AEs only become useless when common sense has been uninstalled.

    Pete
     
  5. EASTER.2010

    EASTER.2010 Guest

    Another good point there, Kees, that Peter2150 points out.

    How many times have you installed a perfectly good program but it was hard-coded to RUN AT START-UP and you don't need it to do that? In case anyone needs to know, I always use HijackThis to "FIX" those start-up entries and that's the end of that. I do it all the time, as a routine.

    Also, like mentioned, you can get hold of what you perceive as a safe program but for whatever reason the server's files were compromised and so some clever-witted gent decides to implant a nice little virus into the program. Still happens.
     
  6. wat0114

    wat0114 Guest

    Why is it an unknown source? If we are not expecting an executable to launch especially after visiting an unknown source then of course common sense dictates we block it after an AE warning. If we are downloading code from a crack or warez site, then we are not willing to pay for it and we are also willing to take the chance that it is harmless code so we allow it in hopes of gaining free software. Tough luck if it screws your machine, because we are looking for something for nothing.

    If you want software and you are willing to pay for it then you will acquire it from the proper source and will not worry about it infecting your machine when you install it. The purpose of the AE is to alert on unexpected executable launches, as well as to control the behaviour of parent-child activity. There is a real educational benefit to using the AE as long as we read and try to understand the alerts. It is an added layer of defensive security that will alert on activity that an AV might miss.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ad 1.
    Yes, AEs provide a real educational benefit, but how many are willing to know that level of detail (using a PC as a consumer product to do other things, like surfing, downloading music files, etc.)?

    Ad 2.
    How different is that from a behavior blocker? Only, when installing programs, a behavior blocker keeps working and alerting you to anomalies. The weak point of behavior blockers is the clarity of their information pop-ups (e.g. EQSecure only explains what happens technically, but A2 gives a sound explanation of what threat this behavior might relate to) and the smartness of their rules (therefore, again, Emsi with A2, and Sana Security, score better than, for instance, CyberHawk).

    Regards, K
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks Easter, that could be my argument on wat0114's post.

    Regards, Kees
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This argument is like the chicken and egg and can go on and on and on and on, and in the end prove absolutely nothing.

    I am not a carpenter and am borderline useless with a hammer. Does that mean a hammer is useless over time? To me yes, to a carpenter no. The same thing is true of AEs. True now and will still be true a thousand posts later.:D

    Pete
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Unless you use the hammer, to hit the chicken in the head. Then it ends.:rolleyes:
     
  11. wat0114

    wat0114 Guest

    Does it matter how many are willing to know? All that really matters is that an AE might be the right fit for those in this category.

    I can't answer this because I have not used any of those behavior blockers, unless the component control and/or anti-leak options in Outpost FW Pro count as behavior blockers. They might, to some extent. All I can say is that there are so many security choices suitable for different folks. Some are comfortable with AEs, some are comfortable with behavior blockers, some with firewalls. Some with all or a combination of the above. We could throw sandboxes and antiviruses into the mix too.

    I would agree 100% that an AE is useless if the person responding to the prompts simply OKs everything just to get on with their installs or surfing, because they don't understand the prompts, nor care about them because they are too excited about trying out their new software or loading the ActiveX so they can view the girly movie. The same could be said about behavior blockers, firewalls, and, to some extent, antivirus, though I would think a virus warning might be taken more seriously, even by those who lack the knowledge or patience. Besides, antivirus apps are generally installed by default on new machines and have been around for eons.

    In use by the right person, any security app has a certain degree of usefulness. In the wrong hands, they all become that much more useless.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Then return to my first statement and I will change the question.

    On this forum most members use AEs to have an additional layer against zero-day threats. My claim is that this is (only) true as long as you keep the system stable (no new code).

    The defense is as strong as the weakest link. So what countermeasures do AE fans use to determine whether new code is 'safe'?

    I think Rick (herbalist) made clear to me that he checks new code in depth.

    Regards, K
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think what you need to clarify is where it is any different from any other program.

    Opening documents, PDFs, JPEGs, movies, etc., I am not expecting any executables. Even if I don't disconnect the UI, any prompt is easy to answer: Deny. But I do disconnect it.

    Anything I install intentionally, unless the AV gets something, even a BB will give you a hard time interpreting the results. A-Squared seems to be in the right direction, yes, but I did have FPs.

    Any solution you employ will do little if you intentionally install something.
    Like the man says,
    To me, a defense is more and more about what I didn't ask for (default deny).
    I think this is what the others are saying too.
    An open discussion is whether something like a sandbox will provide more protection than execution interception, or parent-child control. Anything else is what I intentionally did.
     
  14. herbalist

    herbalist Guest

    Kees, about the only way your "useless over time" argument holds up is if it's in reference to a typical user who knows nothing about how a PC works. To one of them an app like SSM is useless, but so is every piece of software that doesn't figure out everything for them. If their PCs were cars, they wouldn't be able to get a driver's license because they couldn't pass the test. The logic you're using would call the car useless because those individuals couldn't drive it.
    I'd disagree. The AE is doing its job. It's that person's decision-making that's useless.

    You can use whatever standard you want, including vendor-supplied whitelists. I'm glad SSM doesn't come with one. The whitelist of sites that originally came with NoScript was one of the main reasons I stopped using it. I don't want some vendor telling me who or what I should trust. Just because I'm running Windows doesn't mean I should trust Microsoft. I don't.

    As soon as you start depending on a vendor-maintained whitelist, you're back to the same problem that exists in AV blacklists. Never complete, never up to date. Not reliable. Nothing gained. My application whitelist contains the executables for the applications and Windows components on my system that are necessary for normal usage, no installers, no updaters, no unnecessary Windows components. As long as SSM stays in user mode (disconnected UI), that is all that can run. Useless? Not even!
    Rick
     
  15. wat0114

    wat0114 Guest

    Very true. I should have worded it better, but that is basically what I meant :)
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Common sense. If I download from an unknown site, I assume it's bad and act accordingly. If I open a box of software from Microsoft which I get as a Microsoft partner, I assume it's fine, which it is. If I download from one of the sites whose programs I beta test, I assume it's safe but might be buggy. When I update my accounting program and get their CD, I assume it's safe. Etc.

    Just good common sense. It has worked fine. What the AEs alert me to is something unexpected.

    Pete
     
  17. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    In a relatively static machine, you shouldn't be expecting new executables. Otherwise, there's a good number of tools/practices/questions to verify the legitimacy of a file with a low chance of making mistakes.
    - Did I request that file?
    - Was the file downloaded/written to disk with my consent?
    - From where/whom did I get that file?
    - Checksum verification (if provided).
    - Which kind of file is it?
    - May it contain hidden executables and/or shellcode/exploits?
    - On-demand scanning with AV/AT/AM.
    - Input from Jotti/VirusTotal.
    - Input from automated experts (e.g. Norman Sandbox, Sunbelt Sandbox, PC Tools Expert).
    - Input from the virus lab (if possible/feasible).

    - Execute in a restricted environment (VM, sandbox, manual checking of scripts in a text editor, doc viewing without macros/scripts).
    - EULAlyzer, TCPView, firewall prompts/logs, install monitor.
    - Etc.
     
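Three items from the checklist above (checksum verification, "which kind of file is it?", and "may it contain hidden executables?") carried into a script, as an added example that is not part of lucas1985's post or any vendor's tool. The magic-byte table, the extension map and the sample files are constructed for the example; the checks are a first pass before the AV/sandbox steps in the list, not a replacement for them.

```python
"""Added example: first-pass vetting of a downloaded file (not from the original post)."""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass, field

# (magic prefix, type name); first match wins, so the more specific entries come first.
MAGIC: list[tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/jar/apk
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),            # DOS stub of a Windows executable
]
# What an extension claims the file is, in the same vocabulary (constructed, partial).
EXT_TO_TYPE = {
    "png": "png", "doc": "ole2", "xls": "ole2", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
    "jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "dll": "pe", "scr": "pe",
}
EXECUTABLE_TYPES = {"pe", "elf"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_type(data: bytes) -> str:
    """Identify the file by its leading bytes, ignoring the name entirely."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def find_pe_images(data: bytes) -> list[int]:
    """Offsets of every 'MZ' whose e_lfanew field (MZ+0x3C) points at 'PE\\0\\0'.

    A bare 'MZ' in text is common; requiring a consistent PE signature keeps
    false positives down.
    """
    hits: list[int] = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 4 <= e_lfanew < 0x10000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


@dataclass
class Verdict:
    name: str
    sha256: str
    claimed_type: str
    detected_type: str
    checksum_ok: bool | None        # None when no published hash was supplied
    pe_offsets: list[int]
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def vet_file(name: str, data: bytes, expected_sha256: str | None = None) -> Verdict:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    detected = detect_type(data)
    digest = sha256_hex(data)
    checksum_ok = None if expected_sha256 is None else digest == expected_sha256.lower()
    pe_offsets = find_pe_images(data)
    v = Verdict(name, digest, claimed, detected, checksum_ok, pe_offsets)
    if checksum_ok is False:
        v.findings.append("checksum mismatch against the published hash")
    if detected != "unknown" and claimed != "unknown" and detected != claimed:
        v.findings.append(f"extension says {claimed} but content is {detected}")
    elif detected in EXECUTABLE_TYPES and claimed == "unknown":
        v.findings.append(f"content is a {detected} executable")
    # A genuine PE legitimately has its own header at offset 0; anything else is embedded.
    embedded = [o for o in pe_offsets if not (detected == "pe" and o == 0)]
    if embedded:
        v.findings.append(f"embedded PE image at offset(s) {embedded}")
    return v


def make_pe(payload: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped blob: DOS header with e_lfanew=0x80, PE signature at 0x80."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)   # exactly 0x40 bytes
    return dos + b"\x00" * 0x40 + b"PE\x00\x00" + payload


def demo() -> dict[str, Verdict]:
    """Three constructed downloads: a clean PDF, the same PDF with a PE appended, a renamed EXE."""
    good_pdf = b"%PDF-1.4\n%MZ in a comment is harmless\n%%EOF\n"
    published = sha256_hex(good_pdf)          # the hash the publisher would list
    return {
        "ok": vet_file("manual.pdf", good_pdf, published),
        "tampered": vet_file("manual.pdf", b"%PDF-1.4\n" + make_pe(b"payload"), published),
        "renamed": vet_file("holiday.jpg", make_pe()),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict.detected_type, verdict.checksum_ok, verdict.findings)
```

A file that passes all three checks is still only "not obviously wrong"; the remaining items in the list (on-demand scanning, multi-engine lookups, running it in a VM or sandbox) are what answer the "may it contain shellcode/exploits?" question, which no static signature check can.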