Anti Malware for the main stream, how should it look like?

Dear all,

I would like you to give me your opinion what according to you should be the furture of anti-malware for the main stream user.

Microsoft being a dominant player already has showed what the direction will be: kernel protection, digital signatures and protected mode browsing.

Next I would have some easy to use form of containment like DefenseWall offers now. FIles and programs entered on your computer from threat gates can never elevate to admin rights when not explicitely gotten an aproval of the user (running it as trusted as DW now offers).

To protect the user against shoot in the foot errors I would like a behavior blocker with some elements of ThreatFire Pro, A2 IDS and NeoavaGuard.

A2 made the smart move to explain exception events very clearly and to focus on the result rather than protection mechanisme; protection against driver installation is called rootkit protection, protection against hook setting is called keylogger protection. I would like the option to give those exceptions a value ('suspicious behavior points'). Like in NeoavaGuard you can set a threshold level of suspicious behavior points (e.g. more than 80 or 110), but NeoavaGuard currently does not have the option to mark a driver install as (for instance) 60 suspicious points and a HKLM startup resigistry change with (again just an example) 30 suspicious points.

When a program is not a system process (like in ThreatFire) and has performed a series of actions (like in A2 IDS), which came above the suspicious behavior threshold (NeoavaGuard), I would like to this behavioral blocker, to check the programs certificates and its hash-value.
When okay, store the sequence and collected malware points (so when it would show more suspicious behavior on other area's it would be marked as suspicious next time) [action A]

When not okay (or program does not have a certificate), I would the behavior blocker to check whether it is a know malware with its black list (AV engine). If known give a clear warning and let teh AV engine handle the correction [action B]. When not okay known provide a clear pop-up (like in A2 IDS) [action C] and perform the the precautions for the future as marked in action A. Next send this file to a central spyware net (like PrevX, Windows Defender, ThreatFire etc).

When a program acquires two consequetive 'actions A' , I would like the this file be checked by the AV-engine again (may be it is known now). When not known, send it to the central spy-network, get a clear description and the options to allow or block and also have a 'roll back' option like in DefenseWall or Spyberus.

Further more I want my AV-engine to look in incoming streams, in stead on every programs startup, read or write. This would save enough CPU power to perform the above actions.

What is your opinion?

 

My opinion is simple- non-restrictive policy-based sandbox with whitelisting elements.

 

Ilya,

I agree for a first layer (besides hardware firewall), I only want my AV or Behavior blocker to provide a second layer, when I choose to run something as trusted: add the quarantaine threshold/susipicious behavior points of NeoavaGuard and the user friendliness + intelligent false protection of A2 to the new ThreatFire Pro and I would be happy.

When can we expect a Vista64 bits version of DefenseWall? HauteSecure seems to be able to handle the limitations.

Regards Kees

 

I think it'll be Linux.

 

Zapjb,

And when will the main stream use Linux, in 2107?

 

Yes if SP1 gives me ability to modify SSDT with legitimate API.

It is founded by MS people, this is the answer.

 

Well prediction time, it is then.

Just move the 1 over. I say by 2017.

By 2017 all but gamers will feel stupid for using an M$ OS.

 

... In other words, it can be done?

 

Possibly, but I think Apple may have something to say about who would be the next to dominate the market...

 

I agree and disagree. Apple has found a way to sell more computers in recent years. However, the closed physical architecture makes the Apple platform extremely unappealing to OEM producers and customers who prefer a hands-on type of hardware acquisition.

The PC is this generation's "garage car". Almost everyone has one, almost everyone tinkers with it in some way, and the individuality that comes with the ability to have a system (hardware-wise) as unique as you are makes it a part of modern-day Americana.

Apple will truly be able to rule the market when their hardware platform becomes more open. The day you see "Apple Approved" motherboards, video cards, etc. that can go in either an Apple system or a PC is the day that Apple has officially started to move up the food chain in a serious way.

 

Excepting for the EFI firmware and the different Video BIOS, a Apple of today can be called a PC.

 

Hello,
Since we're talking Windows:
http://www.mozilla.com/en-US/firefox/
Mrk

 

What do you mean with "main stream" users? I guess you´re not talking about noobs? Because in that case I would not recommend any HIPS, because you need to have some knowledge when responding to the alerts. I would probably install realtime AV/AS/AT + firewall + sandbox. But anyway, I think you´re thread should rather be named "How should the perfect HIPS look like". Am I correct?

 

Well,

Perfect in the sense that it can be used by noob's with the power of a nerd's choice. Come to think, lets throw in the cleaning power of Primary Response Safe Connect.