Anti-malware for the mainstream: what should it look like?

Discussion in 'other anti-malware software' started by Kees1958, Sep 15, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear all,

    I would like you to give me your opinion on what, according to you, should be the future of anti-malware for the mainstream user.

    Microsoft, being a dominant player, has already shown what the direction will be: kernel protection, digital signatures and protected mode browsing.

    Next I would have some easy-to-use form of containment like DefenseWall offers now. Files and programs that enter your computer from threat gates can never elevate to admin rights without explicit approval from the user (running it as trusted, as DW now offers).

    To protect the user against shoot-in-the-foot errors I would like a behavior blocker with some elements of ThreatFire Pro, A2 IDS and NeoavaGuard.

    A2 made the smart move to explain exception events very clearly and to focus on the result rather than the protection mechanism; protection against driver installation is called rootkit protection, protection against hook setting is called keylogger protection. I would like the option to give those exceptions a value ('suspicious behavior points'). Like in NeoavaGuard you can set a threshold level of suspicious behavior points (e.g. more than 80 or 110), but NeoavaGuard currently does not have the option to mark a driver install as (for instance) 60 suspicious points and an HKLM startup registry change with (again just an example) 30 suspicious points.

    When a program is not a system process (like in ThreatFire) and has performed a series of actions (like in A2 IDS) which came above the suspicious behavior threshold (NeoavaGuard), I would like this behavioral blocker to check the program's certificates and its hash value.
    When okay, store the sequence and collected malware points (so when it would show more suspicious behavior in other areas it would be marked as suspicious next time) [action A].

    When not okay (or the program does not have a certificate), I would like the behavior blocker to check whether it is known malware with its blacklist (AV engine). If known, give a clear warning and let the AV engine handle the correction [action B]. When not known, provide a clear pop-up (like in A2 IDS) [action C] and perform the precautions for the future as marked in action A. Next send this file to a central spyware net (like PrevX, Windows Defender, ThreatFire etc).

    When a program acquires two consecutive 'actions A', I would like this file to be checked by the AV engine again (maybe it is known now). When not known, send it to the central spy network, get a clear description and the options to allow or block, and also have a 'roll back' option like in DefenseWall or Spyberus.

    Furthermore I want my AV engine to look in incoming streams, instead of on every program's startup, read or write. This would save enough CPU power to perform the above actions.

    What is your opinion?
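The scoring scheme proposed in this post (suspicious behavior points, a threshold, certificate/hash check, blacklist lookup, actions A/B/C, and a re-check after two consecutive A's) modelled as a small simulation. This is an added example, not code from any of the products named in the thread; the point values beyond the post's own 60/30, the event names, the hash sets and the `BehaviorBlocker` class are all assumptions.

```python
from collections import defaultdict

# Points per event type: 60 and 30 come from the post, the hook value is an assumption.
SUSPICION_POINTS = {
    "driver_install": 60,
    "hklm_run_key_change": 30,
    "global_hook_set": 40,
}

# Constructed stand-ins for the certificate/hash whitelist and the AV-engine blacklist.
KNOWN_GOOD_HASHES = {"goodhash-example-0001"}
KNOWN_MALWARE_HASHES = {"badhash-example-0001"}


class BehaviorBlocker:
    def __init__(self, threshold=80):          # post suggests 80 or 110
        self.threshold = threshold
        self.points = defaultdict(int)         # carried-over points per program (action A/C)
        self.history = defaultdict(list)       # sequence of actions per program

    def evaluate(self, program, events, signed, file_hash, system_process=False):
        """Return 'A', 'B' or 'C' as described in the post, or None if below threshold."""
        if system_process:                     # system processes are not scored (ThreatFire-style)
            return None
        score = self.points[program] + sum(SUSPICION_POINTS.get(e, 0) for e in events)
        if score < self.threshold:
            return None
        if file_hash in KNOWN_MALWARE_HASHES:
            action = "B"                       # known malware: warn, AV engine handles cleanup
        elif signed and file_hash in KNOWN_GOOD_HASHES:
            action = "A"                       # cert and hash OK: remember sequence and points
            self.points[program] = score
        else:
            action = "C"                       # unknown: clear pop-up, remember, submit upstream
            self.points[program] = score
        self.history[program].append(action)
        return action

    def needs_recheck(self, program):
        """Two consecutive 'A' outcomes trigger a fresh AV-engine / network lookup."""
        return self.history[program][-2:] == ["A", "A"]
```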
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    My opinion is simple: a non-restrictive policy-based sandbox with whitelisting elements.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ilya,

    I agree for a first layer (besides a hardware firewall). I only want my AV or behavior blocker to provide a second layer when I choose to run something as trusted: add the quarantine threshold/suspicious behavior points of NeoavaGuard and the user friendliness + intelligent false-positive protection of A2 to the new ThreatFire Pro and I would be happy.

    When can we expect a Vista 64-bit version of DefenseWall? HauteSecure seems to be able to handle the limitations.

    Regards Kees
     
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    I think it'll be Linux.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Zapjb,

    And when will the main stream use Linux, in 2107?

    ;)
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, if SP1 gives me the ability to modify the SSDT with a legitimate API.

    It is founded by MS people, this is the answer.
     
  7. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Well prediction time, it is then.

    Just move the 1 over. I say by 2017.

    By 2017 all but gamers will feel stupid for using an M$ OS.
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    ... In other words, it can be done?
     
  9. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Possibly, but I think Apple may have something to say about who would be the next to dominate the market...
     
  10. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    I agree and disagree. Apple has found a way to sell more computers in recent years. However, the closed physical architecture makes the Apple platform extremely unappealing to OEM producers and customers who prefer a hands-on type of hardware acquisition.

    The PC is this generation's "garage car". Almost everyone has one, almost everyone tinkers with it in some way, and the individuality that comes with the ability to have a system (hardware-wise) as unique as you are makes it a part of modern-day Americana.

    Apple will truly be able to rule the market when their hardware platform becomes more open. The day you see "Apple Approved" motherboards, video cards, etc. that can go in either an Apple system or a PC is the day that Apple has officially started to move up the food chain in a serious way.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Except for the EFI firmware and the different video BIOS, an Apple of today can be called a PC.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    What do you mean by "mainstream" users? I guess you're not talking about noobs? Because in that case I would not recommend any HIPS, because you need to have some knowledge when responding to the alerts. I would probably install realtime AV/AS/AT + firewall + sandbox. But anyway, I think your thread should rather be named "What should the perfect HIPS look like?". Am I correct? ;)
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well,

    Perfect in the sense that it can be used by noobs with the power of a nerd's choice. Come to think of it, let's throw in the cleaning power of Primary Response SafeConnect.

    ;)
     