Antivirus and App Whitelisting

Discussion in 'other anti-virus software' started by sinlam, May 27, 2013.

Thread Status:
Not open for further replies.
  1. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Thanks Kees :thumb: We will look into your suggestion. It is great that we have kick-started this beta program, as we need valuable comments like this before the official launch.
     
  2. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Hi sinlam,

    I already installed it in my system, installation process showed 2 error messages, one regarding the program stopped responding and another one regarding the driver not being compatible with Windows XP, after these messages the installation continued with no further issues. At the end, a reboot was needed to get it working.

    Here's my insight:

    Antivirus Menu:
    1) No need for 2 tray icons, both modules can be integrated into one single tray icon and manageable with right-click
    2) Update AntiVirus Data should say: Update AntiVirus Signatures
    3) Antivirus Settings > Updates > Why are there 2 options for update servers? Which one is 'recommended'?
    4) Antivirus Settings > Updates > Add ability to specify time interval for updates, (example: every X hours, every boot, once daily) not just 'automatic daily update'
    5) Real time scanning: Add ability to choose whether you want on-access scanning or on-execution scanning (to save resources)
    6) The context scan window reported that it only scanned 1 item when I scanned a .zip archive. It doesn't scan within archives?
    7) Give the ability to schedule scans

    Application Whitelisting Menu:
    1) Is there a wizard for whitelisting?
    2) Please explain in more detail what Observation Mode does and how it works
    3) Does this have a built-in (default) whitelist? If so, where can I check it?
    4) Please explain further the functionality of the Scripts tab

    Overall performance:
    Runs 4 processes, clamd.exe likes to chew on CPU, a fact that I personally don't appreciate.
    Feels heavy on my system (however, I have a low-spec machine but other products feel lighter), slow startup, programs take a while to open.

    That's it so far. Please let me know if it's ok to provide feedback over here (it's way more convenient for a lot of us).

    It looks promising. Don't abandon it.

    Regards.
     
  3. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    On mine, 2 errors when installing, failed to install a file twice, and very high memory usage. 167mb on one process. It takes a lot of time whitelisting the entire computer, slow scan speed.

    It's a pretty cool software but apparently needs some work. :thumb:
     
  4. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I made a suggestion to make AV installation optional in installer.
    Or to make two separate installer files: one with and one without AV.
     
  5. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Good idea siketa:thumb:
     
  6. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Thanks, K!
    Most of the performance problems are there because of ClamAV.
    It is heavy. That's a fact.
    They should drop the AV module...or at least give the user a choice.
    Remember Safe 'n' Sec? Its F-Prot is/was the same story...

    @atomomega: :thumb:
     
  7. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    IMHO they will thrive without AV.
     
  8. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Didn't Safe n Sec use the VirusBuster engine? :doubt: (now owned by Agnitum)
     
    Last edited: May 29, 2013
  9. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    It's F-Prot. I was testing it last week.
     
  10. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Thanks for the encouragement! We will definitely work very hard to make SecureAPlus even better. Here's my reply to your questions:

    Antivirus Menu:
    1) No need for 2 tray icons, both modules can be integrated into one single tray icon and manageable with right-click
    The reason to have 2 tray icons is to distinguish the 2 different processes - Application whitelisting and antivirus. The Application Whitelisting tray icon appears during the initial whitelisting process to indicate that the whitelisting is still in progress. Once the initial whitelist is completed, the application whitelisting icon will disappear and be replaced by the SecureAPlus icon. Perhaps the 2 icons look too much alike, which may cause some confusion. We can fine-tune both icons to show a clear distinction. Will this be better?

    =================================================================

    2) Update AntiVirus Data should say: Update AntiVirus Signatures
    Good suggestion! We will rectify this right away.

    =================================================================
    3) Antivirus Settings > Updates > Why are there 2 options for update servers? Which one is 'recommended'?
    There are 2 options:
    1. clamavdb.secureage.com is hosted by us, SecureAge.
    2. database.clamav.net is the default AntiVirus signatures server provided by ClamAV.

    After undergoing intensive internal testing, we strongly recommend that users use the server that is hosted by us (clamavdb.secureage.com).

    =================================================================
    4) Antivirus Settings > Updates > Add ability to specify time interval for updates, (example: every X hours, every boot, once daily) not just 'automatic daily update'
    Currently, the automatic update is done on every boot. If the machine is never switched off, it will perform the next update every 24 hours. We have only provided 2 options so as to simplify the configuration. But we will keep your suggestion in mind when more users request more options.

    =================================================================
    5) Real time scanning: Add ability to choose whether you want on-access scanning or on-execution scanning (to save resources)

    These are already included. On-access scanning is only done for document files. On-execution scanning is for executable files. This has helped to save resources significantly as compared to the pioneer versions, but there is still room for improvement. Do you have any other suggestions?

    =================================================================

    6) The context scan window reported that it only scanned 1 item when I scanned a .zip archive. It doesn't scan within archives?
    It actually scans within archives, but it will only report a .zip as 1 file (even though there might be multiple files zipped inside the .zip file).

    =================================================================

    7) Give the ability to schedule scans
    Another great suggestion! We will keep this in our pipeline for our future release.

    =================================================================

    Application Whitelisting Menu:
    1) Is there a wizard for whitelisting?
    By default, whitelisting is already running in wizard mode. The end users just need to stick to the default settings without doing complicated configuration. Untrusted files can be whitelisted on the fly. When it runs an untrusted file (especially an unsigned file), it will prompt you, and let you choose whether to allow it to run or not.
    Is this good enough? Perhaps you can share with me what you have in mind for the wizard?

    =================================================================

    2) Please explain in more detail what Observation Mode does and how it works
    Observation mode is for testing purposes to observe the behaviour of application whitelisting.

    =================================================================

    3) Does this have a built-in (default) whitelist? If so, where can I check it?
    It does not have a built-in whitelist. That's why initially it needs to whitelist your entire hard disk.

    =================================================================

    4) Please explain further the functionality of the Scripts tab.

    Application Whitelisting only takes care of the scripts that are specified in the list, unlike executable files.
    You can customize it by adding the scripts you want to be included in the Application Whitelisting. For example, you want perl scripts to be able to run only when they are trusted. In this case, you have to add the .pl extension and perl.exe (as the interpreter) to the script list.

    Hope this helps.



     
  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I was doing some research and it appears that Safe n Sec has used several engines, in 2007 they used the Dr.Web engine, and in 2009/2010 they used Bitdefender, and somewhere after that I know it used a version of the VirusBuster engine, and now according to you it uses the F-Prot engine. Feels like they have changed engine in every new version. This was just FYI now let's go back to this topic. ;)
     
  12. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Hi sinlam,

    I always prefer simplicity and automatization whenever possible. In this case, if you think the whitelist icon should be there, I'd suggest having a tray icon popup reminding the user that the whitelist is in process and that as soon as it finishes, the icon will disappear. Yes, you can do design changes to the icon, but it's kind of confusing the existence of two icons in the tray for the same software, so at least, let the user know what both are for.

    =================================================================

    Are definitions available at the same time on both servers?

    =================================================================

    Why is this? It would be nice and more informative if it could report on all scanned files, even those within archives.

    =================================================================

    I think this one relates to my first suggestion. I think it's better to inform the user that the whitelist is running in wizard-mode and also when the whitelisting finishes.

    A wizard like the one in Voodooshield is very user-friendly in my opinion. See here

    Also, you can have the software run a scan to build the whitelist right after installing the software, like the one in Comodo Internet Security (you have to manually start the scan in Comodo, but the objective is to build the whitelist)

    =================================================================

    Ok, I'm still confused, what do you mean by 'observe the behaviour of application whitelisting'? Is it for advanced users? What's the purpose?

    =================================================================

    By the way, I don't know if it's normal but on my system I still see the 2 tray icons and it's been around 2 days since I installed it. Does that mean it's still building the whitelist? Where can I see the progress? (If there's no way to see the progress, maybe you can add a progress bar with an estimated time remaining)

    Regards.
     
  13. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    On my system, building was finished after app. 10 minutes.
     
  14. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Can anyone post a few screenshots of this AV & screenshots of popups too?
     
  15. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Thank you for your suggestion. We will think of how to improve this.

    We synchronize the update every 1 hour.


    Thank you for your suggestion. We will look into it.

    Thank you for pointing out the example. We will look into the possibility to incorporate a similar Wizard mode as you mentioned.

    Basically observation mode is passthrough mode. It will not block untrusted applications, but it will let you know what untrusted applications have been run. Furthermore, with the central management server, an enterprise can analyse the log to detect potential malware that has been executed on the user's machine. It is also useful in the case when you want to do mass deployment with a standard white list, and you want to make sure your settings work fine and do not accidentally block some crucial applications.

    You can go to Application Whitelisting by going to the Start menu: Start->SecureAge->Application Whitelisting. Go to "Status" tab to check the status.

    Regards.
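
The script-list rule from post 10 and the observation mode described in the post above, as an added example that is not SecureAPlus code and not part of the thread. It assumes a hash-based trust list and a plain block in place of the product's user prompt; the class, file names and file contents are all constructed.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Whitelist:  # hypothetical model, not the product's design
    observation_mode: bool = False
    trusted: set = field(default_factory=set)         # SHA-256 digests of trusted files
    script_rules: dict = field(default_factory=dict)  # extension -> interpreter
    log: list = field(default_factory=list)           # (action, file) audit records

    def initial_scan(self, disk: dict) -> None:
        """No built-in list: trust whatever is on disk at install time."""
        self.trusted = {sha256(data) for data in disk.values()}

    def check_launch(self, disk: dict, exe: str, args=()) -> bool:
        """Return True if the launch may proceed."""
        targets = [exe]
        for arg in args:
            dot = arg.rfind(".")
            ext = arg[dot:].lower() if dot != -1 else ""
            # A script is checked only if its extension is listed for this interpreter.
            if self.script_rules.get(ext, "").lower() == exe.lower():
                targets.append(arg)
        untrusted = [t for t in targets if sha256(disk[t]) not in self.trusted]
        action = "observed" if self.observation_mode else "blocked"
        self.log.extend((action, t) for t in untrusted)
        # Observation mode records the untrusted launch but lets it through.
        return not untrusted or self.observation_mode

def demo() -> dict:
    # Constructed sample "disk": file name -> contents.
    disk = {"perl.exe": b"PERL", "python.exe": b"PY", "report.pl": b"print 1;"}
    wl = Whitelist(script_rules={".pl": "perl.exe"})
    wl.initial_scan(disk)
    # Files that arrive after the initial scan are untrusted.
    disk.update({"new.pl": b"print 2;", "new.py": b"print(3)", "tool.exe": b"MZ"})
    results = {
        "trusted_script": wl.check_launch(disk, "perl.exe", ["report.pl"]),
        "new_listed_script": wl.check_launch(disk, "perl.exe", ["new.pl"]),
        "new_unlisted_script": wl.check_launch(disk, "python.exe", ["new.py"]),
        "new_exe_enforced": wl.check_launch(disk, "tool.exe"),
    }
    wl.observation_mode = True
    results["new_exe_observed"] = wl.check_launch(disk, "tool.exe")
    results["log"] = list(wl.log)
    return results

if __name__ == "__main__":
    print(demo())
```

The `new_unlisted_script` case is the gap to watch: a trusted interpreter whose extension is missing from the script list runs any script unchecked, so the list needs an entry for every interpreter installed.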
     
  16. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Hi sinlam,

    Thank you for your reply. I've removed it from my system for the time being. I'll wait for the next beta release to test the changes.

    Regards.
     
  17. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Sure. I will let you know once the next beta release is up. Thank you so much for your time spent in testing. Your comments really help :)

     
  18. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Just a suggestion. Drop the AV engine. It's pointless because you'll be playing catch-up with other vendors who are more experienced in the field. By dropping the AV, you can reduce unnecessary comparison/complaints/FPs/bug and incompatibility reports by users. Less work for you guys and if need be, the time and effort can be used to work upon and polish the white-listing component instead. Instead of competing with companies from 2 industries, you can focus your energy and marketing efforts to competition within the white-listing industry alone. It's nice to have a '2-in-1' combo but when part of it doesn't shine, the reputation can be pulled down. Not worth it at all.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would have to agree about dropping the AV. Whole reason I like the Whitelisting approach is I don't need to run an AV. So in that case the last thing I would want is a product that has one.

    Also another suggestion. You face an uphill battle in the whitelisting market, so you need to look at your competition and see what you can bring that is really unique.

    Pete
     
  20. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Hi Safeguy, Peter and the rest of the Wilders,

    Thank you for all your feedback. We will be keeping the AV due to our future product planning and preparation of a new product around the end of this year. Please watch out for it! But we have heeded Siketa's suggestion to give users a choice to disable the AV. Siketa has been actively giving us lots of good feedback. :thumb: Greatly appreciated and hope to see more coming. ;)

    Just need some feedback from you guys. Is there any feature in SecureAPlus' application whitelisting that you specifically like? Do you find it easy to configure and use? Is there any feature which you think should be included but is currently lacking?
     
  21. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Hi sinlam,

    As you said you plan to stick with the antivirus module, are there any plans to replace ClamAV with a different engine? One more commercial I mean, after all, you plan to sell SecureAPlus, right?
     
  22. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Hmmm... All I can say is ClamAV will not be the sole dependent av engine whereby it will tie the user down. Users will have another av option with a more complete protection but this will only be out end of this year. But for the official release in this coming July / Aug, SecureAPlus will still come with ClamAV but with the disable option. SecureAPlus is developed in such a way that it can work well with other antivirus software and further boost the antivirus security with its application whitelisting component.




     
  23. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    That's good to know. Thank you!
     
  24. My TIP: make it loosely coupled, provide an option to NOT install the clam AV
     
  25. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Yeah. That would be the best thing to do.
    I like context menu option to make file trusted or untrusted.
    Reminds me of GesWall/DW...
    :)
    Waiting for the next beta...

    Sinlam, what kind of licenses will you offer for the product?
    Estimated price?
     