Antivirus and App Whitelisting

Discussion in 'other anti-virus software' started by sinlam, May 27, 2013.

Thread Status:
Not open for further replies.
  1. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    We will keep this suggestion in mind... maybe for the enterprise version. We will let you know once decided.

     
  2. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    There are two versions - home and enterprise. The enterprise version includes more features than the home version and is based on an annual license with competitive pricing. Well, for home users, we are finding an avenue for home users to enjoy the protection for free. So watch out for the official launch! ;)

     
  3. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Nice to hear about home users...:thumb:
    Just give us an option not to install ClamAV and you will gain many users.
    ;)
     
  4. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,290
    I completely agree.

    BTW, what would you say from a sales perspective makes your product different from other whitelisting/policy-based products?
     
  5. Let's reverse it; what I would like to see is:

    Ease of use
    1. Option to auto-trust all SIGNED applications. Option to strengthen this allow rule by limiting auto-allow of SIGNED applications to safe places ONLY (Windows and Program Files).

    2. Monitored applications will be excluded from auto-allow rules, with an option to add monitored applications, so programs created by these monitored programs are excluded from auto-allow rules. Provide an out-of-the-box default monitor list of popular web browsers, script interpreters, email programs, media players and (DLLs of) vulnerable plug-ins (Flash, PDF, etc.). Option to strengthen "exclude from auto-allow" to an explicit "always block executables created by these programs" (with a right-click context menu option to trust individual programs).

    3. Informative / rich option pop-up
    a) same colouring scheme as UAC uses (less variance is easier to use)
    b) option to remember (allow/block) for
    - publisher + product family
    - hash
    c) option to check the hash at VirusTotal, and pause the execution flow
    d) option to go into install mode (allow all consecutive)

    Granularity
    1. Auto-allow list
    Ideally the program comes with an auto-allow set of the Windows OS and popular AVs and firewalls. The power user has the option to remove or add publisher + program families to this auto-allow trust list.

    2. Monitored file types list
    Like SRP, the list of included file types could be edited by the (power) user to increase or limit the scope of the anti-executable.

    3. Install mode scope (slider)
    a) Option to auto-allow all consecutive (temporary, ONCE) and processes created by these binaries (add to trusted)
    b) Same as (a) with the limitation that scope is limited to the parent directory of the triggering process
    c) Same as (b) with the limitation that created processes must be stored in a safe place (Windows or Program Files)
     
    Last edited by a moderator: Jun 5, 2013
  6. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I would add an option for automatic creation of Path/Publisher/Publisher+Product/Hash rules like in AppLocker.

    And an option for logic "And" and "Or" for Path/Publisher/Product/Hash rules.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Just checking this out, seems interesting :) So all executables created by restricted programs are automatically untrusted, which means they are not allowed to execute, hence traditional drive-by attacks on browsers etc. won't work. But what if the browser is hijacked through a vulnerability and then the browser process injects into a legit Windows process?

    Good suggestions :thumb:
     
  8. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    On top of what is written in the SecureAPlus brochure, which can be downloaded from the Resource Center in the SecureAge Beta Portal, here are other key strengths we envision SecureAPlus to have:

    1. Highly secure and yet efficient on the user machine, with almost no impact on the performance of the machine.
    2. Highly automated with almost transparent operations, which minimize the interference with the use of the computers.
    3. Offering the home version free for anyone to try out the solution.
    4. Enterprise users can choose to combine it with our SecureData and Application binding solutions to counteract APTs.
    5. They can also use it with our SecureAge Management Server to centrally manage and control the applications and software that are installed on their company PCs and laptops.

    We are currently working very hard to achieve the above. All kinds of suggestions are most welcome :) Keep them coming and coming....

     
  9. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Hey, this is a good and interesting question :thumb: Let's cite a zero-day attack scenario. We will first analyze what will happen when a browser is hijacked through a zero-day vulnerability. The browser may then be forced to download a certain harmful payload (e.g. a DLL) that will be used to inject into a legit Windows process. Since the payload is downloaded by a browser, it will not be trusted. When the browser uses this DLL to inject into a legit Windows process, it will be blocked.
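    The auto-allow policy Kees sketched in post 5 (rules #1, #2 and pop-up option 3b) and the provenance argument sinlam gives above, written out as an added example; this is a model of the proposed semantics, not SecureAPlus code, and the safe-folder list, monitored-app list and hash values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Kees's "safe places": only binaries here get auto-trusted on signature alone (assumed list)
SAFE_DIRS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
# default monitored list: whatever these programs write to disk is never auto-allowed (assumed list)
MONITORED = {"chrome.exe", "firefox.exe", "iexplore.exe", "outlook.exe",
             "wscript.exe", "powershell.exe", "acrord32.exe", "flashplayer.exe"}

@dataclass
class Binary:
    path: str                          # file about to be executed or loaded as a DLL
    sha256: str                        # hash of the file (test values are constructed)
    publisher: Optional[str]           # verified Authenticode signer; None if unsigned
    product: Optional[str] = None      # product family from the signature / version info
    created_by: Optional[str] = None   # image name of the process that wrote the file (provenance tag)

@dataclass
class Policy:
    trusted_publishers: set = field(default_factory=lambda: {"Microsoft Windows"})
    trusted_products: set = field(default_factory=set)   # remembered (publisher, product) allows
    allow_hashes: set = field(default_factory=set)
    block_hashes: set = field(default_factory=set)
    signed_only_in_safe_dirs: bool = True                # the "strengthen" option of rule #1

def decide(b: Binary, p: Policy) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'prompt' (ask the user)."""
    if b.sha256 in p.block_hashes:                 # explicit per-file decisions always win
        return "block", "hash on block list"
    if b.sha256 in p.allow_hashes:
        return "allow", "hash on allow list"
    if b.created_by and b.created_by.lower() in MONITORED:
        # written by a browser/script host/reader: excluded from every auto-allow rule, so a
        # payload a hijacked browser downloads is not trusted even if it carries a valid signature
        return "prompt", f"created by monitored app {b.created_by}"
    if (b.publisher, b.product) in p.trusted_products:   # user said "remember for publisher+product"
        return "allow", f"remembered rule for {b.publisher} / {b.product}"
    if b.publisher in p.trusted_publishers:
        if not p.signed_only_in_safe_dirs or b.path.startswith(SAFE_DIRS):
            return "allow", f"signed by trusted publisher {b.publisher}"
        return "prompt", "trusted signer but outside Windows / Program Files"
    return "prompt", "unknown or unsigned binary"

def remember(b: Binary, p: Policy, verdict: str, scope: str = "hash") -> None:
    """Persist a prompt answer (pop-up option 3b): by hash, or an allow by publisher + product family."""
    if scope == "hash":
        (p.allow_hashes if verdict == "allow" else p.block_hashes).add(b.sha256)
    elif scope == "publisher" and verdict == "allow" and b.publisher:
        p.trusted_products.add((b.publisher, b.product))
```

    Note that a remembered publisher + product rule bypasses the safe-folder restriction, while the generic trusted-publisher rule does not; a file dropped by a monitored app stays a prompt until the user decides it by hash.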


     
  10. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,290
    Hi sinlam,

    I was thinking that perhaps you can have 2 user profiles:
    1) For basic users/beginners
    2) For advanced/power users

    The reason for this is that I'd suggest you incorporate a trusted vendor list (like the one in Comodo) to minimize the time it takes for SecureAPlus to build its own whitelist. This way, users will have a predefined set of rules for (built-in) whitelisted processes. That would be for the basic profile. For the advanced profile you can actually have the program build its own whitelist as it does now.
    This is a suggestion made with my family members in mind (basic users) who would not know what a 'whitelisted process' is.
     
  11. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    It is important to do the initial whitelisting of the machine after installation instead of using the predefined whitelist. Let's take Windows software as an example. Windows runs updates quite regularly; as such the hash may change, and this new hash may not be in the predefined whitelist. Anything that is not in the predefined whitelist will be blocked. As a result, any system files that have been updated with a new hash may potentially be blocked, and in the worst scenario cause the machine to be unable to boot up.

    We do understand that most home users may not understand the concept of a whitelisting process. That is why we have designed SecureAPlus in a way that they can simply just stick to the default settings without having to be overly concerned with the advanced settings. Most of the time they will not get much prompting unless they have initiated the installation of software with a cert that is not listed in the whitelist, or a harmful and stealthy risky program is attempting to run on their machine.

    For the advanced users, they can go to the advanced settings and configure them according to their requirements.

    What do you think?
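    The staleness problem sinlam describes above (a shipped hash list no longer matching system files after an update), shown on a constructed directory tree as an added example that is not SecureAPlus code; the "Windows/System32" files and their contents are fabricated stand-ins.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str, exts=(".exe", ".dll")) -> dict:
    """Initial whitelisting: hash every executable under root (relative path -> sha256)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out

def drift(whitelist: dict, current: dict) -> dict:
    """What a hash-only whitelist does with the files now on disk: unknown hash -> blocked."""
    blocked = sorted(p for p, h in current.items() if whitelist.get(p) != h)  # modified or new
    allowed = sorted(p for p, h in current.items() if whitelist.get(p) == h)
    missing = sorted(p for p in whitelist if p not in current)
    return {"allowed": allowed, "blocked": blocked, "missing": missing}

def demo() -> dict:
    """Constructed scenario: a 'predefined' list is taken before an update changes a DLL."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "Windows", "System32")
        os.makedirs(sysdir)
        for name, body in (("ntdll.dll", b"v1"), ("notepad.exe", b"v1"), ("readme.txt", b"x")):
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(body)
        predefined = snapshot(root)          # the list that shipped with the product
        # simulated "Windows Update": ntdll.dll is replaced and a new DLL appears
        with open(os.path.join(sysdir, "ntdll.dll"), "wb") as f:
            f.write(b"v2")
        with open(os.path.join(sysdir, "newfeature.dll"), "wb") as f:
            f.write(b"v1")
        after = snapshot(root)
        # stale: the shipped list blocks both system DLLs; rebaselined: whitelisting the machine
        # after the update (sinlam's point) leaves nothing blocked
        return {"stale": drift(predefined, after), "rebaselined": drift(snapshot(root), after)}
```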

     
  12. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Hi, thanks for your suggestions. Most of them are already in SecureAPlus.

    Ease of Use
    #1. Yes, this is in. This is the default setting. You can see the setting by going to Application Whitelisting -> Advanced setting -> General Tab.

    #2. Yes, we have it. You can configure this in the same tab as mentioned in #1. Simply choose the observation mode and uncheck the rest.

    #3a) Noted and we will do something.
    b) Yes, we have it for the allow.
    c) & d) No. Will add this to our development list.

    Granularity
    #1, #2 & 3a) Yes, we have that and it is in the advanced setting.
    #3b) & c) We will look into these.


     
  13. Yes, I know, I tried it briefly ;)

    Confirmation question
    Did not notice the sub #1 option to limit trusting signed programs to safe folders only (Windows, Program Files). Your answer seems to point out that it is already implemented (correct?)

    Last tips
    1. Clam AV (drop it or make it a separate/optional install option). I know I already mentioned it, but you will shoot yourself in the foot for the second-phase jump (please learn from Immunet; your claim is identical, "next generation antivirus", with a limp companion AV? Really, who are you kidding?)

    2. At Wilders there are quite a few members who are system administrators/IT managers of smaller companies; use their insights and experience, ask them to be your beta corporate-customer user council (e.g. ask them about central management features; I think they would not allow ordinary users, for instance, to go into install mode, option 3d of ease of use).

    3. HitmanPro has a cloud feature. Maybe an auto lookup to their cloud service is an option for mutual benefit (they don't have a real-time application, but seem to have alliances and contracts with AV vendors; you have a real-time application and currently no contracts with AV vendors).

    Regards, Kees
     
    Last edited by a moderator: Jun 6, 2013
  14. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Once again, thanks for your feedback.
    #1 option: we have not implemented that part about limiting trusted applications to safe folders. But it is already in our pipeline, and this is only for the enterprise version.

     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Do you have an ETA for the new beta build?
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Ah, good :)

     
  17. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Like other posters here I'd say do away with the AV and concentrate on the whitelisting.

    For me, whitelisting is definitely a great approach; however, it lives or dies on the quality of said listing. Not only does it need to be extensive in scope, it has to be maintained with great frequency. A product can quickly become annoying and unwieldy if it blocks half your applications and isn't able to keep pace with all the latest versions/patches, etc.

    IMO there's undoubtedly a place for a top-quality W/L application, but rather than try and integrate a mediocre AV, concentrate on the primary functionality.
     
  18. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    The release of the next beta version is very likely to be in one to two weeks time. :)

     
  19. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Hi Andyman and all the rest of the Wilders members who want us to drop the AV completely. There is a reason why we still keep the AV, as explained in my earlier post below. But we will keep this suggestion in mind and hold an internal discussion on this.
    Greatly appreciate all your interesting suggestions and feedback :thumb: :thumb: :thumb: We are still hungry for more ;)

     
  20. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Thanks for the info, sinlam! :thumb:
     
  21. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Hi Guys, the new beta version 1.0.27 is finally out! Please go to SecureAge Beta Portal -> Resource Center to download the latest release notes to see the changes. Since the default is automatic update, you don't have to do anything. Don't be disappointed if your suggestion is not addressed in this version. We have already kept it in our pipeline ;) Please keep your comments coming! :)
     
  22. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I've got an idea, but it's a long shot. Rather than use ClamAV, why not try to get COMODO to let you use their engine? I remember Melih going on about how AV companies should share signatures with each other for the betterment of all, so maybe you could get them to let you use their engine or at least signatures for your product?

    EDIT: Just saw the part about another AV engine being an option later in the year, but I'd still try my idea.
     
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Comodo is a much better option than ClamAV.
    :thumb:
     
  24. sinlam

    sinlam Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    569
    Just curious. Why Comodo out of so many other AVs on the market?

     