AntiVirus feature prediction thread (let's look ahead and see who's guestimate is close to reality)

Discussion in 'other anti-virus software' started by Windows_Security, Nov 22, 2014.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,068
    Location:
    Netherlands
    My take
    I always use freebies, but WSA has on my wife's laptop for years. WSA does not participate in security test anymore, because they showed poor results, AVAST shows very poor RAP results. I know of one PrevX4/WSA user which is running in community block mode for years and at least five Avast users running hardened mode for a year now with no problems at all. The attack vectors have changes with the world going on-line (shopping and social media). Let's move and guess how it is implemented

    1. Cloud reputation and auto sandboxing using CPU's VM capabilities
    The new Virtualising capabilities of the newer CPU's will boost code emulation and behavioral analysis to the next level. Programs with poor reputation will be auto-sandboxed using code emulation and simple file and registry emulation. When program does not show any suspicious actions it is allowed. Sandboxed programs are send to central servers for further analysis.

    2. Setting white-listing as the default

    When will vendors dare to set this as the standard? When will vendors start to pitch on average JOE/JANE who don't install programs for fun, but install programs by accident? Simply spoken, when a program has poor reputation and it changes the core of the system (elevation of rights, survice re-boot), I want it blocked, not executed!

    3. Blacklisting only for attack surface programs.
    Local blacklist data base will be used fore script based attacks. The anomaly of an exploit is: script execution (java, flash, PDF, HTML, VB) in genuine/white-listed program (browser, office etc), exploiting a bug to gain access to the shell . To these type of attacks blacklisting and code pattern analyses are proven defense mechanism, which are right at the center of an AV's capabilities. No one does a better job in this field, so use old skills (blacklisting/heuristics) to these type of attacks.

    4. Extra security features for safe shopping and social media
    Looking at the rise of the Virtual Economy and social media usage, I always was surprised the focus of AV companies was on proving their skills in the PE department. WSA's was one of the first to take the lead in browser/SSL/MITM fraud protection.

    5. Personalized curing mechanisms
    To my knowledge only WSA (rollback) and EAM (blitzblank) offer such features. I am not an AV-user, so there might other AV vendors also offering this type targeted curing mechanisms.

    Regards Kees
     
    Last edited: Nov 22, 2014
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    No.1 (Avast) and No.2 (F-Secure) do cause problems to users that run programs with "low reputation". They both require knowledgeable user to avoid problems...
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    IDK, maybe Comodo's Viruscope falls into this type?
     
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,068
    Location:
    Netherlands
    People installing software for fun should be knowledgeable, so they should be able to change the default to something else when they are installing software with low reputation using their full senses.

    Limited to my observation, people installing software by accident, are no knowledgeable users, so they are better protected when someone prevents them installing stuff.
     
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,068
    Location:
    Netherlands
    Thx for posting, old school regrun reanimator offered this long time before any AV had this type of repair mechanism.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    There are some users that are not knowledgeable but do use some not very known software (like software that our company is making). After each update they have to unblock/unsandbox all new executables which can cause them a lot of troubles. Explaining them that all their work is gone, since AV sandboxed our software is no fun either.
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,068
    Location:
    Netherlands
    Not knowledgeable users use mainstream software, which mainstream (commercial) software is unsigned these days? There are always exceptions which proves the rule (as we say in Holland). Why don't you sign your software?
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Kees, can you pleas explain how to set up WSA in community mode for us. thank YOU
     
  9. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    784
    Webroot SecureAnywhere is (or was) revolutionary in many aspects, it is the security concept that is gonna be mainstream soon (just look at the new Panda and Norton).
    WSA just need to have better execution of his own concept, during my years of use I found too many bugs that really annoyed me. (to be fair many people wouldnt notice in first place).



    The future in my opinion will be a combination of cloud signatures/reputation plus "Hitman Pro Alert " look like concepts (anti exploit, virtualization, vaccine, anti ransomware ...)
     
  10. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    784
    http://i.imgur.com/ZyJcdjP.png

    Settings > Heuristics > Warn when any new program executes that is not specifically whitelisted
     
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,068
    Location:
    Netherlands
    Hmm WSA has changed the interface considerably, so I had to look for it:
    Settings > Heuristics > Warn when a non whitelisted program etc ...

    The block option seems to be removed, pitty. It shows that AV Vendors are reluctant to make the step to whitelisting.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    That's a question for our development team. I guess for now signature is not needed. Apart from some AVs flagging our binaries, we don't have other problems.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Who is we?
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Small company that develops ERP software.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Trend, Norton, and others are moving more toward a rollback, validation, fingerprinting type of system - or they already have. In both cases I would have more confidence in those products over Webroot because they generally seem to be tested, and performing quite nicely in those tests. With the newer, stronger, and trickier threats, I think these types of systems will be mandatory for most users in the years ahead. It's pretty tough to score 100% these days without reputation/fingerprinting types of systems, as evident by the latest AVC tests.

    I love validation/reputation systems on corporate clients because they have NO reason to be downloading rare, unseen, or unsigned files. Period.. BLOCK!
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Again you know nothing about how WSA works and the other two do not work like WSA does and full cloud application in which the other two aren't: http://www.brightcloud.com/platform/webroot-intelligence-network.php

    TH
     
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Actually Norton and Trend as of 2015 are fairly heavily reliant on the cloud, and I am well aware how all three work, some in great detail. The fact is, regardless of how marketing decides to label the technologies, they are quite similar. Except that Norton and Trend have more modules, and varied architecture to back up the cloud aspects. Also both Norton and Trend have emulation/rollback types of systems in place now. The delay with Norton processing some files is because it has tossed the file into an emulator while it awaits realtime classification from the machine learning/validation/reputation systems, with full rollback potential present when necessary.

    The reason Trend is scoring 100% in all of the tests right now is precisely because it deploys a blended solution to a blended threat matrix, up to and including similar cloud/virtualization/fingerprinting systems WSA has, but with fallback systems so the product CAN be tested using traditional methods, and score perfectly on them. Since Trend is being rapidly deployed to consumer routers, the knowledge pool of it is growing exponentially, by the week - but scoring better than 100% isn't possible, so that will just ensure the scores are consistently 100% through a variety of test methodologies, and threat categories.
     
    Last edited: Nov 24, 2014
  18. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    At a 750kb installer 3 to 6MB of Ram and No need for definition downloads? And I tested the other 2 to see there "cloud" still very large installers even Panda is quite large as well.

    TH
     
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Add the 300MB Webroot balloons Explorer to be fair, Ok?

    Nevertheless, all of them have technologies not reliant on the cloud, which is why they can deal with blended threats, and pass traditional test methodologies.
     
    Last edited: Nov 22, 2014
  20. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    What this is a non-issue since Microsoft fixed there issue with KB3000850: https://community.webroot.com/t5/We...r-exe-using-up-to-300mb-RAM/m-p/173343#M10637 so what other garbage do you want to say? And no they don't have to pass traditional test methodologies that's a farce, Real World testing is more accurate IMO. :rolleyes:

    TH
     
  21. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Please shelve the fanboism, it's nauseating.. Nevertheless, Trend and Norton are fairly reliant on the cloud, but they use the cloud to strengthen their core products - a wise choice.. Who cares how small an installer is when people have terrabytes of storage space, and 50-300Mbps connections? Those are meaningless in the scope of things. So what's the argument here again? Everyone knows Trend and Norton 2015 are strongly reliant on the cloud, and apparently Panda 2015 is as well. Arguing if something is 'full cloud or not' is akin to arguing whether or not a smart car is a real car or not.
     
  22. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    I am an Emsi user but Webroot is the next best product IMHO.
    :)
     
  24. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Nonsense. Unless if you use Hardened Mode, there is absolutely NO knowledge required. DeepScreen is fully automated and doesn't require ANY user input. Low reputation warnings are also disabled by default in Web Shield.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Nope. Users with default installations have problems. Our company used to sell Avast but we had to switch (now we sell other AV) because of all the problems.
     
Loading...