BluePoint Security product Q&A

Discussion in 'other anti-malware software' started by BluePointSecurity, Aug 31, 2009.

Thread Status:
Not open for further replies.
  1. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    The problems I had were with software that has been on my system for a long time.
    I think BPS offers great protection.
    But I also think it needs more polishing.
    That's not a derogatory statement. Just my opinion.
    I'll be looking at it again in the near future.
    Hugger
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Just a very strange issue, because I have 2 or 3 programs and it looks nice here. Also you can disable BPS, reboot, and all your programs will load after that, and then check that BPS is enabled again :thumb: It works for me, it may work for you. Don't give up on BPS buddy, it is a very cool program. Imagine having those 2 together, DefenseWall and BluePoint Security :thumb:
     
  3. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Perhaps I am missing the point, but I still fail to see the conceptual advantage of the security model of BluePoint Security over that used by Norton Internet Security 2010. Keep in mind that Symantec uses information about a “trusted publisher” in its assessment of a security risk, too; and prompts the user when a file’s status is indeterminate at a point in time.
     
  4. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    I'm not sure how else to explain it guys. NIS 2010 does not prevent unknown code from executing. Period. BluePoint does. We do not allow code to run based upon its reputation or its behaviour (NIS 2010 does), as these methods expose you to circumvention.

    Allow unknown code to execute behind your back in any way, at any time, even if it looks "safe", and malware writers will exploit it.

    Our concept is very simple. There are other vendors out there that claim to do what we do, but when you put them to the test, they simply don't stop code execution. It's as simple as this: load up BluePoint in a VM and try to run a new batch file, a new VBScript or a newly created executable. It will not run without your explicit permission. Meaning, you will not see the executable show up in Task Manager at all; 0 lines of malicious code will execute. Test another security app claiming to be similar to ours in the same VM (without BluePoint) with the same files. Were they blocked? Do they show up in Task Manager but the product tells you it's blocked? That's the difference with our product, and that's what matters in the real world as far as preventing malware.

    You'd be surprised at how many of our competitors allow code execution (it shows up in Task Manager!) and then attempt to block the item after the fact. They are not doing the job properly. Once executable code shows up in Task Manager, you've already allowed too much.

    Get your hands dirty with these products in the lab as I know many of you have, and look for the things I've mentioned.

    Our model is simple, but the devil's in the details.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Well said buddy, well explained :thumb: What you said makes sense. I also noticed that some vendors say it is blocked and even show their product in green, meaning protected, and in reality it was not. I saw this one day when I was testing a product whose name I reserve the right not to mention, but what you said is true :)
     
  6. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Yes, and that one bothers me the most. Informing a user that a threat has been prevented when clearly several executables are sitting running code in the background is just appalling to me. Why were they allowed to execute in the first place? To me this just highlights the reason vendors need to rethink their security models (those relying upon signatures and heuristics for prevention, that is). Obviously I spend a great deal of time informing everyone about our product, but it's bigger than that for me. It's personal. The industry needs to change; there are better ways of protecting people.

    Honestly I wish I could name names, because there are truly other solutions out there that do in fact work very, very well, meaning they will stand up to nearly any type of fierce real-time attack I can throw at them without issue. Sadly there are others that allow me to bypass them with simple coding tricks in ten minutes, and I shut the VM off, testing over. I think the problem is, they are not mainstream solutions; the smaller vendors are beginning to think outside of the box. They are the ones that realize there's an opportunity here to really come up with a solid solution that turns the tide and actually begins to put the malware writers out of work.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    total agreement here
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I don't really see why you couldn't name names. Telling the truth is seldom immoral or illegal, so what's stopping you? :D
     
  9. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Pleonasm

    Here is a challenge for you. Please get hold of CoolWebSearch, then install NIS 2010, execute CoolWebSearch and see what happens. Not only will NIS 2010 allow code execution, but after analysis of the file NIS 2010 will also tell you that CoolWebSearch is a safe file and that it is OK to install it, believe me, no kidding. I tested NIS a couple of months back; unless NIS 2010 has got its act together you'll probably have the same result if you decide to test it. Do not take my word for it, test it and behold. :D
     
    Last edited: Sep 15, 2009
  10. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Hi BluePointSecurity

    I already tested BPS twice and we have included your product in our official testing schedule. First I would like to apologize to everybody that already contacted me for testing requests. I thought that I was going to be ready last August; however, I had to take some time off work. Now I'm contemplating mid October, sorry.

    To me and without any subjectivity, I can say that BPS is a fantastic security product with zero code execution (98% of the time), who can ask for more :D. However, I have two constructive criticisms to convey:

    1) BPS must have strong self protection of its processes such as bluepoint.exe and bp.exe (No, No, No bp is not equal to British Petroleum :). At the moment I can say that BPS does not have any self protection at all. I used Process Explorer to successfully terminate all BPS processes without BPS putting up a fight :'( .

    2) BPS got fooled by a rogue Anti-Spyware. The rogue was packed inside Braviax installer. Even though BPS monitored the installation; nonetheless, it allowed the rogue to install. Another rogue got installed and BPS believed that setup.exe was from Microsoft and allowed it to install.

    I have got to say also that on both of these occasions BPS did prompt me for an action. The first instance BPS could not make a decision so it asked me to decide since BPS rated the threat as low consequently, I executed it just to see BPS reaction.

    After these two rogues installed I performed a full scan and BPS deleted them without a hiccup, and I was quite pleased. All in all I can unequivocally state that only BPS and McAfee VirusScan Enterprise 8.7 successfully passed all my tests with no infection left behind :D.

    Right now McAfee VirusScan Enterprise 8.7 is installed on all of my work computers, and I can say even further that if the BPS enterprise product is as good as its home product then McAfee has a tough fight on its hands. The BPS upstart can only grow. ;).

    Anyway, do not let success go to your head man; listen to wisdom and pay special attention to the wishes and dreams of your customers and you'll continue to be successful. :thumb:
     
    Last edited: Sep 15, 2009
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    That helps to explain the point, and I see the distinction. However, like Windows Vista’s UAC, won’t a typical user over time be inclined to simply click-through all of these warnings because a warning doesn’t necessarily indicate that the software is likely to be malicious (but only that it is absent from the whitelist)?

    In addition, isn’t this technique simply shifting the decision burden from the software to the user? For advanced users, doing so may be a benefit; yet, for the vast majority of “typical users,” how will they know if a batch file or VBScript utility that is flagged by BluePoint Security is malicious?

    What information is provided by BluePoint Security to aid in that decision? Does that information change in real-time based upon the experiences of the community of users?

    Thank you.
     
  12. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I do not doubt your experience. Hopefully, the released version of Norton Internet Security 2010 (as opposed to the beta version that you tested) has this problem resolved. You might want to give it another try?
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    This is, I fear, exactly the sequence of events that many “typical” users might experience, thereby potentially mitigating the prevention capabilities of the tool.

    Excellent advice for all anti-malware vendors! :)
     
  14. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Thanks for testing things out and sharing this, great info.

    We will have self-protection within a week or so; it was put on the back burner as malware is generally put in a catch-22 of not being able to execute, and therefore unable to terminate BluePoint under most circumstances.

    Our weak point at the moment is rogue detection/prevention, as a few testers have pointed out. Rogues are tough to deal with as they often blur the lines between a threat and a nuisance and rely heavily on the user's decision to allow them. We're adding rogues to our detection database on a daily basis.

    We are actively seeking additional independent testing as of course, we are a bit biased :)
     
  15. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    That is a good point; we do depend on the user to make decisions occasionally on code execution, and we can't control the human element that's involved there. We try to provide good indications as to the risk rating of the item attempting to execute. Most of our current efforts are going into providing the best feedback to the user possible, as ultimately, if it's not a known virus to us, they make the decision based upon the notification we give them. Known malware items are auto-handled. Most of the time, a risky type of executable will show that it's high or medium risk, which hopefully helps them make the call.

    Our thinking there is, it's better to let the user know something is going on before harm is done than not telling them anything. Worst case scenario, those that allow items that shouldn't be allowed (say a zero-day virus, and they ignore the threat rating) will be taken care of by our AV engine as soon as we discover the threat. I think if a new virus were to hit CNN today (in all their scare-tactic glory!) users would be inclined to be very careful about allowing things, if they were given the choice.

    The missed CoolWebSearch detection above sort of exposes the problem I see out there: they'll add it to their list and it'll take care of it. What happens when the next threat comes along? Same cycle over and over: infection, discovery and cleanup. We're trying to break down that cycle.
     
    Last edited: Sep 15, 2009
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    In the “old days” when signatures were the main defense against malware, your assessment seems to have merit. But, today, the best anti-malware companies are not operating in this cycle. They are focused on prevention, especially for the class of malware that is becoming increasingly more common: polymorphic (unique) instances.

    It is “relatively easy” to identify the very common cases in which software is bad or good (e.g., blacklisting Conficker or whitelisting Microsoft Word). The new challenge, however, is all about the “long tail”—the large number of cases with low prevalence that may be either good or bad, and for which user intervention may be necessary. It seems to me that the security model of BluePoint Security doesn’t provide the same level of insight to the user as one which is founded upon the concept of “community reputation.” The higher the quality of information provided to the user in these cases (and, providing information that rapidly improves in real time), the more advantageous it seems to be. I infer (maybe incorrectly?) that BluePoint Security does not equip the user with such dynamic, community-based insights to guide the “safe”/“not safe” decision process. Please let me know if I am mistaken.

    Increasing the detection rate at the expense of increased burdens upon the user to make "safe"/"not safe" decisions may not be a step forward in the evolution of anti-malware software, in my opinion.
     
  17. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    They are focused on prevention, but they are still very much behind the ball and constantly playing catch up. The coolwebsearch example is a good one, I haven't verified the fact that it's missed but it wouldn't surprise me. I read news stories on a daily basis about infections resulting in data being stolen etc. These are quite possibly targeted attacks with custom tools/malware, again these often run without being detected.

    Again, I think identifying based upon actions and behavior is a hit-or-miss affair. Sometimes items are detected, sometimes they are not. We do provide the user with information about the item, but it's not derived through user communities. I don't believe relying upon a certain number of customer infections before informing everyone else is the way to go. We focus our efforts on solid prevention techniques rather than hit-or-miss types of solutions. Keep in mind there is a huge user base out there that is completely fed up with mainstream AV for that very reason; they are quite willing to adopt a new solution that's outside of the heuristic/community/definition box.
     
  18. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    'We focus our efforts on solid prevention techniques rather than hit or miss types of solutions.'

    I'm trying this again as suggested by JPM. It's definitely an interesting program.
    I read the quoted sentence and feel that what Pleonasm said is accurate.
    I'm not a tech inclined person by any stretch of the imagination.
    And when I see your blue box of curiosity pop up asking me if whatever.exe should be allowed or blocked I probably won't know the answer.
    So I'm going to have to guess.
    If I had the ability to see what the majority of others are doing with this .exe I'd be able to make a bit more educated guess.
    Also, I know this is in the clouds software, but is there a way for me to get BPS to remember what I allow to run on my pc?
    Perhaps what I've seen others do, I don't remember who, would be easy.
    'Allow, Allow once, Deny'.
    Hugger
     
  19. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    It wouldn't be a bad idea to show the user that type of information, how many users have clicked allow/deny, I like it. Generally it does give you as much information as possible, the file has been checked by our av engine and the result is shown in the risk rating area of the notification. It's sort of an extra layer that av is missing, yes we've determined that the item isn't known to us as an in the wild threat. The difference is instead of simply allowing execution, we ask permission. That extra layer makes all the difference in prevention. But yes, the human factor exists of course for items the av engine doesn't know about.

    It should remember your allow decision; does it not?
     
    Last edited: Sep 15, 2009
  20. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    The best examples I can give is HDTune and Real Temp.
    Both reside on my desktop.
    I double click them and I get your pop up box to Allow or Block.
    Click Allow.
    Shut down later and start my pc the next morning and I go through the same thing.
    This forgetfulness includes the pop up that has the colored bar graph showing the level of danger. BPS is not remembering my settings.
    Hugger
     
    Last edited: Sep 16, 2009
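The execution model BluePointSecurity describes in post 4 (hold a new batch file, VBScript or executable before a process exists, rather than spawning it and blocking afterwards) and the "remember what I allow" behaviour Hugger asks for in posts 18 and 20 can be sketched together in code. The following is an added example and not BluePoint's code; the risk bands by file type, the names `ExecutionGate`, `Verdict` and `demo`, and the JSON decision store are assumptions for illustration, and every file in the scenario is constructed in a temporary directory. The decision memory is keyed on the file's SHA-256 rather than its path, so an allowed tool stays allowed across a restart but a replaced or modified file of the same name prompts again; a known-bad hash is refused without a prompt, and nothing is spawned until the gate returns `True`.

```python
"""Added example: a default-deny execution gate that persists user decisions by file hash."""
import hashlib
import json
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path

# Assumed risk bands shown to the user when a prompt is needed (not BluePoint's ratings).
SCRIPT_SUFFIXES = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".wsf", ".ps1"}
BINARY_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"


@dataclass
class Decision:
    verdict: Verdict
    risk: str      # "high" / "medium" / "low"
    reason: str


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def risk_for(path):
    suffix = Path(path).suffix.lower()
    if suffix in SCRIPT_SUFFIXES:
        return "high"
    if suffix in BINARY_SUFFIXES:
        return "medium"
    return "low"


class ExecutionGate:
    def __init__(self, known_good, known_bad, decision_store):
        self.known_good = set(known_good)      # hashes the engine already trusts
        self.known_bad = set(known_bad)        # hashes the AV engine flags as malware
        self.store = Path(decision_store)      # where user answers are persisted (assumed format: JSON)
        self.remembered = json.loads(self.store.read_text()) if self.store.exists() else {}

    def evaluate(self, path):
        digest = sha256_of(path)
        if digest in self.known_bad:
            return Decision(Verdict.DENY, "high", "known malware")
        if digest in self.known_good:
            return Decision(Verdict.ALLOW, "low", "allowlisted")
        if digest in self.remembered:
            return Decision(Verdict(self.remembered[digest]), risk_for(path), "remembered user decision")
        return Decision(Verdict.PROMPT, risk_for(path), "unknown to engine")

    def remember(self, path, verdict):
        # Keyed on content hash, not path: a swapped-in binary with the same name re-prompts.
        self.remembered[sha256_of(path)] = verdict.value
        self.store.write_text(json.dumps(self.remembered))

    def run(self, path, ask):
        """Return True only if the launch may proceed; no process is created here."""
        decision = self.evaluate(path)
        if decision.verdict is Verdict.PROMPT:
            answer = ask(path, decision)          # user sees the risk band and reason
            self.remember(path, answer)
            decision = Decision(answer, decision.risk, "user decision")
        return decision.verdict is Verdict.ALLOW


def demo():
    """Constructed scenario: unseen tool launched, machine restarted, then the file is modified."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp, "hdtune.exe")
        tool.write_bytes(b"MZ constructed stand-in, not a real binary")
        script = Path(tmp, "dropper.vbs")
        script.write_bytes(b"' constructed stand-in script")
        bad = Path(tmp, "known_bad.exe")
        bad.write_bytes(b"MZ constructed stand-in for a known sample")
        store = Path(tmp, "decisions.json")
        prompts = []

        def ask(path, decision):
            prompts.append((Path(path).name, decision.risk))
            return Verdict.ALLOW if Path(path).suffix == ".exe" else Verdict.DENY

        bad_hashes = [sha256_of(bad)]
        gate = ExecutionGate([], bad_hashes, store)
        first = gate.run(tool, ask)                  # prompts (medium), user allows
        gate = ExecutionGate([], bad_hashes, store)  # "next morning": fresh instance, same store
        second = gate.run(tool, ask)                 # no prompt, decision remembered
        script_ran = gate.run(script, ask)           # prompts (high), user denies
        bad_ran = gate.run(bad, ask)                 # refused without asking
        tool.write_bytes(tool.read_bytes() + b" tampered")
        after_tamper = gate.run(tool, ask)           # hash changed, so it prompts again
        return {"first": first, "second": second, "script_ran": script_ran,
                "bad_ran": bad_ran, "after_tamper": after_tamper, "prompts": prompts}


if __name__ == "__main__":
    print(demo())
```

The point of the hash key is the caveat Hugger's request hides: remembering by name or path would let anything dropped over `hdtune.exe` inherit the earlier "Allow", which is exactly the kind of after-the-fact circumvention the thread is arguing against.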
  21. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    One point I would like to emphasize after testing BPS has to do with the fact that BPS needs to sign its processes. So far none of BPS's processes were signed and Process Explorer was unable to verify them. It is the least that BPS can do in its fight against malware.
     
    Last edited: Sep 16, 2009
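CogitoTesting's point above is that Process Explorer could not verify the BPS binaries because they carried no Authenticode signature. The check below, an added example rather than anything from the thread or from BluePoint, parses only the PE headers to report whether a certificate table (the security data directory) holding a PKCS#7 SignedData entry is present. Presence is not validity: a real verification also hashes the image (excluding the checksum, the security directory entry and the certificate table itself), checks the signature over that hash and validates the chain, which `signtool verify` or PowerShell's `Get-AuthenticodeSignature` do on Windows. The sample image is constructed in memory with `build_sample_pe` (an assumed helper): valid DOS/COFF/optional headers, no sections, and a placeholder certificate blob that is not real SignedData.

```python
"""Added example: report whether a PE image carries an embedded Authenticode certificate table."""
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
SECURITY_DIRECTORY_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_status(data):
    """Header-only parse: says whether a PKCS#7 entry exists, not whether it verifies."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:            # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dir_count,) = struct.unpack_from("<I", data, opt + count_off)   # NumberOfRvaAndSizes
    entry_off = dirs_off + SECURITY_DIRECTORY_INDEX * 8
    if dir_count <= SECURITY_DIRECTORY_INDEX or opt_size < entry_off + 8:
        return {"signed": False, "certificates": [], "reason": "no security directory entry"}
    # For this directory the first field is a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, opt + entry_off)
    if offset == 0 or size == 0:
        return {"signed": False, "certificates": [], "reason": "security directory empty"}
    if offset + size > len(data):
        return {"signed": False, "certificates": [], "reason": "security directory points outside the file"}
    certs = []
    pos = offset
    while pos + 8 <= offset + size:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)  # WIN_CERTIFICATE header
        if length < 8 or pos + length > offset + size:
            return {"signed": False, "certificates": certs,
                    "reason": "malformed WIN_CERTIFICATE at 0x%x" % pos}
        certs.append({"revision": revision, "type": cert_type, "length": length})
        pos += (length + 7) & ~7      # entries are 8-byte aligned
    pkcs7 = [c for c in certs if c["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA]
    return {"signed": bool(pkcs7), "certificates": certs,
            "reason": "PKCS#7 SignedData present" if pkcs7 else "no PKCS#7 entry"}


def build_sample_pe(signed):
    """Constructed PE32+ stand-in: valid headers, no sections, optional placeholder certificate table."""
    opt_size = 112 + 16 * 8
    headers_end = 64 + 4 + 20 + opt_size
    cert_table = b""
    if signed:
        fake_der = b"\x30\x03\x02\x01\x01"    # placeholder bytes, not real SignedData
        cert_table = struct.pack("<IHH", 8 + len(fake_der), WIN_CERT_REVISION_2_0,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_der
    dirs = [(0, 0)] * 16
    if signed:
        dirs[SECURITY_DIRECTORY_INDEX] = (headers_end, len(cert_table))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)  # x64, no sections
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # 16 data directories
    opt += b"".join(struct.pack("<II", rva, sz) for rva, sz in dirs)
    return dos + b"PE\0\0" + coff + opt + cert_table


def status_of_file(path):
    with open(path, "rb") as fh:
        return authenticode_status(fh.read())


if __name__ == "__main__":
    print(authenticode_status(build_sample_pe(True)))
    print(authenticode_status(build_sample_pe(False)))
```

Run `status_of_file` over a vendor's installed binaries to get the same first-cut answer Process Explorer's Verify column gives when it reports "Not verified": a missing table means nothing was signed, while a present table still needs a full signature check before it means anything.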
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    things that will be nice to have in BPS:
    1) a feature to protect the program against termination/alteration etc.
    2) password protection against program setting modification/alteration etc.
    3) to be able to add a safe program to a safe list within BPS, avoiding conflicts, etc.
    4) to be able to see what is running (active processes running) ;) Task Manager-like, with colors :)
     
  23. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    In other words jmonge you want BPS to be CIS like :D.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    maybe;) but it doesnt have to be exactly the same:D :)
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    it is very important to have these in place;)
     