Detection vs Threat Prevention

Discussion in 'other anti-malware software' started by BluePointSecurity, Sep 10, 2009.

Thread Status:
Not open for further replies.
  1. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    I wanted to open up a thread/discussion about Detection vs Threat Prevention. It seems most of the magazine reviews I read on a weekly basis test products simply based upon removal capabilities. While removal is certainly important, I wouldn't hire a security guard based upon his ability to remove criminals from my business, I hire him based upon his ability to prevent criminals from entering in the first place. In fact, if he were to fail at preventing a single criminal from entering my business and doing damage, he would be fired the next day.

    I'm not trying to start a flame war or a "which product is best" thread, I'm only wondering why everyone seems to be so focused on cleanup? Why don't we see more reviews focusing on prevention? It seems most people are content with the malware issue and it's just accepted as a normal part of computing. The problem with that is, people are being stolen from, sensitive data is being sold on black markets every day as a result of these infections, it's not just an annoyance. I've probably cleaned up 100's of computers throughout my career (like many of you I'm sure) with every AV product you can imagine; it seems they aren't really working towards a solution, only band-aids. If we work towards prevention, we're working towards actually solving the problem.

    I had some free time in the lab this evening and recorded a quick demonstration of this exact phenomenon occurring, failure to prevent resulting in infection. The product name is censored because that's not the point of the demonstration, the point is, I really feel like there is a false sense of security out there, partially caused by reviewers rating products based upon detection rather than prevention.

    http://www.youtube.com/watch?v=ovybtNeeu_c

    What are your thoughts?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think you raise an excellent point. That is the whole thrust of my approach. Fact is I don't even run an AV or AS product, and I use the HIPS programs as much to just alert me to what's happening as prevention.

    I mainly rely on virtualization as a prevention approach. All low risk stuff is done sandboxed. Not only prevents but takes care of clean up.

    For high risk stuff, I go to the VM machine, and also virtualize my whole host system with one of the programs discussed here. That way, should the VM machine leak (never has), a reboot of the host deals with that.

    Pete
     
  3. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    I think sandboxing and VMs are some of the more bulletproof, 100% type of solutions, certainly when compared with mainstream AV. With a few notable exceptions, mainstream AV products are just terrible at prevention and the average user relies on these types of products for protection. Half the time, even when they alert "blocked", "prevented" etc., I check Process Explorer and there's 10 related EXEs sitting there running! I've worked as a system admin / security consultant at various points over the past few years and have been tasked with digging up solutions for corporations' malware/spyware/virus/users-installing-junk problems, and after actually heavily testing various solutions came to the conclusion that there really wasn't an effective, usable solution out there. I was re-imaging computers on a daily basis that were just trashed (yes, we used Group Policy and users were running with low rights). Strange as it sounds, I formed BluePoint because I was tired of everything else failing to do the job properly. I'm not saying we're perfect, but I can tell you we will make the malware writers start working for a living if I have anything to do with it ;)

    It's never sat well with me that I can bypass 99% of av products by simply compiling up a new threat in a vm and testing it against various av solutions until it's not detected. Doesn't everyone realize that malware writers are often very well funded and certainly capable of loading up the latest heuristics and sig based security products in a vm and changing code until it's not detected? If I've figured that out, they certainly have. I'm quite sure they do this given the detection/prevention failures I see out there.

    I honestly don't even look at solutions that are based upon either signatures or heuristics anymore because of this. If one of my lab-created test threats is prevented, I spend an additional 15 minutes changing the source code and voilà, prevention failure.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    I'm not sure everyone is focused on cleanup.

    Prevention has always been the cornerstone of antivirus software as far as I know.
    Check out the antivirus products of today. They have moved far beyond just being an antivirus product.
    The solution is user education. Not software "bandaids."
     
  5. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    People can argue that HIPS, sandboxes, VMs etc. are very annoying.
    I think it's far less annoying using them compared to trying to restore the PC, not to mention the files lost or possibly sensitive information as a result of data theft.


    @Ronjor
    I agree with you! People label AVs as "detection". While that is correct, it can also be called protection if it detects and removes the threat before it is able to deliver its payload.
    I'd just say in general, there are other (usually) more effective, though not user-friendly, methods.
     
  6. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    As far as mainstream magazine reviewers go most of their reviews are focused on cleanup/detection rates. These forums are filled with people testing prevention, but we are sort of in the minority.

    Mainstream AV companies have been failing at preventing in a big way for many, many years. I've been involved in the cleanup of government institutions, Fortune 500 companies down to grandma's computer, all protected with mainstream style AV products. My second paragraph above rips a gaping, obvious hole in traditional mainstream AV solutions and the malware writers are very well aware of it.

    As far as user education goes, good luck. You can't expect everyone to become familiar with computer security practices to be protected. That's what we're supposed to take care of for them. I've actually hosted several security seminars for law firms etc. recently and you know what the first piece of advice I give them is? Forget user education, it's not effective, anyone who's been an admin has learned that. It's about taking control of your environment; it's not the employees' job to protect themselves, they already have a job to do, it's ours as security professionals. Many best practices documents state "educate users" and I think they are dreaming.

    As far as mainstream av products have evolved/changed? How so? The only real notable improvement is heuristics, which again imho is a fatally flawed security model right from the beginning. It still falls victim to my second paragraph in the post above, they did 5 years ago and they do now. Where's the improvement in prevention? I've tested almost all of them in the past 30 days, I don't see it.
     
    Last edited: Sep 10, 2009
  7. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Agreed, there are, although the average user isn't going to be virtualizing/sandboxing etc. I can imagine trying to teach my family about VMware, lol.

    Sort of agree there, if by "deliver its payload" you mean 0 lines of code are executed, as in the process is never created, I fully agree. In the video I posted above though, some of the executables were indeed terminated; the problem with termination is what damage was done "before" the termination. As an experiment about 6 months ago, I crafted up an executable that contained functions that detected AV type and simply turned them off in about 5 seconds after execution. That's my worry with allowing then terminating. Quite a few products terminate processes after the fact and I consider that very dangerous. Allow me to run 5 lines of code, and I can do very, very bad things.
     
  8. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    They'd get confused which pc is which (VM or not) :D
    What the industry needs is something that can provide the same level of protection as a HIPS/VM etc. but with the usability of an AV. Tough job.
    Good luck :D
     
  9. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    I like your point very much. I can't agree more.

    That is why HIPS can be popular in the world. If it has excellent rules, it can prevent most of the viruses. But HIPS is manual, and it is difficult for users to configure.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have put a lot of time into learning about my OS. I have intentionally broken it myself as well as tried to collect samples from computers I have 'cleaned up'. I used to be interested in controlling everything ranging from what was installing into windir to what was phoning home, especially to M$ themselves. Firewalls, HIPS, IDS/IPS, AV, execution prevention. I learned to look into libraries, some dabbling in RE, and in general anything really techno-geek at all.

    I suppose my first computer experience was really the original Apple computer with its paddles and the first couple of games, StarWars and Asteroids. Moving through the years with Commodore, Atari, TI, etc. etc. until QDOS/MS came along. And of course through the range of Windows products. Going from just using it to building the boxes to understanding the OS/coding. One thing I know, someone who really knows about a computer, in almost every circumstance, can easily manage to stay free of problems like malware or virii almost 100% of the time if they are vigilant. I have been, and I have not had a problem that was not intentional or due to a periodic lapse of good practice.

    As I age in this technology, I see that for myself I desire less hand-holding of security software, and want something that will keep me from having to be so vigilant. My practices and knowledge easily allow me to know when something is amiss, and the issue can be taken care of easily. Knowing the hazards that could exist, I use VMware or SBIE for such sensitive things as banking, understanding that the risk of exploit is very low and not worrying about it at all really.

    However, as so many here are tech support for their family and friends as I am, I seek a good solution for them. I would prefer one that I can use as well, so that I can easily talk them through steps over the phone or in an email. But the end goal is for me to get all those I support into something that is very secure but also is not too technical. As I am sure everyone who does this has found, it seems no matter what you put in place, many people just don't understand or care. They disable it or somehow manage to goof it up.

    Whether you detect it before invasion or conquer the invasion after it breaches the walls makes little difference to most, as long as it does what it needs to. Using an AV, look at the philosophy of how it works. It is always behind the times, hard for it to keep up. Yet a good AV can be of good use if for nothing else to catch the things that are still floating around that it knows about. Zero day attacks, what are the average to do? Stay patched, true. Is that enough? Use a HIPS that keeps everything under lock and key? lol, it is too much for many. Rely on LUA? It might be the best approach for many, but there is very staunch resistance to it for various reasons, most relating to the inconvenience.

    The more I try to create an approach that is usable by those I support, the more I begin to think there is no solution. Personally I think the solution resides in a restructure of how the groups and permissions are made in the OS. Call me crazy or a renegade or something, but I think a smarter approach to it all could be achieved.

    Take for example that User is forbidden to write into Program Files. This is safe, but it is the very thing many don't like about LUA. They want to install that new program or update. They don't want to log off or RunAs. Yes, we know it is little inconvenience really, but it is how they view it. PowerUser was much closer to reality, but still too powerful. IMO there needs to be a new group made which allows Users to install new things, but not have ownership. To not modify existing without explicit permissions. To not modify in windir. Lots of things you could do differently that would loosen the User up a little bit but also provide enough security. At some point one must install a driver, so they must go up to admin. But for mundane things like installing mahjong or something, why should they be forbidden? It is what many do with their computers.

    Business environments are very different from the use at home, primarily entertainment. I have yet to find one application that is good for everyone. LUA some will use, AppGuard some seem to like. Believe it or not, as easy as SBIE is, a majority of those I have use it do not like it. They don't understand the file system, don't get virtualization, and just get tired of dealing with it. You can automate recovery and such, but they still seem to dislike it. The geek-ish people I know embrace such things because they take time playing with things to understand.

    HIPS, advanced firewalls, IDS/IPS, etc., are just overkill for many of these people. The Windows firewall they can use. Antivirus they can use. SRP restrictions, they can use, but don't really enjoy it. These people, that I consider the majority of those at risk, don't want to be bothered by learning anything. They all want to utilize the modern marvel of the internet, do their banking and purchasing etc., but not be bothered by learning what is really going on.

    So your question, it is a good question. And very relevant to those that know a thing or two. But in my book, if you want to talk about the data theft and dangers thereof, this group is not your prime target. It is those at their house right now, clicking on whatever they want because they think either their software/OS will prevent anything from getting in or clean it up if it does. They need help. Educating them would be ideal, but I don't see it happening.

    These are just the ramblings of what I have been thinking and pondering for some time. Disregard them if you like.

    Sul.
     
  11. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    Prevention has always been the cornerstone of antivirus software as far as I know.
     
  12. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Bingo, right on the money imho.

    Highly configurable HIPS products are very capable of providing excellent protection but are out of reach of the common user. That point can be argued of course. The other problem is, if they aren't capable of configuring the product/ruleset they may actually end up less secure then they would be with a typical av product that just does things for them.

    A gap needs to be bridged between mainstream av and highly configurable HIPS products. We've attempted that with BluePoint, meaning out of the box, your certainly much better off than you would be with mainstream av. The issue we're working to improve is providing better information in our notification popups, that's the tough part with antiexecutable/whitelisting solutions. I would much rather hone an AE/whitelisting solution rather than trying to improve a heuristics solution, I think the vendors moving into advanced heuristics just don't get it. Half of the heuristics products are either more difficult to wrangle than ours or slow your computer to a grinding halt while communicating with the cloud. The answer to the malware problem has been clear to me for quite some time, I'm quite surprised others haven't caught on. Stop allowing unknown, untrusted executable code and scripts to run and guess what? You immediately prevent 99.99% of malicious code out there, even if it was released 5 minutes ago. The actual implementation of this technology is the tough part and making it work properly.
     
    Last edited: Sep 11, 2009
  13. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    At Sully, Want a job? :cool:
     
  14. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    That's what UAC should have been
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol. What I want is a product or scheme that I can put into place on all the novice users I know as well as mine. I want more time hearing how great their computer is running rather than how they have ANOTHER problem. Not everyone wants to take the job of being tech support for free for 100 people. For me, I like to teach and enjoy it. When they can call me, and a 10 minute conversation fixes their issues, it feels great. They think I am some kind of super genius because I actually know by heart where every prompt is, every button on every screen. I don't care about that, but I do care about them spending needless money at the Geek Squad or the local store. More times than not they get their computer back in worse shape, or even wiped and reinstalled. They pay good $$ and get crap back. That is what I dislike and why I strive to help so many.

    Beta testing interests me if the solution is approachable to the novice users though ;)

    Sul.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    So why bother reading them? I don't know anyone who pays attention to mainstream security stuff. When the latest exploit is discussed, most of it is sensationalized, ("55,000 web sites hacked") rather than calmly discussing the vulnerabilities/exploits and recognizing what needs to be done.

    Example: SQL injection redirecting the user to a site with javascript code to display a fake scan for a rogue security product. Solution: configure javascript per site and the exploit fails.

    If more press focussed on prevention through policies and procedures, the infection rate would drop astronomically. With such an approach, very few security products are necessary.

    I'm sorry you've had bad experiences with this. I and many others have had just the opposite result with home users. When shown properly, they actually respond quite well and can understand the basics of security and adopt sound policies and procedures without having to learn a lot of technical stuff.

    The problem at the corporate level is with the CEOs. Until they decide "enough is enough" and lock down the systems so that only IT and Support can install programs, there will continue to be problems.

    Drastic, you say? Of course, but effective. One example, which I've cited on other occasions:

    http://www.faronics.com/whitepapers/CaseStudy_LAPD.pdf
    A similar approach was taken quite some years ago at an educational institution where I taught, with incredible results. So, I know it can be done. The solutions are there: all it takes is those in authority to decide to implement them.

    There are many excuses not to do this, of course, but that doesn't negate the fact that solutions are at hand. Anything less is just a compromise.


    regards,

    rich
     
  17. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Rmus,

    Agree, we deal with C levels on a daily basis with our enterprise product. If they've experienced an incident then they're on board with us immediately. They really do need to decide when enough is enough; unfortunately they often wait until it's too late and they are in the news. I think the slow adoption rate really can be attributed to IT department laziness. I've actually had administrators tell me "I don't need to know what my users are running, we just have too many apps to bother classifying them". Wow. That's their job! Our enterprise console is pretty straightforward, it does most of the work and discovery for them (no creating lists of executables). We often win deals based upon them having issues with users installing garbage left and right rather than malware.

    Deep Freeze is great from a security standpoint although it really lacks a good centralized management console. We've displaced them a few times; the usual complaint is it's just unmanageable and causes too many headaches because of it. Pretty effective though.
     
    Last edited: Sep 11, 2009
  18. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    It seems the security community knows what the solution is, why not adopt it? Products too difficult to use/too cumbersome?
     
  19. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Yes, me too.

    Configuring HIPS manually, we need a lot of knowledge about computers. Sometimes we must even know every file on our computer. Windows OS is so complex.
     
  20. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Before, in order to deal with this situation, I chose to trust the applications which update and gave them privileges. Finally I'll modify the rule set as before.

    As for pop-ups, I have no idea. On Comodo, they can be treated as installing a program. But after updating, we must modify the rule again to avoid pop-ups.

    Maybe using wildcards to edit the rule is the way to avoid pop-ups.
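Added example, not code from any poster or from BluePoint: a small default-deny execution policy evaluator that puts together the "stop allowing unknown, untrusted executable code" model described in post 12 with the wildcard rules suggested just above for surviving program updates without new pop-ups. Every path, rule pattern and file content below is constructed, and the SHA-256 pin stands in for however a real product identifies a known binary.

```python
"""Default-deny execution policy evaluator (constructed illustration)."""
from __future__ import annotations

import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str               # wildcard path pattern; '*' also spans '\' separators
    action: str                # "allow" or "deny"
    sha256: str | None = None  # optional hash pin: the path alone is then not trusted


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept either separator."""
    return path.replace("/", "\\").lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(path: str, content: bytes, rules: list[Rule]) -> Decision:
    """Verdict of the first matching rule, decided before any code runs.
    No match means deny, so a never-seen binary needs no signature to be blocked."""
    norm, digest = normalize(path), sha256_hex(content)
    for rule in rules:
        if not fnmatch.fnmatchcase(norm, normalize(rule.pattern)):
            continue
        if rule.action == "deny":
            return Decision(False, f"deny rule: {rule.pattern}")
        if rule.sha256 is not None and rule.sha256 != digest:
            # Same path, different bytes: the pinned binary was replaced.
            return Decision(False, f"hash mismatch for pinned rule: {rule.pattern}")
        return Decision(True, f"allow rule: {rule.pattern}")
    return Decision(False, "no matching rule: unknown code is denied by default")


def broad_allow_rules(rules: list[Rule]) -> list[str]:
    """Lint: allow patterns with fewer than two fixed path components before the
    first wildcard ('*.exe', 'C:\\*\\app.exe') quietly restore default-allow."""
    broad = []
    for rule in rules:
        if rule.action != "allow":
            continue
        norm = normalize(rule.pattern)
        hits = [norm.find(c) for c in "*?[" if c in norm]
        if hits and norm[:min(hits)].count("\\") < 2:
            broad.append(rule.pattern)
    return broad


# Constructed sample policy; NOTEPAD_BYTES stands in for the real file content.
NOTEPAD_BYTES = b"constructed stand-in for the bytes of notepad.exe"
SAMPLE_RULES = [
    # Deny rules first: user-writable folders where downloads and droppers land.
    Rule(r"C:\Users\*\AppData\Local\Temp\*", "deny"),
    Rule(r"C:\Users\*\Downloads\*", "deny"),
    # Wildcard on the version suffix: an updated build keeps matching, so the
    # user sees no new prompt after the update.
    Rule(r"C:\Program Files\Updater\updater-*.exe", "allow"),
    # Hash-pinned allow: a replaced binary at the same path is still denied.
    Rule(r"C:\Windows\System32\notepad.exe", "allow", sha256_hex(NOTEPAD_BYTES)),
]

if __name__ == "__main__":
    samples = [
        (r"C:\Program Files\Updater\updater-1.3.exe", b"build 1.3"),
        (r"C:\Users\bob\Downloads\invoice.exe", b"released five minutes ago"),
        (r"C:\Windows\System32\notepad.exe", b"not the pinned bytes"),
    ]
    for path, data in samples:
        d = evaluate(path, data, SAMPLE_RULES)
        print("ALLOW" if d.allow else "DENY ", path, "-", d.reason)
    print("broad allow rules:", broad_allow_rules(SAMPLE_RULES))
```

Rule order matters: the deny rules for user-writable folders sit first so that a later, wider allow rule cannot override them, and the lint catches allow patterns loose enough to defeat the default deny.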
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This back-and-forth occurred a few months ago in another thread between a frustrated IT using AV, and a developer of an Enterprise product.

    It got worse...

    I suspect that this scenario is not uncommon.

    ----
    rich
     
  22. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Rmus,

    Very interesting.

    This situation will continue until management decides enough is enough, even if they run 5 av products. I certainly feel his pain as I've been there myself. I think there are quite a few people that are fed up with traditional av tech in the enterprise and consumer market. For our sake, let's hope so! I've personally spoken to customers that feel exactly this same way, they've figured it out that especially on the enterprise side most of the traditional av products are very weak when it comes to prevention.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Prevention
    - On wife's laptop (XP Home SP3): DefenseWall V3 beta, no other security software except keyscrambler free and A2 Free on demand

    - On Son's game PC (Vista64: SP2): UAC + PGS (SRP deny execute) and MSE , plus Vista FW 2-way

    - Own PC (XP Pro SP3): Mamuto + AppGuard + Hitman Pro free 3.5

    Unused licenses: GeSWall Pro, WinPatrol, Malware Defender
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    prevention is always better than the cure ;)
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    A few years back when I was an internet newbie I didn't have a clue about how to secure my PC from viruses. I used to not have a router; I originally only had a modem which plugged into the motherboard. I used to surf a lot of porn sites loaded with malware. I was always getting infected. There were a couple of times the malware totally destroyed my OS, must have been something like kill disk viruses lol. There was even a time I remember when a hacker had remote control over my computer. So I started using the old Ad-Aware and Spybot programs, and I used to scan and clean out all the crap after my browsing session. After a while I got sick of always having to clean out the malware and I started thinking to myself, how do I prevent getting infected in the first place?? I started asking the computer repair guys at computer shops, they said just install ZoneAlarm and AVG. That didn't help, I was still getting infected with viruses. So I started googling security sites on the net, which was when I found CastleCops and this site Wilders back in '07. In 2007 I was a lurker and I saw a lot of people here going on about Sandboxie. Then eventually in 2008 I created an account. And computer security for me turned into a hobby. I no longer have any scanning/cleaning apps nor rely on them. Prevention is better than cure.

    In today's world scanning apps such as antivirus programs still dominate the mainstream security industry. Why this is the case is beyond me. Maybe because the computer repair guys would lose out on business? So they only ever recommend using AVs and 3rd party firewalls. Admittedly there are people here in these forums who still rely on AV scanning apps but most of them are new people who don't know anything about HIPS or virtualization image software.
     
    Last edited: Sep 11, 2009