Detection vs Threat Prevention

Discussion in 'other anti-malware software' started by BluePointSecurity, Sep 10, 2009.

Thread Status:
Not open for further replies.
  1. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    I'd love to see a mainstream mag do a review of products not really considered mainstream yet. I think they could cause quite a stir when they find, through testing, that the smaller vendors are able to wipe the floor with mainstream AV.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Late last year when Mebroot/Sinowal re-emerged, a very prestigious on-line security publication wrote this:

    (my emphasis)

    I wrote and complained about that astounding, misleading, if not erroneous, statement, and suggested three solutions guaranteed to block Mebroot: two anti-execution products and Software Restriction Policies. I sent a screenshot of a PDF exploit successfully blocked.

    The author kindly responded that he would confer with their products editor to see about doing an article on these types of products. Nothing ever came of it.

    ----
    rich
     
  3. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    That's actually NOT why I came to that conclusion. I came to the conclusion that all preventative measures fail because it is a natural consequence of the axiom that there is no 100% security. Ignoring all other forms of malware, this axiom has been formally proven for viruses.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Default-Denny is a preventive measure, very effective against human errors, and it doesn't fail :D :thumb: ;)
     
  5. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Afraid I'm not familiar with that one, but if it's anything like default-deny then it fails in the presence of a successful social engineering attack (because then the user doesn't rely on the default action).

    It also fails in cases it was never designed to prevent: a program of finite size can only deny a finite number of select behaviours, but there are a countably infinite number of possible ways things can go wrong, so you can never have complete coverage.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    A well-configured HIPS (Malware Defender) with default-deny on all known executable files, plus having in place an in-the-cloud scanner that blocks the unknown (Blue Point Security) in real time, plus a strong firewall, and being careful not to fall for social engineering tricks, and you are well covered :D No fear, my son ;)
     
  7. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Ugh, HIPS, how I hate that ambiguous term. You described an application whitelist. I have described the weaknesses of whitelists at length elsewhere.

    So snake oil has a colour now? Blocking the unknown? Stop drinking the Kool-Aid. Their site is riddled with inaccuracies and falsehoods. They "deny the unknown" with whitelisting, which, again, has its weaknesses, not all of which can be mitigated with the integration of a blacklist into the mix.

    Yeah, as if being 'careful' was all that was required to avoid social engineering.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Just tell me, how many times have you been infected or been tricked by social engineering, or, say, hacked?
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I think prevention is the cure to so many problems and can be achieved if you want. Now detection is also important, in case of, let's say, just in case, as a second layer. 1) prevention, 2) detection, 3) cure are very important aspects of being, or at least trying to be, secure. I agree nothing is bulletproof, but it can be close to ;) if you want it to be :) Just find the correct tools to work with :)
     
  10. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Never, but there's more to it than simply being 'careful'. I'm currently in the process of enumerating all the ways in which my usage of computers differs from the norm. I'm not sure how long it will take; I take so many behavioural changes for granted, since they developed over a long period of time.
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Very good topic to discuss.


    Everyone? Not here.
    Prevention will always be my first concern before detection/cleanup.


    Good question.
    I'd like to see more myself.
    There are a few, although not nearly as much as for detection. (scanners)
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    In reality you/we are responsible for whitelisting your system :) How? Know what you have or introduce to/into your system. How? Get to know your system :D How? In a clean system, whitelist your current clean system, and the rest/unknown is malicious ;) Every file you introduce to your system is considered unsafe, even if the file is safe ;) That's what I call careful :)
     
  13. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    All files? Even HTML files? How am I supposed to browse the web if I can't download HTML files? And if I can download HTML files, how can it stop web-borne threats?

    And that's just one example.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Anti-executable/sandbox-type software ;)
     
  15. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    The anti-executable is what's blocking all files, is it not? Then it's not solving the conundrum I posted.

    The sandbox does mostly mitigate the problem, so long as no one removes the file from the sandbox and puts it in the host system.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That is why it is recommended to use a sandbox and a good antimalware scanner or in-the-cloud scanner, or just try not to introduce any new files to your system if you have that feeling that you will be infected, or just run a HIPS tool to fully control your system in real time, check any unknown processes and block them or remove them :D as you wish.
     
  17. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    But since literally ALL files can be a threat, are you supposed to do EVERYTHING in a sandbox? Or are you going to cut yourself off from the outside world completely?

    We live in a world where useful work often involves the division of labour. That requires us to share things: my output is someone else's input. We HAVE to accept and use files that technically qualify as 'unknown' much of the time.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Kwismer

    What do you propose as a sensible method of security? I for one am all for the 'less is more' aspect if it is still 'secure'.

    Sul.
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That is why scanners were invented, to be used :) You've got to spend some money if you want to introduce new files to your system, or just don't introduce any to your PCs. Nothing is secure and nothing is impossible; you can get close to perfectly securing your system. There is plenty of software out there for you, or use your system itself to protect some areas of your system (SRP, LUA, UAC), sandboxes/HIPS, anti-exe, and more techniques and software, DEP, etc., etc., etc.
    Just surf the web normally like every day :) Just make sure you are running at least 1 or 2 security programs.
     
  20. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    I don't have a script or cookie-cutter-like methodology you can just follow and be secure. I don't think there is such a thing as being 'secure'; I don't think it's a binary state but rather a gradient.

    I said before that I'm still in the process of enumerating what I do, but at the basic level: I make informed decisions, I use AV, whitelists, and sandboxing for prevention, but I accept that I also need to detect when prevention fails, and be prepared for it, so I also have tools for examining the system from a known-clean bootable environment, as well as backups and system images.
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You can create a reference state of your clean system, and the rest is at your own risk. Of course, get some sort of protection at least, something like Blue Point or AppGuard :D
     
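    The reference-state procedure jmonge describes in posts 12 and 21 (snapshot a clean system, then treat every executable not in the snapshot as unknown), worked through as an added example. This is illustration code written for this page, not code from the thread or from Blue Point, AppGuard or any other product named in it. It assumes a fixed list of executable suffixes (the EXECUTABLE_SUFFIXES set) and keys the baseline on the SHA-256 of file contents; files outside that list, such as the HTML files kwismer raises in post 13, get a "not-exec" verdict because the executable allowlist does not cover them. The scenario in demo() is built from synthetic byte strings, not real binaries.

```python
"""Reference-state allowlist: hash a known-clean tree once, then treat any
executable whose hash is not in that snapshot as unknown and deny it.
Added illustration; not code from the thread or from any product named in it."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed set of suffixes treated as executable content. Anything else (HTML,
# documents, images) is data: the execution allowlist does not apply to it.
EXECUTABLE_SUFFIXES = {
    ".exe", ".dll", ".sys", ".scr", ".com", ".msi",
    ".bat", ".cmd", ".ps1", ".vbs", ".js",
}


def sha256_file(path: Path) -> str:
    """Content hash; the allowlist keys on content, not on file name."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    return path.suffix.lower() in EXECUTABLE_SUFFIXES


def build_baseline(root) -> dict:
    """Snapshot of the clean system: relative path -> sha256 for every executable."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_executable(p):
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def decide(path, root, baseline) -> str:
    """Default-deny verdict for one file.

    allow          executable whose content hash is in the baseline (a renamed
                   copy of a known binary still passes: hash, not path, decides)
    deny-modified  path was in the baseline but its content changed
    deny-new       executable never seen in the clean snapshot
    not-exec       data file outside the scope of the executable allowlist
    """
    path, root = Path(path), Path(root)
    if not is_executable(path):
        return "not-exec"
    rel = path.relative_to(root).as_posix()
    digest = sha256_file(path)
    if digest in baseline.values():
        return "allow"
    if rel in baseline:
        return "deny-modified"
    return "deny-new"


def scan(root, baseline) -> dict:
    """Verdict for every file under root, keyed by relative path."""
    root = Path(root)
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            verdicts[p.relative_to(root).as_posix()] = decide(p, root, baseline)
    return verdicts


def demo() -> dict:
    """Constructed scenario (synthetic byte strings, no real malware): snapshot a
    clean tree, then add a new binary, patch a known one, copy a known one under
    a new name, and drop an HTML file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ clean application")
        (root / "bin" / "helper.dll").write_bytes(b"MZ clean library")
        baseline = build_baseline(root)  # the reference state

        (root / "bin" / "dropper.exe").write_bytes(b"MZ never seen before")
        (root / "bin" / "app.exe").write_bytes(b"MZ clean application PATCHED")
        (root / "bin" / "helper_copy.dll").write_bytes(b"MZ clean library")
        (root / "page.html").write_bytes(b"<script>document.location='x'</script>")
        return scan(root, baseline)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:14} {rel}")
```

    Two design points worth noticing when reading the verdicts: keying on content hash rather than path means a known-good binary copied under a new name is still allowed, while a patched copy of a known binary at its original path is denied as modified; and a file whose suffix is not in the executable list is never consulted against the baseline at all, which is exactly the boundary a whitelist of executables draws around data such as HTML.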
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Man, I need some coffee :D
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not from sandbox, but from virtualization container in case of sandboxing with partial virtualization.
     
  24. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    It's well known that scanners are no good against new/unknown things.

    Complete isolationism isn't practical.

    Plenty of things are impossible. "Nothing is impossible" isn't a statement of fact, it's a motivational platitude.

    I'm well aware that you can get close to perfect. It's just not as simple as 'use this product' or 'use these products'. You need to understand what things can and cannot do so that you know when to use what.
     
  25. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Oh boy, here we go again.

    I didn't mention virtualization because it's unnecessary. Yes, there is a container. Box == container. If you are doing sandboxing then your physical system is host to a container of some sort. Perhaps it's using some sort of virtualization, but I wouldn't say it has to.
     