Google CAMP: Content-Agnostic Malware Protection

Discussion in 'other anti-virus software' started by lordraiden, Apr 17, 2013.

Thread Status:
Not open for further replies.
  1. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,081
    https://www.networkworld.com/news/2013/040913-camp-for-chrome-catches-99-268529.html

    https://www.cs.jhu.edu/~moheeb/aburajab-ndss-13.pdf

    http://www.darkreading.com/security...reputation-to-detect-malicious-downloads.html


    Opinion:
    The end of the anti-malware industry? I hope so; with this and an on-demand scanner for USB, and maybe some other security tools like Trusteer Rapport, ExploitShield, EMET and the Windows firewall (Windows Firewall Control), it would be more than enough.
     
    Last edited by a moderator: Apr 17, 2013
  2. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Google, the white knight of internet privacy, comes to the rescue :argh:

    Did those 200 million know Google 'tracked' their binaries and 'infringed' their privacy :blink:
     
    Last edited: Apr 17, 2013
  3. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,081
    The privacy implications are the same as those needed for the "safe browsing" mode that Chrome has always had; you can always enable or disable it, as with everything privacy related in Google.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Basically they "invented" Evo-Gen and MSS from avast!... it works on the same principle...
     
  5. AVusah

    AVusah Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    274
    Yeah, ok, everyone's always copying Avast.:rolleyes:
     
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I could think of far worse vendors to copy than Avast.
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Says a die hard Comodo fan...

    And yes, knowing the technology background, it is what I said. Google does exactly that. Gathers a bunch of data, aggregates it and then compares other samples to it and decides based on that.

    And for the record, I never said they copied anything...
     
  8. AVusah

    AVusah Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    274
    Comodo fan?
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Nope. The first article actually mentions a few words from some security vendor member saying that while it protects 99% of downloads at the browser level, it won't protect against 100% of the downloads when getting e-mail.

    Not to mention that one thing is the study, another thing is real life: cybercriminals will adjust, so we'll have to see how it evolves then.

    Anyway, I'm all for new/"new" ways of fighting malware and keeping as many users as safe as possible. :thumb:

    The first article also mentions something about CAMP not protecting against exploits... well... that's Chrome's sandbox task. They forgot to take that under consideration.
     
  10. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Comodo or whatever else, your message was not great to hear.

    "everyone's always copying Avast" ironic ?

    For this case, indeed it looks like Avast's Evo-Gen / MSR.

    Why post such a reply?
     
  11. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Isn't Windows SmartScreen also similar to this approach?
    I guess SmartScreen has some kind of file reputation system too. It blocks automatically if the file has low reputation or bad reputation.

    Good to see these kinds of technologies being implemented at browser/OS level. Reaches broader audiences.
     
    Last edited: Apr 17, 2013
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Reputation system is another thing.
     
  13. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    I really don't care who copies an idea as long as they improve upon it in a positive way. I applaud the initial developer for their ingenuity and I think they should get a percentage of the profits, but copyright shouldn't prevent people from taking an idea and progressing forward. For a company with the power and resources to do so, like Google, to get involved may not be a bad thing. Almost every company data mines its users to some degree. My only issue with Google is knowing just how bloodthirsty they are compared to some others. This doesn't make the company evil. I'd only condemn them if they took a viable idea and drove it into the ground in a manner that turned users off of such applications or intentionally caused lasting harm to the end-user.
     
  14. aero5588

    aero5588 Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    1
    Why would Google need to copy anyone? They have all the data they need from VirusTotal; if you haven't noticed, they even raised the maximum file size to 64 MB to get more data.
     
  15. Hardov

    Hardov Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    23
    Can someone please explain how this CAMP works? :p
     
  16. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    How Big Brother is protecting me against malware

    1. Google Web Crawling
    Google's search engine crawls thousands upon thousands of websites per day to add them to its search listing. Websites are analysed on their servers, making a static forensic analysis of that site. This data is enriched with findings of other web infrastructure providers/participants ==> input for first blacklist layer

    2. Google DNS and search engine
    All our internet activity (search requests => keywords) needs a translation to domain names and IP addresses. Repeated requests are cached. To this cache a bad/good website flag is added ==> Google Safe Browsing & safe search first blacklist layer

    3. Using Chrome as a browser
    a) Blacklist
    Downloading stuff also checks the hash of these binaries against blacklist data (as mentioned by aero5588, Google receives VT results of around 1 million VT submissions a week) ==> second layer of blacklist on downloaded binary level, possible first layer of whitelist (clean according to AVs, together with first-seen date, adds reliability to this analysis)

    b) Whitelist
    Downloading stuff from the internet, the reputation of both the website you're downloading from and the reputation of the binary you're downloading is examined (like certificates of safe HTTPS/trusted websites and digital signing of software and trusted vendors and the hierarchy of certificates; some certificates are more secure than others, think of Comodo :D errors/practices in the past) ==> Google reputation scoring second whitelist layer.

    4. Grey list remains
    Like PrevX has options and levels to warn you when a binary has not been seen by the PrevX/Webroot community, Google can track the same usage statistics from its servers/engine/browser worldwide (only with a magnitude of data/much larger community than PrevX/WSA). Avast now also uses reputation scoring (so RejZoR is not quite accurate in "everyone is following AVAST"; WSA used community popularity in its heuristics and also has an option to run an unknown binary in a sandbox, as far as I can recall PrevX4 was released before Avast 8 :p ).

    I think CAMP is a refinement of the analysis of 2, 3, and 4 (without actually sandboxing or code emulation as suggested). So a very thorough reputation scoring which will give a 'red' traffic light warning "Possible malware" or a 'yellow/orange' traffic light warning "File with low reputation" or a green light ==> third whitelist/blacklist analysis. The CAMP study tuned the metrics of inputs 1, 2 and 3 against the algorithm (red, orange, green), to minimize the orange (grey = not safe/not known bad) part and reduce false positives.

    5. Grey rare samples future
    Files with low reputation could also be analysed in a Google server-side sandbox like Comodo's Instant Malware Analysis, GFI (Vipre) Sandbox, Norman Sandbox and ThreatExpert (Norton/Symantec) analysis. In this CAMP study Google seems to take the opposite position: they won't do that. Probably because it has bought VirusTotal and won't upset the antivirus community against it (like Microsoft does with server-side analysis and a free antivirus). I think they will get those results via VT anyway.

    Downside of this server-side analysis is that the first downloaders automatically are the first victims. This explains the advantage of client-side sandboxing. Take for instance Avast's auto sandbox, which runs the file with low reputation in the sandbox and analyses its behaviour. Behaviour plus reputation enables an accurate evaluation of the binary. This explains RejZoR's "been there, done that, got the EVO-GEN T-shirt" reaction. To Avast's credit (and RejZoR's ;) ), I have not seen a (free) AV which has perfected this combo of reputation scoring and auto sandboxing and analysis like Avast :thumb: .

    N.B.1 Avast, as the AV vendor with the most users worldwide, will probably have sufficient user coverage for similar results (combined with local sandbox). Maybe also the reason why Avast is a hybrid (cloud/local) solution (and tells us it will stay hybrid for the time being).

    N.B.2. The numbers game of user community in regards to reputation scoring is probably the reason why Bitdefender licenses its engine to many other vendors AND why it has launched a free cloud solution (to collect samples). 2013 is the strategic window for Bitdefender, because they were best AV of 2012. This year they need to eat market share from other free AVs.

    N.B.3. The numbers game (and gain) and the emerging Chinese market is also the reason for Avira to provide their engine to Baidu (also a search engine :cool: , do you get the picture).

    Regards, Kees
     
    Last edited: Apr 20, 2013
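As an added illustration of the layered verdict described in the post above (hard blacklist/whitelist first, then site, signer and prevalence reputation collapsed into a red/orange/green light, with the thresholds tuned to shrink the orange band), here is a toy scorer. It is example code written for this thread, not Google's CAMP or any vendor's implementation; the feeds, weights, thresholds and downloads are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Constructed stand-ins for the server-side feeds; the weights below are assumed, not CAMP's.
HASH_BLACKLIST: Set[str] = {"deadbeef01"}           # known-bad binaries (3a, second blacklist layer)
HASH_WHITELIST: Set[str] = {"cafebabe02"}           # clean per AV results (3a, first whitelist layer)
TRUSTED_SIGNERS: Set[str] = {"Example Vendor Ltd"}  # signers with a good history (3b)
HOST_REPUTATION: Dict[str, float] = {               # 0.0 bad site .. 1.0 trusted site (layers 1 and 2)
    "downloads.example.com": 0.95,
    "free-cracks.example.net": 0.10,
}
@dataclass
class Download:
    sha256: str
    host: str
    signer: Optional[str]
    prevalence: int   # clients that have already seen this hash (layer 4)
    age_days: int     # days since the hash was first seen

def reputation_score(d: Download) -> float:
    """Weighted mix of site, signer, popularity and age signals; 0.0 = bad, 1.0 = good."""
    site = HOST_REPUTATION.get(d.host, 0.5)                      # unknown host is neutral
    signer = 0.9 if d.signer in TRUSTED_SIGNERS else (0.4 if d.signer else 0.2)
    popularity = min(d.prevalence, 1000) / 1000                 # saturates at 1000 sightings
    age = min(d.age_days, 30) / 30                              # saturates at 30 days
    return 0.35 * site + 0.25 * signer + 0.25 * popularity + 0.15 * age

def verdict(d: Download, red_below: float = 0.3, green_above: float = 0.7) -> str:
    """Hard lists decide first; everything else gets the traffic-light thresholds."""
    if d.sha256 in HASH_BLACKLIST:
        return "red"
    if d.sha256 in HASH_WHITELIST:
        return "green"
    score = reputation_score(d)
    if score < red_below:
        return "red"
    if score > green_above:
        return "green"
    return "orange"                                              # grey band: low reputation

def orange_share(downloads: List[Download], red_below: float, green_above: float) -> float:
    """Fraction of verdicts left in the grey band, the quantity threshold tuning tries to shrink."""
    grey = sum(1 for d in downloads if verdict(d, red_below, green_above) == "orange")
    return grey / len(downloads)

SAMPLES = [  # constructed downloads
    Download("deadbeef01", "downloads.example.com", "Example Vendor Ltd", 5000, 60),  # listed bad
    Download("aaaa000003", "downloads.example.com", "Example Vendor Ltd", 5000, 60),  # strong reputation
    Download("bbbb000004", "free-cracks.example.net", None, 3, 0),                    # fresh, unsigned, bad site
    Download("cccc000005", "mirror.example.org", "Some Unknown Co", 200, 10),         # genuinely grey
]
```

Note how the blacklisted sample stays red despite a trusted signer and high prevalence, and how narrowing the thresholds moves the grey sample into red rather than leaving it orange; that is the false-positive versus coverage trade-off the study tunes.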
  17. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Is CAMP already turned on by default in Chrome?
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Moreover, is it a part of the Google search engine at this point or is it still in the testing phase?
     
  19. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    http://www.networkworld.com/news/2013/040913-camp-for-chrome-catches-99-268529.html

    However, Lance James, chief scientist at application security vendor Vigilant, said that as an overall security system, CAMP falls short because it does not catch malware that exploits vulnerabilities within the browser.

    Such malware often gets into a computer by email recipients being tricked into clicking on a malware-carrying attachment.

    "[CAMP] may be able to see 99% of malware downloaded through the browser, but they won't see 99% of malware that is never seen by the browser," James said. "There's a big blind spot and that's a problem."
     
  20. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
  21. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Looks interesting.
     
  22. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
  23. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA

    Is it an extension, or default part of Chrome? Do you have to turn it on?
     
  24. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Ya, what he asked.

    Thanks for your input and clarification on this Kees.

     
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    No, it is a study; the actual results have yet to be implemented.
     