If one cannot detect how it can protect/prevent?

Discussion in 'other anti-virus software' started by StrangerGuy, Nov 26, 2012.

Thread Status:
Not open for further replies.
  1. StrangerGuy

    StrangerGuy Registered Member

    Joined:
    Jun 9, 2012
    Posts:
    18
    The debate on the detection rate of antivirus is going on everywhere on almost every tech forum, but I cannot understand the conclusion that comes out of this debate.

    The functions of antivirus software are:
    1. Prevention
    2. Detection
    3. Removal.

    The various AV testing labs test the products and give the results on the basis of detection rate and usability.

    I read many forum members and persons (company staff, moderators, others) related to a product which generally gets poor results explain that their product mainly cares about prevention and one will be safe with their product.

    My point is: how can an AV which cannot detect a malicious sample as a threat prevent it from causing infection in the system?

    As an example:
    Avast may not have good removal capability, and if it detects a threat on my system but cannot remove it, I can at least trust Avast, as it warns me about the infection and I can take the help of other software to remove the infection.

    But in the case that I use an AV which cannot detect the threat, say Webroot, I will think my system is safe and I will not take any steps to remove the threat as early as possible.

    Webroot claims that the AV will detect the threat in a few days and the system will be back to a clean state, but in the meantime, if I use some sensitive data on my system, will it be safe?

    My question is again the same: how can a product whose detection rate is not as excellent as others' prevent an infected file/process/software from infecting one's system?

    Thanks

    Please note this thread does not refer to any specific product; the product names given are only examples.
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,697
    Location:
    Zagreb, Croatia
    By using internal behavior blocker or sandbox.
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,919
    Even if you have an AV with the best detection rate, there is no guarantee that in case of infection it will detect the malware on your comp.
     
  4. StrangerGuy

    StrangerGuy Registered Member

    Joined:
    Jun 9, 2012
    Posts:
    18
    There is no guarantee you will be cured after taking medicine when you are ill, but one takes the best treatment to get rid of the disease.
    It does not mean ill people should not take medicine because death is the real truth of life.
     
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,919
    Your example is wrong as detection is not "cure". "Medicine" is removal.
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    The way I see it, an AV should be installed on a clean system. If it is not clean, then the OS should be re-installed, or use an image of it. If these solutions aren't available, then the system can only be cleaned (or an attempt made) with several scanners; it can be time consuming, and there is no guarantee of a thoroughly clean system in the end (although the OS may function properly).

    At this stage an AV can be installed which will ideally detect and block malware from accessing the system. Most companies are doing a good job nowadays, but to rely only on the AV is wishful thinking; at least another layer is required IMO, as well as imaging your system.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    This has been discussed several times in here, i.e. by preventing data leakage with its identity shield module. No malware is yet known to bypass this protection. :)
     
  8. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    I purposely infected my machine () but I can say Webroot worked exactly as it should. When testing with a keylogger, it did not allow the info to be recorded.
     
    Last edited by a moderator: Nov 26, 2012
  9. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    "My point is How does an av which cannot detect a malicious sample as threat can prevent it from causing infection in system."

    I can only answer for us.

    If an infection is missed at its first execution, it may still be stopped if its secondary components are downloaded from blacklisted IPs or if the secondary components are detected. A sample may also be missed, but protection could stop its source completely, so the missed sample would never even make it to your system.
     
  10. MADx

    MADx Registered Member

    Joined:
    Jul 18, 2012
    Posts:
    34
    Location:
    United States
    Medicine can only relieve symptoms; it cannot cure anything. Hence the common cold. Antivirus software acts the same way; however, like a flu shot, it may or may not prevent the virus. Like the precautions you may take to avoid a cold or the flu, precautions must be taken to avoid being infected (safe web use). However, most people don't know how to prevent being infected or think they are invulnerable to infection.
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Well put, MADx. AV cannot prevent an infection. It can detect it and it can delete it, but only if it is known malware. That is why I do not like AVs. It is kind of impossible to get infected these days just by following basic security rules and, above all: IE and Chrome are sandboxed. Email services scan email attachments. Windows has UAC, etc.
     
  12. phyniks

    phyniks Registered Member

    Joined:
    Jun 3, 2011
    Posts:
    258
    Sandbox can be the answer:

    known good files get through
    known bad files are blocked
    and the "SUSPICIOUS" program will be isolated till evaluation

    But we have another kind of antivirus....
    Comodo
    As it claims, known good files get inside,
    known bad files are blocked (the same protocol till now)
    and "THE UNKNOWN" file will be isolated (sandboxed) till evaluation
     
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Well, antivirus programs these days don't just use a blacklist.
    Most use a whitelist and a blacklist and then screen any unknown programs.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    In regards to your Avast comment, it is a matter of emphasis between different AV manufacturers. Avast has developed a reputation of being excellent at blocking malware from entering your system. On the other hand, as you have personally discovered, its removal capabilities are not at the same level.

    There is currently a heated debate in the AV community over whether the traditional AV model, the one that is based on signatures, is going the way the dinosaurs went. It just can't keep up with the multitude of malware being introduced on a daily basis.

    The other two methods of malware detection are heuristics and behavior. Both were developed to thwart the impact of 0-day malware.

    Most traditional AVs incorporate some form of heuristic checking. Heuristics, simply explained, checks for "patterns" in software code that are of a suspicious nature. As such, heuristics suffers from mistaken identity, i.e. false positives.

    Behavior detection, on the other hand, examines what the software is actually doing. If it is accessing or attempting to modify protected system software, for example, it treats that software as potential malware and blocks it. Some AVs include a basic form of behavior detection. However, in most cases, behavior analysis is reserved for HIPS, Host Intrusion Prevention Systems. These are usually packaged as part of a comprehensive firewall. Comodo, PrivateFirewall, Online Armor, Outpost, and the like have HIPS components. There are also standalone HIPS.

    One final protection method is isolation. Sandboxing is an example of this. By isolating a process and preventing anything from running outside of the sandbox, the malware cannot do any damage to the non-isolated portion of the system. A classic example is running your browser within a sandbox.
     
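The allow / block / isolate decision described in posts 12, 13 and 14 above (whitelist, blacklist, heuristic scan, behavior monitoring, sandbox for unknowns) as a small added example in Python. This is illustration code written for this thread, not code from any AV product mentioned here; every hash, byte marker, file path and IP address in it is constructed for the demo, and the "sandbox" is a policy check over a list of declared actions rather than real process isolation.

```python
"""Layered trust decision: allowlist, blocklist, heuristics, behaviour, isolation.

Constructed example: every digest, marker, path and address below is invented
for illustration and does not come from any AV product or from this thread.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Layer 1: signature lists (constructed digests of toy file contents).
ALLOWLIST = {hashlib.sha256(b"vendor-signed updater v1").hexdigest()}
BLOCKLIST = {hashlib.sha256(b"known dropper family A").hexdigest()}

# Layer 2: heuristic markers, byte substrings that look suspicious in a fresh
# download (constructed; real engines use far richer static features).
SUSPICIOUS_MARKERS = (b"disable_realtime_protection", b"inject_into_lsass")

# Layer 3: behaviour policy applied to unknown samples inside the sandbox.
PROTECTED_PATHS = ("C:\\Windows\\System32\\", "HKLM\\SOFTWARE\\")
BLOCKED_IPS = {"203.0.113.10"}  # TEST-NET-3 address standing in for a C2 block list


@dataclass
class Sample:
    name: str
    content: bytes
    # Actions the sample would perform once run, as (kind, target) tuples.
    actions: list = field(default_factory=list)


@dataclass
class Verdict:
    decision: str  # "allow", "block" or "isolate"
    stage: str     # which layer made the call
    denied: list = field(default_factory=list)  # actions the sandbox refused


def static_scan(sample: Sample) -> Optional[Verdict]:
    """Signature and heuristic layers. Returns None when the file is unknown."""
    digest = hashlib.sha256(sample.content).hexdigest()
    if digest in ALLOWLIST:
        return Verdict("allow", "allowlist")
    if digest in BLOCKLIST:
        return Verdict("block", "blocklist")
    if any(marker in sample.content for marker in SUSPICIOUS_MARKERS):
        return Verdict("block", "heuristic")
    return None


def run_isolated(sample: Sample) -> Verdict:
    """Default-deny sandbox: the unknown sample runs, but writes to protected
    locations and connections to blocked addresses are refused and recorded."""
    denied = []
    for kind, target in sample.actions:
        if kind == "write" and target.startswith(PROTECTED_PATHS):
            denied.append((kind, target))
        elif kind == "connect" and target in BLOCKED_IPS:
            denied.append((kind, target))
    if denied:
        # Behaviour layer: refused actions are evidence, so quarantine the sample.
        return Verdict("block", "behaviour", denied)
    # Nothing bad observed: keep it isolated until a reputation verdict arrives.
    return Verdict("isolate", "sandbox")


def protect(sample: Sample) -> Verdict:
    """Full pipeline: known good passes, known bad is blocked, unknown is isolated."""
    return static_scan(sample) or run_isolated(sample)


if __name__ == "__main__":
    samples = [
        Sample("updater.exe", b"vendor-signed updater v1"),
        Sample("dropper.exe", b"known dropper family A"),
        Sample("fresh_loader.exe", b"repacked loader, inject_into_lsass"),
        Sample("unknown.exe", b"never seen before 2012",
               [("write", "C:\\Windows\\System32\\svc.dll"), ("connect", "203.0.113.10")]),
        Sample("note.exe", b"harmless notepad clone", [("write", "C:\\Users\\me\\note.txt")]),
    ]
    for s in samples:
        v = protect(s)
        print(f"{s.name:18} -> {v.decision:7} ({v.stage}) denied={v.denied}")
```

The point the example makes is the one the thread circles around: a sample the signature layers have never seen still ends up either blocked (because the sandbox refused what it tried to do) or isolated (because nothing is yet known about it), so a miss at the detection stage does not by itself mean the system is exposed.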
  15. phyniks

    phyniks Registered Member

    Joined:
    Jun 3, 2011
    Posts:
    258

    Well, your sentences are all correct, but these are also DETECTION
    (by malware signature, behavioral, heuristic, .....)

    I think this is the right answer ....
     
  16. true indian

    true indian Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    764
    Location:
    india
    Correct!!!! If it is something like ZeroAccess then no antivirus so far is able to remove it in a normal Windows environment... but:

    Prevention is better than cure :cool:

    and avast has excellent reputation for prevention IMHO
     
  17. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    SBIE or better yet Returnil.
     
  18. tekkaman

    tekkaman Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    164
    I've seen many cases where even if the AV detects the threat it can't delete it. People have to rely on the AV detecting the threat before it finishes downloading. Sometimes the AV fails at both and it's party time for all sorts of malware.
     
  19. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Modern medicine is all about diagnosing and treating patients. A lot of the time treatment results in complete recovery or a "cure." For diseases that we have no cure for, we generally try to find preventive measures. That's how we came up with flu shots, MMR and other vaccines. The only part of medicine that deals with symptomatic relief is for those terminally ill. For example end stage cancer, advanced AIDS, etc. And we even do have cures for certain forms of cancer, especially when caught early on. It could be as simple as surgical removal after which you will be 100% cured, or as complicated as radiation therapy. There is for example a cancer called choriocarcinoma. Even with distant metastasis to the brain and other organs we can provide the patient with a nearly 100% cure rate via chemotherapy. Also there was a case recently when a patient with AIDS was cured via bone marrow transplant (although still debated). To say that medicine can only relieve symptoms and not cure anything is an insult to my field.

    Now going back to this topic. If you want to compare medicine with antivirus, I would say you are looking at certain AV programs being more concerned about preventive measures. You can use the vaccine analogy from medicine. We give you a Hep B vaccine and you are less likely to get infected. Other AV programs might put more emphasis on what happens after you get infected. In that case these AVs assume that everybody will get Hep B and look for the best antiviral solution instead. Now if you ask me which one is more important then I would say both. 1) There will always be someone who claims "but doc, I know my body..." and does not take the vaccine, or 2) the vaccine will fail. In such cases not having a plan B can be devastating. So both good preventive measures and good detection/cure rates are important. Once your preventive measures fail you need to have a good alternate solution to the problem. Hence we got the layered security idea here in Wilders. In medicine it works exactly the same, or at least we strive as much as we can to make it so.

    Another idea you may want to consider: modern airliners. If something breaks, you usually have ~5 backup systems. Any AV that relies on 1x backup and states that others are less important inherently has a problem.
     
    Last edited: Dec 4, 2012
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Other than what's already been discussed, an AV can still prevent a malicious sample by blocking its source (website, e-mail, etc.).
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Interesting article, even if written by an antivirus company employee.
     
  22. tekkaman

    tekkaman Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    164
    I still think it is a waste of money. No matter what brand, people still get infected because AVs don't detect all the stuff they should detect. For example, they should prevent all toolbar installations. But they don't, because that will get them in trouble with big friend Google and others.
     
  23. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    People do need to not be stupid as well. It is easy to untick a box to not install a toolbar. Antivirus products do protect well, but keeping all software up to date and learning not to click yes on everything will help a lot. Not all toolbars are bad, but I don't like them so I do not install them.
    Both criminals and antivirus companies are getting smarter and it will always be a cat and mouse game.
     
  24. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    They need to come out with more passive security measures. Giving my 80 year old grandmom HIPS and asking whether SVCHOST.EXE is trusted doesn't help much.
     
  25. quanzi_1507

    quanzi_1507 Registered Member

    Joined:
    Feb 18, 2009
    Posts:
    320
    Why should they? Toolbars often come with other software installers and will only install if you allow them to do so. Blindly clicking "Next" during every installation (like most people do) is like signing for an insurance policy without reading any terms stated in it, then blaming the police for not stopping you from doing so.
     