Is it the AV or the Behavior Method of detection

Discussion in 'other anti-malware software' started by trjam, May 29, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    A little birdy told me that in products like ThreatFire, and I would assume DriveSentry, the majority of detection comes from the AV engine and not the behavior-based engine. Which, all in all, is a great combo. What I want to see is a product that can accomplish its detection rates based on a behavior-based engine alone. Maybe, just maybe, one is on the way.;) :cool:

    "... However, our preliminary testing results indicate that for true behavior-based software competitors, our detection numbers are better than all we've tested against."

    Can't say any more than that for now.;)
     
    Last edited by a moderator: May 29, 2008
  2. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    trjam,

    A very good point and it would be an unbelievable product that could detect using just behavior detection but I personally don't think it will happen.

    Here are my reasons:

    1. If a new virus appears that uses new and unknown ideologies, then a pure behavioral product will not be able to determine that the threat is real. This could be a backdoor in Vista that even Microsoft is unaware of.

    2. Viruses don't always attack the system but data, for example "ransomware". A behavioral technology would have to prompt if process "X" is accessing your data, as it would have no knowledge of whether that was the correct behavior.

    3. If a program does behave like a virus, e.g. an installer, then a lot of FPs could be generated.

    ~interact
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As long as software can't "think" and can only "compare", behavior blockers will always make mistakes and scanners will always have false positives. That's why ThreatFire has "Allow" and "Deny", because programmers are too scared to make that decision via their program.
    A whitelist always knows the right answer: AE always says "Deny", and that is the good answer, because the rest is not allowed.
     
    Last edited: May 29, 2008
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry Eric,

    I have some experience with Artificial Intelligence and fuzzy logic. What you say is true, but the knowledge engineering is the key here.

    There are three routes:

    1. Individual intrusions can be awarded bad behavior points
    2. Combos or patterns of intrusion types (the category in which the above intrusions fall) can be awarded bad behavior points
    3. The nature of the attacking origin can be awarded risk points

    Primary Response SafeConnect clearly shows which patterns and risks they are assessing (e.g. survives re-boot).

    The skill of the development team lies in the bad points rating of the above.

    Disclaimer: below is my interpretation when I see those programs in action, by no means do I claim to know how these programs are constructed.

    I personally think TF is the most advanced solution, using at least 1 and 2 and assessing the rights of the attacker (a simple form of 3). PRSC/Norton Antibot follow strategies 2 and 3 more, while Mamutu assesses 1 and 3.

    This also explains their FP rate (PRSC/N-Antibot zero, TF close to zero, Mamutu more, but this is compensated by community voting) and their coverage rate (TF most, Mamutu second, PRSC/NA third).

    As said, it is black box interpretation, so I acknowledge it has the same reasoning behind it as predicting the future by looking into a glass ball/bowl.

    Regards Kees


    By the way, TF has allow or quarantine; this shows the confidence of the developers in their algorithms.
     
    Last edited: May 29, 2008
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    ThreatFire is their main competition, but again it is the AV that is doing about 80 percent of the detecting for it. That is now proven.
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    This one will allow automatic removal of malware or user intervention. You have the option. It won't overtake ThreatFire at the start because it has no AV, but I think if all pans out it will. Works very well with ShadowDefender.;)
     
  7. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    TF developers have always claimed that the behavior of malware is what is detected and that their blacklist is only checked afterwards to determine if the detected behavior originated from known malware. Are you saying that this is inaccurate and that they have been dishonest?
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am only repeating what I was told today. That they discovered the AV detects about 80 percent of the malware. I have no reason to discount that statement because they also have very high regard for the product overall. As I said, they will not be able to compete right out of the 2nd gate,;) because of that, but other things are planned.
     
  9. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    On a scan the TF's AV and rootkit are working.
    Any alert from TF is because of behavior. You can take out the black list, take out the AV db and switch off auto-updates, run malware past TF and see for yourselves.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well then, I am a lonely bystander. Time to unleash the 60 day trial.

    Go NovaShield
     
  11. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris

    trjam,

    Thanks for the link on NovaShield! I noticed it requires .NET, which always makes me nervous. I've put it through my AntiVirus Showdown tests and it detected 3 out of 10 threats. I'm posting some more videos onto YouTube this weekend and will make sure this is included.

    ~interact
     
  12. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    That's what I thought anyway, thanks for confirming.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, I know what "Artificial Intelligence" is, and some programmers are very clever in using the available commands of their computer language in such a way that it looks like A.I.
    The only existing intelligence in "A.I." is the intelligence of the programmer, but he is also limited by the commands of his program language and he can only evaluate a situation by using the conditional commands.
    Some programmers are better at combining these commands than others, and that makes a behavior blocker better or worse.
    I've been a programmer myself, not long, but long enough to know the limitations of a program language. I just didn't like the job.

    I don't need the "Allow" option of ThreatFire, because I work with a frozen system partition, not a normal one like most users have, and that requires another philosophy.
    My frozen partition contains only Windows + Applications and, after a good configuration, it has EVERY OBJECT and setting to do its job properly.
    Any other object is considered an intrusion, and it doesn't matter if it is good or bad, I don't need it.
    In other words, any object reported by ThreatFire is NOT allowed.
    Anti-Executable is simpler than ThreatFire: each unauthorized executable is killed immediately, and that's the way I like it in my frozen system. TF asks too many questions for my taste and requires more careful clicking.

    I have a few questions for you regarding AE and TF, because AE is not a behavior blocker.
    1. If you put executables aside, what does TF do more than AE in general?
    2. Suppose an exploit tries to abuse a whitelisted executable; will TF protect me against this?
    I'm just looking for good reasons to use TF or not, because AE takes care of executables already. I've seen several TF screenshots at Wilders; they all contained executables.

    Thanks,
     
    Last edited: May 30, 2008
  14. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Assume I'm a complete computer illiterate (99% are); how do I make decisions regarding popups from the behavior blocker? I suppose that you have to know quite a lot about computers to make the right choice. ;)

    Can you imagine how large corporate environments would deal with a BB? It would be a complete disaster.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Right you are. It strikes me that lots of security software is designed for knowledgeable users (a minority), while the majority of users are less knowledgeable. Something isn't right. LOL.
     
  16. Threatfire_Team

    Threatfire_Team Registered Member

    Joined:
    Oct 4, 2007
    Posts:
    11
    Location:
    Boulder, CO
    Precisely why ThreatFire performs the additional checks with its blacklist and AV database before displaying its alerts. In cases where known malware has been detected, we can automatically quarantine the threat so the user doesn't need to make any decisions.

    Again, ThreatFire is purely behavior-based in its detection capabilities (and this is easily tested). Once its behavioral engine triggers on suspicious activity ONLY THEN will it perform the secondary checks with the databases to hopefully simplify the upcoming user interaction (i.e. no need to choose Allow or Quarantine if the threat has already been quarantined for you).

    Of course, in cases of a never-before-seen threat then the user will still have to make a decision between Allow and Quarantine. However, if in doubt, choose Quarantine. You can always Restore later if needed. And remember, we have safeguards against quarantining necessary system processes, so there's no danger there either.

    __________________
    PC Tools ThreatFire Team
    5777 Central Ave., Ste. 130
    Boulder, CO 80301
    USA
    http://www.threatfire.com
    http://www.pctools.com
     
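As an added illustration (not ThreatFire's, NovaShield's or any other vendor's code, none of which is public), the three scoring routes Kees1958 lists above and the two-stage flow Threatfire_Team describes, reduced to a toy Python scorer: behavior points alone decide whether an alert fires, and the blacklist lookup only decides what that alert does. All event names, point values, origins and hashes are constructed for the example.

```python
# Toy behavior scorer: constructed point tables, not any vendor's real weights.

# Route 1: each individual intrusion earns "bad behavior" points.
EVENT_POINTS = {
    "write_autorun_key": 3,      # persistence: survives reboot
    "inject_remote_thread": 4,   # code injection into another process
    "write_user_documents": 1,   # touches user data (alone, perfectly normal)
    "open_listening_socket": 1,
    "create_temp_file": 0,
}

# Route 2: combinations of intrusions that form a recognised pattern earn extra points.
PATTERN_POINTS = {
    frozenset({"write_autorun_key", "inject_remote_thread"}): 4,  # persist + hide
    frozenset({"write_user_documents", "write_autorun_key"}): 3,  # touch data + persist
}

# Route 3: the origin of the acting process adds (or removes) risk points.
ORIGIN_POINTS = {"installer_signed": -2, "browser_download": 2,
                 "email_attachment": 3, "unknown": 1}

ALERT_THRESHOLD = 6

# Constructed stand-in for the AV/blacklist database; consulted only after a behavioral trigger.
KNOWN_BAD_HASHES = {"deadbeef" * 8}


def score_behavior(events, origin):
    """Sum points from all three routes for one process's observed events."""
    seen = set(events)
    score = sum(EVENT_POINTS.get(e, 0) for e in seen)
    score += sum(pts for pattern, pts in PATTERN_POINTS.items() if pattern <= seen)
    score += ORIGIN_POINTS.get(origin, ORIGIN_POINTS["unknown"])
    return score


def decide(events, origin, sha256, known_bad=KNOWN_BAD_HASHES, default_unknown="prompt"):
    """Return (action, score). Behavior alone decides whether to alert; the database
    only changes what the alert does (auto-quarantine known malware, else prompt)."""
    score = score_behavior(events, origin)
    if score < ALERT_THRESHOLD:
        return "allow", score          # no alert at all
    if sha256 in known_bad:
        return "quarantine", score     # known malware: no user decision needed
    return default_unknown, score      # never-seen threat: user (or configured default) decides


if __name__ == "__main__":
    suspect = ["create_temp_file", "write_autorun_key", "inject_remote_thread"]
    print(decide(suspect, "email_attachment", "0" * 64))                        # ('prompt', 14)
    print(decide(suspect, "email_attachment", "deadbeef" * 8))                  # ('quarantine', 14)
    print(decide(suspect, "email_attachment", "deadbeef" * 8, known_bad=set()))  # still alerts: ('prompt', 14)
    print(decide(["write_autorun_key", "create_temp_file"], "installer_signed", "0" * 64))  # ('allow', 1)
```

The third call is the "take out the AV db" test from the thread: with an empty database the alert still fires, only the default action changes.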
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Cyberhawk Support says, "On a scan the TF's AV and rootkit are working.
    Any alert from TF is because of behavior."

    But Threatfire Team says, "Precisely why ThreatFire performs the additional checks with its blacklist and AV database before displaying its alerts."

    Am I missing something here? It sounds like alerts are verified against the AV database in real time, not just scanning.

    So anything can cause an alert, but ultimately the determination is made by the AV database. Isn't that what I said?
     
  18. Threatfire_Team

    Threatfire_Team Registered Member

    Joined:
    Oct 4, 2007
    Posts:
    11
    Location:
    Boulder, CO
    Sorry for the confusion if I was unclear.

    What we're both trying to communicate here is that ThreatFire ONLY detects based on behavior, i.e. it makes a determination on whether to display an alert based on suspicious activities alone. I can't be any clearer about that. The additional checks have nothing to do with ThreatFire's malware detection abilities.

    It's in the subsequent user interactions (which type of ThreatFire alert is presented, and what a user must do to respond to the alert) where the AV database comes in to play. We're able to leverage these databases in cases of known malware.

    However, what you need to keep in mind is that ThreatFire will STILL alert even if we were not performing these subsequent database checks. (And this is what Cyberhawk Support pointed out and invited anyone to test out for yourselves to show that it is purely behavioral detection at work.)

    That's the point I'm trying to make. With or without AV database, you'll see a ThreatFire alert.

    But why would we ask a user to Allow or Quarantine something when we have a way to identify whether it is known malware? In those cases, we go ahead and quarantine so the user doesn't have to. It's this extra step that other behavior-based products typically can't do and thus must always have the user make the decision.
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Ok, fair enough. A couple of points though. NovaShield does allow the option of the software making the choice automatically. Not the user.

    And I agree with your statement that even without the AV database you will see an alert by ThreatFire. But I would wager to bet that it is in about 80 percent of those alerts where, as you said, "(which type of ThreatFire alert is presented, and what a user must do to respond to the alert) where the AV database comes in to play."

    That is all I am trying to say. That in about 80 percent of the type of alert shown, it is based on the AV database. It doesn't matter. Thank you for showing the kindness to help explain all of this.:)
     
  20. Threatfire_Team

    Threatfire_Team Registered Member

    Joined:
    Oct 4, 2007
    Posts:
    11
    Location:
    Boulder, CO
    Thank YOU for your overall interest in behavior blockers. Since it's relatively new technology all vendors can use the exposure and all discussion is good! :)

    As does ThreatFire. See Default Actions section in ThreatFire program Settings. You can configure TF to automatically quarantine, prompt or allow based on alert type. We provide this option because we're very confident in our low rate of false positives. With behavior blockers, while malware detection is obviously a key metric, you must also look at how the program treats legitimate applications.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I think it is a great way of tuning your behavior diagnostics (top line of FPs cut off by intelligence, bottom line by AV database).

    So count me in as someone who has great respect for the technology you developed.

    How about giving me any feedback on the assumptions (see previous post)?

    regards Kees
     
  22. Threatfire_Team

    Threatfire_Team Registered Member

    Joined:
    Oct 4, 2007
    Posts:
    11
    Location:
    Boulder, CO
    Hello, Kees--

    I hope you will understand that we prefer to not comment publicly on the nature of our intelligence algorithms, even in an indirect way.

    Besides, I actually don't work on the technical side of things (just a mere marketing person) so I don't even know the full technical details myself! I do know that whatever our talented developers are doing works pretty darned good though. :D
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    And just think what could happen if they added a malware guru who knew their stuff on the AV side. A year from now the chant will be, PC Tools Rocks. Trust me on that one.
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Not even a full list, in plain user language, of what is considered suspicious behavior? Because I would be interested in this o_O
    I don't need to know how you do it.

    Security software is already misty enough; I never know against which malware I'm protected.
    I don't have that problem with whitelists, they are always very clear: this is allowed, anything else goes.
     
    Last edited: May 31, 2008
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    As a huge skeptic, not of ThreatFire's technique, but of any other behavioral blocker for that matter, I harbor a very disquieting concern over the installer size of a program of this nature.

    I'm a firm believer that modular is the Lite approach and is not beyond the capabilities of most developers, over reasonable time, to make such a reduction a reality without sacrificing its intended purpose.

    Some would agree with this perception, as I do, that a behavioral blocker could be trimmed significantly and still be as aggressive as expected.

    You add an AV with a BlackList and you've arbitrarily inflated a behavioral blocker that was never intended in the first place to replace an AV at all, IMO, but rather to complement it and/or a HIPS.

    I know this as fact since I successfully combined SSM (HIPS) with the then CyberHawk with amazing results.

    JUST SOME FOOD FOR THOUGHT.

    EASTER
     