Is it the AV or the Behavior Method of detection

Discussion in 'other anti-malware software' started by trjam, May 29, 2008.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined: Nov 9, 2006
    Posts: 4,047
    Location: France, May 1968
    Today, ThreatFire is a bleeding-edge security app. Few PC users know/use/have standalone (i.e., not being included in their AV or security suite) non-signature security software. Novatix/PC Tools wants ThreatFire to become a mainstream app. Being a mainstream app means asking very little from the end-user. To achieve this goal, you have to keep the number of pop-ups/prompts (no matter if it's real malware or a FP) close to zero. Having whitelists and blacklists (the AV engine) is the answer to this dilemma. The end-user will only see pop-ups from totally new malware variants (i.e., malware bypassing the deepest/most paranoid signature-scanning) or rare FPs from non-mainstream apps (apps not included in the whitelist).
     
  2. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007
    Posts: 11,126
    Location: U.S.A. (South)
    I see your point and I also see the base audience they are trying to target, but no matter, today's mass majority will be all too quick to choose a highly-marketed commercial anti-virus before venturing into this unknown area they have little experience or understanding in.

    And therein lies my point for better or worse.
     
  3. bman412

    bman412 Registered Member

    Joined: Mar 4, 2008
    Posts: 261
    The problem here is that if Threatfire detects a known malware based upon its AV database, it will automatically quarantine it. No choice is given to the user to stop the file from being quarantined or ignore it altogether if it is a false positive, which, with a database that doesn't change frequently, will be prone to getting such. The user can always remove the file from quarantine, but once it is accessed again it gets quarantined back since Threatfire will detect it once more.
     
  4. Huupi

    Huupi Registered Member

    Joined: Sep 2, 2006
    Posts: 2,024
    It's a dilemma; their objective is to become mainstream, so user action is to be kept to a minimum (mainstream = less computer-literate user), so their idea is understandable.
     
  5. bman412

    bman412 Registered Member

    Joined: Mar 4, 2008
    Posts: 261
    I could only agree up to a certain degree. As I have noticed, applications nowadays which tout to have few user interactions needed from the not-so-knowing computer user tend to dictate that the user should be knowledgeable. Quite ironic IMHO.
     
  6. denniz

    denniz Registered Member

    Joined: Jul 26, 2007
    Posts: 436
    Location: The Netherlands
    Yes, you are missing something here. Also the sentence: "So anything can cause an alert, but ultimately the determination is made by the AV database. Isn't that what I said." .... is not true either.

    Threatfire works in the following way:

    It tracks all operations that are done on the computer. Each kind of operation can be awarded a set of predefined points for possible malicious behavior. Since legitimate programs also perform actions that are equally done by malicious programs, like putting itself in the auto start-up section, installing a driver, copying files to certain system locations, etc., Threatfire will not alert you right away if only 1 possible malicious action takes place.

    Instead that action will be given a set of points; if another possible malicious action is taken by that same program, it will be given another set of points. If these points exceed a certain predefined threshold, an alert is given to the user. These alerts can have 2 possible outcomes. Outcome 1: The program that exceeds the threatpoint threshold is always (malicious or not) checked by the backup blacklist database (the antivirus engine); if the program is a known threat, it is automatically quarantined.

    BUT.... Outcome 2: if the program is NOT a known threat, an alert is STILL given to the user. But instead of displaying a message of a known threat, the user is now informed that POSSIBLE malicious behavior has taken place, but it's not a known malicious program, but the program did perform possible malicious actions. The user is now prompted to take action, either allow it or quarantine it.

    So in either case the user is informed, for both known and unknown threats. The antivirus engine is only there to check programs that exceed a certain threatpoint threshold. If the antivirus engine doesn't know the program in question, an alert is still given to the user. The only difference is that known threats are automatically quarantined because the antivirus engine labeled it malicious, while unknown threats are not automatically quarantined; instead the user must confirm if he thinks the program is indeed malicious or not.
     
    Last edited: May 31, 2008
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined: Jun 16, 2005
    Posts: 9,455
    I'm not convinced that that part will work for average users, certainly when it's not blacklisted by the AV.
    Good and bad programs look alike and perform the same actions, as you already confirmed. How can an average user evaluate this? If he doesn't see the difference between good and bad programs, he won't see the difference between good and bad behavior either. A bit too shaky to my taste.
     
    Last edited: May 31, 2008
  8. denniz

    denniz Registered Member

    Joined: Jul 26, 2007
    Posts: 436
    Location: The Netherlands
    Well, that would indeed be the HIPS side of a behavior blocker, but the only difference is that a HIPS will alert a user for every action a program takes, while a behavior blocker will consider the "threatpoint" threshold I mentioned in my previous post. This predefined threshold will at least alleviate most of the negative side of a standard HIPS, which bombards the user with popups.

    But indeed, for unknown threats the alerts generated by Threatfire may be confusing indeed for less educated computer users.
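
The scoring model denniz describes two posts up (points per action accumulated per program, an alert once a threshold is passed, then a blacklist check deciding between automatic quarantine and a user prompt) and the contrast with a per-action HIPS drawn in the post above, as an added Python sketch. This is illustration code, not ThreatFire's; the point weights, the threshold, the blacklist entries and the event log are all constructed for the example.

```python
"""Toy model of the "threatpoint" scoring described in the thread.

Constructed example, not ThreatFire's code. Point values, the threshold,
the blacklist and the event log are all invented for illustration.
"""
from collections import defaultdict

# Assumed point weights per operation type (hypothetical numbers).
ACTION_POINTS = {
    "add_autostart": 30,
    "install_driver": 40,
    "copy_to_system_dir": 25,
    "write_other_process": 50,
    "open_network_listener": 35,
    "read_file": 0,
}
THRESHOLD = 60  # assumed; alert once a program's accumulated points exceed this

# Constructed stand-in for the AV engine's blacklist (names the signature DB knows).
KNOWN_BAD = {"dropper.exe"}


def score_events(events, points=ACTION_POINTS, threshold=THRESHOLD, blacklist=KNOWN_BAD):
    """Accumulate points per program and return a list of verdicts.

    Each verdict is (program, points, outcome), where outcome is
    'auto_quarantine' for a program the blacklist knows, or 'prompt_user'
    for an unknown program that crossed the threshold. A program is
    judged once: after it alerts, further events for it are ignored.
    """
    totals = defaultdict(int)
    alerted = set()
    verdicts = []
    for program, action in events:
        if program in alerted:
            continue
        totals[program] += points.get(action, 0)
        if totals[program] > threshold:
            alerted.add(program)
            outcome = "auto_quarantine" if program in blacklist else "prompt_user"
            verdicts.append((program, totals[program], outcome))
    return verdicts


def hips_prompt_count(events, points=ACTION_POINTS):
    """Classic HIPS behaviour: one prompt per suspicious action, no accumulation."""
    return sum(1 for _, action in events if points.get(action, 0) > 0)


# Constructed event log: (program, operation), in the order they were observed.
EVENTS = [
    ("setup_printer.exe", "install_driver"),   # legit installer, single action: 40, no alert
    ("dropper.exe", "copy_to_system_dir"),     # 25
    ("dropper.exe", "add_autostart"),          # 55, still under threshold
    ("dropper.exe", "write_other_process"),    # 105, over; blacklisted -> auto quarantine
    ("newtool.exe", "add_autostart"),          # 30
    ("newtool.exe", "open_network_listener"),  # 65, over; unknown -> prompt the user
    ("notepad.exe", "read_file"),              # 0 points, never considered
]

if __name__ == "__main__":
    for program, pts, outcome in score_events(EVENTS):
        print(f"{program}: {pts} threatpoints -> {outcome}")
    print("HIPS-style prompts for the same log:", hips_prompt_count(EVENTS))
```

On this log the behaviour blocker produces two decisions (one silent quarantine, one prompt) where a per-action HIPS would have raised six prompts, which is the trade-off both posts are describing: fewer interruptions, at the cost of the one remaining prompt being the hardest to judge.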
     
  9. 337

    337 Registered Member

    Joined: Nov 4, 2006
    Posts: 232
    Location: Georgia, USA
    I just did a full scan with TF and it found Nova Shield vista release as a trojan! I downloaded it but haven't got around to installing it yet, I usually scan on weekends and it seems they may be at odds already? Anyone running these two programs together yet?:eek:
     
  10. Kees1958

    Kees1958 Registered Member

    Joined: Jul 8, 2006
    Posts: 5,857
    Eric,

    There is one strategy which obtains the highest level of security in a seamless execution environment: reducing the attack surface (A through D) and controlling the attack vectors (E and F)

    A) a firewall typically reduces the entries (and exits) to a computer
    B) a policy management approach based on user rights: running LUA
    C) a policy execution approach for the trusted, using whitelists like AE (allow only trusted)
    D) a policy mitigation approach for the untrusted, using sandboxes like DefenseWall and GeSWall which mitigate internet-facing processes (and their children) and the files downloaded by these untrusted programs
    E) a filter approach on suspicious behaviour (the intelligent form, e.g. TF) or on vulnerable OS mechanisms (the dumb form, e.g. Antihook)
    F) a filter approach on known malware (antivirus solution)

    Since you use a FW, DefenseWall and AntiExecutable, I honestly could not think of a reason why you should use TF. Adding the AE database as a protected resource of DW (add it as a file to system) is probably more effective.

    The other option (less user friendly but theoretically safer) is the virtualise-changes approach: image rollback, machine virtualisation, disk virtualisation, application virtualisation. You also have a strong rollback solution in place, so why care?

    Regards Kees
     
    Last edited: Jun 4, 2008