New Radio Button Option in Heuristics

The new radio button option that was added in WSA for the direction of the heuristics is confusing me a bit...

I understand that BEFORE places the emphasis on advanced heuristics, and I understand that AFTER places the emphasis first on age and popularity. I am not sure from a practical standpoint which setting is better, but I'm guessing BEFORE is since it is the default consistently between Prevx 3.0 and WSA.

The new setting, "Warn when new programs execute that are not known good" is making me scratch my head. This setting seems out of place here because it seems like a combination of settings. For instance, Isn't that accomplishing the same thing as setting everything to "Maximum?" What does this new radio button option intend to do that setting everything to maximum would not do?

Thanks!

P.S. I am also quite curious about what functional difference BEFORE v. AFTER direction makes. Which one is technically more secure?

 

The Help file says this:

 

I know what the help file says--I read it too--but I am still confused.

The help file doesn't explain the possible use for switching between the settings, i.e. what advantage one gives over another.

And I restate that the new option doesn't seem to fit with the others categorically. It's kind of like...do you want to have a drink before your snack, a drink after your snack, or only eat foods that are gluten free.

 

What I gather from the layout...

New Suspicious: Always warns when not in whitelist

Before: Always warns when not in whitelist, but only when exhibiting suspicious activity

After: Always warns when not in whitelist, but only when exhibiting suspicious behavior and is following the age/popularity filter e.g old, popular progs are left since they would likely be blacklisted.

And that would be the order from greatest security to lower. The trade off: Using 'After' would yield less FPs but more FNs and vice versa.

 

This is close, but instead of it factoring in the whitelist, it factors in the age/popularity.

"Before" says it should first check to see if a file is doing something suspicious (advanced heuristics) before it checks the age/popularity of the file (possibly more FPs but better detection).

"After" says it should first check the age/popularity, then apply heuristics only if it's a new file (lower FPs).

Hope that helps!

 

Thanks everyone for elaborating on that. I definitely understand the difference and pros/cons of changing the direction of heuristic type application, i.e. before v. after.

What I still don't understand is the purpose of the new setting that is added from Prevx 3.0 to WSA. The "New/Not Known Good" setting still seems out of place there to me, since the other two settings are directional.

Another reason I'm confused is this new setting seems to be the same thing as turning all the heuristics to maximum...isn't it? It seems secure but what if I chose that option then turned all the heuristics to low. I don't know...something about it is confusing me.

I can picture that setting being a shortcut to easily configuring maximum protection, where you chose that and it greys the heuristic bars out and automatically sets them all to maximum.

 

The new setting overrides everything else - it effectively says: "if the program is not known good, block it" turning WSA into a whitelist-based protection engine. At that point, the other heuristic settings are just for controlling how heuristics are applied to known-good programs - anything new or suspicious will be blocked automatically.

 

Ah, I see.

It's just confusing because if I chose that setting, than set the age/pop/adv heuristics all to low, it seems that that would be a catch 22 or a counter-setting, if you see what I mean.

 

But let's say I allow an unknown program to run (ignoring the warning)... Will WSA still apply heuristics and and block the unknown program if it performs a suspicious activity? Or am I completely exposed after clicking "Allow"?

 

It still will apply the next layers of logic after allowing it initially.

 

So choosing this new, whitelist option, will essentially override the age and popularity heuristics entirely, assuming you want it ONLY if it's KNOWN GOOD, and then only apply Adv. Heur if you allow it initially?

 

Exactly

 

Wow nice. I can't see much malware getting past that...