New Radio Button Option in Heuristics

Discussion in 'Prevx Releases' started by STV0726, Oct 24, 2011.

Thread Status:
Not open for further replies.
  1. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    The new radio button option that was added in WSA for the direction of the heuristics is confusing me a bit...

    I understand that BEFORE places the emphasis on advanced heuristics, and I understand that AFTER places the emphasis first on age and popularity. I am not sure from a practical standpoint which setting is better, but I'm guessing BEFORE is since it is the default consistently between Prevx 3.0 and WSA.

    The new setting, "Warn when new programs execute that are not known good", is making me scratch my head. This setting seems out of place here because it seems like a combination of settings. For instance, isn't that accomplishing the same thing as setting everything to "Maximum"? What does this new radio button option intend to do that setting everything to maximum would not do?

    Thanks!

    P.S. I am also quite curious about what functional difference BEFORE v. AFTER direction makes. Which one is technically more secure?
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    The Help file says this:

     
  3. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I know what the help file says--I read it too--but I am still confused.

    The help file doesn't explain the possible use for switching between the settings, i.e. what advantage one gives over another.

    And I restate that the new option doesn't seem to fit with the others categorically. It's kind of like...do you want to have a drink before your snack, a drink after your snack, or only eat foods that are gluten free. :eek:
     
    Last edited: Oct 25, 2011
  4. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    What I gather from the layout...

    New Suspicious: Always warns when not in whitelist

    Before: Always warns when not in whitelist, but only when exhibiting suspicious activity

    After: Always warns when not in whitelist, but only when exhibiting suspicious behavior and is following the age/popularity filter, e.g. old, popular progs are left since they would likely be blacklisted.

    And that would be the order from greatest security to lower. The trade off: Using 'After' would yield less FPs but more FNs and vice versa.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is close, but instead of it factoring in the whitelist, it factors in the age/popularity.

    "Before" says it should first check to see if a file is doing something suspicious (advanced heuristics) before it checks the age/popularity of the file (possibly more FPs but better detection).

    "After" says it should first check the age/popularity, then apply heuristics only if it's a new file (lower FPs).

    Hope that helps!
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Thanks everyone for elaborating on that. I definitely understand the difference and pros/cons of changing the direction of heuristic type application, i.e. before v. after.

    What I still don't understand is the purpose of the new setting that is added from Prevx 3.0 to WSA. The "New/Not Known Good" setting still seems out of place there to me, since the other two settings are directional.

    Another reason I'm confused is this new setting seems to be the same thing as turning all the heuristics to maximum...isn't it? It seems secure but what if I chose that option then turned all the heuristics to low. I don't know...something about it is confusing me.

    I can picture that setting being a shortcut to easily configuring maximum protection, where you chose that and it greys the heuristic bars out and automatically sets them all to maximum.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The new setting overrides everything else - it effectively says: "if the program is not known good, block it", turning WSA into a whitelist-based protection engine. At that point, the other heuristic settings are just for controlling how heuristics are applied to known-good programs - anything new or suspicious will be blocked automatically.
     
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Ah, I see.

    It's just confusing because if I chose that setting, then set the age/pop/adv heuristics all to low, it seems that that would be a catch-22 or a counter-setting, if you see what I mean.
     
  9. phaser

    phaser Registered Member

    Joined:
    May 28, 2010
    Posts:
    35
    But let's say I allow an unknown program to run (ignoring the warning)... Will WSA still apply heuristics and block the unknown program if it performs a suspicious activity? Or am I completely exposed after clicking "Allow"?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It still will apply the next layers of logic after allowing it initially.
     
  11. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    So choosing this new whitelist option will essentially override the age and popularity heuristics entirely, assuming you want it ONLY if it's KNOWN GOOD, and then only apply Adv. Heur if you allow it initially?
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Exactly :)
     
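A toy model of the three settings as this thread describes them (posts 5, 7, 10 and 12), added here as an illustration and not Prevx or Webroot code; the age/popularity thresholds, the sample file records and the verdict names are assumptions, and the sliders are reduced to two fixed thresholds:

```python
from dataclasses import dataclass

# Assumed sensitivity knobs: the Low/Medium/Maximum sliders are modelled as
# two thresholds; the numbers are made up for illustration.
NEW_IF_YOUNGER_THAN_DAYS = 30
NEW_IF_FEWER_USERS_THAN = 100

@dataclass(frozen=True)
class FileInfo:
    name: str
    known_good: bool   # present on the vendor's known-good (whitelist) list
    age_days: int      # how long the file has been seen in the wild
    users: int         # popularity: how many installs have reported it
    suspicious: bool   # advanced heuristics flagged its behaviour

def is_new(f: FileInfo) -> bool:
    """Age/popularity filter: young or rarely seen files count as new."""
    return f.age_days < NEW_IF_YOUNGER_THAN_DAYS or f.users < NEW_IF_FEWER_USERS_THAN

def verdict(f, direction, whitelist_only=False, allowed_once=False):
    """Return 'block', 'warn' or 'allow' for one execution attempt."""
    # Post 7: the 'not known good' option overrides the rest; anything off the
    # whitelist is stopped with a warning. Posts 10 and 12: once the user allows
    # it, the remaining layers below still apply.
    if whitelist_only and not f.known_good and not allowed_once:
        return "warn"
    if direction == "before":
        # Post 5: advanced heuristics first, then age/popularity.
        if f.suspicious:
            return "block"              # even old, popular files (possible FP)
        return "warn" if is_new(f) else "allow"
    if direction == "after":
        # Post 5: age/popularity first; heuristics only reach new files.
        if is_new(f) and f.suspicious:
            return "block"
        return "allow"                  # old, popular but suspicious slips by (possible FN)
    raise ValueError(f"unknown direction: {direction!r}")

# Constructed sample files, not real detections.
OLD_POPULAR_SUSPICIOUS = FileInfo("updater.exe", False, 400, 50_000, True)
NEW_CLEAN = FileInfo("tool.exe", False, 2, 3, False)
TRUSTED_SUSPICIOUS = FileInfo("editor.exe", True, 900, 2_000_000, True)

def compare(files):
    """Verdict of every file under each of the three radio button settings."""
    modes = {"before": ("before", False), "after": ("after", False),
             "not_known_good": ("before", True)}
    return {f.name: {m: verdict(f, d, w) for m, (d, w) in modes.items()}
            for f in files}

if __name__ == "__main__":
    for name, row in compare([OLD_POPULAR_SUSPICIOUS, NEW_CLEAN, TRUSTED_SUSPICIOUS]).items():
        print(f"{name:12} {row}")
```

The old, popular but suspicious file is the case that separates the two directions: "before" blocks it and "after" lets it through, which is the FP/FN trade-off the thread describes.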
  13. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Wow nice. I can't see much malware getting past that...
     