Signature-Heuristic AV programs

Discussion in 'other anti-virus software' started by Franklin, Jan 27, 2006.

Thread Status:
Not open for further replies.
  1. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    If I download a malware - let's say together with a program - I can choose to install that program (+ malware) from the download window and it will be untrusted. If I go via Explorer and install by double-click it will be trusted, or I can right-click and choose to install as untrusted.

    That's user behavior.

    What about malware-behavior - malware downloaded with IE untrusted, can they execute themselves from the untrusted zone in a way so that they can influence anything outside the untrusted? So far I believe - no, they can't.

    So - I am protected from the malware's behaviour - but not from my own eventual less careful behaviour?

    Every new program I download that is not well-known and from the official site I install as untrusted to see what it executes. If it seems to behave normally I will choose to install it as trusted. DW gives me the choice to do so and I want to have that choice.

    So far you have proved DW is not user-poor-behavior-proof. But is it malware-proof? Need something better on that one.

    But that's me - I also sit in the left front seat when I drive my car to work.

    Best Regards
     
  2. Fernando Villegas

    Fernando Villegas Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    55
    Location:
    Santiago de Chile
    Go Stefan!

    I'm sick of all those crazy claims by people who think they have all the answers to all security woes by just using one security application.

    Whether it is those who believe in DW, Shadowuser, Sandboxie
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, first of all, I've just implemented the feature you are so in need of :). Now, under the regular mode, all the executable files created by the untrusted processes will be stored within the "untrusted applications" list. Under the "expert mode" DefenseWall's behaviour is the same as now. I just thought that I needed to implement the online update feature first, but if you so insist..... It was easy. Well, and that is all?

    I'm sorry, but you are wrong.

    I'm sorry, but I've never called myself "security expert". It is you who claim it. You are wrong one more time.

    And how many serious kernel-mode security applications have you written? I'm a system programmer, I'm not an AV analyst. Or, maybe, you think that Process Guard is written by an AV analyst? :) :)

    OK. Just find it....

    In fact, it is not my homework.

    To reproduce what?

    There is no registry/file system virtualization, that is right. And so?

    Simple? Yes, it is simple in use. That was my aim. But you still haven't proved that it is not strong in defense.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is not the same, you must have misunderstood my post.
    Prevx collects white objects world-wide in its Whitelist Database and that must be an enormous database indeed.

    My suggestion was to collect only the white objects, which have been installed by OS and legitimate application software on YOUR computer.
    The Whitelist Scanner starts with an empty Whitelist Database, that is filled during the installation of the Whitelist Scanner.
    An uninstaller can even use the Whitelist Database to uninstall the software completely.

    Here is another idea:
    Each legitimate application software could have its own security program,
    - that checks its registry and its possible values.
    - that checks its folder and its files
    Anything that isn't correct can be fixed by this security program, by deleting bad objects, replacing damaged objects, etc. ...

    There are other possibilities than just blacklist scanners, HIPS and virtual protection, if experts are willing to look hard enough for other solutions.
    That is just a matter of using your imagination.
     
    Last edited: Jan 28, 2006
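The per-machine whitelist proposed in the post above, sketched as an added example (not code from the thread or from any product named in it). It assumes SHA-256 file hashes as the whitelist entries; the function names `record_install` and `audit` are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_install(root: Path) -> dict[str, str]:
    """Fill the (initially empty) whitelist from what the installer put under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root: Path, whitelist: dict[str, str]) -> dict[str, list[str]]:
    """Compare the folder with the whitelist: unknown, modified and missing files."""
    current = record_install(root)
    return {
        "unknown": sorted(set(current) - set(whitelist)),
        "modified": sorted(n for n in current.keys() & whitelist.keys()
                           if current[n] != whitelist[n]),
        "missing": sorted(set(whitelist) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    # Constructed sample: a fake application folder in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"original program")
        (root / "help.txt").write_bytes(b"readme")
        (root / "plugin.dll").write_bytes(b"plugin")
        whitelist = record_install(root)                     # taken at install time
        (root / "app.exe").write_bytes(b"patched program")   # changed afterwards
        (root / "dropper.exe").write_bytes(b"new file")      # not written by the installer
        (root / "plugin.dll").unlink()                       # removed afterwards
        return audit(root, whitelist)


if __name__ == "__main__":
    print(demo())
```

The baseline records whatever the installer wrote, so it says nothing about whether the installed software was legitimate in the first place. The same list of recorded paths is what an uninstaller would walk to remove the application completely.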
  5. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Erik, the whitelist scanner you are talking about sounds a lot like Anti-Executable that is a partner to DeepFreeze.

    Of course, you have to disable AE to install anything, so I guess that's not exactly what you are talking about, and AE doesn't have an uninstall feature...so AE sounds similar, but a little less flexible than what you are suggesting (if I understand it right)
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't know anything about AE and DeepFreeze, at least not enough.
    I'm just throwing some ideas in the arena and see what other members think about it.
    It's no secret at Wilders, that I don't like the blacklist approach. :)
     
  7. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    If I understand the presumed function of DW correctly - (also based on a thread at CastleCorps);

    Let's say I get a virus into my DW-Sandbox while surfing or e-mailing. It can execute from the box and send itself on to other people in my address book as long as I don't hit "the Red Button" or reboot - right?

    After that Red Button or reboot the virus can do nothing - right?

    During its "visit" to the DW-sandbox it cannot reach out of the box and touch my true C: - right? So my true C: is protected from damage - right?

    (I cannot express myself technically because I am not computer-savvy)

    It seems that for Stefan K that's not protection - or in some mysterious way not protection enough? No damage to the computer - and yet not good enough protection? Come on Stefan - what do you really mean - talk to us laymen and ordinary users in a way that we understand and don't hide behind all the high-tech - AV-expert image - so far it doesn't seem to convince - at least not me - that you truly have a Proof of Concept when it comes to bypassing DW when it's used as intended. What you said about starting from Explorer is like a user not updating his AV and then blaming it on the AV if it doesn't protect. It's not a bypass PoC - even a layman understands that. So, "Go Stefan" - dig deeper into your knowledge-base and come up with something better. We need your contribution. Saying "I will not do your homework" - sounds like an escape so that you don't have to show us that you don't have any PoC.

    The fact that whilst in the DW-sandbox the virus can spread is of course not good for my friends - therefore I use a free AV to give my friends some help with protection from the eventual known viruses that might "visit" my DW-sandbox.

    For me it's about which one security app to pay for.

    A version of DW taking away the possibility to install progs as trusted from Explorer through the double-click seems OK - but it still means that I can - from Explorer - right-click and choose "run/install as trusted" - right?

    Best Regards
     
    Last edited: Jan 29, 2006
  8. Right. You don't want this.

    Okay how? Who recognises what is legitimate? The user? Prevx? If not, who else?

    No idea what you mean here. Are you saying for example I'm the programmer of say firefox. So I make firefox itself tell the security program what is legitimate?

    So you want every program on the planet to do that? What if the program is evil and lies?

    Actually something like that exists with coreforce, except, users themselves set up rules, then they put it online and share with others.

    Ideally the programmer himself should set up the rules, but it's not really hard for someone who isn't the creator to figure out what accesses are needed and share the rules with others.

    Of course, someone may still knowingly share bad rules but at least other people can spot them too.

    Sure, it's sad that everyone else in the security industry lacks imagination...
    Care to give us a hand with your ideas?
     
  9. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Nice attempt, but doesn't solve the problem. How about the user downloading a ZIP, RAR, 7zip archive, then unpacking it with Total Commander, WinRAR and so on and then launching the inside malware? DW won't block, again.
    And how do you want to detect "executables"? You know, there are more executables than just PE-EXE... How about all those containers that can have embedded malware?

    Well, where is the proof? All comments you make here indicate your obvious low level of understanding of malware. So again, how many malware samples did you actually analyse on your own?

    That is important, because:

    You completely miss the point again. So you are admitting that you have no idea about how malware works actually but you are able to write system programs. I bet your customers will be relieved that you openly confess you have no idea about malware and write *security* programs based on *theoretical* knowledge. So tell me, how does being a good system programmer but having very low knowledge about malware qualify you to write a security application?

    And of course there are AV experts around that have in-depth system programming knowledge. How do you actually want to understand the more complex malware without that? There are papers published by AV experts covering these topics if you would bother to search. Again you show your little understanding of what AV actually is.


    Your customers will surely find it interesting that you are not interested in testing your own security application properly.


    Hmm, so you are wrongly advertising your product and intentionally misleading your potential customers then:

    "Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications."

    There is no virtual zone being "allocated". The malware just executes, normally. No difference at all to regular execution.

    "In the case of penetration by malicious software via one of the untrusted applications (web browsers etc), it cannot harm your system and may be closed with just one click!"

    Tell me what happens if you execute a trojan that doesn't "install" itself but just corrupts every *.doc file on your computer, steals accounts and sends them to a web page online? Does DW block that too?
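The detection problem raised in the post above (executables are more than PE-EXE, and they can sit inside containers), as an added example that is not part of the thread or of any product discussed in it. It classifies content by leading bytes rather than by file name and descends into ZIP archives; the signature table, the limits and the function names are assumptions chosen for illustration.

```python
import io
import zipfile

# Leading bytes of a few executable or container formats (not exhaustive);
# file names and extensions are never consulted.
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"#!": "script with interpreter line",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (can carry macros)",
    b"PK\x03\x04": "ZIP container",
}
MAX_DEPTH = 3                    # stop descending into nested archives
MAX_MEMBER = 16 * 1024 * 1024    # do not unpack members larger than this


def classify(data):
    return next((label for magic, label in MAGIC.items() if data.startswith(magic)), None)


def scan(name, data, depth=0):
    """Return (path, label) for each executable-like object, descending into ZIPs."""
    label = classify(data)
    if label != "ZIP container":
        return [(name, label)] if label else []
    if depth >= MAX_DEPTH:
        return [(name, "nested too deeply, not inspected")]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER:
                    findings.append((path, "too large, not inspected"))
                else:
                    findings += scan(path, zf.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        findings.append((name, "unreadable or encrypted archive"))
    return findings


def demo():
    # Constructed sample: harmless bytes that only carry the magic numbers.
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("run.sh", b"#!/bin/sh\necho hi\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"just text")
        zf.writestr("inner.zip", inner.getvalue())
    return scan("download.zip", outer.getvalue())
```

`demo()` flags the renamed `photo.jpg` and the script inside the nested archive. RAR and 7zip, which the post also names, need their own unpackers and are reported by this sketch only if a signature for them is added.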
     
  10. StevieO

    StevieO Guest

    Just for the record, Process Guard was written by AT analysers as in TDS3.


    StevieO
     