Twister Antivirus

My friend. When i write, i usually follow a logical chain of thoughts, which by quoting selectively, you alter the meaning of what i write.

For instance, you are trying to make point, but you "forget" what i added, to be MORE CLEAR (i even wrote so, exactly in order to be "more clear"). So i quote the part you forgot again.

"To make myself more clear. HTTP scanner DOES add some more security because as explained by Vlk, there can be an exploit, that can be parsed from the browser, theoretically, in an unpatched system. In this case the real time scanner will intervene only after the execution."

So, there you go, i don't doubt the experts' voice either.

You thought so because you skipped my "more clear" point. Each vendor will praise HIS solution. If you ask Vlk , HTTP is a "must". Go ask Melih, and "HIPS is a must". Go ask Tzuk, "virtualization" is a must. So WHO is the best "expert"?

No, i won't provide any evidence, since nobody has presented evidence to the opposite either. I call it common sense mostly. How many people have you heard being infected by executing something locally and how many executing an exploit through browser in an unpatched system, that their real time scanner (not the HTTP one) couldn't handle? I won't provide "evidence". I will leave it to anyone to think on his own.

No, YOU are talking about HTTP scanners. This thread is about Twister. You want HTTP scanner? At the same fashion i want it to have HIPS! Where's the difference? That you can complain about the lack of a feature and i can't talk about another missing feature? That's nice reasoning! This thread is called "Twister Antivirus" (just a reminder). It's not called "HTTP scanners", as it isn't called "HIPS modules in AVs". So, if you can talk about HTTP scanners, why can't i speak of HIPS of sandobox modules?

Yes, it is a supposition. Like yours that it won't become bloated. My supposition is, that usually, when adding more modules into a product, it becomes more bloated. Then again, may be not, but i would rather not take my chances.

Regards.


P.S: About this "It's perfectly possible and likely that Twister will remain light even with one: just ask NOD32 and avast!." Should i ask for proof that the HTTP scanner doesn't slow down browsing at all? Benchmark or something? Or that resource usage hasn't increased? Or, i will ask NOD 32, ok. (i won't google for "Http scanner slows down internet speed). Can i call this "unproven" and without statistics claim? Can i?

 

Maybe we should ask FilsecLab about a new category here @ Wilders.

I think this thread is losing its originality.

 

So you're not trying to be smart alecky with dismissing the experts anymore. Glad we've got an agreement.

Because you're asking different experts different questions. You're asking vlk "are webshields necessary," Tzuk "are sandboxes necessary?" and Melih "are HIPS necessary?". Not that I get your point in doing so, anyway...

I'll take the liberty to correct you on this: it's not that you won't, it's more that you cannot.

I was responding to bellgamin's comment about web scanners. Following a logical train of thought, you have something to comment on the same topic as well if you quote and respond to my post. If it's HIPS you want to talk about when you reply to my post about web scanners, feel free to; but if you're going to demand that I pay attention to an illogical person's off-topic ranting, I regret to inform you that you're in for disappointment.

You're welcome to subscribe to your own FUD, but why try to peddle it to the public at large?

 

Our difference, is that i read all your post, while you pick one isolated paragraph out of mine and try to alter my reasoning. It's not "anymore". I had written the same thing since the beginning. It's YOU that "forgot" to read the "to be more clear" thingie.

No, i simply say that each "expert", according to the program that he sells, has a different idea of security. It's EASIER to put an HTTP scanner into an AV than to put a hips for exampe. Clearly for an AV vendor, praising the HTTP scanner is the way to go. On the other hand, if you have something like CIS, where the av part is still "immature", it is clear that you 'd better praise D+ as the answer. Someone who uses virtualization will praise his.

It all comes down to you, the user, to see what is really the best protection or protection-bloat ratio. For me, the HTTP scanner solution, is by far the weakest of all in security, because it must still rely on definitions and intercepts traffic. No matter how many people can swear the contrary, when something filters, in my mind it cuts down some speed. And i *think-* an AV expert in this forum has admitted so too. So, if i HAD to add a module to Twister, the HTTP scanner would be the last in my list.

Yes, i don't work in AV industry. But if someone can bring data for the opposite, please, by all means. What i can suggest, is a google search. You can Search how many people you will find infected by an executable and how from the super exploit that the real time scanner wouldn't stop. Or, you can of course not do so and stay happily defending the opposite position, just because i can't bring the data you require. Fine with me. Call it a draw? (Unless you can prove the opposite, in which case, i will admit that people get more infected through the vicious unstoppable by real time scanner exploits more).

Yes, you see, one brings HTTP scanners out of nowhere, another replies, another yet replies and brings also other solutions (as hips or sanboxes) in the discussion (something that actually Bellgamin did too). I guess we are all off topic then, since in Twister there doesn't exist any such module... Maybe a specialized topic would be more appropriate, like the 3 already available. In this way, i couldn't talk of other module types either.

Oh, i don't expect you to pay more attention than you allready did. I am honoured already.

To each, his FUD... One is afraid of bloat. Another of the big bad super exploit that may find him unpatched and won't be stopped by the real time scanner . We should seek data and statistics to prove which FUD is worse, aye? BTW, did you subscribe to my FUD, cause you seem keen to reply to it

 

You might enjoy reading about browser-exploits -- for example, THIS & THAT & THE OTHER -- & many more exploits (do a google) that blacklists simply cannot cope with.

Also, I again ask you to refrain from personal comments about myself and others -- "illogical," "uninformed" etc. Can't you disagree without getting personal?

 

Ah, to support my bloat FUD thesis. I will quote the expert Stefan Kurtzhals:

"Now, if you are using a good HIPS I would say you don't need HTTP scanning. A good HIPS will block the installation/activation attempt of the shellcode. HTTP scanning always slows down surfing, no matter how fast the AV product is."

https://www.wilderssecurity.com/showthread.php?t=184856


And since i don't want my browsing to further slowdown (already in Matousec's perfTCP and UDP test, we see how many firewalls cut down speed), i don't want HTTP scanner. If i HAD to get a new module, i would much more prefer a classical hips module or a sandbox module for the browser. They would take a toll on system speed, but not the internet one and would be definition-independent in doing their job.

 

Unfortunately you can't have it both ways. You cannot have the luxury of sniping snide comments at the experts, and then later try to save your bacon by posting the obligatory grace-saving paragraph agreeing with them, as insurance against being pointed out as the smart aleck that you are. If that wasn't your original premise, then don't post it, because people will tell you in your face what you are.

None of their statements are actually exclusive; because A is important doesn't mean B isn't.

Again, why not just ask them up straight if HTTP scanners are needed? If that's what you want to know, ask them about it, instead of about their own product. By asking each of them different questions you're only giving them - and more importantly, yourself - the opportunity to wiggle away from the issue at hand.

You're mistaken. I'm not claiming that more people are infected because of this or that - that's what YOU'RE doing, and without evidence. I am merely saying that a HTTP scanner, or some similar mechanism, is needed for an antivirus to do what it's designed to do: stop exploits before they activate.

Sadly mistaken (again). The fact that an exploit will activate unhindered by the antivirus without a HTTP scanner is not FUD; it's plain fact that is easily verified by anyone who bothers to test it. What's FUD is your claim; many products have HTTP scanners, and at the same time are known for their small-footprint.

 

There's a difference between slowdown and bloat. Bloat involves, among other things, slowdown to an unacceptable degree. If you add another layer of scanning (webshields), slowdown will inevitably occur; that's simple logic. The problem is that you appear to be claiming that the slowdown will be bloat, or even noticeable at all.

 

You are not here (or in a position anyway) to tell me what to post and what not to. The problem is that you still don't understand that i didn't "later try to...". It was in the same post. If you didn't notice and try now to save what's possible, that's another story. I actually even wrote "to be more clear". The rest is reading comprehension. My english may not be perfect, but i think i analyzed it enough.

The only "people" telling to my face what i am is "you". And as far as i am concerned you can tell to my face that i am whatever you like.

My point wasn't whether http scanners are "necessary" or not, nor do i have any questions for them. Once more, i am not asking different experts, different questions. Each vendor, apparently has his idea of what is necessary security. And according to it, makes his product. One puts http scanner, another beleives in non signature based approach primarily and secondarily in the opposite. Another in virtualization. Necessary is subjective, not something objective. If necessary was the same , absolute truth for everyone, there would be only "AV with HTTP scanner" in the market. Instead we have "weird" products, that range from A2 antimalware to OA with AV to Threatfire, to CIS. Each has different approach to "necessary". And each has different opinion apparently on what is higher danger. According to your thinking, HIPS module is necessary to an AV, to cover the zero day exploits. Because executables not already included in the signatures and not revealable in heuristics, WILL infect you and this is plain fact, not FUD, correct? So, why don't all AVs have HIPS module yet? And why don't they have behaviour analyzer too in case the hips module fails either by itself or by your wrong decision? Then you WILL be infected, right? So, behav module IS necessary , right? Why doesn't Avast have it then? And so on. That's the whole "necessary" story.

Kurtzhals on "necessary"

"Now, if you are using a good HIPS I would say you don't need HTTP scanning. A good HIPS will block the installation/activation attempt of the shellcode. HTTP scanning always slows down surfing, no matter how fast the AV product is."

^This is what CIS is doing. Or what OA with AV is doing. Others yet, follow other way (A2 antimalware). What is "necessary" when you can arrive to the same goal? And WHY is it necessary to cover the exploits threat and not the lack of heuristics for example? Or of HIPS or behav blocker? Are these minor threats (uknown malware that you may happily click on yourself) compared to the browser exploit that can't be caught in real time scanner? Twister has behav blocker, Avast doesn't. So, how should we put it? That Avast MUST put behav blocker ASAP?

I think the sad part in all this is the misunderstanding (other than your behaviour of course). We clearly speak aboud different things then, since i never claimed it didn't stop browser exploits either...

Did i? ""To make myself more clear. HTTP scanner DOES add some more security because as explained by Vlk, there can be an exploit, that can be parsed from the browser, theoretically, in an unpatched system. In this case the real time scanner will intervene only after the execution."

What i said, is that "similar" mechanisms, are Hips modules or sandboxies. They can stop the same dangers, much more efficiently, without relying in definitions and without slowing down the internet itself. So, if such a component is "needed", the HTTP scanner is imho the worst solution, as far as security is concerned. The same job is done better by hips and sandbox. So http scanner isn't "needed" for the particular type of threat. And Twister doesn't have it and i hope it stays that way.

Yes, many sad mistakes here, to the point that i can't follow you anymore. They are known for the small footprint (but Avast withtout the HTTP scanner has even smaller, doesn't it?) and for slowing down browsing. New module, does new job, filters HTTP traffic, the AV has to do more job, the new module slows the internet down (apart the extra resource usage). People don't regard as bloated just the products that "look nice on the task manager", but also those that slow down the PC performance.

Anyway, that falling meteorites if hit you on the head will kill you, is also plain fact, all astronomers say so. So it's not fear, uncertainty and doubt either. We 'd better all buy our helmets.

Thank you for your ever-increasing attention to my posts. You ARE my subscriber after all!

 

My friend, you do realise that "unacceptable degree" is something subjective, don't you? For some people past Norton releases were "bloated" because they were feeling their PC sluggish. Others, millions around the world, kept using it happily. So what's "unacceptable degree" for you? Is it measurable?

To me the av must NOT slow down my browsing. It's simple. And the slowdown, that will "inevitably occur" (how nice) will be the result, of the http module which will increase the impact of the av on the system and specifically on the network performance.
Now, this, is for me bloat. HTTP is NOT the only way to stop such exploits, they aren't even the worst threat (my opinion), so WHY should i consider them "necessary" and live with the "inevitable" slowdown? What's the effect of a bloated software? Isn't it also to slow down things? HTTP does slow down things. Whether you consider it the "necessary" reply to the threat (or to the seriousness of the threat) , is another story, which as i explained i don't consider as the only solution (and neither does Kurtzhals). It's not the slowdown that "will be bloat". It's the "bloated" Twister, aka with the new module which i don't consider the best solution to the problem, that will bring the slowdown.

Thank you for your interest in my posts.

 

Sic 'em, Fuzz!

Meanwhile back at the thread...
Can anyone explain the items highlighted in yellow (from Twister's website) -- the wording is a bit unclear. (Hopefully, Bright from Twister will visit soon & help out in this area -- as he has done previously in THIS & other "Filseclab" posts in the current thread.)

 

Well, Bellgamin, the 1st one, is a bit vague. It sure doesn't mean http scanner. I simply *think* they mean that Twister is regularly updated against malicious scripts and web worms that may infect sites. I can't think of anything else.


About the behaviour, i suppose it means the FDD (warnings about possible threats, independently from the signatures).

About the immunization, directly from the help file.

 

They include the immunity feature (which sounds interesting & useful) in TAV. Then they show me HOW to use it. Then they turn right around & strongly suggest that I NOT use it.

Has anyone here used the immunize feature? If so, and if doing so froze your computer (as TAV's Help file says could happen), I suppose we won't hear from you anytime soon.

But seriously -- I hope someone has further comments about this intriguing "immunize" capability of TAV's.

 

Quoting "Filseclab".

Errr, given that already i have more than enough FP, i think i don't need any more.

I installed fresh windows today, so i don't feel very brave to risk them. The next time before i restore an image, i may try it.

I don't think it will crash. But the problem is, unless you try to get really infected, you won't see it in action, i guess. From what i understand, this kicks in as last resort. The malware has eluded signatures, FDD and reg protection and has changed some files and THEN this kicks in, IF the changed files are amongst the ones that were "fingerprinted".

 

I shall give it a try, also, but not until after this weekend+Monday - on those days, my son is visiting to play RPGs with me on my Playstation. (Glee!)

 

I'm not telling you what to do. I'm telling you what you are. Your problem is believing that by simply including a grace-saving post, you have a free rein to be a smart aleck all you want and then claim immunity. Unfortunately it's not working; your snide comments at how the experts were simply out to preserve their commercial interests by emphasizing the importance of their product is there for all to see. And for someone who purportedly doesn't care what I say you are, you're certainly investing a lot of effort in all this "analysis" as to how you're innocent.

A HTTP scanner is necessary in the context of an antivirus. If you want to claim that Twister shouldn't be making a HTTP scanner (so that their antivirus actually does what it's supposed to) because your HIPS and sandboxes can fill in that blank, why are you applying selective hypocrisy by even using an antivirus at all? If a HTTP scanner isn't necessary because one has HIPS and sandboxes, then by the same logic neither is a file on-access scanner. Again, by the same logic, the whole antivirus package itself isn't needed at all.

Perhaps you should just uninstall Twister, since by applying your logic, it isn't needed on your PC at all.

More unsubstantiated claims. I see this seems to be a specialty of yours. There are a lot of avast! users on this forum, I believe; would you like a poll on whether avast! slows down browsing to be held, to see if your baseless claims (I hesitate to call them "lies" yet; for I know you could be a genuinely misguided soul) concocted solely to serve your argument can hold up to reality?

You have been repeatedly claiming your FUD that a web scanner equates to bloat, using stock-standard rhetoric that appeals to the uneducated newbie so as to make your claims sound pleasing. As I've said before, however, your claims fail to hold together upon closer scrutiny by people who know what's going on.

I realize that there are some people who do this for the sake of the attention they receive - however negative it may be and at any expense to their reputation, any attention is good attention - but it didn't cross me that you were one of them. I'd hate to make you feel bad, though, so do free to hang on to this delusion of yours, if it helps keep you warm at nights.

 

My "x" was never this dramatic. The last sentence of the posts are very enlightening.

 

It's what any reasonable person would define. It's not measurable because it differs from person to person, machine to machine. I used the term because I assumed you would accept its meaning in good faith, to understand the difference an inevitable but nonetheless undetectable (to the human senses) slowdown, or at least a minimal one, between a slowdown that has a noticeable impact on daily PC usage. Apparently I was wrong; you're more interested in an argument instead.

If by your definition "bloat" is a slowdown that cannot be perceived by the human reflex resulting from a function that is required for a product to perform what it was designed for, I see that there isn't much sense in trying to hold a reasonable debate with you any further.

 

Sorry Judge Saberfox.

"If that wasn't your original premise, then don't post it,"

I thought you said not to post, apart the psychological evaluations on my premices of course.

And of course i am a "smart aleck" (btw, thank you for the new word. Never heard "aleck" before. It is not only entertaining but also educating speaking with you). Guilty as charged sir! I surrender! (Careful with that saber).

Rattle your Saber , Judge Saberfox! Tear my immunity to pieces with your saber!

And yet, i gave it my best shot! Dang it!

Of course it's there to see, that's why i posted it. Don't worry. (I know may sound incredible to you, but people who make a job for a living, actually DO prefer to put on the spotlight the features of THEIR product, compared to the competition. This doesn't mean that only 1 solution exists or there would be only 1 type of products around with exactly the same features).

Ok!

"Selective hypocricy". I wish i could speak english like you. You come with so many colourful expressions in every post. Twister COULD make http scanner. But i wouldn't want it to. As i have explained in the previous pages, i use Twister, because i AM NOT PARANOID. Simple as that. Twister is light, cheap and till now has lived along other security stuff fine, without conflicts. That's why. I have Twister with FDD plus Threatfire plus Winpatrol and i am fine. IF Twister should add a new module, then i would prefer it to be a classical hips module, because it would be much more useful compared to the http scanner and wouldn't have minimal impact to internet. I don't know if you are American (prolly), but in Europe we still have ADSL 1 lines and you can still see the difference in browsing between Windows firewall and ANY other firewall, without having to add more filtering in the line.

I told you what the expert Kurtzals said! What else do you want?! Weren't you the one fond of people with yellow names?! The rest about the whole antivirus package is YOUR opinion.

No, i am simply ain't as paranoid as you to want "necessary reply" to every threat. I have Threatfire that can cover browser exploits, thank you. Or i could put Comodo Internet Security , soon freely available and have HIPS and av. What is also different is the degree of risk you take. I consider the "super duper" browser exploit that can't be caught in resident scanner, much minor threat than ALL other unknown malware that ESCAPES from resident scanners.

And you must understand, that i am NOT searching anything more than Twister than what already gives me (that's why i bought it). I followed YOUR logic.

Your logic is:

- "Browser exploits that can't be caught by resident scanner can only be caught by http scanner, hence this is NECESSARY".

I objected, quoting Kurtzhals himself, that this isn't the only way. There are other ways, that don't slow down your internet. And to continue with your logic.

- "Zero day malware, isn't recognized by AV signatures or heuristics. It can be stopped by classical HIPS or behav blockers. HENCE, classical hips or behav blockers are NECESSARY to be incorporated into antiviruses".


Is there any difference with what you say? I don't see it. Then why don't you complain about other avs not covering zero day malware by having classical hips or behav blocker? Is zero day malware less important than exotic browser exploits?

- "No HIPS or behav blocker can catch everything, HENCE sandbox is necessarym to prevent infection. This also holds when the http scanner doesn't recognize the malware from the sig database".

Here is another. So what do you say? Should all avs have a sanbox for at least the browser?

LOL! WAIT A MOMENT! Are you the SAME person who was attacking Bellgamin in the previous page for indicating opinions of "non experts"? Speaking of the "yellow names" as opposed to the "knowledgeable security mavens"?!!! God allmighty! Now you want the "humble" forum members that are Avast users to certify that what the EXPERT Kutzhals wrote is FALSE? I am SHOCKED Judge Saberfox! Shocked i say! BTW, i spoke in general about slow down , i used Avast only for the footprint example, but you missed that too, ok.

I thought you were looking the proof of the experts, not the shout of the "peasants" (anyway, you can google to see if people have troubles or not with http scanners if you don't believe Kurtzhals).

Yes, my lord.

In deed my Lord. But i have a question. Then what all that makes YOU, who despite all that you say, still keep replying to me ? Is it simple masochism and intellectual perversion or is it something deeper? Cause i am having the fun of my life, but you, i don't know, you seem really frustrated and i can't explain that from one side you call me names, try to diminish me etc, state that you won't pay any more attention to me, but , look at you, here you are still now, rattling your saber, teaching me how a reputation is made!

 

P.S.: Since you repeat all the time "i want to hear the experts", "i want data", "i want statistics", "this is your hypothesis", "this is your opinion", just to help you make a reality check, this is PUBBLIC FORUM, where ORDINARY people come to say their OPINION. Under normal conditions, it is redundant to explain such things, but in your case, i thought it may come useful.

If you want everyone to "vote", "prove with statistics", "data" etc , you should seek a Court of Law.

OR, you can join a private forum for "Security experts only", so that you won't have to hear those that ironically you call "knowledgeable tech maves" , that don't have yellow names.

Bye.

 

I was thinking about firing-up some popcorn while reading this thread.

You two would have sorted this discussion out in person in about five minutes. But online, words can be taken out of context, so relax.

I think what I have learned is:

AVs with HTTP scanning provides an additional layer of protection. The trade off, some slow-down.

AVs without HTTP scanning are light and fast, with no slow down... However, these may be better complemented with HIPS/behavior analysis programs. The trade off, no slow down initially, but with the additional program, could produce some slow-down.

It all comes down to personal preference. Some users want link-analysis programs, such as WOT, finjan, to provide even further analysis.

Others will install sandboxie, regardless of how many programs are installed.

It all depends on how much slow-down is tolerated and acceptable (also depends on your system specs). For me, if it's a split-second for that extra protection, and not noticeable, then it stays on. If it's a few seconds for that extra-protection, and definitely noticeable, then it's most likely uninstalled.