Why is my cloud better than your cloud?

Discussion in 'other anti-virus software' started by Pleonasm, Jul 6, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Good job Symantec :thumb: And the fight continues :)
     
  2. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    My opinion would be that AS is overrated these days, simply because dedicated protection or signatures/generics etc. are a part of all today's "Anti-Virus" software. Most "Anti-Virus" products today could more accurately be considered Anti-Malware tools/software. I would rather think about some sandbox-type of software.

    That is something I wouldn't say before, but after doing some "research" on GeSWall I've changed my mind. The additional steps are definitely not many or complicated in this piece of software, and I definitely feel MUCH safer already.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Today, a product which only detected viruses (i.e. an anti-virus product) would be entirely ineffective as it would miss a vast majority of threats in the real world. However, users don't know the word "malware" yet so everyone still calls it "anti-virus".

    There are some products which differentiate between their antispyware/antimalware components but I can't see the distinction really... isn't a backdoor trojan the same as spyware in that they both spy on your data?
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yep, "malware" is definitely the right word, and Anti-Spyware has probably seen its glory days. That's not saying SAS and MBAM, etc. are redundant - they're far from it, only that software ONLY focusing on spyware would probably be. The two examples would also be considered "Anti-Malware", regardless of name. "Malware" simply includes everything as a term - rogues as well ("scareware").
     
  5. thathagat

    thathagat Guest

    Well, yesterday's leading AVs have hopped on the bandwagon of AV+AS+firewall+HIPS+whatnot... similarly, firewalls have donned the same kind of mantle, so to turn the tide to want a pure AV or a pure firewall is like looking for the proverbial needle in the haystack. But this aside, the argument of the purists does hold ground that in such behemoths of suites some functionality would be compromised... or not? The bottom line rather should be to kick the b@#tt of malicious software... aka malware. Prevx does that, but for the need to be constantly online, which as observed by some is a risk/bottleneck/constraint.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We agree that it is, and will be changing this in version 4.0; however, for a vast majority of users today, being offline is a rare event and somehow coming across an infection while offline is even rarer.

    Also worth noting is that AVs cannot update when offline so if you were to find new malware, you would be equally insecure with any conventional product.
     
  7. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Sure, that's just logical - but how much are you protected from at all when running Prevx, and the system has no connection to the internet? :doubt:

    Also, haven't you mentioned previously that the "offline protection" won't be enabled by default, or have the plans kinda changed - 'cause otherwise the situation remains unchanged even in the new version. :doubt:
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You're protected against threats/variants of threats which you've encountered before - however, the fact remains that the average infection today lasts for less than 24 hours and the chance of being offline and being infected is near zero.

    We aren't going to try and store the entire database on a user's system, we're just going to store information about pertinent threats by default.

    However, users will be given the option to download a larger subset of our database for use offline, but it logically does not compete with the protection offered from the community view and is primarily just for cleaning an infected system.
     
  9. thathagat

    thathagat Guest

    :thumb:

    well behavior blockers/heuristics do take care of this to a degree....don't they?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    To a degree, yes, but behavior blockers at the cost of requiring user education and heuristics at the cost of still being ineffective against new/mutating threats.
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    That's actually pretty true - there might be some pretty accurate BBs (ThreatFire comes to mind, at least before - a reason that I used it), but at the cost that it requires white-list updates to remain accurate in its detection all the time - and it will always be prone to FPs no matter what, simply because it is a BB.

    The point where I can't agree completely would be with the statement "being ineffective against new/mutating threats", since a BB works in the way that it monitors behavior which is not permitted to go through.

    Malware will not change in the way that it tries to destroy the system, one way or another.
     
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Everybody using USB sticks is one thing that comes to mind every time this answer is brought up. :rolleyes: Is that something which you're implementing, or have already implemented?
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I wonder about that though - malware today tends to not try and destroy the system, being that the host computer is valuable to the malware authors (either for spamming/DDoS/etc.)

    We very rarely come across malware which tries to do damage to the system these days and most infections are indeed reversible so even if they are missed when the system is offline, they can be cleaned up as soon as the internet is returned and detection found.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    v4 will have explicit protection for USB sticks using local heuristics tuned to catching USB/CD-borne malware when offline.

    However, as shown famously by Conficker, even with updated AVs and an internet connection, USB-borne malware can still slip by (which is why we're focusing on a more policy-based approach because USB malware).
     
  15. thathagat

    thathagat Guest

    Well, offline PCs usually have a risk of infection from removable media, viz. USB etc., and new/mutating threats would be a rarity for that kind of infection. This with the hope that all downloads from a net session have been deemed clean by the security software. Now Prevx scans on execution... right? So if I download something and save it and, say, execute it some time later in offline mode and it's infected, then... I assume I am going to be hosed... right?
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Good point - but I guess using reputation/cloud-tech. bolsters this kind of protection a lot though. Unknown malware or known to the cloud = stopped.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, exactly :) Conficker/similar threats are blocked conceptually because of their attempts to evade detection.
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yes, I should've recalled that - those "purposes" are ofc detected by BBs like TF as well, forgot. :D
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is still a pretty stray case (we've never seen a case in the real world where this has happened to the user) but depending on your configuration, Prevx 3 may perform passive scanning in the background of files after they've finished writing and Prevx 4 will build on this feature to scan files shortly after they've been written (not on-write as that provides no actual benefit, but primarily just to get files loaded and scanned quicker when they are accessed).

    (P.S. I feel sorry for anyone who has subscribed to this thread as they will be receiving endless notifications :D)
     
  20. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thinking about it, I would like to call reputation/cloud-tech. a "reverse detection" method - get what I mean? :rolleyes: :D
     
  21. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Hehe... luckily I'm not - I'm far too active on forums anyway to get any benefit from that type of notification. :D
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, they are indeed reverse detection :)
     
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, kudos on your professionalism and sportsmanship! When anti-malware companies compete, all users eventually win.

    PrevxHelp, how does Prevx determine which threats are “pertinent”?
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    By analyzing the speed at which the threats are emerging and the volume they're reaching. There is no benefit to the end user if we include signatures for DOS malware from the 1980s.
     
  25. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Hehe - I'm wondering if that would be aimed somewhere. :D
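A toy model of the offline-cache policy discussed in posts 8 and 24 above, added here as an illustration (a constructed example, not Prevx code; the hash strings, day indices and thresholds are assumptions):

```python
# Constructed example, not Prevx code: a toy model of the offline-cache policy
# discussed in the thread.  "Pertinent" threats are chosen by how fast they are
# emerging and how much volume they reach; a file is then judged by the
# community cloud when online and by the cached subset when offline.
from dataclasses import dataclass


@dataclass
class ThreatStats:
    file_hash: str        # placeholder hash string, constructed for the demo
    first_seen_day: int   # day index of first community sighting
    sightings: int        # total community sightings so far


def select_pertinent(stats, today, max_age_days=30, min_rate=5.0, limit=3):
    """Rank threats by sightings per day since first seen and keep the recent,
    fast-spreading ones; an old threat is dropped no matter how large its
    lifetime volume (the '1980s DOS malware' case)."""
    scored = []
    for t in stats:
        age = today - t.first_seen_day
        if age > max_age_days:
            continue
        rate = t.sightings / max(1, age)
        if rate >= min_rate:
            scored.append((rate, t.file_hash))
    scored.sort(reverse=True)
    return [h for _, h in scored[:limit]]


def classify(file_hash, online, cloud_verdicts, offline_cache):
    """Return 'bad', 'good' or 'unknown'.  Online, the community verdict decides
    and anything never seen is 'unknown' (the thread's 'reverse detection':
    a file is trusted only once it is known).  Offline, only hashes in the
    cached pertinent subset can be matched."""
    if online:
        return cloud_verdicts.get(file_hash, "unknown")
    return "bad" if file_hash in offline_cache else "unknown"


# Constructed sample telemetry; day index 100 is "today".
TODAY = 100
STATS = [
    ThreatStats("h_fast", 95, 500),    # 5 days old, 100 sightings/day
    ThreatStats("h_old", 10, 9000),    # 90 days old: high volume but stale
    ThreatStats("h_slow", 98, 6),      # 2 days old, only 3/day
    ThreatStats("h_steady", 80, 400),  # 20 days old, 20/day
    ThreatStats("h_new", 99, 40),      # 1 day old, 40/day
]
CLOUD = {"h_fast": "bad", "h_old": "bad", "h_signed_tool": "good"}
CACHE = set(select_pertinent(STATS, TODAY))  # the pertinent subset shipped offline
```

Offline, the stale high-volume threat is no longer matched while the fast-spreading recent ones are, which is the trade-off the thread describes.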
     