Topic: Protection from 0 day malware=cloud technology???

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 729
  • Gender: Male
  • A Good Old Indian!
Protection from 0 day malware=cloud technology???
« on: December 06, 2011, 03:03:46 PM »
Hey guys,

True Indian here...

Just another topic I want to pull attention to...

What about protection against 0-day threats? I mean the avast guys can include some sort of cloud technology to detect unknown malware, as in the case of heuristics it will make a guess about a file....

Why not have a cloud-based technology such as MSE, which queries Microsoft's dynamic signature database (I think that's what MSE uses)... another feature of protection???

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20119
  • Gender: Male
  • malware fighter
Re: Protection from 0 day malware=cloud technology???
« Reply #1 on: December 06, 2011, 03:40:59 PM »
Hi true indian, Sir,

Avast already has that in a sense; cloud computing is still partly just a lot of hot air.
And a lot of the so-called cloud-technology-driven computer services are just riding on the back of work done for them by other av solutions, which means it is more or less "fake" cloud. I have Bitdefender's QuickScan with "in the cloud scanning technology" on-demand scanner installed in the Chrome browser via Click&Clean, and I haven't seen 0-days found by it yet.

I for one now do an Agics hash scan where I can establish what the OS security risk status is, also an anti-threat technology but just working from the other end of the scale, on the OS.

Do not believe in instant solutions. The only extension that works inside every browser is NoScript, because that protects against existing malscripts and those not even invented yet.
When you know how to work NoScript in Firefox and NotScripts in Chrome you have an extra protection layer inside the browser.

I also like to check up when I get an alert from the Malware Script Detector extension inside Chrome, when it alerts for possible XSS attacks.

But if you believe "in the cloud" stands for a cure for all, then you are utterly mistaken, because part of it is pure hype.

polonus
« Last Edit: December 06, 2011, 03:42:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DonZ63

  • Poster
  • Posts: 470
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #2 on: December 06, 2011, 10:52:42 PM »
I agree with Polonus.

For example, a recent test by PC Magazine of Panda Cloud Antivirus 1.5 Free scored it near the bottom in malware-blocking capability.

Another example is Prevx, which was the first cloud scanner. That company's success was so poor it was acquired by Webroot and is now dying a slow death. Sad, since at its peak no other anti-malware could come close to it in detection capability.
AMD QUAD 945, 8 GB, NVidia GTS 450, 3 HDDs
Dual boot, MBAM Pro - both OSes, WIN 7 x64 SP1, NAV 2012, IE9; XP SP3, NIS 2011, IE8

Offline Tech

  • avast! team
  • Certainly Bot
  • Posts: 64867
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #3 on: December 07, 2011, 12:01:31 AM »
The cloud myth arises again :)
I've posted in Wilders and they haven't even answered me... They promise much more than they can deliver.
You can cloud some features (signatures, behavior analysis...) but, after all, either the file is scanned locally or you need to upload the file. Cloud? Well, a whitelist and a blacklist... but what more?

The future of avast: http://forum.avast.com/index.php?topic=64382.msg546016#msg546016
At the first post of that thread I've mentioned the wish/necessity of having a better 0-day protection.
The best things in life are free.

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 729
  • Gender: Male
  • A Good Old Indian!
Re: Protection from 0 day malware=cloud technology???
« Reply #4 on: December 07, 2011, 11:54:37 AM »
Thanks, I now understand cloud protection is more of a failure than a success....

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 21649
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #5 on: December 07, 2011, 12:00:54 PM »
Quote
Thanks, I now understand cloud protection is more of a failure than a success....
Oh yeah?

Eset / Norton / F-Secure / Trend Micro / Panda (and maybe more) have all implemented cloud technology.... Panda also has a full cloud version.

So if it does not work, why do they do it?
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Gargamel360

  • avast! Evangelist
  • Super Poster
  • Posts: 2357
  • Gender: Male
  • Memento Mori
Re: Protection from 0 day malware=cloud technology???
« Reply #6 on: December 07, 2011, 12:33:58 PM »
Quote
Thanks, I now understand cloud protection is more of a failure than a success....
That's not accurate either; it has its upside as well as its downside. Like Tech said, it's the fault of developers who promise way too much, no fault of the technology itself.

The word "Cloud" itself gets over-hyped, is all, as if it is The Final Solution to Everyone's Problems..... I keep waiting for someone to say cloud tech can feed the poor or cure cancer, the boasts get so large. ::)
Signature?  But I gots no pen....

Offline Tech

  • avast! team
  • Certainly Bot
  • Posts: 64867
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #7 on: December 07, 2011, 01:54:10 PM »
Quote
Panda also has a full cloud version
How are the files scanned? What is in the cloud and what is local?
- populate the database?
- from-the-cloud scanning (what is being scanned?)
- both send statistics and files to be analyzed remotely (so, upload of files)
- sources of information: all Panda products contribute, as well as malware sample exchanges from within the industry, other channels such as CERTs, online scanners such as VirusTotal, customer submissions, honeypots and honeymonkeys we've deployed in a few continents, and a large etc.: ok, all the "non"-cloud antivirus do that, avast has a 180 million users database...
- Actually the agent does have a signature + heuristic engine which is optimized to work in off-line mode... Hmmm... isn't it the same as other antivirus then? What is in the cloud? ???

At least, they say it's not compatible with other antivirus (the incompatibilities come from the hooks and interceptions they need to perform all over the system (...) it's still an AV and therefore cannot be run alongside other vendors' AVs).

The key of the myth:

Quote
Given that Panda Cloud Antivirus offers the best security when connected to the Internet, what would be the percentage drop in protection when working only with the local cache?
.

Quote
One of the philosophies of the new protection model we've designed is that AVs don't need to detect every piece of malware that has ever existed or will exist, which is the traditional signature model. Basically what we're saying is that, if we have "x" millions of users in the Collective Intelligence community, what Panda Cloud Antivirus really needs to protect against is whatever malware is circulating amongst those users, and protect them even while off-line. For the rest of malware, you can detect it while connected to the Collective Intelligence servers.
Well... less protection then... so, less resources, so the myth...

Quote
This is where the whole "community" aspect of Panda Cloud Antivirus steps in. Whatever Collective Intelligence "sees" out there as circulating in the wild, it creates a small cache version of signatures which detects and disinfects that subset of malware and synchronizes it in every agent for off-line operation. Even while off-line, Panda Cloud Antivirus will protect against all malware that is circulating, against all malware that is "important for you".
So, what is being clouded? Some parts of the signatures for ITW malware... It's a feature, not an av in the cloud...

Quote
Another way of putting it is that this AV has been designed for real people, real users, not for testers and evaluators which judge how good or how bad an AV is based on lab isolated tests of millions of samples which have not seen the light of day in months or even years. Unfortunately the multi-billion AV industry is very influenced (and therefore limited) by what magazine and independent comparatives publish, even though most testing methodologies in existence today still do not try to reflect the real life situations of end users. We're very hopeful that the work of AMTSO is going to help a lot in improving testing methodologies and bring them closer to reflect real life scenarios.
Their marketing... :)
Blaming against tests due to the samples used...

Quote
However, it's not quite the same as the traditional signature updates which are always incremental (always adding signatures, not taking them out).
Any vendor revises the signatures, makes them generic, improves... Another bla-bla-bla...

Quote
The local cache also includes other types of generic signatures, generic disinfection routines and non-PE signatures. These are used mostly for off-line operation and for certain type of malware. The local cache contains less than 10% of the full knowledge of Collective Intelligence. We believe that as malware becomes more and more dynamic and the number of total malware continues growing exponentially, this % will be reduced over time.
Fully agree, some features and signatures must be in the cloud. Just that the user must know what is going on...

Quote
"Kernel Rules Engine" which is able to generically detect 100% of these types of exploits without any signatures.
Local scanning and features again...

Quote
Behind the initial analysis phase there's a bunch of technologies that are used to extract all type of information from each file, both from static analysis (such as packer information, API calls, functions, multi-scanners, etc.) and dynamic analysis (running in real machines, recording malware actions, dumping memory, etc.). All this information is then processed in the categorization phase, where it is correlated against the entire database of Collective Intelligence files using different techniques, such as graph theory algorithms, grouping algorithms, metaheuristics, rule driven classification and identification, and many more techniques which are too resource intensive that can only be run in a server-farm environment such as Collective Intelligence and not on end user PCs.
Sure... All other serious antivirus do that.

They claim to be "the first truly cloud-based antivirus solution".
Source: http://news.softpedia.com/news/The-Insides-of-Panda-Cloud-Antivirus-111793.shtml#q1


Final note: I'm not against any cloud feature and progress on antivirus market :)

Offline RejZoR

  • Polymorphic Sheep
  • Starting Graphoman
  • Posts: 7803
  • Gender: Male
  • We are supersheep, resistance is futile!
Re: Protection from 0 day malware=cloud technology???
« Reply #8 on: December 07, 2011, 05:34:11 PM »
MSE brags about special techniques, though in all its existence I haven't seen a single cloud, heuristic or behavior detection done by MSE. I call it a load of BS.

Offline DonZ63

  • Poster
  • Posts: 470
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #9 on: December 07, 2011, 08:45:10 PM »
Well, it all depends on what is meant by cloud scanning.

Comodo's HIPS Defense+ for example will, under its default auto-sandbox settings, do the following when a suspect application is encountered:

1. Sandbox the executable.
2. Auto upload the application and scan it on their servers. Checks blacklists and uses Virustotal I believe.
3. If application OK, auto delete it from the sandbox and allow it to execute.

The important point to note here is that it is the HIPS functionality that is performing the malware checking.

Is this really effective against zero-day exploits? I doubt it. The only thing that will protect you is the other part of HIPS processing that restricts access to sensitive registry areas, system files, and services. Is this "chatty?" Yes and no. The HIPS can be set to auto block or to ask what to do. Auto block will cause the application to fail, which could cause all kinds of problems. If ask is the option, most non-technical users answer wrong or just get overwhelmed by the alerts and turn off the entire HIPS.

Such is life in the real world.   
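Added example, not code from the thread, avast, Panda or Comodo: a toy Python model of the two mechanisms described above, the Panda-style local cache of in-the-wild signatures with everything else looked up at a backend (Tech's Reply #7), and the sandbox-then-upload-then-release flow DonZ63 describes for Comodo (Reply #9). The samples are constructed byte strings, the backend is an in-memory dict, the analysis latencies and the 20-minute wait cap are assumed parameters chosen for the illustration. It shows what the "percentage drop in protection when working only with the local cache" question amounts to, and what happens to a never-seen file when the verdict does not arrive in time.

```python
"""Toy model of a cloud-assisted AV client (illustrative, no real vendor code)."""
import hashlib
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    CLEAN = "clean"
    MALWARE = "malware"
    UNKNOWN = "unknown"


def sha256_hex(data: bytes) -> str:
    """What a reputation lookup actually sends: a hash of the file, not the file."""
    return hashlib.sha256(data).hexdigest()


class Backend:
    """Stand-in for the vendor's servers: the full blacklist/whitelist plus a
    simulated analysis pipeline that needs a per-sample number of minutes
    before it can return a verdict for a never-seen file (assumed values)."""

    def __init__(self, blacklist: set, whitelist: set,
                 analysis: Dict[str, Tuple[int, Verdict]]):
        self.blacklist = blacklist
        self.whitelist = whitelist
        self.analysis = analysis  # hash -> (minutes needed, eventual verdict)

    def lookup(self, h: str) -> Verdict:
        if h in self.blacklist:
            return Verdict.MALWARE
        if h in self.whitelist:
            return Verdict.CLEAN
        return Verdict.UNKNOWN

    def analyze(self, h: str, waited_minutes: int) -> Verdict:
        """A verdict exists only once the pipeline has had enough time."""
        needed, verdict = self.analysis.get(h, (10 ** 9, Verdict.UNKNOWN))
        return verdict if waited_minutes >= needed else Verdict.UNKNOWN


class CloudAssistedClient:
    def __init__(self, local_cache: Dict[str, Verdict], backend: Backend,
                 max_wait_minutes: int = 20):
        self.local_cache = local_cache        # small subset of signatures kept on the endpoint
        self.backend = backend
        self.max_wait_minutes = max_wait_minutes  # assumed cap on how long we hold a file

    def scan(self, data: bytes, online: bool, wait_minutes: int = 0) -> Tuple[Verdict, str]:
        """Return (verdict, which layer produced it)."""
        h = sha256_hex(data)
        if h in self.local_cache:                 # 1. offline-capable local signatures
            return self.local_cache[h], "local-cache"
        if not online:                            # no backend: this is the offline gap
            return Verdict.UNKNOWN, "offline-no-signature"
        v = self.backend.lookup(h)                # 2. hash lookup against full lists
        if v is not Verdict.UNKNOWN:
            return v, "cloud-lookup"
        waited = min(wait_minutes, self.max_wait_minutes)   # 3. sandbox + wait for analysis
        v = self.backend.analyze(h, waited)
        if v is Verdict.UNKNOWN:
            return v, "sandboxed-pending"         # verdict never came: stays sandboxed
        return v, "sandbox-analysis"


def detection_rate(client: CloudAssistedClient, malware: List[bytes], online: bool) -> float:
    """Fraction of known-bad samples flagged in the given connectivity state."""
    hits = sum(1 for s in malware if client.scan(s, online)[0] is Verdict.MALWARE)
    return hits / len(malware)


# Constructed samples: byte strings stand in for files.
ITW_MALWARE = [b"itw-malware-%d" % i for i in range(3)]    # circulating widely, cached locally
RARE_MALWARE = [b"rare-malware-%d" % i for i in range(5)]  # old or rare, known only to the backend
KNOWN_CLEAN = b"signed-installer-v1"
NEW_FAST = b"brand-new-file-A"   # assumed: analysis finishes in 3 minutes
NEW_SLOW = b"brand-new-file-B"   # assumed: analysis needs 45 minutes, longer than the cap
ALL_MALWARE = ITW_MALWARE + RARE_MALWARE

backend = Backend(
    blacklist={sha256_hex(s) for s in ALL_MALWARE},
    whitelist={sha256_hex(KNOWN_CLEAN)},
    analysis={sha256_hex(NEW_FAST): (3, Verdict.CLEAN),
              sha256_hex(NEW_SLOW): (45, Verdict.MALWARE)},
)
local_cache = {sha256_hex(s): Verdict.MALWARE for s in ITW_MALWARE}
local_cache[sha256_hex(KNOWN_CLEAN)] = Verdict.CLEAN
client = CloudAssistedClient(local_cache, backend, max_wait_minutes=20)

if __name__ == "__main__":
    print("online detection :", detection_rate(client, ALL_MALWARE, online=True))
    print("offline detection:", detection_rate(client, ALL_MALWARE, online=False))
    for name, sample, wait in (("new-fast", NEW_FAST, 5), ("new-slow", NEW_SLOW, 60)):
        print(name, client.scan(sample, online=True, wait_minutes=wait))
```

With this data the client catches every sample while online and 3 of 8 offline, so the "cloud" part is a hash lookup plus a bounded wait on remote analysis; the local cache decides what survives a lost connection, and a file whose verdict never arrives within the cap is simply never released.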

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20119
  • Gender: Male
  • malware fighter
Re: Protection from 0 day malware=cloud technology???
« Reply #10 on: December 07, 2011, 08:59:58 PM »
This is avast's view, well, ALWIL's Chief Technology Officer, Ondrej Vlcek, said this in this interview, http://news.softpedia.com/news/Softpedia-Exclusive-Interview-avast-5-140693.shtml
I quote here from that interview:
Quote
Softpedia: Cloud-computing-assisted malware scanning is a technology some vendors are adopting in order to develop AV applications with improved performance. Is ALWIL considering a similar direction for its future products?

Ondrej Vlcek: Yes, I can confirm that we are working on certain protection features that will actively work with our backend servers (as opposed to passive updates). I’m not a big fan of the term cloud though – I think many people use it in many different contexts, but most users don’t really understand the meaning or the benefits.

Certain problems can be solved more efficiently by means of real-time communication with the backend servers, although by far not all – so we certainly don’t want to use it for things that are better accomplished locally. We will be publishing more details on this in the upcoming months.
Well, now you have it from the horse's mouth, from someone who is involved in these developments,

polonus

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 729
  • Gender: Male
  • A Good Old Indian!
Re: Protection from 0 day malware=cloud technology???
« Reply #11 on: December 08, 2011, 05:15:52 AM »
So at least we have some hope about new features  ;D

Offline Tech

  • avast! team
  • Certainly Bot
  • Posts: 64867
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #12 on: December 08, 2011, 12:06:15 PM »
Quote
1. Sandbox the executable.
2. Auto upload the application and scan it on their servers. Checks blacklists and uses Virustotal I believe.
3. If application OK, auto delete it from the sandbox and allow it to execute.
2. I think they use internal checks and used the old (and dead) DACS.
3. The lag between sandboxing and getting the info was never completely solved. They promised 20 minutes, if I'm not wrong.

Offline DonZ63

  • Poster
  • Posts: 470
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #13 on: December 08, 2011, 03:48:17 PM »
Quote
3. The lag between sandboxing and getting the info was never completely solved. They promised 20 minutes, if I'm not wrong.
My experience was it took no longer than a couple of minutes at most on a broadband connection. If it took longer than that, it would remain in the sandbox forever.

Also, sandboxing is not 100% secure. Malware has "jumped" Comodo's sandbox. I am sure it has also done so with Avast's sandbox and Sandboxie. In my book, sandboxing is the only true security environment short of a full virtual OS environment. Now a product like Quaresso's Protect-On-Q is the way to go. It opens your browser in a custom virtual environment with zero browser add-ons.


Offline Tech

  • avast! team
  • Certainly Bot
  • Posts: 64867
  • Gender: Male
Re: Protection from 0 day malware=cloud technology???
« Reply #14 on: December 08, 2011, 04:21:22 PM »
Quote
Now a product like Quaresso's Protect-On-Q is the way to go. It opens your browser in a custom virtual environment with zero browser add-ons.
1. Not a freeware.
2. SafeZone does exactly the same.