Avast WEBforum
Other => General Topics => Topic started by: jisuna23 on October 19, 2009, 09:09:52 AM
-
I'm really into this behavior blocking feature, and I'm happy it will be added to avast 5.
But avast 5 won't give you any option to allow or deny a program (as far as I know).
I'm not really sure; I only wanted to post this poll to see which behavior of the behavior blocker you prefer... nothing more..
Thanks
-
Sorry, there's always more. ;D
I would like to see an allow/deny option, and a recommendation based on the type of behaviour appended. Or at least a bit more tech info on what the behaviour is likely to mean.
Simply letting the program decide should perhaps be an option in the settings, but should not be the default. What if it gets it wrong, and for whatever reason explorer.exe is quarantined, and you reboot before noticing this?
-
I for one would probably have trouble deciding what behavior to allow or deny.
I would assume avast would most likely already know which behaviors to stop, etc.
So I voted "Let them decide whether the program will be allowed or denied".
Of course people with the knowledge would probably know what to deny or accept.
-
> Sorry, there's always more. ;D
> I would like to see an allow/deny option, and a recommendation based on the type of behaviour appended. Or at least a bit more tech info on what the behaviour is likely to mean.
> Simply letting the program decide should perhaps be an option in the settings, but should not be the default. What if it gets it wrong, and for whatever reason explorer.exe is quarantined, and you reboot before noticing this?
Oh, what I meant by "nothing more" is that they don't need to base their decisions on this poll.. I only want to know your opinions on the issue :D
~ I think I should edit my post and put "with recommendations" when choosing the allow/deny options
-
I don't mind Behavior Shield being DENY only, as long as it doesn't make mistakes and if they improve it for detection of binaries and not just very specific "entry points", as they call it. The main benefit of using Behavior Shield for everything is that you can seriously boost detection of new malware regardless of how it's obtained.
-
This is the same discussion as to the options on virus detection and letting the user permit known badness into their system because they think they know better.
People with knowledge + experience = Behavior blocking advice
-
But for me it's kinda impossible that avast won't make a single mistake.. :-\
-
I'm interested in this shield. Anyway, on the first error it makes, I'll stop it once and for all. I can't let any security program decide what is good or not by itself without making sure it's 100% secure for the system. If it's only 99.99%, I'll ditch it. To make it clear, if it blocks something one time that shouldn't be blocked, I'll stop it from running and won't even bother to try it again.
-
I'm looking forward to the 0.01% error then maybe you will go away.
-
Got a problem with me, Kenny, yo??? ;D
-
I think they're going for the no mistakes but far less functionality. Like Network Shield. It never made a mistake, but it also had a very limited scope against malware types.
-
Huh? That's kinda sad to know.. I want the allow/deny options rather than these limitations.. it won't help that much in detecting malware.. :(
-
Yeah, I've been thinking about the network shield as well, and it's true it doesn't make mistakes. But it's watching the network/connections, not the local system.
-
Yeah, it's true it doesn't make any mistakes, BUT I rarely notice it in action..
Oh no! The behavior blocker having these limitations? How about the thousands and thousands of rogue software and unknown malware..
haiiz :(
-
That's off topic here, but I've seen the network shield in action not so long ago in avast4: it aborted a connection while I was attempting to click on a web site link already flagged by Google. It works well; that was the second or third time I saw that. I also see it watching TweetDeck (an external Twitter application) constantly, whereas the web shield is limited to browsers (as far as I know). Tons of avatars are being temporarily downloaded and that's analysed by the network shield. It might not have settings in the UI, but it's a powerful feature, I believe.
http://forum.avast.com/index.php?topic=49936.msg422583#msg422583
And I don't think it should be compared at all to the behavior shield. It's not the same purpose at all.
-
I see :P
-
> ...I see :P
You see what???
-
..what you meant :)
-
This is a completely pointless poll because the OP obviously doesn't understand how the behavior shield works. The behavior shield in avast 5 is _not_ what is usually referred to as a "behavior blocker" or HIPS... It is an expert system based on rules, created by real people here in the lab.
An example: in a classic BB/HIPS, you get an alert like this:
Application abc.exe is trying to install global window CBT hook on session 2. Allow/deny?
Now, behavior shield in avast 5 has a definition file (similar to the normal detection engine) that may contain rules like this:
IF
- application is located in Windows directory, AND
- application is packed, AND
- the application is not signed by a trusted publisher, AND
- parent process is NOT xyz.exe, AND
- the last API calls are api1, api2, api3, api4, AND
- the application recently dropped a file called *.dll into the Windows directory, AND
- the dll is now being installed as a global window CBT hook
THEN block the application and submit the associated exe and dll files for analysis to the virus lab.
Thanks
Vlk
-
Thanks for the clarification, Vlk.. :)
I can see how you made the behavior blocker in a very "expert" way.. thanks again! :)
-
VLK, I still find the poll relevant: if one of the assumptions (like in your example) is wrong (hey, sh** happens ;D) and the application is blocked, then what? I understand that it will ask a lot, i.e. many conditions are required, before the shield will block a process (the app won't be flagged for good, I suppose), but still, even the best HIPS make mistakes. And still, I find some similarities with HIPS behavior... a bit like Defense+ in CIS set to "paranoid" mode, except here the shield will "answer the non-existing alerts" by itself...
-
> VLK, I still find the poll relevant: if one of the assumptions (like in your example) is wrong (hey, sh** happens ;D) and the application is blocked, then what?
Then it will be a regular false positive, which can be reported to the virus lab and fixed by ourselves.
Furthermore, we may also provide some "unblock" features but they are not there yet.
I just don't think we should be asking the users. That is, the rules may be the same as for normal (non-behavioral) detection... I don't see much difference here.
-
Yeah, I think an "unblock" feature would be the best ;) This said, there's a major difference with non-behavioral detection (I suppose you refer to the other shields), because those only interfere with the network or a new download... not the system, not Windows. If a connection or a download is blocked and it was an FP and it shouldn't have been blocked, it's always possible to whitelist what was blocked in the settings (exclusion list), and there will be no settings for the behavior shield. The network shield doesn't have any either, but again, aborting a connection is a minor interaction compared to blocking dlls...
-
Is it? I don't see that much difference, really. But again, it's just taking off. It is a promising technology, but only time will tell what it will evolve into...
-
So until this "unblock" feature is there, if there's an "FP" with the behavior shield, you leave no choice but to disable it... until... until what, actually, as a new VPS can't solve such an issue; it's not relevant for a behavior shield.
-
What? What do you mean the new VPS can't solve such an issue? On the contrary, Behavior shield is all about the VPS... that's where the rules are stored.
-
> ... On the contrary, Behavior shield is all about the VPS... that's where the rules are stored.
OK, thanks for this clarification, I had no idea about that. I thought the rules were implemented once and for all in the shield or the program itself.
-
Naah, that wouldn't make any sense, would it?
In avast5, we even have the whole engine in the VPS so that we can update everything on the fly and be flexible enough to react to the latest threats...
-
> In avast5, we even have the whole engine in the VPS so that we can update everything on the fly and be flexible enough to react to the latest threats...
??? I guess I'm confused here... So, what is the difference between a program update and a VPS update?
-
> ... On the contrary, Behavior shield is all about the VPS... that's where the rules are stored.
> OK, thanks for this clarification, I had no idea about that. I thought the rules were implemented once and for all in the shield or the program itself.
> Naah, that wouldn't make any sense, would it?
> In avast5, we even have the whole engine in the VPS so that we can update everything on the fly and be flexible enough to react to the latest threats...
Of course that wouldn't have made any sense; that's why I kept posting and asking in this thread ;) ... this whole new VPS conception is very interesting indeed.
-
That makes sense in the context of the general and rather simplistic understanding of VPS update = static signature database update vs. program update = dynamic program update including the engine. However, that won't make sense when we think about heuristic scanning and/or how avast catches generic malware while program updates are so rare. Interesting? ... What I can say (confess) is that I haven't thought about this. :-[
-
> That makes sense in the context of the general and rather simplistic understanding of VPS update = static signature database update vs. program update = dynamic program update including the engine. However, that won't make sense when we think about heuristic scanning and/or how avast catches generic malware while program updates are so rare. Interesting? ... What I can say (confess) is that I haven't thought about this.
> ??? I guess I'm confused here... So, what is the difference between a program update and a VPS update?
yeah ;D
-
Living and learning... Tech® . ;) Vlk?
-
The following applies to avast 5:
VPS: the whole AV engine, including all its definitions, signatures, antirootkit module, behavior shield logic, whitelists, network shield database etc... Updatable on the fly. Updated at least once a day.
Program: everything else. The UI, the Shields, the kernel mode drivers etc...
-
That's really good to know. I thought program components (i.e. the engine) were still tied to the program update.
So it's good to know that's not the case anymore.
-
Vlk, isn't it called VPX instead of VPS now? ???
-
> VPS: the whole AV engine, including all its definitions, signatures, antirootkit module, behavior shield logic, whitelists, network shield database etc... Updatable on the fly. Updated at least once a day.
Vlk, I've made a decision to translate "Virus database and engine" as something like "Virus definitions". I understand the difference, but I think common users won't, i.e., they will only distinguish "virus definitions" and "the program itself". This is how MSE and other antivirus products are translated.
If I made the wrong decision, please let me know. I'll need to correct the Portuguese version of avast.
-
> Vlk, isn't it called VPX instead of VPS now? ???
It is called VPX now... just people keep using the old VPS naming.
-
> people keep using the old VPS naming.
Vlk is not people ;D
-
Vlk, would it be possible to utilize Behavior Shield for malware that is known to evade standard file scanners by server-side polymorphism?
I mean, they can change cryptors and packers, but they cannot really change what that file does to the system. And that's where Behavior Shield should kick in. Basically you can create generic behavior detections (that can result in false positives) or exact behavior detections that just have much stricter rules to detect only specific behavior (limited range of detection but much smaller chance of detecting the wrong behavior).
-
> Vlk, isn't it called VPX instead of VPS now? ???
Where did you hear that?
The setup packages (previously files called *.vpu) are now *.vpx.
But the word VPS (our old name for virus definitions) hasn't changed... but is not officially in use either.
> Vlk, I've made a decision to translate "Virus database and engine" as something like "Virus definitions". I understand the difference, but I think common users won't, i.e., they will only distinguish "virus definitions" and "the program itself". This is how MSE and other antivirus products are translated.
> If I made the wrong decision, please let me know. I'll need to correct the Portuguese version of avast.
I don't see any problem with that...
> Vlk, would it be possible to utilize Behavior Shield for malware that is known to evade standard file scanners by server-side polymorphism?
> I mean, they can change cryptors and packers, but they cannot really change what that file does to the system. And that's where Behavior Shield should kick in. Basically you can create generic behavior detections (that can result in false positives) or exact behavior detections that just have much stricter rules to detect only specific behavior (limited range of detection but much smaller chance of detecting the wrong behavior).
Absolutely, that's one of the main things we're trying to achieve here.
The goal is to really have another module in the engine (as opposed to a generic HIPS) that is able to detect yet-unknown malware (typically, yet-unknown samples from known families).
That's why we want to keep the decision engine (the expertise) inside, just as we do with the "regular" engine.
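A toy version of the rule-based approach Vlk describes earlier in the thread (the IF ... AND ... THEN block-and-submit rule) and of the generic-vs-exact trade-off RejZoR raises just above, written as an added example for this page; it is not avast code and does not reflect how the real Behavior Shield is implemented. The names api1..api4 and xyz.exe are the placeholders from Vlk's illustration, and the file names, paths and API call lists in the two sample processes are constructed for the demo. The rules are plain data evaluated by a small engine, mirroring the point that the rules live in the definitions (VPS) rather than in a prompt to the user:

```python
"""Toy rule-based behavior engine (added example, not avast code).

A definition-style rule set is evaluated against what the engine knows
about a process; block/submit is decided by the rules, never by asking
the user. api1..api4, xyz.exe and the paths are placeholders.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

WINDOWS_DIR = r"c:\windows"


@dataclass
class ProcessContext:
    """Constructed snapshot of a running process as the engine would see it."""
    image_path: str
    parent_image: str
    is_packed: bool
    signed_by_trusted_publisher: bool
    recent_api_calls: List[str] = field(default_factory=list)
    dropped_files: List[str] = field(default_factory=list)
    # Path of a DLL the process is installing as a global CBT hook, if any.
    cbt_hook_dll: Optional[str] = None


Condition = Callable[[ProcessContext], bool]


@dataclass
class Rule:
    """All conditions must hold (the IF ... AND ... AND ... form)."""
    name: str
    conditions: List[Condition]
    action: str = "block_and_submit"

    def matches(self, ctx: ProcessContext) -> bool:
        return all(cond(ctx) for cond in self.conditions)


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR + "\\")


def ends_with(calls: List[str], tail: List[str]) -> bool:
    return len(calls) >= len(tail) and calls[-len(tail):] == tail


def dropped_dll_in_windows_dir(ctx: ProcessContext) -> bool:
    return any(f.lower().endswith(".dll") and in_windows_dir(f) for f in ctx.dropped_files)


def hooks_with_own_dropped_dll(ctx: ProcessContext) -> bool:
    """The DLL being installed as a CBT hook is one this process just dropped."""
    if ctx.cbt_hook_dll is None:
        return False
    return ctx.cbt_hook_dll.lower() in {f.lower() for f in ctx.dropped_files}


# Generic rule: broad traits, cheap to write, but prone to false positives.
GENERIC_RULE = Rule("packed_unsigned_in_windows_dir", [
    lambda c: in_windows_dir(c.image_path),
    lambda c: c.is_packed,
    lambda c: not c.signed_by_trusted_publisher,
])

# Exact rule: Vlk's illustration, every condition must line up.
EXACT_RULE = Rule("cbt_hook_dropper", GENERIC_RULE.conditions + [
    lambda c: c.parent_image.lower() != "xyz.exe",
    lambda c: ends_with(c.recent_api_calls, ["api1", "api2", "api3", "api4"]),
    dropped_dll_in_windows_dir,
    hooks_with_own_dropped_dll,
])

RULES = [GENERIC_RULE, EXACT_RULE]  # would ship in the definitions, not the program


def evaluate(ctx: ProcessContext, rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Return (rule name, action) for every rule that matches; no user prompt."""
    return [(r.name, r.action) for r in rules if r.matches(ctx)]


# Constructed samples: a dropper-like process and a benign packed vendor tool.
SUSPECT = ProcessContext(
    image_path=r"C:\Windows\svchost32.exe",
    parent_image="explorer.exe",
    is_packed=True,
    signed_by_trusted_publisher=False,
    recent_api_calls=["CreateFileW", "api1", "api2", "api3", "api4"],
    dropped_files=[r"C:\Windows\hk.dll"],
    cbt_hook_dll=r"C:\Windows\HK.DLL",
)

BENIGN_TOOL = ProcessContext(
    image_path=r"C:\Windows\vendortool.exe",
    parent_image="explorer.exe",
    is_packed=True,
    signed_by_trusted_publisher=False,
    recent_api_calls=["RegOpenKeyExW", "RegQueryValueExW"],
)


if __name__ == "__main__":
    print("suspect:", evaluate(SUSPECT))          # both rules fire
    print("benign tool:", evaluate(BENIGN_TOOL))  # only the generic rule fires
```

The benign packed tool trips only the generic rule, which is exactly the false-positive class the thread worries about (the explorer.exe-in-quarantine scenario); the exact rule stays quiet on it because the API sequence and the dropped-DLL-turned-hook condition are missing. In this model the remedy for a wrong block is what Vlk describes: change or remove the rule in the next definitions update, rather than handing the decision to the user.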
-
> The setup packages (previously files called *.vpu) are now *.vpx.
> But the word VPS (our old name for virus definitions) hasn't changed... but is not officially in use either.
Thanks for the info.
> I don't see any problem with that...
Ok.
-
Thanks for the kind explanation, Vlk. Seeing even RejZoR can learn something from the answers, I guess Logos did a good job in asking. ;D
> Vlk, isn't it called VPX instead of VPS now? ???
> Where did you hear that?
> The setup packages (previously files called *.vpu) are now *.vpx.
> But the word VPS (our old name for virus definitions) hasn't changed... but is not officially in use either.
I haven't heard it either, but I saw vpx files being updated through my copy of avast! 5 Beta's update procedure. ;)
-
That's some good and very valuable info there. Thanks, Vlk.