Author Topic: New improved Blocker idea  (Read 3037 times)


Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9411
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
New improved Blocker idea
« on: May 24, 2005, 11:18:21 AM »
In its current form it's nearly useless. Its design is wrong and it doesn't provide the expected protection (and generates way too many warnings). Now I've got another idea. You seem to refuse heuristics, which is logical. You need extensive knowledge in this area to avoid false positives and to make heuristics effective. But here is the trick. Forget about heuristics for now and focus on Blocker.
It will be much easier to upgrade it (unlike heuristics), plus it will provide higher protection right away without many false positives.

At the moment, Blocker protects files that are usually malware (COM, SCR, EXE) instead of preventing such files from performing actions.
This is what I learned from McAfee VSE 8.0i Access Protection, and I found it to be extremely effective and with nearly zero false positives.

For example, you set a rule like this:


Now this rule will block all actions performed by a .PIF file.
So if a PIF file attempts to execute itself, execution will be blocked.
If a .PIF file attempts to erase other files, it will be blocked from doing that.
It will also be blocked from creating any other files.
You can specify the area to protect and the processes that are affected.

The same can be done for any other file type (like COM, SCR, VBS...).

The only thing that needs to be changed is how to react to such events.

One should be Ask (ask if you allow execution/creation/deletion etc.), one should be Silent mode (block and don't warn, just log the action), and the last should just log the action and do nothing.

I tried McAfee VSE rule blocking and it really worked great. For example, PIF files are useless on NT systems, so you can block them all without any problems (PIFs are commonly used for malware).
So PIF files cannot do anything on the system.
SCR files, for example, could have a rule that allows them to be executed, but they can't modify or create other files (why should a screensaver modify or create new files anyway?). An Ask rule for VBS files, and so on.

Kaspersky 2006 will also use such a technique to proactively protect systems; McAfee VSE 8.0i already uses it.

This is a cheap way to increase security while avoiding complicated heuristics that require lots of work to implement. Blocker is already there; you just need to improve it a bit. If implemented properly, you shouldn't get many false positives either.
Visit my webpage Angry Sheep Blog
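The post above describes a per-file-type behaviour blocker: a rule names a file type, the operations it may not perform (execute, create, modify, delete), the area it protects, and a reaction mode (Ask, Silent block, Log only). The following is an added example that models that rule engine in Python; it is not code from the original post, from avast, or from McAfee VSE. The rule syntax (an extension, an operation set, a glob for the protected area), the `Event`/`Decision` types, and the sample events are all assumptions made for the illustration, and the event paths are constructed, not real telemetry. The rule set it ships with is the one the post proposes: PIF blocked outright, SCR allowed to run but not to touch files, VBS prompting the user.

```python
"""Per-file-type behaviour blocker: a small model of the rule engine described above."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase
import os


class Mode(Enum):
    ASK = "ask"        # prompt the user; block unless they approve
    SILENT = "silent"  # block without a prompt, log the event
    LOG = "log"        # allow the action, only log it


ALL_OPS = frozenset({"execute", "create", "modify", "delete"})


@dataclass(frozen=True)
class Rule:
    ext: str            # file type the rule applies to, e.g. ".pif" (matched case-insensitively)
    ops: frozenset      # operations the rule covers
    mode: Mode
    area: str = "*"     # glob over the target path: the "area to protect" (hypothetical syntax)


@dataclass(frozen=True)
class Event:
    actor: str    # path of the file performing the action
    op: str       # one of ALL_OPS
    target: str   # path the action touches (the actor itself for "execute")


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow" or "block"
    rule: str     # ext of the rule that fired, "" if none matched
    logged: bool  # True when the event hit a rule and was recorded


def evaluate(rules, event, ask=lambda event: False):
    """Return the Decision for one event. `ask` stands in for the user prompt in ASK mode."""
    ext = os.path.splitext(event.actor)[1].lower()
    for rule in rules:
        if rule.ext.lower() != ext or event.op not in rule.ops:
            continue
        if not fnmatchcase(event.target.lower(), rule.area.lower()):
            continue  # rule exists but this target is outside the protected area
        if rule.mode is Mode.LOG:
            return Decision("allow", rule.ext, True)
        if rule.mode is Mode.SILENT:
            return Decision("block", rule.ext, True)
        approved = ask(event)  # Mode.ASK: the prompt decides, default is to deny
        return Decision("allow" if approved else "block", rule.ext, True)
    return Decision("allow", "", False)  # no rule covers this file type / operation / area


# The rule set the post proposes.
RULES = (
    Rule(".pif", ALL_OPS, Mode.SILENT),
    Rule(".scr", frozenset({"create", "modify", "delete"}), Mode.SILENT),
    Rule(".vbs", ALL_OPS, Mode.ASK),
)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = (
    Event(r"C:\Temp\photo.pif", "execute", r"C:\Temp\photo.pif"),
    Event(r"C:\Windows\ssflwbox.scr", "execute", r"C:\Windows\ssflwbox.scr"),
    Event(r"C:\Windows\ssflwbox.scr", "create", r"C:\Windows\system32\dropper.exe"),
    Event(r"C:\Temp\invoice.vbs", "delete", r"C:\Users\me\report.doc"),
    Event(r"C:\Temp\notes.txt", "modify", r"C:\Temp\notes.txt"),
)


def run(rules=RULES, events=SAMPLE_EVENTS, ask=lambda event: False):
    """Evaluate every event in order and return the list of verdicts."""
    return [evaluate(rules, e, ask).verdict for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        d = evaluate(RULES, e)
        tag = f"  [rule {d.rule}]" if d.rule else ""
        print(f"{d.verdict:5} {e.op:8} {e.actor} -> {e.target}{tag}")
```

Two design points worth noting. First, Ask mode defaults to deny when the prompt is not answered, so a prompt that is dismissed or never seen (a service session, a locked desktop) fails closed. Second, the engine keys on the actor's file extension because that is what the post describes; a real implementation should identify the acting process by its image rather than by the name string, since renaming a file is the first thing a dropper does.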

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11657
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: New improved Blocker idea
« Reply #1 on: May 24, 2005, 11:20:01 AM »
Let me just say that a similar thing (a bit more complicated) is under development... ;)
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

Re: New improved Blocker idea
« Reply #2 on: May 24, 2005, 11:29:20 AM »
Now that's good to hear. Will it be similar to this one in McAfee? I just hope there will be a similar warning as there is now. McAfee says it will warn, but it doesn't. Actions should be displayed as virus detected tags (yellow and red tags above the taskbar when in silent or log-only mode). I can't wait to beta test it :)

MFB

  • Guest
Re: New improved Blocker idea
« Reply #3 on: May 25, 2005, 06:52:03 AM »
This blocker (if it's finished), will it be available for the Home edition as well? It seems that this is a pretty useful tool to have.

Offline RejZoR

Re: New improved Blocker idea
« Reply #4 on: May 25, 2005, 07:33:56 AM »
Blocker will probably be available in both editions. It is now, and I doubt they'll change everything to make it Pro only.