Poll

(Solved) What do you want to happen when avast's behavioral blocker detected unusual program behavior?


Author Topic: A better behavioral blocker (avast! 5)  (Read 18854 times)


Offline ~Graven

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 430
  • Gr6v3n
Re: A better behavioral blocker (avast! 5)
« Reply #15 on: October 19, 2009, 12:48:08 PM »
That's off topic here, but I've seen the network shield in action not so long ago in avast4: it aborted a connection while I was attempting to click on a web site link already flagged by Google. It works well, that was the second or the third time I saw that. I also see it watching TweetDeck (an external Twitter application) constantly, when the web shield is limited to browsers (as far as I know). Tons of avatars are being temporarily downloaded and that's analysed by the network shield. It might not have settings in the UI, but it's a powerful feature I believe.
http://forum.avast.com/index.php?topic=49936.msg422583#msg422583

And I don't think it should be compared at all to the behavior shield. It's not the same purpose at all.
I see  :P
MS Windows Vista Home Premium, AMD Athlon 64 X2 Dual Core Processor 4800+, 1GB RAM, NVIDIA GeForce 6150SE, MBAM, SAS, WinPatrol, Avast! Antivirus

~ I've got a barrier for myself, I'll let everything through unless I know the changes it might cause.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #16 on: October 19, 2009, 12:54:06 PM »
w7 - ais7

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: A better behavioral blocker (avast! 5)
« Reply #18 on: October 19, 2009, 01:05:03 PM »
This is a completely pointless poll because the OP obviously doesn't understand how the behavior shield works. The behavior shield in avast 5 is _not_ what is usually referred to as a "behavior blocker" or HIPS... It is an expert system based on rules, created by real people here in the lab.

An example: in a classic BB/HIPS, you get an alert like this:

Application abc.exe is trying to install global window CBT hook on session 2. Allow/deny?


Now, behavior shield in avast 5 has a definition file (similar to the normal detection engine) that may contain rules like this:

IF
- application is located in Windows directory, AND
- application is packed, AND
- the application is not signed by a trusted publisher, AND
- parent process is NOT xyz.exe, AND
- the last API calls are api1, api2, api3, api4, AND
- the application recently dropped a file called *.dll into the Windows directory, AND
- the dll is now being installed as a global window CBT hook

THEN block the application and submit the associated exe and dll files for analysis to the virus lab.
Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
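Vlk's rule above, worked through as an added illustration of how such a conjunction of conditions is evaluated over a single process event and why a rule with this many conditions rarely fires by accident. This is example code, not avast's own; the event fields, the publisher allow-list, the Windows directory path and both sample events are constructed here.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed allow-list and directory prefix for this illustration.
TRUSTED_PUBLISHERS = {"Example Corp"}
WINDOWS_DIR = "c:\\windows\\"

@dataclass
class ProcessEvent:
    path: str                  # image path of the application
    packed: bool               # is the executable runtime-packed?
    publisher: Optional[str]   # code-signing publisher, None if unsigned
    parent: str                # parent process image name
    recent_apis: List[str]     # last API calls, oldest first
    dropped_files: List[str]   # files this process wrote recently
    hook_dll: Optional[str]    # dll now being installed as a global CBT hook

def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)

# The rule is a conjunction: every predicate must hold before the action fires.
RULE: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("in Windows directory",  lambda e: in_windows_dir(e.path)),
    ("packed",                lambda e: e.packed),
    ("not trusted publisher", lambda e: e.publisher not in TRUSTED_PUBLISHERS),
    ("parent is not xyz.exe", lambda e: e.parent.lower() != "xyz.exe"),
    ("last calls api1..api4", lambda e: e.recent_apis[-4:] == ["api1", "api2", "api3", "api4"]),
    ("dropped *.dll in Windows dir",
     lambda e: any(f.lower().endswith(".dll") and in_windows_dir(f) for f in e.dropped_files)),
    ("dropped dll installed as CBT hook",
     lambda e: e.hook_dll is not None and e.hook_dll.lower() in {f.lower() for f in e.dropped_files}),
]

def evaluate(e: ProcessEvent) -> Tuple[str, List[str]]:
    """("block", files_to_submit) when every condition holds; otherwise
    ("allow", failed_condition_names) so an analyst tuning the rule can see
    which condition stopped it from firing (the false-positive question)."""
    failed = [name for name, pred in RULE if not pred(e)]
    if failed:
        return "allow", failed
    return "block", [e.path, e.hook_dll]  # the exe and dll go to the lab

# Constructed sample events: one matching every condition, one identical
# except that the image is signed by a trusted publisher.
SUSPICIOUS = ProcessEvent("C:\\Windows\\svc.exe", True, None, "explorer.exe",
                          ["api0", "api1", "api2", "api3", "api4"],
                          ["C:\\Windows\\hk.dll"], "C:\\Windows\\hk.dll")
SIGNED = ProcessEvent("C:\\Windows\\svc.exe", True, "Example Corp", "explorer.exe",
                      SUSPICIOUS.recent_apis, SUSPICIOUS.dropped_files, SUSPICIOUS.hook_dll)
```

Running `evaluate(SUSPICIOUS)` blocks and lists both files for submission, while `evaluate(SIGNED)` allows and names the one condition that failed.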

Offline ~Graven

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 430
  • Gr6v3n
Re: A better behavioral blocker (avast! 5)
« Reply #19 on: October 19, 2009, 01:09:47 PM »
This is a completely pointless poll because the OP obviously doesn't understand how the behavior shield works. The behavior shield in avast 5 is _not_ what is usually referred to as a "behavior blocker" or HIPS... It is an expert system based on rules, created by real people here in the lab.

An example: in a classic BB/HIPS, you get an alert like this:

Application abc.exe is trying to install global window CBT hook on session 2. Allow/deny?


Now, behavior shield in avast 5 has a definition file (similar to the normal detection engine) that may contain rules like this:

IF
- application is located in Windows directory, AND
- application is packed, AND
- the application is not signed by a trusted publisher, AND
- parent process is NOT xyz.exe, AND
- the last API calls are api1, api2, api3, api4, AND
- the application recently dropped a file called *.dll into the Windows directory, AND
- the dll is now being installed as a global window CBT hook

THEN block the application and submit the associated exe and dll files for analysis to the virus lab.
Thanks
Vlk

Thanks for the clarification Vlk.. :)
I can see how you make the behavior blocker in a very "expert" way.. thanks again! :)
MS Windows Vista Home Premium, AMD Athlon 64 X2 Dual Core Processor 4800+, 1GB RAM, NVIDIA GeForce 6150SE, MBAM, SAS, WinPatrol, Avast! Antivirus

~ I've got a barrier for myself, I'll let everything through unless I know the changes it might cause.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #20 on: October 19, 2009, 01:18:03 PM »
VLK, I still find the poll relevant: if one of the assumptions (like in your example) is wrong (hey sh** happens  ;D ), and the application is blocked, then what? I understand that it will ask a lot, i.e. many conditions are required, until the shield will block a process (app won't be flagged for good I suppose) but still, the best HIPS make mistakes. And still, I find some similarities with HIPS behavior...a bit like Defense+ in CIS set on "paranoid" mode, except there the shield will "answer the non-existing alerts" by itself...
w7 - ais7

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: A better behavioral blocker (avast! 5)
« Reply #21 on: October 19, 2009, 01:44:28 PM »
VLK, I still find the poll relevant: if one of the assumptions (like in your example) is wrong (hey sh** happens  ;D ), and the application is blocked, then what?

Then it will be a regular false positive, which can be reported to the virus lab and fixed by ourselves.
Furthermore, we may also provide some "unblock" features but they are not there yet.

I just don't think we should be asking the users. That is, the rules may be the same as for normal (non-behavioral) detection... I don't see much difference here.
If at first you don't succeed, then skydiving's not for you.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #22 on: October 19, 2009, 01:51:40 PM »
VLK, I still find the poll relevant: if one of the assumptions (like in your example) is wrong (hey sh** happens  ;D ), and the application is blocked, then what?

Then it will be a regular false positive, which can be reported to the virus lab and fixed by ourselves.
Furthermore, we may also provide some "unblock" features but they are not there yet.

I just don't think we should be asking the users. That is, the rules may be the same as for normal (non-behavioral) detection... I don't see much difference here.

yeah I think an "unblock" feature would be the best  ;) This said there's a major difference with non-behavioral detection (I suppose you refer to the other shields), because those only interfere with the network or a new download...not the system, not Windows. If a connection or a download is blocked and it was an FP and it shouldn't have been blocked, it's always possible to whitelist what was blocked in the settings (exclusion list), and there will be no settings for the behavior shield. Network shield doesn't have any either, but again, aborting a connection is a minor interaction compared to blocking dlls...

« Last Edit: October 19, 2009, 01:55:54 PM by Logos »
w7 - ais7

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: A better behavioral blocker (avast! 5)
« Reply #23 on: October 19, 2009, 01:54:13 PM »
yeah I think an "unblock" feature would be the best  ;) This said there's a major difference with non-behavioral detection (I suppose you refer to the other shields), because those only interfere with the network or a new download...not the system, not Windows. If a connection or a download is blocked and it was an FP and it shouldn't have been blocked, it's always possible to whitelist what was blocked in the settings (exclusion list), and there will be no settings for the behavior shield. Network shield doesn't have any either, but again, aborting a connection is a minor interaction compared to blocking dlls...

Is it? I don't see that much difference, really. But again, it's just taking off. It is a promising technology, but only time will tell what it will evolve into...
If at first you don't succeed, then skydiving's not for you.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #24 on: October 19, 2009, 01:56:11 PM »
So until this "unblock" feature is there, if there's an "FP" with the behavior shield, you leave no choice but disabling it...until...until what actually, as a new VPS can't solve such an issue, it's not relevant for a behavior shield.
w7 - ais7

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: A better behavioral blocker (avast! 5)
« Reply #25 on: October 19, 2009, 03:00:00 PM »
So until this "unblock" feature is there, if there's an "FP" with the behavior shield, you leave no choice but disabling it...until...until what actually, as a new VPS can't solve such an issue, it's not relevant for a behavior shield.

What? What do you mean the new VPS can't solve such an issue? On the contrary, Behavior shield is all about the VPS... that's where the rules are stored.
If at first you don't succeed, then skydiving's not for you.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #26 on: October 19, 2009, 03:02:45 PM »
... On the contrary, Behavior shield is all about the VPS... that's where the rules are stored.

OK thanks for this clarification, I had no idea about that. Thought the rules were implemented once and for all in the shield or the program itself.
w7 - ais7

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: A better behavioral blocker (avast! 5)
« Reply #27 on: October 19, 2009, 03:10:11 PM »
... On the contrary, Behavior shield is all about the VPS... that's where the rules are stored.

OK thanks for this clarification, I had no idea about that. Thought the rules were implemented once and for all in the shield or the program itself.

Naah, that wouldn't make any sense, would it?
In avast5, we even have the whole engine in the VPS so that we can update everything on the fly and be flexible enough to react to the latest threats...
If at first you don't succeed, then skydiving's not for you.

Offline Rumpel

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 953
  • The poster formerly known as - Rumpelstiltskin®
Re: A better behavioral blocker (avast! 5)
« Reply #28 on: October 19, 2009, 03:15:46 PM »
In avast5, we even have the whole engine in the VPS so that we can update everything on the fly and be flexible enough to react to the latest threats...
??? I guess I'm confused here... So, what is the difference between program update and VPS update?

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #29 on: October 19, 2009, 03:22:47 PM »
... On the contrary, Behavior shield is all about the VPS... that's where the rules are stored.

OK thanks for this clarification, I had no idea about that. Thought the rules were implemented once and for all in the shield or the program itself.

Naah, that wouldn't make any sense, would it?
In avast5, we even have the whole engine in the VPS so that we can update everything on the fly and be flexible enough to react to the latest threats...

of course that wouldn't have made any sense, that's why I kept posting and asking in this thread here  ;) ...this whole new VPS conception is very interesting indeed.
w7 - ais7