Poll

(Solved)What do you want to happen when avast's behavioral blocker detected unusual program behavior??

--
--

Author Topic: A better behavioral blocker (avast! 5)  (Read 18859 times)

0 Members and 1 Guest are viewing this topic.

Offline Rumpel

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 953
  • The poster formerly known as - Rumpelstiltskin®
Re: A better behavioral blocker (avast! 5)
« Reply #30 on: October 19, 2009, 04:00:14 PM »
Naah, that wouldn't make any sense, would it?
In avast5, we even have the whole engine in the VPS so that we can update everything on the fly and be flexible enough to react to the latest threats...
of course that wouldn't have made any sense, that's why I kept posting and asking in this thread here  ;) ...this whole new VPS conception is very interesting indeed.
That makes sense in the context of general and rather simplistic understanding of VPS update=static signature database update vs Program update=dynamic program update including engine.  However, that won't make sense when we think about heuristic scan and/or how Avast catches generic malware while the program updates are so rare.  Interesting?  ...What I can say (confess) is that I haven't thought about this.  :-[
« Last Edit: October 19, 2009, 04:02:24 PM by Rumpel »

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #31 on: October 19, 2009, 04:22:18 PM »
That makes sense in the context of general and rather simplistic understanding of VPS update=static signature database update vs Program update=dynamic program update including engine.  However, that won't make sense when we think about heuristic scan and/or how Avast catches generic malware while the program updates are so rare.  Interesting?  ...What I can say (confess) is that I haven't thought about this.

???  I guess I'm confused here...   So, what is the difference between program update and VPS update?

 yeah  ;D
« Last Edit: October 19, 2009, 04:48:18 PM by Logos »
w7 - ais7

Offline Rumpel

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 953
  • The poster formerly known as - Rumpelstiltskin®
Re: A better behavioral blocker (avast! 5)
« Reply #32 on: October 19, 2009, 05:09:20 PM »
yeah  ;D

Living and learning...  Tech® .  ;)  Vlk?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: A better behavioral blocker (avast! 5)
« Reply #33 on: October 19, 2009, 06:45:58 PM »
The following applies to avast 5:

VPS: the whole AV engine, including all its definitions, signatures, antirootkit module, bahavior shield logic, whitelists, network shield database etc... Updatable on the fly. Updated at least once a day

Program: everything else. The UI, the Shields, the kernel mode drivers etc...
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9271
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: A better behavioral blocker (avast! 5)
« Reply #34 on: October 19, 2009, 10:41:39 PM »
That's really good to know. I thought program components (ie engine) are still tied to program update.
So it's good to know that's not the case anymore.
Visit my webpage RejZoR's Flock of Sheep

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: A better behavioral blocker (avast! 5)
« Reply #35 on: October 19, 2009, 11:28:38 PM »
Vlk, isn't it called VPX instead of VPS now? ???
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: A better behavioral blocker (avast! 5)
« Reply #36 on: October 19, 2009, 11:31:40 PM »
VPS: the whole AV engine, including all its definitions, signatures, antirootkit module, bahavior shield logic, whitelists, network shield database etc... Updatable on the fly. Updated at least once a day
Vlk, I've made a decision to translate "Virus database and engine" for something like "Virus definitions". I understand the difference, but I think common users won't, i.e., they will only separate "virus definitions" and "program itself". This is like MSE and other antivirus are translated.
If I did a wrong decision, please, let me know. I'll need to correct the Portuguese version of avast.
The best things in life are free.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A better behavioral blocker (avast! 5)
« Reply #37 on: October 19, 2009, 11:39:54 PM »
Vlk, isn't it called VPX instead of VPS now? ???

it is called VPX now...just people keep using the old VPS naming.
w7 - ais7

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: A better behavioral blocker (avast! 5)
« Reply #38 on: October 19, 2009, 11:43:08 PM »
people keep using the old VPS naming.
Vlk is not people ;D
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9271
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: A better behavioral blocker (avast! 5)
« Reply #39 on: October 20, 2009, 12:31:56 PM »
Vlk, would it be possible to utilize Behavior Shield for malware that is known to evade standard file scanners by server side polymorphism?
I mean, they can change cryptor and packers, but they cannot really change what that file is doing to the system. And that's where Behavior Shield should kick in. Basically you can create generic behavior detections (that can result in false positives) or exact behavior detections that just have much more strict rules to detect only specific behavior (limited range of detection but much smaller chance of detecting wrong behavior).
Visit my webpage RejZoR's Flock of Sheep

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: A better behavioral blocker (avast! 5)
« Reply #40 on: October 20, 2009, 12:52:32 PM »
Vlk, isn't it called VPX instead of VPS now? ???

Where did you hear that?

The setup packages (previously files called *.vpu) are now *.vpx.
But the word VPS (our old name for virus definitions) hasn't changed... but is not officially in use either.

Vlk, I've made a decision to translate "Virus database and engine" for something like "Virus definitions". I understand the difference, but I think common users won't, i.e., they will only separate "virus definitions" and "program itself". This is like MSE and other antivirus are translated.
If I did a wrong decision, please, let me know. I'll need to correct the Portuguese version of avast.

I don't see any problem with that...

Vlk, would it be possible to utilize Behavior Shield for malware that is known to evade standard file scanners by server side polymorphism?
I mean, they can change cryptor and packers, but they cannot really change what that file is doing to the system. And that's where Behavior Shield should kick in. Basically you can create generic behavior detections (that can result in false positives) or exact behavior detections that just have much more strict rules to detect only specific behavior (limited range of detection but much smaller chance of detecting wrong behavior).

Absolutely, that's one of the main things what we're trying to achieve here.
The goal is to really have another module in the engine (as opposed to a generic HIPS) that is able to detect yet-unknown malware (typically, yet-unknown samples from known families).
That's why we want to keep the decision-engine (the expertise) inside, just as we do with the "regular" engine.
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: A better behavioral blocker (avast! 5)
« Reply #41 on: October 20, 2009, 12:58:43 PM »
The setup packages (previously files called *.vpu) are now *.vpx.
But the word VPS (our old name for virus definitions) hasn't changed... but is not officially in use either.
Thanks for the info.

I don't see any problem with that...
Ok.
The best things in life are free.

Offline Rumpel

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 953
  • The poster formerly known as - Rumpelstiltskin®
Re: A better behavioral blocker (avast! 5)
« Reply #42 on: October 20, 2009, 02:12:56 PM »
Thanks for the kind explanation, Vlk.  Seeing even RejZoR can learn something from the answers, I guess Logos did a good job in asking.  ;D

Vlk, isn't it called VPX instead of VPS now? ???

Where did you hear that?

The setup packages (previously files called *.vpu) are now *.vpx.
But the word VPS (our old name for virus definitions) hasn't changed... but is not officially in use either.
I haven't heard it, either, but I saw vpx files being updated through my copy of Avast! 5 Beta update procedure.  ;)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9271
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: A better behavioral blocker (avast! 5)
« Reply #43 on: October 20, 2009, 02:16:43 PM »
That's some good and very valuable info there. Thx Vlk.
Visit my webpage RejZoR's Flock of Sheep