Author Topic: Not trolling just really want an honest discussion  (Read 11205 times)

0 Members and 1 Guest are viewing this topic.

gowiththeflow

  • Guest
Not trolling just really want an honest discussion
« on: March 06, 2010, 08:57:56 PM »
I occasionally visit the matousec site to see whether there is any new product worth checking out. Imagine my surprise when I saw avast name appearing on the list ...

http://www.matousec.com/projects/proactive-security-challenge/results.php

I am tech inclined but not enough to evaluate everything they say on that site. Can someone please relate the relevancy of the tests they did over there, to what avast was designed to accomplish? I can't tell for certain if they were comparing apples to oranges when they put avast on the list.

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 86803
  • No support PMs thanks
Re: Not trolling just really want an honest discussion
« Reply #1 on: March 06, 2010, 09:51:50 PM »
This has been discussed in a number of topics already and by all accounts the matusec tests were run against only the firewall, e.g. they disabled the other components of the avast Internet Security suite, which will remove part of the overall protection. 

The avast firewall isn't sold as a stand alone firewall where such firewall test would hold more water. So to attempt to test it in isolation by disabling other elements of the AIS to me invalidates the results when no user will run the avast firewall in that way but as part of the integrated security suite.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Hermite15

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #2 on: March 06, 2010, 10:13:41 PM »
which tells a lot about Matousec's neutrality  ;D knowing that for Comodo firewall, he (Matousec) considers the HIPS (def+) as belonging to the firewall (  ;D ), which of course leads to brilliant results in leak tests, but prefers to deactivate other components when testing Avast5 firewall  ::)

gowiththeflow

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #3 on: March 06, 2010, 10:51:42 PM »
Okay I read through the other threads. They cleared things up quite a bit ... thank you.

Would I be correct to postulate that avast is excellent at protecting clients' mishaps (e.g. downloading trojans) but does not evaluate actions by servers (e.g. leaktests)?  ???

Hmmm how much difference is there between a HIPS and avast's behavior shield? Or are they different beast all together?

Hermite15

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #4 on: March 06, 2010, 11:06:41 PM »
avast isn't very good at leak tests...yet. The firewall is mainly inbound protection oriented. I can't tell how good it would be at preventing an already (and silently) downloaded trojan from connecting. What I can tell is that there might be a new "HIPS like" module in the future... (called "process control")...I'm not sure about that at all, it's just been mentioned, so I don't know how this would work exactly.
 As to the behavior shield, no it can't be compared to a HIPS. The bs is watching the system and is able to report unusual changes to avast that could take action pretty fast by introducing new parameters in the engine and the database >>> next update. So just don't think of it as a HIPS.   Also, be aware that the bs doesn't have any "rule sets" for 64 bit OS... yet. Might never be the case, browse the forums for more...

Derelict_AZ

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #5 on: March 06, 2010, 11:08:04 PM »
There's a huge difference. Behavior Shield relies on the virus database to react to threats, whereas a good HIPS will put you in full control of the OS. You need to make decisions on what to block or allow. Running one is also a good way to learn about what is going on behind the scenes on your Windows box. You can get into trouble is you block the wrong thing, so some caution is needed until you get familiar with things. I would recommend taking a look at Malware Defender if you're interested. It's a great classical HIPS and is easy to learn and use.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re: Not trolling just really want an honest discussion
« Reply #6 on: March 06, 2010, 11:15:59 PM »
To have a HIPS application running with efficiency in a computer, the user must have discipline and patience, a lot of patience.
If you answer yes for all questions... what you're doing is losing of time answering...
I'm not a man to use HIPS. I'd rather a good antimalware tool running and deciding what is infected and what is not.
The best things in life are free.

Hermite15

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #7 on: March 06, 2010, 11:20:34 PM »
I got the feeling that security software companies are moving towards more and more silent applications, and sophisticated enough to avoid the need of a HIPS, while being able to bring an equivalent level of protection... but that's just a feeling (from someone who's been an addict of Comodo Def+ and very shortly a user of System Safety Monitor)...new techniques are coming it seems, relying on online reactions, and the HIPS concept might be already an outdated thing.

Derelict_AZ

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #8 on: March 06, 2010, 11:33:14 PM »
I agree and for the vast majority of end users having someone else decide what's a good or bad action to allow is going to be welcome. I guess I'll be a holdout and keep using a HIPS and making the decisions myself. :) Hopefully, avast! will continue to offer a modular installer if they go this route, so that the end user can pick and choose which components to install.

It is also true that a HIPS demands a level of patience and discipline to use. However, this is at the beginning of use until you've created a good ruleset for your system. After the initial period, your alerts will be few and far between. The exception to this is during a new install, but that is what the HIPS is for. What if the install was being conducted by malware and not the end user?!

gowiththeflow

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #9 on: March 06, 2010, 11:33:50 PM »
I would recommend taking a look at Malware Defender if you're interested. It's a great classical HIPS and is easy to learn and use.

So the optimal setup would be avast free with all shields active, comodo free with only the firewall enabled, and malware defender for the HIPS?

Wait ... can malware defender's HIPS be run without their firewall?

I'm not a man to use HIPS. I'd rather a good antimalware tool running and deciding what is infected and what is not.

For this to work ... doesn't it mean someone needs to first report a finding so that a signature can be generated?  :P

I got the feeling that security software companies are moving towards more and more silent applications ...

I use comodo but with def+ disabled. If only I can figure out how to allow WinFF to run new cmd scripts, so it won't require me to click on the def+ popup each time ...

sded

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #10 on: March 06, 2010, 11:46:54 PM »
Avast! actually sends up rules as well as plain old signatures as part of the database updates.  So what you can do with BB and Network Shield (advertised as a light IDS) activated has never been explored by Matousec.  I don't know either, BTW.  ;)  Of course the first thing a conventional HIPS like Comodo tells their users who find they have problems with their own leak tests is "you are in the wrong mode, dummy".  Like they tell Matousec, don't use the default (quiet) mode if you want good leak protection.  Think of this test scenario:  You have a product set up to maximize the number of situations that generate popups for unknowns.  You are told before the test that all of the popups are malware.  Question of the day (Security for Dummies):  What do you need to do to maximize your score?  (hint: The developer part is to add more popups to get one for each of the test cases).   Harder question of the day (where the work is moving):  How can you do this silently?  e.g. how do you automate your HIPS without a godzillion FPs and still catch everything.  You can count on whitelists, etc. but you still need to deal with the residue.
And in spite of all these good intentions, and tests against questionable threats, you had better have an imaging program and backup regularly, because the malware community is usually a step ahead of the security community.  :)  
« Last Edit: March 07, 2010, 12:05:10 AM by sded »

galooma

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #11 on: March 07, 2010, 12:31:05 AM »

And in spite of all these good intentions, and tests against questionable threats, you had better have an imaging program and backup regularly, because the malware community is usually a step ahead of the security community.  :)  

This reflects my opinion as well . Sam Spade`s opinion still holds true for me http://samspade.org/d/firewalls.html

regards

Derelict_AZ

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #12 on: March 07, 2010, 12:52:26 AM »
So the optimal setup would be avast free with all shields active, comodo free with only the firewall enabled, and malware defender for the HIPS?

Wait ... can malware defender's HIPS be run without their firewall?

You can't separate out the firewall during the install, but you could create an "allow all" type of network rule if you're going to rely on another firewall for application network protection. I'm running MD alongside Jetico PFW and there is some overlap regarding the network rules (I have rules set in both apps and don't use an "allow all"). MD's network protection fails Comodo's Leak Test Suite's DNS test, but it can be supplemented with a good firewall to overcome that. A free one that I know is pretty good is Softperfect Firewall and if memory serves me right when I tested the two together it passed the DNS test.

I use comodo but with def+ disabled. If only I can figure out how to allow WinFF to run new cmd scripts, so it won't require me to click on the def+ popup each time ...

You can create wildcard rules with MD that would cover these cmd scripts.

YoKenny

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #13 on: March 07, 2010, 12:55:57 AM »

And in spite of all these good intentions, and tests against questionable threats, you had better have an imaging program and backup regularly, because the malware community is usually a step ahead of the security community.  :)  

This reflects my opinion as well . Sam Spade`s opinion still holds true for me http://samspade.org/d/firewalls.html

Please watch the 2 10 minute videos:
http://www.besttechie.net/2008/08/20/malwarebytes-developer-interview <== software firewall discussion starts about 8 minutes into the first video

sss

  • Guest
Re: Not trolling just really want an honest discussion
« Reply #14 on: March 07, 2010, 08:58:20 AM »
Thanks Cloussau & Yokenny for the links.
That article (& the link given on the article's page) & the two videos leaves users something more to think about.
The articles are old but the arguments there seem relevant to the present situation.
The view expressed in the videos which are much newer is very much consistent with the article.