Poll

Do you want automatic sandboxing (virtualization) to increase avast protection?

Yes. Make it available (on by default, i.e., for all users).
Yes. Make it available (off by default, i.e., for advanced users only).
No, I think the "default allow" policy (signatures, rules, etc.) is enough.
I don't understand the difference (please, post your doubts).
Other (please, post your opinion and why).

Author Topic: The future of avast protection  (Read 138629 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
The future of avast protection
« on: September 26, 2010, 10:22:28 PM »
I'm not a friend of long posts  8)
But let's make an exception, as I think the subject is worth it.

Nowadays, avast virus analysts receive more than 50.000 samples per day!
Although a lot of work is automated, signatures, behavior analysis, code virtualization... aren't enough.

The avast policy is "default allow" (as all other legacy antivirus), i.e., what is not blacklisted, allow; what is not blocked in the signatures and rules (behavior shield) is allowed to run.

I'm asking for a double behavior or, in other words, a "default deny" policy, i.e., what is not whitelisted, block; what is not in the trusted list of avast should be denied.

This could be achieved by the sandbox technology of avast 5.
Whatever not in the whitelist of trusted sources (an executable file, an installer, a script, etc.) could generate a question to the user in order to allow or deny.

The scheme would be:

file > scanned by avast antivirus > if it is malware, proceed to the automatic actions set (like it is today).
                                  > if it is not in the whitelists, automatic sandbox to protect the computer.

The drawbacks (cons) of the generated popups could be reduced:
a) the whitelists could be updated frequently, new clean files added.
b) the cloud (community) technology could be used to populate these whitelists.
c) pre-scanning of avast could mark the "unknown" files (and upload them for analysis).
d) it could be, of course, an opt-in setting of avast, and any automatically sandboxed file could be "removed from sandbox" if the user wants/needs.

I understand the sandbox is part of the paid (pro) antivirus.
Maybe the automatic sandbox (only) could be available for free users (just not the on-demand sandbox, which is now only for pro). The sandbox is highly configurable, and the automatic one could be a simpler version of the on-demand (current) one: more or less a "run as limited user", avoiding infection by unknown malware.

This could be an improvement of zero-day detection and the solution to misdetection (as no antivirus is perfect...).

avast team suggestions/criticism are (also) welcome!


Edited: I've changed the name of the thread from Do you want automatic sandboxing and cloud to increase avast protection? to a more comprehensive one due to the discussion.
« Last Edit: October 10, 2010, 08:08:16 PM by Tech »
The best things in life are free.
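To make the proposed scheme concrete, here is an added toy policy engine (not avast code, and not from the original post) that runs the same constructed set of files through the current "default allow" flow and the proposed "default deny" flow; the hashes, whitelists, cloud prevalence counts and the trust threshold are all made-up placeholders.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    BLOCK = "block"      # signature hit: automatic action, as avast does today
    ALLOW = "allow"      # trusted (or, under default allow, simply not blacklisted)
    SANDBOX = "sandbox"  # unknown under default deny: run isolated
    PROMPT = "prompt"    # unknown under default deny with auto-sandbox switched off

@dataclass(frozen=True)
class FileInfo:
    name: str
    sha256: str        # constructed placeholder values, not real sample hashes
    signer: str = ""   # publisher on the code signature, "" if unsigned

# Constructed stand-ins for the signature database and the whitelists (hypothetical).
MALWARE_HASHES = {"deadbeef01"}
WHITELIST_HASHES = {"c0ffee0001"}
TRUSTED_SIGNERS = {"Example Software Ltd"}
# Hypothetical cloud prevalence: community installs seen running this hash (post's points b/c).
CLOUD_PREVALENCE = {"c0ffee0001": 150000, "abcd1234": 90000, "unknown99": 3}
CLOUD_TRUST_THRESHOLD = 50000

def is_whitelisted(f, use_cloud):
    if f.sha256 in WHITELIST_HASHES or (f.signer and f.signer in TRUSTED_SIGNERS):
        return True
    return use_cloud and CLOUD_PREVALENCE.get(f.sha256, 0) >= CLOUD_TRUST_THRESHOLD

def decide(f, policy, use_cloud=False, auto_sandbox=True):
    # The first stage is the same under both policies: a signature match triggers the
    # automatic action. The policies only differ for files that pass this stage.
    if f.sha256 in MALWARE_HASHES:
        return Verdict.BLOCK
    if policy == "default-allow":
        return Verdict.ALLOW           # not blacklisted, so it is allowed to run
    if is_whitelisted(f, use_cloud):   # default deny: only trusted files run freely
        return Verdict.ALLOW
    return Verdict.SANDBOX if auto_sandbox else Verdict.PROMPT

def compare(files, use_cloud=False):
    # Map file name -> (default-allow verdict, default-deny verdict).
    return {f.name: (decide(f, "default-allow").value,
                     decide(f, "default-deny", use_cloud).value) for f in files}

SAMPLES = [  # constructed examples
    FileInfo("known_malware.exe", "deadbeef01"),
    FileInfo("trusted_installer.exe", "c0ffee0001", "Example Software Ltd"),
    FileInfo("popular_tool.exe", "abcd1234"),   # clean but not yet on any whitelist
    FileInfo("rare_unknown.exe", "unknown99"),
]
```

Running `compare(SAMPLES)` with and without `use_cloud=True` shows the trade-off the post describes: default deny sandboxes every unknown file, and the cloud whitelist is what cuts the number of such files (and hence popups) down.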

Offline disPlay

  • Sr. Member
  • ****
  • Posts: 240
  • DISPLAY!
Quote
Yes. Make it available (on by default, i.e., for all users).

Why did I choose it?
Quote
b) the cloud (community) technology could be used to populate these whitelists.

Avast has a big user database; why not use this in their favor?
"The quieter you become, the more you are able to hear."

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Thanks disPlay. It seems that the poll is not popular... Too many views of the thread and few posts.
But never mind; the important thing is some advanced users' posts and, also, avast team posts.
The best things in life are free.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
I would be tempted to talk like Bob >>> "oh no...not another Comodo" thread ;)...because that's what it is basically. You're purely and simply referring again to CIS, and to the fact that it's free.

;D just about the automatic sandboxing of unknown processes/apps, I already suggested it here on Avast forums almost immediately after trying Comodo 4.0, so of course that's needed, and I'm almost sure that the devs @ Avast have already planned it.
Running apps sandboxed constantly is useless imo, unless you browse bad sites...purposely...or stupidly...and constantly. So again the automatic sandboxing of unsigned/unknown stuff remains the only interesting aspect.

This said, Tech, I'm quite happy that Avast is Avast and Comodo is Comodo, and I really don't want to see Avast work, feel, sound...like Comodo. They (Avast) will do it their own way, they're watching the competition too, so I won't bother voting here ;) As well, they probably have their own idea of the cloud, to be introduced in 5.1, and don't need to mimic Comodo.

ps: I mean "default deny" etc... this is all Comodo vocabulary, desktop bloated with popups and unneeded security software behavior >>> like you're ending up, after a new install, having to tell a hundred times that you trust the applications you've been using for a few years...or let them get sandboxed ;D The filter needs some work apparently ;D That's what Comodo Internet Security does. That makes the fans feel secure...the time wasted is not a problem because the kids are playing...so at least while they keep answering Comodo alerts, they're not bored ???

One last thing, I doubt Avast would make anything sandbox related available in the free version, not even "just" an automatic sandbox :D
w7 - ais7

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3624
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Of course Tech is referring to the Comodo Default Deny security policy ;)

But Avast already has a huge whitelist they internally test their updates against. So the idea is very interesting. I think I have to support it :)

Greetz, Red.
« Last Edit: September 27, 2010, 01:12:37 AM by Rednose »
OS: Win 7 x64 SP1 / Ubuntu / Qubes OS / iOS
Real Time: Avast Premier Beta + AMS for iOS Beta WinPatrol Plus Unchecky MCShield  HOSTS File: MVPS + MDL
On Demand: MBAM SUMo
Backup: Win 7 Image
Proxy: ASL VPN's Socks 5 Tor

Offline sded

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1718
  • Me llamo Ed
I'll throw in my $.02 also ;). I don't like sandboxing because it just defers the decision and seems more suitable for hobbyists than those who actually use their computer for things. You still need a source of additional information without making it too much of a nuisance. "Default deny" is just propaganda as a slogan. A security system is actually a sieve or processing: it allows by default anything that can't be eliminated by the current layer of the sieve so the next layer can attack it. It looks at signatures, be they ports&protocols, AV signatures including behaviors, whitelists, blacklists, HIPS signatures (the actions by a process that should cause an alert; see attachment for an example from OA) until it eventually gets down to a process that doesn't match anything in your library. Prevx, for example, does additional heuristics based on Program age and Popularity at this point. The reason all of these things are important in terms of evaluating protection is that eventually you get down to some processes that go to a user but have no information from all of the signatures and processing you have done. A very cursory evaluation indicates that the user will make errors as a percentage of those processes that get this far. The more residue, the more errors. So the idea that the sieve (AV) has no value because you can always catch it in the HIPS or sandbox is nonsense. Even the "security as a hobby" users like us have problems discriminating whether the rare events (uncharacterized alerts) are FA or Detection. And the "tests" (actually demonstrations) run as scenarios where all the popups are known to be malware do not really show anything about performance in the field either for the interested user or the hobbyist. The latest thing Comodo has done with their incessant propaganda is tempt me to try NIS. I credit Melih for finding OA, Softpedia, COU, etc. and now possibly NIS for me by the incessant raving on his site.
Even MRG has become useful and interesting since the Comodo fiasco.
« Last Edit: September 27, 2010, 01:56:13 AM by sded »
Windows 7 x64HP-SP1-No UAC, Opera 11.51, Avast! Internet Security 6.0.128, Webroot SecureAnywhere latest beta, Windows FW off, MVPS HOSTS, SAS/MBAM offline, Macrium Reflect just in case ;)

Offline superhumanbean

  • Poster
  • *
  • Posts: 414
Isn't that what the Secure Desktop feature that's coming out in 5.1 is? And yeah, this sounds an awful lot like Comodo ::)
Windows 10 Pro 64-bit / Intel Core i7-7700HQ CPU / 16 GB RAM / Avast Ultimate / MBAM Free

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3624
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Quote
Isn't that what the Secure Desktop feature that's coming out in 5.1 is?

Mmm no ;)

About the Secure Desktop, from Petr :

Quote
it will allow you to execute e.g. web browsers in more secure mode than in 5.0, it'd be executed in the separated desktop - with no icons, under our alternative shell (i.e. own explorer.exe), own taskbar, etc. This alternative desktop will be protected from keyloggers, screen captures and keeps your browsing activity isolated from other processes running on the normal desktop. This feature might be integrated into most common web-browsers as a plugin: e.g. if you go to www.abnamro.nl or www.dnb.nl sites (online banking), avast will open this page in the secured desktop automatically and protects your surfing from other applications.

Greetz, Red.
« Last Edit: September 27, 2010, 02:43:01 AM by Rednose »
OS: Win 7 x64 SP1 / Ubuntu / Qubes OS / iOS
Real Time: Avast Premier Beta + AMS for iOS Beta WinPatrol Plus Unchecky MCShield  HOSTS File: MVPS + MDL
On Demand: MBAM SUMo
Backup: Win 7 Image
Proxy: ASL VPN's Socks 5 Tor

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Quote
just about the automatic sandboxing of unknown processes/apps, I already suggested it here on Avast forums almost immediately after trying Comodo 4.0, so of course that's needed
Ok then, thanks.

Quote
and I'm almost sure that the devs @ Avast have already planned it.
Good. I never heard about it (yet).

Quote
so I won't bother voting here
It's up to you :)

Quote
ps: I mean "default deny" etc... this is all Comodo vocabulary, desktop bloated with popups and unneeded security software behavior
If you can't understand, just admit it. Don't worry :)
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Quote
So the idea is very interesting. I think I have to support it :)
Thanks Rednose for the support. This is what I meant: technology improvement.
The best things in life are free.

Offline MasterTB

  • Jr. Member
  • **
  • Posts: 78
I think the good approach would be to allow the user to run any unidentified process in the sandbox. I mean, for any process that is allowed to run once it has passed all of Avast!'s shields, the user should be given the option to run it in the sandbox and thus maximize security.
That way users are not forced to run processes in the sandbox, but if they want to -because it is a new process or some rogue process that by some clever technique bypassed Avast!'s shields- they can run it sandboxed just in case.

Martin.-
Running Avast! IS on a Windows 7 Ultimate x64 PC
Phenom II x6 1090T @4.05 GHz.
Asus Crosshair V Formula
8GB Kingston DDR3 @1638 MHz.
2x Sapphire HD 6870 OC CrossfireX
Creative X-Fi Fatal1ty Extremegamer Pro
LG 24" LED Monitor
OCZ Vertex 2 SSD
2x 1TB WD Caviar Black HDD
ASUS DVD-RW Drive

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Quote
So the idea that the sieve (AV) has no value because you can always catch it in the HIPS or sandbox is nonsense.
sded, I respect your opinion. But I'm not saying the AV has no value. It's not my opinion.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
About the Secure Desktop, from Petr :

Quote
it will allow you to execute e.g. web browsers in more secure mode than in 5.0, it'd be executed in the separated desktop - with no icons, under our alternative shell (i.e. own explorer.exe), own taskbar, etc. This alternative desktop will be protected from keyloggers, screen captures and keeps your browsing activity isolated from other processes running on the normal desktop. This feature might be integrated into most common web-browsers as a plugin: e.g. if you go to www.abnamro.nl or www.dnb.nl sites (online banking), avast will open this page in the secured desktop automatically and protects your surfing from other applications.
Very good idea for banking security. Although it's not an automatic sandbox for all unknown applications, just for sites, am I wrong?
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Quote
I think the good approach would be to allow the user to run any unidentified process in the sandbox. I mean, for any process that is allowed to run once it has passed all of Avast!'s shields, the user should be given the option to run it in the sandbox and thus maximize security.
Precisely, that's the idea!
The best things in life are free.

Offline sded

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1718
  • Me llamo Ed
Quote
So the idea that the sieve (AV) has no value because you can always catch it in the HIPS or sandbox is nonsense.
sded, I respect your opinion. But I'm not saying the AV has no value. It's not my opinion.

Sorry Tech, I did not intend to make my comments specifically about your opinions; just to suggest that there is a lot of self-serving propaganda out there that needs to be carefully evaluated as to accuracy and motivation. As in threads like "Is the AntiVirus biggest fraud in the security world?".
« Last Edit: September 27, 2010, 03:44:52 AM by sded »
Windows 7 x64HP-SP1-No UAC, Opera 11.51, Avast! Internet Security 6.0.128, Webroot SecureAnywhere latest beta, Windows FW off, MVPS HOSTS, SAS/MBAM offline, Macrium Reflect just in case ;)