Poll

Do you want automatic sandboxing (virtualization) to increase avast protection?

Yes. Make it available (on by default, i.e., for all users).
Yes. Make it available (off by default, i.e., for advanced users only).
No, I think the "default allow" policy (signatures, rules, etc.) is enough.
I don't understand the difference (please, post your doubts).
Other (please, post your opinion and why).

Author Topic: The future of avast protection  (Read 185215 times)

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #165 on: October 02, 2010, 07:03:15 PM »
So, basically it will work in a similar way as firewall auto allow/deny behavior. Just for binaries and not network connections with end result, files being run inside sandbox. Makes sense. I think Kaspersky 2011 is working in a similar way, though I haven't tested it yet. Or shall I say, inverted Comodo Sandbox. It restricts applications but not all by default but those that are suspicious.

Correct. But of course, the success of all this depends on the heuristics engine and its efficiency.

BTW I don't think Kaspersky 2011 is doing this, at least I haven't heard about it doing this.
If at first you don't succeed, then skydiving's not for you.

Hermite15

  • Guest
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #166 on: October 02, 2010, 07:21:10 PM »
Wanted to ask something but reading the last paragraph of your post that I stupidly skipped first, I see that this is already answered. Yeah I couldn't imagine the heuristic engine behave differently in the "free" version that doesn't have a sandbox, and you're saying that the core functionality of the sandbox will be moved to the "free version" so I got my answer. Off topic here: I suppose that this also means that "on demand sandboxing" will remain a "pro-feature". Doesn't bother me... just saying.

Offline Vlk

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #167 on: October 02, 2010, 07:35:32 PM »
Wanted to ask something but reading the last paragraph of your post that I stupidly skipped first, I see that this is already answered. Yeah I couldn't imagine the heuristic engine behave differently in the "free" version that doesn't have a sandbox, and you're saying that the core functionality of the sandbox will be moved to the "free version" so I got my answer. Off topic here: I suppose that this also means that "on demand sandboxing" will remain a "pro-feature".

Yes, correct.
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #168 on: October 02, 2010, 07:44:38 PM »
Thanks for coming Vlk.
My hope was almost at the end... Seems we can still hope... Really, it was almost at the end.

This thread is becoming quite bloated but that only demonstrates that topics like this are popular here. Which is a good thing.
I didn't intend that.

We just doubt that the outcome of implementing these changes would be good.
Any technical reasons? I mean, the implementation of an automatic sandbox will bring technical issues - besides the well known false positives and user interaction - that will make it unworthy in terms of security?

Anyway, maybe it's a good time now to share some of the upcoming avast product plans with you (at least those changes relevant to this thread).
Thanks for sharing.

New stuff in the Behavior Shield - but none of these features are that related to the topic of this thread).
Can you open a new one regarding this? I mean, the behavior shield?

V5.1's main feature is the central administration (i.e. a feature not really interesting to end users) - and it will also be marketed this way (as a corporate product, essentially).
Good.

Now, with Avast 6.0 (which is coming sooner than you may think)
:)

Avast 6.0 will feature the in-the-cloud heuristics based on the age/prevalence data (as suggested above by sded) as well as new stuff related to the use of our sandbox. But, instead of using the "default deny" paradigm that Comodo is trying to advertise so much, avast will work differently. It will rely on its heuristics engine to make decisions whether an executable file should run sandboxed or not.
Wow... It's not bad. So, regarding the behavior, the program will run sandboxed automatically? ???

Let me explain this in a bit more detail. Currently, the outcome of the scan is pretty much binary - either the file is called "clean" (and is allowed to run), or it is flagged as "infected" (and appropriate actions are applied - and the file isn't allowed to run). This also applies to heuristics detections. Now in avast 6.0, the outcome could also be "potentially infected, use extreme caution" and this case, when talking about an on-exec scan, will (by default) be handled by sending the file into the sandbox.
Perfect! That's a very good thing.
Probably better than what I was proposing from the beginning.
If the rules for that (i.e., for the behavior shield to take this decision) are good enough, this will increase the protection against zero-day attacks.
Thanks!

If the program is legitimate, it has a good chance of running OK inside the sandbox (and of course you, as a user, can always override the decision and run it normally). And if it's really malware, avast has just saved your butt.
Great!

What may be of special interest, also, is that this is how it's going to work even in the free version (which means that the core functionality of the sandbox will likely be moved to the free AV).
Wow! Another dream is coming true!
Thanks again! Fantastic movement...!
The best things in life are free.

Offline Lisandro

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #169 on: October 02, 2010, 07:46:49 PM »
But of course, the success of all this depends on the heuristics engine and its efficiency.
Sure, that's the point.
I suppose that proactive tests will test this technology. Am I wrong?
The best things in life are free.

Offline Lisandro

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #170 on: October 02, 2010, 07:48:04 PM »
I suppose that this also means that "on demand sandboxing" will remain a "pro-feature".
Yes, correct.
Fantastic movement. Really appreciate.
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #171 on: October 02, 2010, 07:57:13 PM »
Vlk, I think Kaspersky is doing more like Comodo, than full sandboxing. It just restricts the access rights of the suspicious files. I'm sure I've seen that somewhere hm...
Visit my webpage Angry Sheep Blog

Offline Lisandro

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #172 on: October 02, 2010, 08:02:25 PM »
Vlk, I think Kaspersky is doing more like Comodo, than full sandboxing.
On access or just on demand?

It just restricts the access rights of the suspicious files.
Basically what CIS automatic sandbox does: restricts access rights.
The best things in life are free.

Hard_ROCKER

  • Guest
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #173 on: October 02, 2010, 08:14:00 PM »
Thanks for the info Vlk, yet again I am impressed with your approach (avast!'s). This all sounds very interesting, cannot wait to test avast! 5.1 but especially 6.0. :)

Offline Vlk

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #174 on: October 02, 2010, 08:40:54 PM »
Thanks for coming Vlk.
My hope was almost at the end... Seems we can still hope... Really, it was almost at the end.

I'm actually on holidays in Greece, hence my slow reaction times.
Additionally, Igor, Pavel and kubecj (among others) are in Vancouver at the VB conference...
So much for the apology for our recent absence here.

We just doubt that the outcome of implementing these changes would be good.
Any technical reasons? I mean, the implementation of an automatic sandbox will bring technical issues - besides the well known false positives and user interaction - that will make it unworthy in terms of security?

Yes, very good reasons for that.

I believe that one of the key drivers of avast's success is its relative autonomy and unobtrusiveness. You have to realize that with the 100M+ userbase, your users are no geeks. In fact, they are people who assume avast would do its job (= keep the machine clean from malware) but also that it wouldn't mess with anything the user does. Introducing quite radical measures such as running all unsigned/unknown binaries in a sandbox would admittedly generate a lot of confusion and is generally not compatible with our vision of transparent security.

At least that's what my intuition tells me.

Avast 6.0 will feature the in-the-cloud heuristics based on the age/prevalence data (as suggested above by sded) as well as new stuff related to the use of our sandbox. But, instead of using the "default deny" paradigm that Comodo is trying to advertise so much, avast will work differently. It will rely on its heuristics engine to make decisions whether an executable file should run sandboxed or not.
Wow... It's not bad. So, regarding the behavior, the program will run sandboxed automatically? ???

Either automatically or (more likely) give a recommendation to run sandboxed, with the user being able to override this decision.

Perfect! That's a very good thing.
Probably better than what I was proposing from the beginning.
If the rules for that (i.e., for the behavior shield to take this decision) are good enough, this will increase the protection against zero-day attacks.

Yes, that's the point.
The new heuristics for this is actually quite powerful, as it's taking into account a lot of things happening on the PC. I would call it "full context heuristics" (sorry, can't disclose too many details without helping the competitors ;)).

What may be of special interest, also, is that this is how it's going to work even in the free version (which means that the core functionality of the sandbox will likely be moved to the free AV).
Wow! Another dream is coming true!
Thanks again! Fantastic movement...!

This goes hand in hand with our "promise" of keeping all the core protection features even in the free product. If the sandbox technology is needed to tackle the zero-day malware problem, then it needs to be also in the Free AV.


Thanks
Vlk
« Last Edit: October 02, 2010, 09:12:22 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #175 on: October 02, 2010, 09:06:44 PM »
Introducing quite radical measures such as running all unsigned/unknown binaries in a sandbox would admittedly generate a lot of confusion and is generally not compatible with our vision of transparent security.
So, basically, the biggest argument as usual, i.e., the usability of the software.
My hope was the option was there "for advanced users" (or opt-in) ;D

Either automatically or (more likely) give a recommendation to run sandboxed, with the user being able to override this decision.
This is perfect (with the limitations of full automatic sandboxing).
Will it have a sensitivity level? I mean, will the user be able to set how "sensitive" the behavior block should be to suggest a sandboxing?

The new heuristics for this is actually quite powerful, as it's taking into account a lot of things happening on the PC. I would call it "full context heuristics" (sorry, can't disclose too many details without helping the competitors ;)).
I can't wait for avast 6 :)

This goes hand in hand with our "promise" of keeping all the core protection features even in the free product.
I was thinking precisely of that when the concept of "same protection" came to my mind about automatic sandboxing.

If the sandbox technology is needed to tackle the zero-day malware problem, then it needs to be also in the Free AV.
I'm proud of not having lost hope!
Thanks Vlk. Well done. I'm really proud of the future plans, your policy and behavior.
The best things in life are free.

Offline Lisandro

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #176 on: October 02, 2010, 09:35:39 PM »
Vlk, what I can say is that the reaction to your post was immediate.
I've received a lot of IMs congratulating your attitude and policy, thanking avast for moving forward.
I'm happy to participate in this and will try to keep my policy also: learning and improving, moving forward.
A very happy avast day for all of us and waiting for next versions :)
The best things in life are free.

Jack 1000

  • Guest
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #177 on: October 02, 2010, 10:09:00 PM »
I'm not sure.  My doubts are how much would this slow down system RAM and speed?

Jack

Offline Lisandro

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #178 on: October 02, 2010, 10:13:00 PM »
I'm not sure.  My doubts are how much would this slow down system RAM and speed?

Jack
There will always be a compromise: higher protection, more resources are necessary.
But I think they are aware of this and won't compromise the performance.
In fact, there will be only some other "verifications" and a popup from time to time when a weird behavior occurs.

Now, for me, it is time to go to Prevx (thanks sded for the suggestion) and learn something about heuristics on the age and popularity of the sample :)
The best things in life are free.

Offline Lisandro

Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #179 on: October 02, 2010, 10:42:31 PM »
As far as zero day attack, I like the way Prevx handles it with heuristics on the age and popularity of the sample.
Hmmm, I thought it was a full trial for 30 days and then becomes free with limited features.
Is it shareware? What happens at the end of the trial period?
The best things in life are free.