Poll

Do you want automatic sandboxing (virtualization) to increase avast protection?

Yes. Make it available (on by default, i.e., for all users).
Yes. Make it available (off by default, i.e., for advanced users only).
No, I think the "default allow" policy (signatures, rules, etc.) is enough.
I don't understand the difference (please, post your doubts).
Other (please, post your opinion and why).

Author Topic: The future of avast protection  (Read 163491 times)

0 Members and 1 Guest are viewing this topic.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Polonus, the on demand sandboxing of browsers is a protection measure.
But with automatic sandboxing we're trying to get protection for the zero-day attacks, unknown/undetected malware.
About n00b and advanced users: at least the user has a final possibility (an alert) to block the malware (allow/deny). Right now, the malware could pass the antivirus protection and the user get infected anyway. With the alert, at least, 50% of chance to block the malware :)
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
avast has lack of Whitelist in someway. if it had a whitelist beside their blacklist, it was much easier for them to collect 'unknown' files. I mean, when I scan a folder with a nice antimalware, in the scan result it says (For example) "We Scanned 100 files, 33 Known Clean, 33 Malware and 34 unknown files" and give me options to send these 34 unknown files to their Analysis desk with my comment.
You've got the point. That is what I (we) want.

I know such thing will need many many resources. also same for Firewall or any other components. a Firewall may have an option that use predefined rules do default allow or dent per program depending on the whitelist or blacklist...
Well, the avast firewall does not ask frequently. But it is based on what? I mean, the whitelist, why an application is allowed to connect or blocked? Seems that only 'infected' files are blocked (by the antivirus) and not by the firewall. Seems that outbound protection is decided by the antivirus and not by the firewall (or user).

when I say a well programed Sandbox I mean every sandbox being customizable like their access to hard drive, internet etc. or run windows services normally or... (Sandboxie cannot run services must of times). so with that quality of sandbox you can run your bowser in a isolated place, isolated like a Virtual Machine which even every kind of sites or plugin don't be able read even 1 bit of your hard drive.
For sure we need customization and not a complete sandbox that avoid using the program. Automatic sandbox should just reduce the access rights, drop/execute some files, etc.

some times Sandboxes cause more problem than having benefits like additional popup from them or fail to run programs or....
Of course we're not talking about a bad sandbox or bad implementation/usability of the software.

but after a while you will list most of them and you will just need to works for newly created files from now on...
Yeah. The whitelist improvement using the cloud (community) can make it less intrusive and annoying.
The best things in life are free.

Offline Bellzemos

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 621
I didn't take time and read all the posts, so I have one question - is it possible that this sandboxing function (if it will be implemented) could cause trouble if user is using another sandboxing program with Avast! (like me for example, I use Sandboxie)? Thank you.
Intel Core i7 Q 740 @ 1.73 GHz, 6 GB RAM, Windows 7 Ultimate x64 SP1, Avast! Free Antivirus, Malwarebytes Anti-Malware (free version) and Sandboxie (paid version).

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
I didn't take time and read all the posts, so I have one question - is it possible that this sandboxing function (if it will be implemented) could cause trouble if user is using another sandboxing program with Avast! (like me for example, I use Sandboxie)? Thank you.
Yeah. That situation must be studied. There must be an exception in one of the programs.
But, look, the automatic sandboxing are for new (unknown) programs and not for the ones already sandboxed on demand with other sandbox programs.
The best things in life are free.

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3060
Hi Tech,

Good that you are trying to bring up some new ideas. Here is my take at it, I have tried to look at in all angles, might have missed some ;):

Power, Delay and Area are the main constraints in any integrated chip(IC). They are the three corners of a triangle. If you want a good IC, place your circuit design at the centroid of the triangle - you will have a balance with all the three. Same is the case with any software. Protection, Delay and Memory are the three main constraints with any anti-virus. Right now avast is almost at the centroid of the triangle(at least the free version which I use, don't know about other versions). You try to add anything new, for eg, the sandbox thing, it increases protection, I agree, but at the cost of delay and memory. You try to increase one thing, you will get one or both of the other parameters affected. So think what you want ;)

Next,

I can see an option to vote for "all users" For this to be in reality, people who design, need to extensively do research work how effectively they can do it -they may have to setup new automations to detect the "right" thing  etc. Otherwise the zbot FP which once had occurred will happen often.

I can see an option to vote for "advanced users only" - I will not assume that you mean paid users. In fact, if you think a bit more, you will observe that advanced users seldom need such a thing, unless they don't know what they are doing, for which there is the normal sandbox option.

I really dont know how many layers avast guys are using to detect the file wether it is legitimate or not. So I really cant comment on this. But I can give you setup files(thousands) and exes(infinite) which don't have a signature. So decide which you want ;)

I have all these things in my mind, the pros and cons. I may need help, if, I really want the new sandbox thing - If avast does it, I think I will need it, else I think its just fine. Finally, I haven't got an infection from the day have been using the PC with avast!.

Offline Bellzemos

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 621
Yeah. That situation must be studied. There must be an exception in one of the programs.
But, look, the automatic sandboxing are for new (unknown) programs and not for the ones already sandboxed on demand with other sandbox programs.

Well, in short I'd say it's a good idea, but there must be an option in Avast! AV to turn it's sandboxing function off (for anyone who doesn't want/need it).
Intel Core i7 Q 740 @ 1.73 GHz, 6 GB RAM, Windows 7 Ultimate x64 SP1, Avast! Free Antivirus, Malwarebytes Anti-Malware (free version) and Sandboxie (paid version).

sded

  • Guest
I actually do use a couple of (sort of) sandboxes currently.
One is Google Chrome.  It generates a new process for each tab, so that individual websites do not bring down the whole system.  I haven't found any downside to that one yet.
Another is Online Armor Run Safer, that reduces the privileges of a process to local user, and will do it automatically for new processes if you choose.  Downside is that when you want to use a browser for upgrades or installations, for example, you need to up the privileges again or do it from Windows Explorer.
Do these count as automatic sandboxing?  The question covers a lot of territory, and the answer mostly depends on the trade of security vs impact on your normal operations-how you use your system, as usual. And the features and quality of the design.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Good that you are trying to bring up some new ideas.
Many thanks. Hope other users can think/feel the same.

Protection, Delay and Memory are the three main constraints with any anti-virus. Right now avast is almost at the centroid of the triangle(at least the free version which I use, don't know about other versions). You try to add anything new, for eg, the sandbox thing, it increases protection, I agree, but at the cost of delay and memory. You try to increase one thing, you will get one or both of the other parameters affected. So think what you want ;)
You're fully right. We all know that protection requires resources.
But I need a technical answer from avast team. Maybe Vlk or Igor, or pk (the sandbox developer).
As avast is weak on binaries detection (there are a lot of complains regarding to this and comparing avast with Avira), the automatic sandboxing could increase protection for executables. We need to know if the sandboxing could be implemented in a reasonable way to not make the system bloat...

I can see an option to vote for "all users" For this to be in reality, people who design, need to extensively do research work how effectively they can do it -they may have to setup new automations to detect the "right" thing  etc. Otherwise the zbot FP which once had occurred will happen often.
Because of this, there is the second option for advanced users :)

I can see an option to vote for "advanced users only" - I will not assume that you mean paid users.
I can't ask avast to make the sandbox present in the free version.
So I'm asking them to release a "smaller/simpler" version of the sandbox, just to increase protection of the free version. The on demand and full sandbox could be only for paid users.

In fact, if you think a bit more, you will observe that advanced users seldom need such a thing, unless they don't know what they are doing, for which there is the normal sandbox option.
After the whitelist is well adopted and spread, we can think in releasing the technology for everybody.

I really dont know how many layers avast guys are using to detect the file wether it is legitimate or not.
Digital signatures and a whitelist of trusted manufacturers.

So I really cant comment on this. But I can give you setup files(thousands) and exes(infinite) which don't have a signature. So decide which you want ;)
An initial scanning of the system could reduce this (upload and checking).
Also, the list of manufacturers isn't infinite.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
But there must be an option in Avast! AV to turn it's sandboxing function off (for anyone who doesn't want/need it).
Sure, sure, sure.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Online Armor Run Safer, that reduces the privileges of a process to local user, and will do it automatically for new processes if you choose.
Wow... Maybe it is similar of what I'm looking for... Although I'll need to change avast firewall for Online Armour :-\ :-[

Downside is that when you want to use a browser for upgrades or installations, for example, you need to up the privileges again or do it from Windows Explorer.
I'm looking for protection, i.e., new/unknown files and not for on demand sandboxing. For that, there is sandboxie :)

Do these count as automatic sandboxing?
More or less. We need a whitelist... not all the "new" processes are "unknown" processes in terms of security.
The best things in life are free.

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 86803
  • No support PMs thanks
But there must be an option in Avast! AV to turn it's sandboxing function off (for anyone who doesn't want/need it).

Well that function is already there for the existing module surely, through the add remove programs, change and uncheck the sand box module to completely remove it.

Or Stop it in the Real-time Shields, Process Virtualization. Of course that would probably place an exclamation mark ! on the avast icon. In which case you would have to stop monitoring it in the avast Settings, Status Bar, components monitored section.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
I haven't played around with the sandbox enough to even know what to say here, but I believe that if they automatically sandbox programs, it will likely cause problems with certain software, and beginner users won't know how to fix the problems.

However, for people that know what they're doing it would be a great addition to the program, provided that it gives full control to the user so that they can whitelist / blacklist whatever they want.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

CharleyO

  • Guest
***

After reading all the posts above, I voted for "Yes. Make it available (off by default, i.e., for advanced users only)."

In the hands of a person who does not know/understand the implications of sandbox usage, it could present problems with "on by default."


***

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3060
Hi Tech,

We speak about many things Tech. But implementing it in the "right" way is a pain in the rear - viz, but not limited to, money for research work, setup new automations etc. All of a sudden nothing can be done - I know you don't expect that to happen. But a step approach is a better way of thinking(which people at avast are already thinking- might be :-\): Better behavior shield, Avast community - which might add up to the process of setting up this new approach indirectly.

We have to only hope, may be, that this topic gives some motivation to developers.:)

spg SCOTT

  • Guest
I have only a basic knowledge of the sandbox in general and what they are capable of...

For me, I would think that (at least) the option to default to sandbox everything new/unknown would be adding another layer of protection...

I like the idea of a sandbox and what it does, but before I think I can decide on whether it should be an option or just on by default I would have to know more about it...and also how this option would affect newer users to computers...

For instance, how does it cope with malware as it stands now?

Does the behaivior shield monitor the sandbox, and does it watch for things like it does normally on the pc.

I think that would be a great use of the sandbox, to when running unknown files to watch what they do and what they try to change.
So if you were to run a file that was undetected by scans in the sandbox, but would be caught by monitoring what is modified and changed, so if it tried to modify a system file, it would prevent/block this before it happened, as opposed to running the file and the doing a scan and seeing the Win32:patched later on after the fact.

Although I could simply be grasping at straws here and completely missing the point of the sandbox...

Scott