Poll

Do you want automatic sandboxing (virtualization) to increase avast protection?

Yes. Make it available (on by default, i.e., for all users).
Yes. Make it available (off by default, i.e., for advanced users only).
No, I think the "default allow" policy (signatures, rules, etc.) is enough.
I don't understand the difference (please, post your doubts).
Other (please, post your opinion and why).

Author Topic: The future of avast protection  (Read 186364 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re "b) the cloud (community) technology could be used to populate these whitelists."
I don't think it's a good idea to rely on a collective opinion so-called "cloud" to determine whether or not a file is sandboxed, especially in regard to identifying true "zero-day" malware.
Please, Vladimir, it's NOT opinion, the cloud is the source of files to get whitelisted by avast team...

"Whatever not in the whitelist of trusted sources (an executable file, an installer, a script, etc.) could generate a question to the user in order to allow or deny."
Say I'm the first in the world (lucky me!) to see a particular brand-new previously unseen malware flagged by avast! I'm given the option. I choose not to run it in the sandbox. It is added to the "cloud" whitelist. For the next avast! user who comes across the same file, (1) my input is of no benefit because avast! devs wisely consider a representative sample of one to be inconclusive, or (2) "benefits" from my input by having his/her PC infected, just like mine.
C'mon... I advocate that security is for specialists and not polls. Cloud is source, analysis is for specialists.

more thoughts soon...
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Basically I agreed with your ideas, but again we should consider beginner or common users who are not really advanced in terms of technical problems.
But the common user will have, at least, the final question to allow or deny.
Without it and without avast detection, the user - advanced or not - gets infected without having a chance...

It would become an obstacle for the avast team in terms of providing support to avast users, and I keep choosing awareness of users to run and operate this feature with avast if the user understands and realizes how to operate this feature.
A single page of a help file will tell how it works. We manage tons of other technical problems/issues of avast to help users.

I don't agree with automatic sandboxing, because if some application is blocked by automatic sandboxing it would look like a very strict antivirus system, and users who do not understand this feature won't like to use avast in the future and will blame avast as a highly false-positive antivirus like other brands.
It's a real point. The user could take the popups as false positives... but, indeed, they are just 'unknown' files (not yet classified as clean or infected).
But, look, which are these other brands? False positives are common in brands that do not use a "deny default" policy; on the contrary, false positives are huge when we have aggressive heuristic analysis.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Yes, recognized antivirus might do the trick. A legacy is what you have after someone has died.
I'll try "signature antivirus". Legacy is a depreciative word indeed (http://en.wikipedia.org/wiki/Legacy_system).

Yes they do. And their situation colours even the most well-intentioned vision, leading to development and implementation of techniques that may well enhance the usability of their own product, but will not necessarily be of similar benefit (and may indeed be detrimental) for users of another security product, especially one with 'spadeloads' of usability, like avast!
It's another technology, maybe the users need to get used to it.

That said, if avast! were to have any sort of automatic sandboxing of unsigned/un-whitelisted files, the idea of having different options or settings for "noobs", advanced users, etc, could be addressed something like this.
Logging in as a user with Admin or Power User privileges, avast! would prompt to say,
"Unsigned/un-whitelisted files will be virtualized by default. Tick the box to switch this feature off."
Logging in as Standard User, no prompt, no default virtualization. Limited user privileges should (at least on Windows 6 & 7) be sufficient to protect the system.
Any comments?
I liked this idea very much. I don't think avast should aware the users, but, indeed, it (the sandboxing) could work only in admin accounts. Very good point.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
NO!
Why not? Don't you want to be at least alerted when you get a zero-day infection?
The best things in life are free.

AdrianH

  • Guest
NO!
Why not? Don't you want to be at least alerted when you get a zero-day infection?

I just do not think that adding more and more features is necessarily a good thing. avast! works very well as it is. I, like most people, have at least one other application running to double check content and feel no need for anything else. Make the free version too complicated, have too many features to set/check/understand and you lose users. If I wanted a suite of tools I would go for a security suite, but having used several of these previously and seen the problems they can cause I want a good, reliable but simple AV, which at present avast! is.

Keep it simple, do one thing well not many things poorly.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Ok Adrian. But... are we talking about being simple and getting infected? Is it worth it?

By the way, RejZor's comment about automatic sandboxing in Comodo forum:
https://forums.comodo.com/news-announcements-feedback-cis/cis-does-well-against-nis-t62591.0.html;msg442385#msg442385
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
As per the semi-annual security report of a German security vendor G Data, the amount of new malware applications made a record for H1-2010 with more than a million registered in just six months alone.

The report reveals that during H1-2010, G Data detected 1,017,208 new malware, an increase of 51% over the H1-2009. Strong growth should result in the emergence of more than 2 Million new malicious codes in the complete 2010.

http://www.gdatasoftware.co.uk/uploads/media/GData_MalwareReport_2010_1_6_EN.pdf
http://spamnews.com/The-News/Latest/First-Half-of-2010-Records-More-Than-Million-New-Viruses-2010092213782/
The best things in life are free.

AdrianH

  • Guest
Ok Adrian. But... are we talking about being simple and getting infected? Is it worth it?

By the way, RejZor's comment about automatic sandboxing in Comodo forum:
https://forums.comodo.com/news-announcements-feedback-cis/cis-does-well-against-nis-t62591.0.html;msg442385#msg442385

No, simple but effective. I have 3 machines running 24/7/365 here and in the last 27 months have seen no malware of any description make it on to a drive.

Common sense also has to be a big part of internet use. Thinking that if you have an AV system means you can go anywhere, open anything is the reason for the majority of problems.

Hermite15

  • Guest
NO!
Why not? Don't you want to be at least alerted when you get a zero-day infection?

I don't get zero day things ;D but I still wouldn't mind the auto-sandboxing as an option, more a geek-like feature than a necessity to be honest. Average Joe would never use that...and in automatic mode, average Joe would be lost if the sandboxing messes with programs...which can happen at startup, bringing new problems that only an advanced user can solve.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
No, simple but effective. I have 3 machines running 24/7/365 here and in the last 27 months have seen no malware of any description make it on to a drive.
Sure. Your personal experience is infection-free. That does not change avast detection rate and protection level though...

Common sense also has to be a big part of internet use. Thinking that if you have an AV system means you can go anywhere, open anything is the reason for the majority of problems.
Sure again. Others of us live a little bit more dangerously :)
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Average Joe would never use that...and in automatic mode, average Joe would be lost if the sandboxing messes with programs...which can happen at startup, bringing new problems that only an advanced user can solve.
Average Joe gets infected :)
The best things in life are free.

Hermite15

  • Guest
Average Joe would never use that...and in automatic mode, average Joe would be lost if the sandboxing messes with programs...which can happen at startup, bringing new problems that only an advanced user can solve.
Average Joe gets infected :)

very probably yeah, I won't deny that...and you won't get him/her use a sandbox, not mentioning that a sandbox must be managed... those who can't run NoScript (just an example) won't run an Avast sandbox either...for management reasons mainly, they won't be aware of and don't want to be bothered with either. Now I don't dismiss the benefits of sandboxing, at geek level exclusively as third party apps (Comodo or Avast) offering it can fail, and do fail very often. The only acceptable and viable sandboxing future (for everyone) will go through the full integration of virtualization in Windows by Windows, i.e. most likely introduced by Microsoft themselves in Windows 8, or whatever it will be called.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
and you won't get him/her use a sandbox, not mentioning that a sandbox must be managed...
That's the "automatic" part of the solution :)
See here http://forum.avast.com/index.php?topic=64445.msg544785#msg544785 a recent failure of avast.
Even the samples were submitted to them and nothing. I heard a lot of reports of avast failure here in Brazil.

Now I don't dismiss the benefits of sandboxing, at geek level exclusively as third party apps (Comodo or Avast) offering it can fail, and do fail very often.
Where is it failing?

The only acceptable and viable sandboxing future (for everyone) will go through the full integration of virtualization in Windows by Windows, i.e. most likely introduced by Microsoft themselves in Windows 8, or whatever it will be called.
A way to use Windows to get rid of Windows ;D
The best things in life are free.

Hermite15

  • Guest
The only acceptable and viable sandboxing future (for everyone) will go through the full integration of virtualization in Windows by Windows, i.e. most likely introduced by Microsoft themselves in Windows 8, or whatever it will be called.
A way to use Windows to get rid of Windows ;D

I would be tempted to return the compliment, if you can't understand... ;D

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
That said, if avast! were to have any sort of automatic sandboxing of unsigned/un-whitelisted files, the idea of having different options or settings for "noobs", advanced users, etc, could be addressed something like this.
Logging in as a user with Admin or Power User privileges, avast! would prompt to say,
"Unsigned/un-whitelisted files will be virtualized by default. Tick the box to switch this feature off."
Logging in as Standard User, no prompt, no default virtualization. Limited user privileges should (at least on Windows 6 & 7) be sufficient to protect the system.
Any comments?
I liked this idea very much. I don't think avast should aware the users, but, indeed, it (the sandboxing) could work only in admin accounts. Very good point.
Glad you liked it. ;)

For many people who just want to, or have to, use a PC, effective AV protection is proportional to their threshold of annoyance/patience. If they think the AV is making their PC slow down, or boxes with questions they don't understand keep popping up, they'll just click anything to get rid of the message or turn the protection off.
 
Like everything devised by human beings, AV protection is a compromise. User friendliness and the quest for usability will generally result in a level of allowable risk being tolerated. Sandboxing by default aims to reduce this risk by taking more responsibility away from the user and putting it in the hands of what is essentially a glorified IF, THEN, ELSE engine, albeit a highly developed and multifaceted one. Such an idea might seem attractive at first, especially if your product has a reputation for annoying popups (insert CIS experience here ;D) but in the end it may turn out to be just as frustrating for the user as the cryptic warning popups it was supposed to diminish.
As for avast! users who are not accustomed to their PC sessions being interrupted by questions from their AV, the implementation of such a measure would need to be faultless.
A false sandboxing is an FP, a legit program that may not work properly sandboxed.
« Last Edit: September 29, 2010, 04:38:25 AM by Vladimyr »
“There is a way that seems right to a man,
       but in the end it leads to death.” - Proverbs 16:25