Poll

Do you want automatic sandboxing (virtualization) to increase avast protection?

Yes. Make it available (on by default, i.e., for all users).
Yes. Make it available (off by default, i.e., for advanced users only).
No, I think the "default allow" policy (signatures, rules, etc.) is enough.
I don't understand the difference (please, post your doubts).
Other (please, post your opinion and why).

Author Topic: The future of avast protection  (Read 185734 times)


MAG

  • Guest
I'm not particularly geeky - but I always sandbox Firefox. It gives me a warm and secure feeling after reading forums like this, and installing Secunia PSI, which tells me that programs I have always thought safe (like Firefox and Flash player) are actually incurably vulnerable!

Virtualisation of Firefox gives me some problems (Flash player doesn't always work, program/add-on updates fail unless I exit sandbox, and sometimes it doesn't sandbox even though I tell it to). Even though I'm a bit of a noob I find the trouble worthwhile - and it is diminishing - at one time the sandbox used to BSOD the machine every time I closed Chrome or tried to run Flash in Firefox.

Offline RejZoR

  • Polymorphic Sheep
The automatic sandboxing approach like done in Comodo would require a massive overhaul of the entire avast! product which I don't see happening in the near future. However it would be imo possible to upgrade avast! Sandbox in a way that avast! would be monitoring behavior inside Sandbox and give that feedback to the user in a more understandable manner. So basically a behavior analyzer inside Sandbox. So users can run it like an on-demand scan and get some basic figure if the file executed is malicious or not. Because to be honest, even if you run it in the sandbox, it may look like it hasn't affected the system, yet it has installed something nasty in it. Pretty much like Comodo's CIMA, Norman Sandbox or ANUBIS online systems which tell you what the file is doing. I don't know, this seems like a more possible thing to happen as it would be built on top of existing tech and not something completely new.

Jahn

  • Guest
Hello Tech, I voted Yes. Make it available (off by default, i.e., for advanced users only).

While I've never used the Avast Sandbox, I would agree in principle that automatic sandboxing could be another useful layer of defense against malware for some users. Personally, I find sandboxes annoying because of the additional step(s) required to deem "wanted" files as safe so they will actualize on my hard disks. I already use Comodo HIPS on most systems (5 of 6), so sandboxing may be redundant, which is primarily why I don't use the Comodo Sandbox, either. Also, as mentioned elsewhere I use a Chromium based browser (Comodo Dragon), in which all TABS are virtualized, anyway. :)

Jahn

Dch48

  • Guest
I would be totally against any form of automatic sandboxing. The only way it would work is if there was an extensive whitelist that worked in every case so that essential files of things like games would not be prevented from doing what they need to do. Most games run in full screen so any alerts would not be seen if saved games were being sandboxed and then lost when the game was exited. The game mode would have to be revamped to shut off the sandboxing when in full screen. The problem there is that many people do not play the games in full screen mode but rather in a window. They do this to allow easier minimizing of the game to look things up on the net or to check for messages or mail that may have come in while they were playing. Making people have to manually turn off parts of your security app to do what they want to do on their machines is not the way to go.

To me the second most important thing any security application can do is stay out of your face and not interfere with or limit in any way what you can do with your computer. I spent a year dealing with and suffering through using Comodo as a gamer. The biggest thing that made me stop using CIS was the introduction of the automatic sandboxing that turned what had been a hassle for gamers into an absolute nightmare. I also had grown very tired of the HIPS alerts for totally safe things. I have had it with the default deny approach and never want to go back to using it.

If you could guarantee that there would be a large enough whitelist and a gaming mode that worked in every case then automatic sandboxing might be okay. I don't have much confidence that either of those things would be possible.

Offline essexboy

  • Malware removal instructor
I feel the biggest problem is that when novice users try to save files to disk and then lose them when the sandbox closes, it may very well tempt them to disable it.

Offline pk

  • Avast team
Quote
I feel the biggest problem is that when novice users try to save files to disk and then lose them when the sandbox closes, it may very well tempt them to disable it.

@essexboy: Are you sure? The avast sandbox detects what the user saves in the sandboxed apps and excludes them from virtualization automatically (see the "Automatically detect..." checkbox in Expert Settings). This works quite nicely - I like it. Also, most web browsers are supported and their download locations are detected & excluded.

Gargamel360

  • Guest
So, I read up a little on this idea. I answer no.

It seems a very secure idea. But it also seems like actually placing my security system ahead of my OS in priority, is that even a good idea? I mean, noob I may be, but that seems like screwed up priorities there, taking security a single step too far.

If some full-on Cyber War broke out I might be happy to have a system idea like CIS's, like hiding in a bunker when bombs are falling.  But unless Avast! could develop the greatest whitelist ever known (and keep it that way, indefinitely), I will continue to take my AV as-is.

Offline essexboy

  • Malware removal instructor
Quote
I feel the biggest problem is that when novice users try to save files to disk and then lose them when the sandbox closes, it may very well tempt them to disable it.

Quote
@essexboy: Are you sure? The avast sandbox detects what the user saves in the sandboxed apps and excludes them from virtualization automatically (see the "Automatically detect..." checkbox in Expert Settings). This works quite nicely - I like it. Also, most web browsers are supported and their download locations are detected & excluded.

Err, no, to be honest I have not used a sandbox function for years as it annoyed the hell out of me... But I will play with it now ;D

Offline Rednose

  • Pirate Party Member
Quote
The automatic sandboxing approach like done in Comodo would require a massive overhaul of the entire avast! product which I don't see happening in the near future. However it would be imo possible to upgrade avast! Sandbox in a way that avast! would be monitoring behavior inside Sandbox and give that feedback to the user in a more understandable manner. So basically a behavior analyzer inside Sandbox. So users can run it like an on-demand scan and get some basic figure if the file executed is malicious or not. Because to be honest, even if you run it in the sandbox, it may look like it hasn't affected the system, yet it has installed something nasty in it. Pretty much like Comodo's CIMA, Norman Sandbox or ANUBIS online systems which tell you what the file is doing. I don't know, this seems like a more possible thing to happen as it would be built on top of existing tech and not something completely new.

Although RejZoR describes it in more detail, we have the same idea :)

http://forum.avast.com/index.php?topic=52933.msg448936#msg448936

Greetz, Red.

« Last Edit: September 29, 2010, 12:12:03 AM by Rednose »
OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline Rednose

  • Pirate Party Member
About the Secure Desktop, from Petr:

Quote
it will allow you to execute e.g. web browsers in a more secure mode than in 5.0; it'd be executed in a separated desktop - with no icons, under our alternative shell (i.e. own explorer.exe), own taskbar, etc. This alternative desktop will be protected from keyloggers and screen captures and keeps your browsing activity isolated from other processes running on the normal desktop. This feature might be integrated into most common web browsers as a plugin: e.g. if you go to www.abnamro.nl or www.dnb.nl sites (online banking), avast will open this page in the secured desktop automatically and protect your surfing from other applications.

Quote
Thanks Rednose, for the informative quote. ;D

It is always difficult to decide what you can share and what not. As it answers your question, and we are close to a 5.1 ( BETA ) release, I hope Petr doesn't mind ;)

Greetz, Red.

Offline Lisandro

  • Avast team
Quote
Like everything devised by human beings, AV protection is a compromise. User friendliness and the quest for usability will generally result in a level of allowable risk being tolerated.
Sure. I think it is a balance. But, right now, I think we need to shift the balance a little toward protection and new technologies.

Quote
Sandboxing by default aims to reduce this risk by taking more responsibility away from the user and putting it in the hands of what is essentially a glorified IF, THEN, ELSE engine, albeit a highly developed and multifaceted one.
I'm not removing the protection of an antivirus. In the very first post of this thread I talk about a way to achieve that "after" the antivirus has done its part.

Quote
Such an idea might seem attractive at first, especially if your product has a reputation for annoying popups (insert CIS experience here ;D), but in the end it may turn out to be just as frustrating for the user as the cryptic warning popups it was supposed to diminish.
The popups shouldn't be cryptic.
By the way, we're thinking of automatic sandboxing, not a manual one.

Quote
As for avast! users who are not accustomed to their PC sessions being interrupted by questions from their AV, the implementation of such a measure would need to be faultless.
A false sandboxing is an FP, a legit program that may not work properly sandboxed.
Sure. The implementation is crucial.
The best things in life are free.

Offline Lisandro

  • Avast team
Quote
The automatic sandboxing approach like done in Comodo would require a massive overhaul of the entire avast! product which I don't see happening in the near future
A whitelist approach as a massive overhaul? Why?

Quote
However it would be imo possible to upgrade avast! Sandbox in a way that avast! would be monitoring behavior inside Sandbox and give that feedback to the user in a more understandable manner.
In an on demand sandbox, why would you want to be alerted of sandboxed items/processes?

Quote
So basically a behavior analyzer inside Sandbox.
Again, in an on demand sandbox, what the behavior analyzer will add to protection?

Quote
So users can run it like an on-demand scan and get some basic figure if the file executed is malicious or not.
But the user will need to run it on demand...

Quote
Because to be honest, even if you run it in the sandbox, it may look like it hasn't affected the system, yet it has installed something nasty in it. Pretty much like Comodo's CIMA, Norman Sandbox or ANUBIS online systems which tell you what the file is doing. I don't know, this seems like a more possible thing to happen as it would be built on top of existing tech and not something completely new.
Ok... The user will know that he should have sandboxed that nasty thing... Thank God he did it on demand...

Offline Lisandro

  • Avast team
Quote
Hello Tech, I voted Yes. Make it available (off by default, i.e., for advanced users only).
Thanks for your participation, regardless of the vote itself.

Quote
While I've never used the Avast Sandbox, I would agree in principle that automatic sandboxing could be another useful layer of defense against malware for some users.
Precisely.

Quote
Personally, I find sandboxes annoying because of the additional step(s) required to deem "wanted" files as safe so they will actualize on my hard disks. I already use Comodo HIPS on most systems (5 of 6), so sandboxing may be redundant, which is primarily why I don't use the Comodo Sandbox, either.
Redundant? Why? If the malware was not detected at first, which will be redundant?

Offline Lisandro

  • Avast team
Quote
It seems a very secure idea.
Thanks.

Quote
But unless Avast! could develop the greatest whitelist ever known (and keep it that way, indefinitely), I will continue to take my AV as-is.
Ok, it could be for advanced users :)

Offline Lisandro

  • Avast team
Quote
Although RejZoR describes it in more detail, we have the same idea :)
http://forum.avast.com/index.php?topic=52933.msg448936#msg448936

Quote
What you forget is that virtualization can be used for malware detection as well. Say Avast! finds a suspicious file; it can execute it in the virtualization module and safely analyse its behaviour. I am no expert (and I don't know if/when this will be implemented) but a combination of virtualization and behaviour analysis could be very powerful to detect malware.
Ok, but to work like this, to "find a suspicious file", avast should have a sandbox on access and not on demand... Do you agree?