I'm not friend of long posts
But let's make an exception as I think the subject worths.
Nowadays, avast virus analysts receive more than 50.000 samples per day!
Although a lot of work is automated, signatures, behavior analysis, code virtualization... aren't being enough.
The avast policy is "
default allow" (as all other legacy antivirus), i.e., what is
not blacklisted, allow; what is not blocked in the signatures and rules (behavior shield) is allowed to run.
I'm asking for a double behavior or, in other words, a "
default deny" policy, i.e., what is
not whilelisted, block; what is not in the trusted list of avast should be denied.
This could be achieved by the
sandbox technology of avast 5.
Whatever not in the whitelist of
trusted sources (an executable file, an installer, a script, etc.) could generate a question to the user in order to allow or deny.
The scheme would be:
file > scanned by avast antivirus > if it is a malware, proceed to the automatic actions set (like it is today).
> if it is
not in the whitelists, automatic sandbox to protect the computer.
The drawbacks (cons) of the generated popups could be reduced:
a) the whitelists could be updated frequently, new clean files added.
b) the cloud (community) technology could be used for populate these whitelists.
c) pre-scanning of avast could mark the "unknown" files (and upload for analysis).
d) it could be, of course, an optin setting of avast and any automatic sandboxed file could be "removed from sandbox" if the user wants/needs.
I understand the sandbox is part of the paid (pro) antivirus.
Maybe the
automatic sandbox (only) could be available for free users (just not the on demand sandbox like it is now only for pro). The sandbox is highly configurable and the automatic one could be a simpler version of the on demand (actual) one: more or less as a "run as limited user", avoiding infecting of unknown malware.
This could be an improvement of zero-day detection and be the solution of missdetection (as no antivirus is perfect...).
avast team suggestions/critics are (also) welcome!Edited: I've changed the name of the thread from Do you want automatic sandboxing and cloud to increase avast protection? to a more comprehensive one due to the discussion.