The future of avast protection

[Lisandro]

pk, as being the developer, what do you think of all about this after all?

[Rednose]

Yeah Petr, I am curious too

Or what about RejZoR's sugestion ( and mine)

Cheers m8, Red.

[Vladimyr]

As far as I recall, first use of the term "sandbox" in regard to PC security, was indeed to do with the idea of providing a defined safe but apparently real "playground" in which to allow unverified or otherwise suspicious files to "play" so that their behaviour could be observed, analysed and halted if deemed necessary.
It's still a great idea but there remain at least a couple of drawbacks, admittedly more-so, the closer the sandbox is to being the first line of defence.

1. Such a real-looking "playground" requires real CPU cycles. (Which is why offloading this task to some sort of "cloud" is seen as an attractive option.)

2. Let's say a previously unseen file is run in the sandbox, its behaviour analysed, its found to be re-writing registry values. Is it malware or is it carrying out a procedure the PC user has initiated? He/she will have to asked.

[superhacker]

I choose "Yes. Make it available (off by default, i.e., for advanced users only)."Why?
Because not all malwares could be detected by avast so answer three is not logic,and if we make it for all users may some good programs will not work 100% so the newbie will make problems to us to help him.
Sandboxing is so good for new programs that come from the web,flash memories,.....
And i wish if we can customize what to sandbox like the unsigned programs,suspicious programs...

[Lisandro]

and if we make it for all users may some good programs will not work 100%

Yeah. A real point for beginners.

Sandboxing is so good for new programs that come from the web, flash memories,.....

Can you imagine how good could it be for USB drivers infections? It's powerful

[Lisandro]

file > scanned by avast antivirus > if it is a malware, proceed to the automatic actions set (like it is today).
                                                    > if it is not in the whitelists, automatic sandbox to protect the computer.

Continuing to develop protection, what about avast cloud scanning (or paranoid or installation mode started on demand)?

1. A file starts to be executing.
2. It is scanned by the antivirus (signatures, heuristics and behavior). If it's clean, it's passed on; if infected you'll get a warning.
3. It's checked against local whitelist/trustedlist (digital signing, trusted manufacturers). If it's good, it's passed on; if it's not on local list it will get sent to the cloud.
   Special settings could protect the bandwidth and throttle it: check and analyze files while idle.
4. If it's found good in cloud, it will be allowed to run and cloud "updates" the local whitelists; if not found it's automatic sandboxed and alert the user.

pk? Vlk? Any thoughts?

[Lisandro]

Automatic sandboxing is 'good enough' security with a minimum of alerts, suitable for the majority of users.
It's not thought to provide the highest even possible level of security (full sandboxing).

Unknown software could have access rights limited, i.e., this software couldn't:

• Drop (download) files in protected folders.
• Get admin privileges (elevation).
• Get Internet without asking permission.
• Inject code into non-sandboxed applications in memory.
• Other UAC restrictions.
• Protect the system (avoid exploiting of Windows, COM interfaces, etc.).
• Work like a keylogger or screen capture.
• Write to existing clean files or protected areas of Windows Registry.

All these ideas come from here.

[Lisandro]

Very recent posts in the forum...
http://forum.avast.com/index.php?topic=64493
http://forum.avast.com/index.php?topic=64494

I really think avast users need better protection.

[Dch48]

A security application, being something that people install because they need to rather than want to, should be as minimalist as possible. It should stay out of your face and not be a drain on not only your personal machine's resources, but also the resources of the entire internet structure. I am a fan of neither virtualization nor cloud based scanning for those very reasons. I have never willingly chosen to use either one.

[Lisandro]

It should stay out of your face and not be a drain on not only your personal machine's resources, but also the resources of the entire internet structure.

I'm absolutely sure that the resources taken to scan a file with the possibility of being wrong (missdetection) are higher than to block them by HIPS and, in this case, by automatic sandboxing.

I am a fan of neither virtualization nor cloud based scanning for those very reasons.

Cloud is a second stage, done when the computer is not stressed.

[Dch48]

It should stay out of your face and not be a drain on not only your personal machine's resources, but also the resources of the entire internet structure.

I'm absolutely sure that the resources taken to scan a file with the possibility of being wrong (missdetection) are higher than to block them by HIPS and, in this case, by automatic sandboxing.

I am a fan of neither virtualization nor cloud based scanning for those very reasons.

Cloud is a second stage, done when the computer is not stressed.

HIPS and sandboxing require a form of scanning just the same as a traditional AV. They all check the files against some sort of a list.

Whenever cloud scanning is done, it still consumes bandwidth and resources of the entire internet structure to do it's job.

[Hermite15]

HIPS and sandboxing require a form of scanning just the same as a traditional AV. They all check the files against some sort of a list.

Whenever cloud scanning is done, it still consumes bandwidth and resources of the entire internet structure to do it's job.

a sort of list yeah...right I wouldn't want to deprive my neighbors of a few MB/s, so I'll refrain from using cloud AVs and HIPs from now on. Acting so thoughtlessly could make the whole Internet structure collapse, and I will not risk this. Thanks for the tips

[Lisandro]

HIPS and sandboxing require a form of scanning just the same as a traditional AV. They all check the files against some sort of a list.

But with less resources than the signatures/behavior scanning of antivirus.

Whenever cloud scanning is done, it still consumes bandwidth and resources of the entire internet structure to do it's job.

Sure. It could be optional, i.e., the user joins of not the cloud. Don't you think?

[Dalewyn]

When I downloaded and installed Avast, I came looking for a minimalist, light, non-intrusive, effective piece of anti-virus software and nothing more, nothing less. I did not come looking for anti-virus+sandboxing, the latter (sandboxing) of which has really nothing to do with virus protection at its core. I'll be blunt, but if I require sandboxing I will go and find a piece of software that focuses on that area just as Avast focuses on virus protection.

Thus, I vote for: No, I think the "default allow" policy (signatures, rules, etc.) is enough.
Keep Avast unbloated and true-to-the-point like it currently is, please. :x

[ImWarm]

Automatic sandboxing is 'good enough' security with a minimum of alerts, suitable for the majority of users.
It's not thought to provide the highest even possible level of security (full sandboxing).

Unknown software could have access rights limited, i.e., this software couldn't:

• Drop (download) files in protected folders.
• Get admin privileges (elevation).
• Get Internet without asking permission.
• Inject code into non-sandboxed applications in memory.
• Other UAC restrictions.
• Protect the system (avoid exploiting of Windows, COM interfaces, etc.).
• Work like a keylogger or screen capture.
• Write to existing clean files or protected areas of Windows Registry.

You just copy and pasted from the Comodo moderator's post on their forum