Poll

Do you want automatic sandboxing (virtualization) to increase avast protection?

Yes. Make it available (on by default, i.e., for all users).
Yes. Make it available (off by default, i.e., for advanced users only).
No, I think the "default allow" policy (signatures, rules, etc.) is enough.
I don't understand the difference (please, post your doubts).
Other (please, post your opinion and why).

Author Topic: The future of avast protection  (Read 185790 times)


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #210 on: October 10, 2010, 02:58:03 AM »
Quote
But calling him a "system and overall performance" drag... is, sorry, a non sense.
If it's not a system and performance hindering application then why does it slow down your system ???
Maybe you haven't used it lately ???
On access sandboxing  meaning when you use the application to run it sandboxed. It still requires the intervention of additional system resources therefore slowing down your system.
Unless you've found a way to do this without using resources??? Maybe it's another Comodo trick we don't know about ???   ;D

Sorry but I agree with Bob - You simply can't add another function without having a system resources overhead. To sandbox an application requires additional processing power and RAM that otherwise wouldn't be being used.

How much of a drag that is going to be is dependent on a) the sandboxing software/function, b) how many applications are sandboxed and c) the user's system spec.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #211 on: October 10, 2010, 03:04:31 AM »
Quote
You simply can't add another function without having a system resources overhead.
And who is saying that? You guys.
I'm just saying it is not a resource hog.
It takes less resources than deep scanning.
An on demand scanning of avast takes much, much more resources than a HIPS tool.
That it is what I'm saying.
Of course it takes resources... All feature or application takes.
It is NOT a resource drag or hog. It's a light, very light, feature.
Quote
To sandbox an application requires additional processing power and RAM that otherwise wouldn't be being used.
Of course. We're not saying that. Of course...
Just that on access (auto) sandboxing uses very little resources compared to scanning.
Or, it won't take more resources than just running the program outside of the sandbox... A little, perhaps, but not a resource drag.

Quote
How much of a drag that is going to be is dependent on a) the sandboxing software/function, b) how many applications are sandboxed and c) the user's system spec.
Sure... How much resources does running a program inside and outside the sandbox will be the difference.
Here I'm saying that the protection achieved by auto sandboxing is NOT a resource hog.
On contrary, a lot of on access scanning could take more resources than that.
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #212 on: October 10, 2010, 03:47:31 AM »
It is common sense, you can't run a program or function with zero overhead, it is a physical impossibility.

So us guys who are saying it will use more resources have just as much of an idea of how it will work as you do, so our comments are just as valid as yours. How you can say it will be light and not a resource hog is not based on any specification as you/we don't know how it is to be implemented (guesswork), but there really is no way round it you don't get something for nothing, there has to be an overhead.

To isolate the application from the system requires additional disk space, processing effort to run and manage that application within the virtual space/sandbox that wouldn't be required if you aren't using a sandbox it really is as simple as that.

Protection has nothing to do with the equation when we are talking about the resources used, do you really think there will be no avast on-access scanning within the sandbox. I feel you are in for a surprise.

Sandboxing isn't the be all and end all to security, we have got by without it for many, many years and I don't see that changing in a hurry, it is still very much a niche market.

If avast were to force default always on sandboxing, it would be a very sad day as some people simply couldn't handle it on their systems not to mention acting autonomously, puts people's noses out of joint. The one thing that many people like about avast is its configurability.

So I'm done trying to put it to you that sandboxing has a resource overhead as you clearly don't get it, so I shan't waste any more time on it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #213 on: October 10, 2010, 03:57:59 AM »
Quote
It is common sense, you can't run a program or function with zero overhead, it is a physical impossibility.
Of course!
Who is saying against that? ???

Quote
How you can say it will be light and not a resource hog is not based on any specification as you/we don't know how it is to be implemented (guesswork)
You can compare with other HIPS applications... Or other sandbox applications...
Although, it's common sense that HIPS takes less resources than scanning to achieve the protection.

Quote
To isolate the application from the system requires additional disk space, processing effort to run and manage that application within the virtual space/sandbox that wouldn't be required if you aren't using a sandbox it really is as simple as that.
And so? Who is saying anything against that?
To get infected and have a feature that takes resources (less than the ones avast is already taking... by the way), I'd rather see avast protection increased...

Quote
Protection has nothing to do with the equation when we are talking about the resources used, do you really think there will be no avast on-access scanning within the sandbox. I feel you are in for a surprise.
Protection has everything related to this thread.
This thread is not about detection, but protection.
You need to read the first post...

Quote
Sandboxing isn't the be all and end all to security, we have got by without it for many, many years and I don't see that changing in a hurry, it is still very much a niche market.
Because 50.000+ samples of malware per day.
Because avast isn't protecting a lot of users (for instance: http://forum.avast.com/index.php?topic=64122.msg547768#msg547768)


Quote
If avast were to force default always on sandboxing, it would be a very sad day as some people simply couldn't handle it on their systems not to mention acting autonomously, puts people's noses out of joint. The one thing that many people like about avast is its configurability.
There is an option, in the poll, to release it only for advanced users...


Quote
So I'm done trying to put it to you that sandboxing has a resource overhead as you clearly don't get it, so I shan't waste any more time on it.
Don't lose time to convince what both of us are already convinced...
The best things in life are free.

Offline firzen771

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 626
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #214 on: October 10, 2010, 04:09:27 AM »
i hope avast NEVER goes down the path of auto sandbox...
Windows 7 x64 / Windows Firewall OFF / UAC OFF
Real-Time: Avast Internet Security / WinPatrol

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #215 on: October 10, 2010, 04:25:45 AM »
Quote
i hope avast NEVER goes down the path of auto sandbox...
It won't... as Vlk has already stated...
The best things in life are free.

Hrad 472

  • Guest
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #216 on: October 10, 2010, 08:44:56 AM »
I have to agree with most of your Post, Omid.

My only concern with sandboxing is when a program say Firefox or IE8, does automatic security/program updates how will the program update whilst it is within a Sandbox?

If I am away for a time and forget to take a program out of the sandbox, will the Program still update? Will I remember to check later?

Now if you could just run certain "trusted" web sites, say your bank, in a sand box and delete the sandbox after leaving that Site, leaving behind no traces of your activities, that would be great! As long as it is not used to cover any illegal activities of course!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48592
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #217 on: October 10, 2010, 02:58:14 PM »
Quote
Now if you could just run certain "trusted" web sites
The problem arises when the "trusted" website of today becomes the infected site of tomorrow.
Unfortunately this happens all the time.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #218 on: October 10, 2010, 05:44:17 PM »
Quote
My only concern with sandboxing is when a program say Firefox or IE8, does automatic security/program updates how will the program update whilst it is within a Sandbox?
Generally, they won't work. You need to run the program outside of the sandbox in order to upgrade it.

Quote
If I am away for a time and forget to take a program out of the sandbox, will the Program still update? Will I remember to check later?
Probably they will check for updates. But the updates won't be applied...

Quote
Now if you could just run certain "trusted" web sites, say your bank, in a sand box and delete the sandbox after leaving that Site, leaving behind no traces of your activities, that would be great! As long as it is not used to cover any illegal activities of course!
Generally the browsers allow that (InPrivate browsing).
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #219 on: October 10, 2010, 07:58:39 PM »
I'm cross-posting a very good and logical explanation of Lukor about whitelisting:

Quote
You would probably like to see some features in the firewall that would supplement the antivirus and provide 100% zero-day protection against such threat, but as I said in my reply, that there are no such features that would check for malware in the sample and if the antivirus had no objections - as it was turned off - we must assume that the application in question was clean from any infection and the firewall should decide accordingly. Also there is currently no such superhuge whitelist on which every allowed application must be found. Some other firewall suites use this approach but we thought that having indexed all available applications on the Internet is beyond our reach and that the number of unknown app popups would simply be too large. The whitelist is there, there are metadata and rules that can be retrieved from the list for many apps but the firewall allows connections for apps not on the whitelist as well.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do you want automatic sandboxing and cloud to increase avast protection?
« Reply #220 on: October 10, 2010, 08:12:45 PM »
Quote
Avast 6.0 will feature the in-the-cloud heuristics based on the age/prevalence data (as suggested above by sded) as well as new stuff related to the use of our sandbox. (...) It will rely on its heuristics engine to make decisions whether an executable file should run sandboxed or not. Let me explain this in a bit more detail. Currently, the outcome of the scan is pretty much binary - either the file is called "clean" (and is allowed to run), or it is flagged as "infected" (and appropriate actions are applied - and the file isn't allowed to run). This also applies to heuristics detections. Now in avast 6.0, the outcome could also be "potentially infected, use extreme caution" and this case, when talking about an on-exec scan, will (by default) be handled by sending the file into the sandbox. If the program is legitimate, it has a good chance of running OK inside the sandbox (and of course you, as a user, can always override the decision and run it normally). And if it's really malware, avast has just saved your butt.

Vlk, I was reading about SONAR:

Quote
SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious.

An algorithm is used to evaluate hundreds of attributes relating to software running on a computer.

The main use of SONAR is to enhance detection of zero day threats. Symantec claims SONAR can also prevent attackers from leveraging unpatched software vulnerabilities.
http://en.wikipedia.org/wiki/SONAR_%28Symantec%29

Can you compare both technologies? I mean, will the avast behavior shield in avast 6 be similar to SONAR?
The best things in life are free.
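
The three-outcome on-exec decision described in the quote in reply #220 above, sketched as an added example (not part of the thread and not avast's code). The thresholds, the `suspicion` scoring and the sample files are assumptions constructed for illustration; the block compares a two-outcome policy with the three-outcome one to show which files change treatment.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    SANDBOX = "sandbox"

@dataclass(frozen=True)
class ScanResult:
    name: str
    signature_hit: bool      # a known-malware signature matched
    heuristic_score: float   # 0.0 (benign-looking) .. 1.0 (malicious-looking)
    prevalence: int          # hypothetical cloud count of users who have the file
    age_days: int            # hypothetical days since the file was first seen

# Assumed thresholds, chosen only for illustration.
INFECTED_AT, SUSPICIOUS_AT = 0.8, 0.4
RARE_BELOW, NEW_BELOW_DAYS = 50, 7

def suspicion(r: ScanResult) -> float:
    """Heuristic score, raised for files that are both rare and new."""
    bump = 0.3 if (r.prevalence < RARE_BELOW and r.age_days < NEW_BELOW_DAYS) else 0.0
    return min(1.0, r.heuristic_score + bump)

def binary_policy(r: ScanResult) -> Action:
    """Two outcomes: anything not called infected is allowed to run."""
    if r.signature_hit or r.heuristic_score >= INFECTED_AT:
        return Action.BLOCK
    return Action.ALLOW

def tristate_policy(r: ScanResult, user_override: bool = False) -> Action:
    """Three outcomes: the grey zone runs sandboxed unless the user overrides."""
    if r.signature_hit or r.heuristic_score >= INFECTED_AT:
        return Action.BLOCK  # the override applies only to the sandbox decision
    if suspicion(r) >= SUSPICIOUS_AT:
        return Action.ALLOW if user_override else Action.SANDBOX
    return Action.ALLOW

# Constructed samples, not real files or telemetry.
SAMPLES = [
    ScanResult("popular_browser.exe", False, 0.05, 2_000_000, 400),
    ScanResult("known_trojan.exe", True, 0.95, 120, 30),
    ScanResult("fresh_packed_dropper.exe", False, 0.30, 3, 1),
    ScanResult("niche_inhouse_tool.exe", False, 0.15, 4, 2),
]

def changed_outcomes(samples):
    """Names of files the binary policy allows but the tri-state policy sandboxes."""
    return [s.name for s in samples
            if binary_policy(s) is Action.ALLOW and tristate_policy(s) is Action.SANDBOX]

if __name__ == "__main__":
    print(changed_outcomes(SAMPLES))
```

The second file that changes treatment is a legitimate but rare tool, which is the case the quote covers with the user override.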

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: The future of avast protection
« Reply #221 on: October 12, 2010, 08:13:40 PM »
http://www.infoworld.com/t/malware/microsoft-ban-sick-pcs-the-internet-945

Quote
Many security experts have talked about quarantining infected computers.
...
However, such policies rely on the Internet service provider to be the enforcer and cut off customers from the Internet. The problem is customers then require support, which raises the ISP's costs tremendously.
...
In Japan, more than 70 ISPs have partnered with the government to create the Cyber Clean Center, which covers 90 percent of Internet users in that country.

What avast, as a security corporation, could participate on quarantining infected computers and help the full Internet security and safety?

Microsoft suggests a four step policy:

Quote
Microsoft is calling for a four-step plan to implement a health policy for the Internet.
First, we must develop a way to define and demonstrate "good health," perhaps a combination of active client-side defenses and a lack of malicious data from a system.
Second, a trusted system of health certificates must be created to avoid spoofing a health system.
Third, Internet service providers need a way to request and accept health certificates and take action.
And fourth, a legal and regulatory framework that supports the model must be created.
Can't avast participate or help on steps 1 and 2?
The best things in life are free.

Gargamel360

  • Guest
Re: The future of avast protection
« Reply #222 on: October 12, 2010, 08:48:27 PM »

It seems a good idea for the internet's health.......but a bad idea for my wallet.

I would be shouldering part of the cost from all my ISP's users problems, I imagine?

Small loss to the internet, but......I will sincerely just abandon owning an internet accessible pc if this comes to pass, I refuse to shoulder any more financial burden for the irresponsible actions of others, taxes and my ISP bill are enough "fun" as it is.

Maybe I am reading this wrong, but it seems MS is trying to pass the Hot Potato that they themselves cooked to begin with? If that is the case, I for one will not put my hands out to catch it, it will be left to fall to the floor.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: The future of avast protection
« Reply #223 on: October 12, 2010, 09:33:22 PM »
Ok, MS is involved... but it's not the Internet owner.
Others should participate...
The best things in life are free.

Gargamel360

  • Guest
Re: The future of avast protection
« Reply #224 on: October 12, 2010, 10:08:05 PM »
Quote
Ok, MS is involved... but it's not the Internet owner.
Others should participate...

Yeah, no doubt.  Multiple groups (AV companies included) really need to put their heads together for any progress to be made. 

Therein lies my anxiety, since the only thing that brings separate, profit-driven companies together......is furthering profit.  And I only see that money coming from one source, the end-user.  If MS wanted to charge me more for Windows to make it safer, ($100 price increase or more even) I would go for that.  But kicking the cost to others (whom I know will simply pass the cost on to me, while skimming the middle) is not acceptable to me.  Too much potential for abuse, with no guaranteed positive outcome.

Forgive the (possibly) paranoid rant, but it seems a flawed idea with noble intentions.