Author Topic: Aavst 6 - automatic sandbox improving in future builds??  (Read 6192 times)


Parabel

  • Guest
Aavst 6 - automatic sandbox improving in future builds??
« on: February 28, 2011, 09:30:43 PM »
Hello,

I have tested the Avast 6 Free Antivirus in VirtualBox. It doesn't ask the user every time unknown malware is executed, only in some cases.

Sorry for my English.

Offline danny96

  • Malware Fighter
  • Advanced Poster
  • Posts: 668
  • No-malware!
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #1 on: February 28, 2011, 10:05:27 PM »
Of course it cannot detect everything; it's just the first version of 6.
Real-time protection and Firewall: COMODO Internet Security 12.0.0.6810 -- Additional Protection: Web Of Trust, Ublock, NoScript, Malwarebytes Premium, Avast! Online Security, Hitman Pro -- OS: Windows 10

Offline =SKY=

  • Super Poster
  • Posts: 1605
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #2 on: March 01, 2011, 10:58:25 PM »
Quote
It doesn't ask the user every time unknown malware is executed, only in some cases.
+1  ???
Win11 Home [x64] @ Windows Defender | FF ESR |
My oldest darling: W2k Pro SP4 & UR1 @ avast! Free Antivirus 8.0.1497 | Palemoon & K-Meleon [BOTH MODIFIED for W2k] |

Parabel

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #3 on: March 18, 2011, 02:16:20 PM »
In comparison to Comodo IS, which sandboxes every file that isn't in the trusted vendors list, Avast's is more like a gimmick.

doktornotor

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #4 on: March 18, 2011, 02:25:26 PM »
Quote
In comparison to Comodo IS, which sandboxes every file that isn't in the trusted vendors list, Avast's is more like a gimmick.

You mean the "trusted" vendors list that includes malware authors added there by the "entrepreneur of the year" and that cannot be modified by users? Ah...  ::) ;D

http://forums.comodo.com/wishlist-cis/provide-an-option-to-remove-allselected-ctrlclick-trusted-software-vendors-t62449.0.html

Quote
Thanks to the trusted vendor list, a trojan dropper signed by trend micro inc. was able to work successfully (good job Comodo!). When you add a trusted vendor list, all it does is provide one giant security hole for droppers which are falsely signed

Way to go.  ::)

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11815
    • AVAST Software
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #5 on: March 18, 2011, 04:55:29 PM »
Quote
I have tested the Avast 6 Free Antivirus in VirtualBox. It doesn't ask the user every time unknown malware is executed, only in some cases.

Well, it's the same as saying that the antivirus doesn't detect every piece of malware out there, just some of them (which is true, there are unknown malware files).

Sure, that's how it is and how it always will be - there's no magic to achieve 100% detection, whether for "ordinary detection" or for autosandbox heuristics.
The difference between autosandbox and ordinary detection is that the autosandbox heuristics are "more generic" - they mark more files. Sure, marking more files brings more false alarms - but they are not that "bad" in this case; the file is not reported as infected, not removed automatically... the user is just offered to run the executable in the sandbox, which shouldn't hurt even if the file is OK/clean.
But - you probably wouldn't be very happy if for every executable you started (clean or not), you were asked whether you want to run it in the sandbox, right? So there always will be files that are not autosandboxed, and yes, some of them could be malicious. Nothing is 100% in the AV area, I'm afraid.

Yes, the heuristics will definitely be improved in the future - and it will be done via virus definition updates, i.e. no need for program updates in this case. But again, if you're expecting 100% efficiency, you're expecting miracles.

nettodo

  • Guest
Re: NO NEED to use the trusted vendors list in COMODO.
« Reply #6 on: March 19, 2011, 04:11:48 PM »
I just had to post here because I use COMODO Firewall alongside avast! (and well, other things). First of all, you can delete entries from the Trusted Vendors List, but there is no option to select all >:( . To bypass this so-called "Trusted Vendors" list, go to Defense+ settings in COMODO > Sandbox Settings > then uncheck "Automatically detect installers/updaters and run them outside sandbox" and also uncheck "Automatically trust files from trusted installers". Also, if you want, set your sandbox level to "Limited". If you choose to delete from the trusted vendors list, give yourself 1-2 hour(s) and 5 cups of coffee. Just a bit of advice.

doktornotor

  • Guest
Re: NO NEED to use the trusted vendors list in COMODO.
« Reply #7 on: March 19, 2011, 04:21:48 PM »
Quote
I just had to post here because I use COMODO Firewall alongside avast! (and well, other things). First of all, you can delete entries from the Trusted Vendors List, but there is no option to select all >:( . To bypass this so-called "Trusted Vendors" list, go to Defense+ settings in COMODO > Sandbox Settings > then uncheck "Automatically detect installers/updaters and run them outside sandbox" and also uncheck "Automatically trust files from trusted installers". Also, if you want, set your sandbox level to "Limited". If you choose to delete from the trusted vendors list, give yourself 1-2 hour(s) and 5 cups of coffee. Just a bit of advice.

<OT>
Well, just a couple of notes:

1/ Disable completely != remove particular vendor(s)
2/ When I last tried, they get re-added back on updates; I have no time for such stupidity
3/ The way I would like to use it is exactly opposite to the way it is programmed (i.e., empty by default, I add whatever I trust). Again, this wasn't possible last time I tried.
4/ Not checking anything and adding any vendor there just because they've paid $$$ to Melih for a certificate is outright retarded. They have added so many "trusted" vendors that the only option would be to wipe the list and start from scratch, whitelisting only reputable, well-established vendors after quite a bit of checking. Not gonna happen I'm afraid, since the situation looks like this:

Code:
less popups marketing + $$$$ for certificates >> actual concern about users' security.
5/ Have they stopped storing just about everything in the registry, causing Windows to halt for a couple of minutes when rewriting the tens-of-megs registry blob whenever you change some rules after a couple weeks of usage? I guess not.

Sorry, not seeing myself going back to CIS anytime soon.
</OT>

nettodo

  • Guest
Re: NO NEED to use the trusted vendors list in COMODO.
« Reply #8 on: March 19, 2011, 04:39:57 PM »
Quote
I just had to post here because I use COMODO Firewall alongside avast! (and well, other things). First of all, you can delete entries from the Trusted Vendors List, but there is no option to select all >:( . To bypass this so-called "Trusted Vendors" list, go to Defense+ settings in COMODO > Sandbox Settings > then uncheck "Automatically detect installers/updaters and run them outside sandbox" and also uncheck "Automatically trust files from trusted installers". Also, if you want, set your sandbox level to "Limited". If you choose to delete from the trusted vendors list, give yourself 1-2 hour(s) and 5 cups of coffee. Just a bit of advice.

<OT>
Well, just a couple of notes:

1/ Disable completely != remove particular vendor(s)
2/ When I last tried, they get re-added back on updates; I have no time for such stupidity
3/ The way I would like to use it is exactly opposite to the way it is programmed (i.e., empty by default, I add whatever I trust). Again, this wasn't possible last time I tried.
4/ Not checking anything and adding any vendor there just because they've paid $$$ to Melih for a certificate is outright retarded. They have added so many "trusted" vendors that the only option would be to wipe the list and start from scratch, whitelisting only reputable, well-established vendors after quite a bit of checking. Not gonna happen I'm afraid, since the situation looks like this:

Code:
less popups marketing + $$$$ for certificates >> actual concern about users' security.
5/ Have they stopped storing just about everything in the registry, causing Windows to halt for a couple of minutes when rewriting the tens-of-megs registry blob whenever you change some rules after a couple weeks of usage? I guess not.

Sorry, not seeing myself going back to CIS anytime soon.
</OT>

Ok doktornotor, I see your point there, there, and there.

Parabel

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #9 on: March 19, 2011, 10:00:12 PM »

Quote
Yes, the heuristics will definitely be improved in the future - and it will be done via virus definition updates, i.e. no need for program updates in this case. But again, if you're expecting 100% efficiency, you're expecting miracles.

Thanks for the explanation. No, I'm not expecting 100% malware detection nor sandboxing. But I have to admit that I was perhaps a little Comodo-infected in the past ;D and compared it too closely with Avast. I don't use Comodo anymore, because it's a system hog and has many, many false detections.

Quote
Thanks to the trusted vendor list, a trojan dropper signed by trend micro inc. was able to work successfully (good job Comodo!). When you add a trusted vendor list, all it does is provide one giant security hole for droppers which are falsely signed

I didn't know that. I agree.

Dch48

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #10 on: March 19, 2011, 10:19:39 PM »
My experience with Comodo was different. I abandoned it because the whitelisting wasn't extensive enough and I kept getting needless alerts for perfectly safe things. I never deleted anything from the Trusted vendors list, I had to add things to it to make the program have better usability.

Personally, I'm not a fan of sandboxing in the first place and really see no need for it. Avast! should just tell you that something looks suspicious and ask if you really want to run it or not. If it's something you know is okay you allow it, if not you don't. Why run something unknown in a sandbox? What's the point? The behavior shield is enough in my opinion.

doktornotor

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #11 on: March 19, 2011, 10:24:42 PM »
Quote
If it's something you know is okay you allow it, if not you don't. Why run something unknown in a sandbox? What's the point?

Well, the point is, like 95% of users suck, or better said, utterly fail when guessing whether it's OK or not. No harm will be done in the sandbox when your guess fails.

Dch48

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #12 on: March 19, 2011, 10:28:51 PM »
Quote
If it's something you know is okay you allow it, if not you don't. Why run something unknown in a sandbox? What's the point?

Quote
Well, the point is, like 95% of users suck, or better said, utterly fail when guessing whether it's OK or not. No harm will be done in the sandbox when your guess fails.
You don't even have to guess. If it's something you know that you installed and know is safe then it should be okay. If it's something you don't recognize, it might not be so you don't run it. No guesswork involved there.

doktornotor

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #13 on: March 19, 2011, 10:31:23 PM »
Quote
You don't even have to guess. If it's something you know that you installed and know is safe then it should be okay. If it's something you don't recognize, it might not be so you don't run it. No guesswork involved there.

OK, so you know all software you install? Well, I don't and most people don't, they keep trying new things.

Parabel

  • Guest
Re: Aavst 6 - automatic sandbox improving in future builds??
« Reply #14 on: March 19, 2011, 10:36:42 PM »

Quote
Personally, I'm not a fan of sandboxing in the first place and really see no need for it....

Most infections today are drive-by downloads or Java exploits. If a site is infected with a Java exploit, the Java plug-in in your browser downloads other malware if your antivirus doesn't detect it.

A browser used with Sandboxie, for instance, can't harm anything on your real machine. All bad things aren't able to bypass the sandbox, as far as I know. Therefore sandboxing is useful in my opinion.