The future of avast protection

I’m not a friend of long posts 8)
But let’s make an exception, as I think the subject is worth it.

Nowadays, avast virus analysts receive more than 50.000 samples per day!
Although a lot of work is automated, signatures, behavior analysis, code virtualization… aren’t enough.

The avast policy is “default allow” (as with all other legacy antivirus), i.e., what is not blacklisted is allowed; what is not blocked by the signatures and rules (behavior shield) is allowed to run.

I’m asking for a double behavior or, in other words, a “default deny” policy, i.e., what is not whitelisted is blocked; what is not in the trusted list of avast should be denied.

This could be achieved by the sandbox technology of avast 5.
Whatever is not in the whitelist of trusted sources (an executable file, an installer, a script, etc.) could generate a question to the user in order to allow or deny.

The scheme would be:

file > scanned by avast antivirus > if it is malware, proceed to the automatic actions set (like it is today).
> if it is not in the whitelists, automatic sandbox to protect the computer.

The drawbacks (cons) of the generated popups could be reduced:
a) the whitelists could be updated frequently, new clean files added.
b) the cloud (community) technology could be used to populate these whitelists.
c) avast pre-scanning could mark the “unknown” files (and upload them for analysis).
d) it could be, of course, an opt-in setting of avast, and any automatically sandboxed file could be “removed from sandbox” if the user wants/needs.

I understand the sandbox is part of the paid (pro) antivirus.
Maybe the automatic sandbox (only) could be available for free users (just not the on-demand sandbox, which is now only for pro). The sandbox is highly configurable and the automatic one could be a simpler version of the current on-demand one: more or less a “run as limited user”, avoiding infection by unknown malware.

This could be an improvement of zero-day detection and be the solution to misdetection (as no antivirus is perfect…).

avast team suggestions/criticism are (also) welcome!

Edited: I’ve changed the name of the thread from “Do you want automatic sandboxing and cloud to increase avast protection?” to a more comprehensive one due to the discussion.
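As an added illustration (not avast code and not from the original post), here is a toy model in Python of the two policies the post contrasts and of items b), c) and d): the hashes, the signer name, the community threshold and the list contents are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class FileInfo:
    sha256: str                    # hash of the executable/installer/script
    signer: Optional[str] = None   # code-signing publisher, if the file is signed
    community_count: int = 0       # users in the community cloud running it cleanly

# Constructed sample data (not real avast lists, not real hashes).
BLACKLIST = {"sha256-of-known-malware"}          # virus signatures
WHITELIST_HASHES = {"sha256-of-known-clean"}     # trusted-source whitelist
TRUSTED_SIGNERS = {"Example Software Ltd"}
COMMUNITY_THRESHOLD = 1000                       # item b): cloud-populated trust
USER_UNSANDBOXED = set()                         # item d): user removed it from sandbox

def is_whitelisted(f: FileInfo) -> bool:
    """True when any trusted source vouches for the file."""
    return (f.sha256 in WHITELIST_HASHES
            or f.signer in TRUSTED_SIGNERS
            or f.community_count >= COMMUNITY_THRESHOLD
            or f.sha256 in USER_UNSANDBOXED)

def decide(f: FileInfo, policy: str) -> Tuple[str, bool]:
    """Return (action, upload_for_analysis) for one file under a policy.

    policy is "default-allow" (today) or "default-deny" (the proposal).
    The signature check runs first under both; only the handling of files
    that are neither blacklisted nor whitelisted differs.
    """
    if f.sha256 in BLACKLIST:
        return ("block", False)            # automatic actions, as today
    if is_whitelisted(f):
        return ("allow", False)
    # Unknown file: item c) marks it and uploads it for analysis either way.
    if policy == "default-allow":
        return ("allow", True)             # runs unrestricted until blacklisted
    if policy == "default-deny":
        return ("sandbox", True)           # automatic sandbox until whitelisted
    raise ValueError(f"unknown policy {policy!r}")

def count_sandboxed(files, policy: str) -> int:
    """How many files would be auto-sandboxed (and so prompt the user)."""
    return sum(1 for f in files if decide(f, policy)[0] == "sandbox")
```

Growing the whitelist (more hashes, signers or community counts above the threshold) is what shrinks the `count_sandboxed` figure, which is the popup cost the post wants to reduce.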

Yes. Make it available (on by default, i.e., for all users).

Why did I choose it?
b) the cloud (community) technology could be used to populate these whitelists.

Avast has a big user database, why not use this in their favor?

Thanks disPlay. Seems that the poll is not popular… Too many views of the thread and few posts.
But, never mind, the important thing is some advanced users’ posts and, also, avast team posts.

I would be tempted to talk like Bob >>> “oh no…not another Comodo” thread ;)…because that’s what it is basically. You’re purely and simply referring again to CIS, and to the fact that it’s free.

;D just about the automatic sandboxing of unknown processes/apps, I already suggested it here on Avast forums almost immediately after trying Comodo 4.0, so of course that’s needed, and I’m almost sure that the devs @ Avast have already planned it.
Running apps sandboxed constantly is useless imo, unless you browse bad sites…purposely…or stupidly…and constantly. So again the automatic sandboxing of unsigned/unknown stuff remains the only interesting aspect.

This said Tech, I’m quite happy that Avast is Avast and Comodo is Comodo, and I really don’t want to see Avast work, feel, sound…like Comodo. They (Avast) will do it their own way, they’re watching the competition too, so I won’t bother voting here ;) As well as they probably got their own idea of the cloud, to be introduced in 5.1, and don’t need to mimic Comodo.

ps: I mean “default deny” etc… this is all Comodo vocabulary, desktop bloated with popups and unneeded security software behavior >>> like you’re ending up, after a new install, having to tell a hundred times that you trust the applications you’ve been using for a few years…or let them get sandboxed ;D The filter needs some work apparently ;D That’s what Comodo Internet Security does. That makes the fans feel secure…the time wasted is not a problem because the kids are playing…so at least while they keep answering Comodo alerts, they’re not bored ???

One last thing, I doubt Avast would make anything sandbox related available in the free version, not even “just” an automatic sandbox :smiley:

Of course Tech is referring to the Comodo Default Deny security policy :wink:

But Avast already has a huge whitelist they internally test their updates against. So the idea is very interesting. I think I have to support it :slight_smile:

Greetz, Red.

I’ll throw in my $.02 also ;). I don’t like sandboxing because it just defers the decision and seems more suitable for hobbyists than those who actually use their computer for things. You still need a source of additional information without making it too much of a nuisance. “Default deny” is just propaganda as a slogan. A security system is actually a sieve or processing: it allows by default anything that can’t be eliminated by the current layer of the sieve so the next layer can attack it. It looks at signatures, be they ports&protocols, AV signatures including behaviors, whitelists, blacklists, HIPS signatures (the actions by a process that should cause an alert; see attachment for an example from OA) until it eventually gets down to a process that doesn’t match anything in your library. Prevx, for example, does additional heuristics based on Program age and Popularity at this point. The reason all of these things are important in terms of evaluating protection is that eventually you get down to some processes that go to a user but have no information from all of the signatures and processing you have done. A very cursory evaluation indicates that the user will make errors as a percentage of those processes that get this far. The more residue, the more errors. So the idea that the sieve (AV) has no value because you can always catch it in the HIPS or sandbox is nonsense. Even the “security as a hobby” users like us have problems discriminating whether the rare events (uncharacterized alerts) are FA or Detection. And the “tests” (actually demonstrations) run as scenarios where all the popups are known to be malware do not really show anything about performance in the field either for the interested user or the hobbyist. The latest thing Comodo has done with their incessant propaganda is tempt me to try NIS. I credit Melih for finding OA, Softpedia, COU, etc. and now possibly NIS for me by the incessant raving on his site.
Even MRG has become useful and interesting since the Comodo fiasco.

Isn’t that what the Secure Desktop feature that’s coming out in 5.1 is? And yeah, this sounds an awful lot like Comodo ::slight_smile:

Mmm no :wink:

About the Secure Desktop, from Petr :

it will allow you to execute e.g. web browsers in a more secure mode than in 5.0; it’d be executed in a separate desktop - with no icons, under our alternative shell (i.e. own explorer.exe), own taskbar, etc. This alternative desktop will be protected from keyloggers, screen captures and keeps your browsing activity isolated from other processes running on the normal desktop. This feature might be integrated into most common web-browsers as a plugin: e.g. if you go to www.abnamro.nl or www.dnb.nl sites (online banking), avast will open this page in the secured desktop automatically and protect your surfing from other applications.

Greetz, Red.

Ok then, thanks.

Good. I never heard about it (yet).

It’s up to you :slight_smile:

If you can’t understand, just admit. Don’t worry :slight_smile:

Thanks Rednose for the support. This is what I meant: technology improvement.

I think the good approach would be to allow the user to run any unidentified process in the sandbox. I mean, for any process that is allowed to run once it has passed all of Avast!'s shields, the user should be given the option to run it in the sandbox, thus maximizing security.
That way users are not forced to run processes in the sandbox, but if they want to -because it is a new process or some rogue process that by some clever technique bypassed Avast!'s shields- they can run it sandboxed just in case.

Martin.-

sded, I respect your opinion. But I’m not saying the AV has no value. It’s not my opinion.

Very good idea for banking security. Although it’s not an automatic sandbox for all unknown applications but just for sites, am I wrong?

Precisely, that’s the idea!

Sorry Tech, I did not intend to make my comments specifically for your opinions-just to suggest that there is a lot of self-serving propaganda out there that needs to be carefully evaluated as to accuracy and motivation. As in threads like “Is the AntiVirus biggest fraud in the security world?”.

Don’t worry. My opinions, of course, are just my opinions.
Nobody is meant to take things personally.

We always need to separate what is fanboyism, what is exaggeration, what are personal opinions.
Filter things, remove the bad, but keep the good.
I’m interested in technology, in increasing avast protection. For me and for all users. Those are my intentions.

Well I somewhat like what Comodo is doing with the sandbox but I’m also aware of the problems. For avast! I’d just want a full fledged Behavior Shield that would work like ThreatFire. That would be enough not to need a sandbox the way you are asking for.

Automatic sandboxing feature can be a troublemaker in some countries: we have to use IME to input Japanese, but some sandboxing software (ex. Comodo ::)) isn’t compatible with IME, so we can’t input Japanese while sandboxing.
Even the “Protected mode” in IE7 has some trouble with IME (user-based dictionary doesn’t work in this mode due to privilege), automatic mode can lead to more trouble…

Although this feature is good for security, I think this option should be advanced users only.

Someone wants to run software which has not yet been whitelisted and it doesn’t work due to sandboxing, so he/she has to whitelist it on their own… it’s painful for beginners.

avast! is not for skilled people, but for all users. :slight_smile:

if I can’t understand what Tech ??? and admit what??? what is it that you could teach me? You’re purely and simply copying and pasting stuff found in hundreds of posts on Comodo forums and you mean that you did understand something that I didn’t? What is it? I’m just curious. I mean look, I was a regular poster on Comodo forums for years (misc accounts…), long before you even knew their name, you only started to go there on a permanent way very recently…praising Avast there, and praising Comodo here. Avoiding advising those knowing much better than you do in a general way might be a good idea…whatever the topic is btw, chances are that I’ll beat you ;)…been using their firewall and HIPS since the beginning, so excuse me if I pretend to know what I’m talking about, and I pretend that you don’t…again, you’re stupidly copying and pasting other posters’ descriptions of the software, especially Melih’s posts :smiley:
You’re still in luck here because people post in your thread(s) when you praise Comodo on Avast forums…just because you’re an old poster here…seems that you’re hardly noticed when mentioning Avast on Comodo’s forums…seems that you just join the herds there, and became just one of them…a bit light to come up here and play the guru, the Comodo guru isn’t it? ;D

I have a similar setup to sded and agree with most of his Post #5 (excluding the NIS part).

However, I have a technical question: What would happen if a person was to use a SB in one software that also had it in another software? Would this then cause a conflict? We talk about security software and conflicts that they may cause, and this came to mind. Does anyone know the answer?

I therefore would want to have the option to enable/disable the SB in a software product during installation and in the GUI, whether it was Free or paid, because of this, since many more security products are moving in this direction of SB and other features not mentioned here (I do not want to hijack the thread). Thank you.