Comodo Forum > Desktop Security Products > Comodo Anti-Viruspyware (CAVS) > Feedback/Comments/Announcements/News about CAVS
Topic: why the wait for cavs 3 makes sense (Read 10409 times), page 3 of 4
Luketan
« Reply #30 on: May 24, 2008, 05:35:02 AM »

Quote from: Xan
They're trying to add almost all good files so you get less pop-ups. I think in CAVS there will be far less pop-ups than in D+.

Xan

Aren't they already trying to add all the good files for D+? Oh sure, I have no doubts that CAVS will have less pop-ups cos D+ monitors a lot more than just binary files running, but I'm actually hoping for one that is actually an antivirus (you know what I mean), not one that just uses watered-down D+ features and declares itself king of antivirus cos of that.

Sadly, I suspect Comodo will do this very thing, from the way the winds are blowing with all this hype on whitelisting and the bashing of traditional antivirus technologies.

Because realistically speaking, companies new to the antivirus field have a HUGE disadvantage cos they lack the samples for creating signatures for blacklisting... So one strategy is to not try so hard, and then try to brainwash users into thinking that whitelists are the be-all and end-all of security and that they are the only ones to actually try this.




eXPerience
« Reply #31 on: May 24, 2008, 05:45:17 AM »

Quote from: Luketan on May 24, 2008, 05:35:02 AM
Aren't they already trying to add all the good files for D+? Oh sure, I have no doubts that CAVS will have less pop-ups cos D+ monitors a lot more than just binary files running, but I'm actually hoping for one that is actually an antivirus (you know what I mean), not one that just uses watered-down D+ features and declares itself king of antivirus cos of that.

Sadly, I suspect Comodo will do this very thing, from the way the winds are blowing with all this hype on whitelisting and the bashing of traditional antivirus technologies.

Because realistically speaking, companies new to the antivirus field have a HUGE disadvantage cos they lack the samples for creating signatures for blacklisting... So one strategy is to not try so hard, and then try to brainwash users into thinking that whitelists are the be-all and end-all of security and that they are the only ones to actually try this.

Why use technology from the old ages? Why use only blacklisting? If there are 2 new viruses a day, then I agree. But there are like hundreds, thousands of new viruses released every day. Why use technology that doesn't do anything, except when it's too late? Now take a look at these stats here: most antiviruses don't even get 50% of all viruses released that month!!!!!!!!

So I believe in this
Look at this article.
and this

This is how I think it will be.

A file is opened: CAVS scans the whitelist database; if it's not in there, it scans the blacklist (= signature) database. If not, it's prompted to you. This will lower the prompts and make you the securest possible.

Xan

EDIT: Change of order after short explanation of Melih
« Last Edit: May 24, 2008, 11:04:37 AM by eXPerience »

Melih
« Reply #32 on: May 24, 2008, 09:24:10 AM »

Quote from: Luketan
Actually this is false. As much as the output of malware writers is increasing, there are still way more programmers producing legitimate programs and files, obviously. Even if the malware writers produce more on average, they are still swamped by their small percentage (less than 5%; I'm being generous here).

Maybe less false is

1) The number of "goodies" used by EACH user is less than the number of baddies encountered by EACH user

or

2) The number of "goodies" used by the TYPICAL user is less ....


The problem with (1) is that while each user uses, say, 100 goodie programs, their 100 goodies are mostly different.

(2) is the strongest argument for whitelisting. But so far no centralized whitelist I know of, including Comodo's (which does not even include popular antivirus like Antivir), is efficient enough.

One thing you are not taking into consideration is: To generate a baddie, one does not need to program. Simply re-pack!! Whereas for goodies they always have to program.

Your statement would be true if I had said unique baddies; however, we both know the number of variants (re-packed) out there is multiplying at a huge rate, and each variant is a baddie!

thanks
Melih

Melih
« Reply #33 on: May 24, 2008, 09:26:10 AM »

Quote from: eXPerience on May 24, 2008, 05:45:17 AM
Why use technology from the old ages? Why use only blacklisting? If there are 2 new viruses a day, then I agree. But there are like hundreds, thousands of new viruses released every day. Why use technology that doesn't do anything, except when it's too late? Now take a look at these stats here: most antiviruses don't even get 50% of all viruses released that month!!!!!!!!

So I believe in this
Look at this article.
and this

This is how I think it will be.

A file is opened: CAVS scans for viruses; if nothing is found, it checks whether the file is in the whitelist database. If not, it's prompted to you. This will lower the prompts and make you the securest possible.

Xan

Excellent Xan....

Slight change of the order:

A file is opened; check if it's in the whitelist; if not, then scan; if still unknown, ask the user.

This way, for all the whitelisted apps you don't need to waste CPU time by scanning them..

thanks
Melih

Luketan
« Reply #34 on: May 24, 2008, 07:50:01 PM »

Quote from: Melih on May 24, 2008, 09:24:10 AM
One thing you are not taking into consideration is: To generate a baddie, one does not need to program. Simply re-pack!! Whereas for goodies they always have to program.

You are kidding right? You can generate a goodie with exactly the same method!

Also I think we need to make a distinction between the theoretical number of goodies and baddies that *can* exist, and the ones that do exist and the user will encounter.

Unless a user is constantly packing malware and then running it, an average user will encounter more goodies than baddies easily.


Quote from: Melih on May 24, 2008, 09:24:10 AM
Your statement would be true if I had said unique baddies; however, we both know the number of variants (re-packed) out there is multiplying at a huge rate, and each variant is a baddie!

Define *huge*.

Luketan
« Reply #35 on: May 24, 2008, 07:52:16 PM »

Quote from: eXPerience on May 24, 2008, 05:45:17 AM
Why use technology from the old ages? Why use only blacklisting,

I say use BOTH. But I suspect CAVS will only have a small effort at blacklisting, cos they don't have the resources to do it.

Luketan
« Reply #36 on: May 24, 2008, 07:57:38 PM »

Quote from: Melih on May 24, 2008, 09:26:10 AM
Excellent Xan....

Slight change of the order:

A file is opened; check if it's in the whitelist; if not, then scan; if still unknown, ask the user.

This way, for all the whitelisted apps you don't need to waste CPU time by scanning them..

thanks
Melih

I have no beef with this (also some products like PC Tools and Prevx do this as well), but only if the blacklisting part is as good as the average antivirus. If it isn't, then it's pointless.

panic
« Reply #37 on: May 24, 2008, 11:00:16 PM »

Quote from: Luketan on May 24, 2008, 07:50:01 PM
You are kidding, right? You can generate a goodie with exactly the same method!

But who does that with legitimate software?

Quote from: Luketan on May 24, 2008, 07:50:01 PM
Also I think we need to make a distinction between the theoretical number of goodies and baddies that *can* exist, and the ones that do exist and the user will encounter.

Unless a user is constantly packing malware and then running it, an average user will encounter more goodies than baddies easily.

Which would seem to make whitelisting a good idea.

Quote from: Luketan on May 24, 2008, 07:50:01 PM
Define *huge*.

They probably define *huge* using similar methods to every other AV vendor that says there are *huge* numbers emerging. I'm not aware of any that say the problem is diminishing.


As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
eXPerience
« Reply #38 on: May 25, 2008, 03:02:45 AM »

Quote from: Luketan on May 24, 2008, 07:52:16 PM
But I suspect CAVS will only have a small effort at blacklisting, cos they don't have the resources to do it.
(****** that I'm even answering this.) Well, as you may probably not know, CAVS 1 had about 25-30% in tests, CAVS 2 in the beginning had 50% and is now running at 75% and more. So I think they really are trying to do that. You must know, new samples come in all day. Normal companies like Kaspersky, Avira, etc. only need to add them. But Comodo has to add the old ones too!!! This takes time; if you see their progress, I think they're on a good way.
Quote from: Luketan on May 24, 2008, 07:52:16 PM
I say use BOTH.
That's what they're going to do. Check whitelist, not there --> check blacklist, not there ---> ask user (and ask to send it)

Xan
« Last Edit: May 25, 2008, 07:23:55 AM by panic »

Melih
« Reply #39 on: May 25, 2008, 06:56:28 AM »

Quote from: Luketan on May 24, 2008, 07:50:01 PM
You are kidding, right? You can generate a goodie with exactly the same method!

Also I think we need to make a distinction between the theoretical number of goodies and baddies that *can* exist, and the ones that do exist and the user will encounter.

Unless a user is constantly packing malware and then running it, an average user will encounter more goodies than baddies easily.

Define *huge*.



The point you are missing: How many re-packed MS word executables have you seen in the wild?
how many zlob variants you have seen re-packed?

Nobody has a reason to re-pack a goodie and distribute it, but now even a 10-year-old kid can spread malware by simply repacking. The barrier to introduce baddies has been reduced drastically.

Melih

panic
« Reply #40 on: May 25, 2008, 07:16:51 AM »

Quote from: Melih on May 25, 2008, 06:56:28 AM
The point you are missing: How many re-packed MS Word executables have you seen in the wild?
How many Zlob variants have you seen re-packed?

Nobody has a reason to re-pack a goodie and distribute it, but now even a 10-year-old kid can spread malware by simply repacking. The barrier to introduce baddies has been reduced drastically.


Exactly my point when I said

Quote from: panic on May 24, 2008, 11:00:16 PM
Quote from: Luketan on Today at 10:50:01
You are kidding, right? You can generate a goodie with exactly the same method!

But who does that with legitimate software?

Ewen :-)
« Last Edit: May 25, 2008, 07:22:11 AM by panic »

Melih
« Reply #41 on: May 25, 2008, 08:29:34 AM »

Quote from: panic on May 25, 2008, 07:16:51 AM
Exactly my point when I said

But who does that with legitimate software?

Ewen :-)


snap...

You are right, Ewen.. sorry, missed your post.

Melih

Elvis_Maximus
« Reply #42 on: May 25, 2008, 01:36:15 PM »

Quote from: Melih on May 25, 2008, 06:56:28 AM
The point you are missing: How many re-packed MS Word executables have you seen in the wild?
How many Zlob variants have you seen re-packed?

Nobody has a reason to re-pack a goodie and distribute it, but now even a 10-year-old kid can spread malware by simply repacking. The barrier to introduce baddies has been reduced drastically.


You raise a good point, however I disagree that whitelisting is the "only way" of the future. Think about the end user. Not the end user that posts on this forum, mind you, the end user that has CAVS 3 installed on their system.

You may have a large whitelist compendium, yes, but you won't have everything. Say binary xyz.exe pops up, the end user doesn't know what it does and blocks it. Whoops, xyz.exe was the process for their new fancy game launcher (or some such thing). Well crap, now they have to dig through the program to try and whitelist that.

Many programs, when updated, actually do repackage their executable. Not everybody uses a perfectly modular format (sadly); if the end user updates their program and doesn't recognize the updated process name (let's face it, some of the process names really don't indicate what they actually are), under whitelisting they're supposed to block it. But once again, when they figure out it doesn't work, they'll have to go in and manually add it to the whitelist.

Now, let's take it a step further: the end user isn't going to know how / isn't going to want to do this themselves. What they will most likely do is make a quick stop here and post either ranting or asking for help on something that will seem very obvious. Or, they'll simply deinstall CAVS 3 and install another product.


The real method of AVs in the future isn't simply white listing. Whitelisting is a great approach, but by itself is only semi-effective. The future is in fact a combination of white listing and heuristics combined with black listing.

The heuristic should be used to analyze a file that the whitelist or blacklist doesn't know of; it should be a "fuzzy logic" (yay 90's buzz words!) heuristic. That is, it should give a result with a degree of certainty. For something that comes back somewhere around 90% or above, it should be automatically blocked (as it's PROBABLY just a repackage of another virus); for something that comes back below that, it should have a recommendation that you should block the program from executing (i.e., high risk). For something around 50% it should give no recommendation about blocking or not, but it should warn the end user that the file is of medium risk and recommend submitting it for further inspection from Comodo (where you could then forward it to a lab if you're using some sort of licensing on that end). Below that, it should indicate that it is low risk and can most likely be allowed to execute (but still pop up the dialog, just in case).

There are a few ways this could be done. If you're simply looking for repackages with your heuristic (which is honestly what you'll most likely find the most of), you can most likely use a relatively simple document searching AI (possibly using the semi-standard lexicon approach, I'm not an expert on the development of AIs however, I've just taken some classes in them) as these inherently provide "degrees" of matching, this can be used as your guidelines for allowing something to run, etc.


If you really, really, REALLY wanted to be evolutionary (pun intended), one approach that could potentially be used (although it might be fairly expensive in terms of both money and time) is evolving a genetic algorithm to detect viruses. While I'm not all that up on my genetic algorithms, I know that they have a very high success rate in terms of tasks that have definable and trainable sets of data (such as designing airplanes, which Boeing uses one for; also one notable example has been used to design signal amps with great success). One professor who I know has been contracted to do work of this sort (genetic AIs to do specific tasks) is Professor L. Darrell Whitley (whitley (at) c s. col ostate  . e  du TAKE THAT BOTS). But this of course is for far in the future, as it'd take a lot more research than is really feasible at this point. If this was a line of interest you'd be pursuing, most likely many other companies would be interested in the final product. In any case, this is all speculation!


Anyway, sorry for the wall of text and also if you're already using a semi-heuristic approach, just don't have a lot to do before I start my job (woohoo graduation last Saturday hehe).
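The three-stage flow Melih lays out in Reply #33 (whitelist first, then scan, then ask the user) and the fuzzy risk tiers Elvis_Maximus sketches above, as an added Python example that is not CAVS code or anything from Comodo. The sample "files", the 4-byte shingle Jaccard score used as the "degree of matching", and the 0.9/0.7/0.4 tier thresholds are all constructed assumptions.

```python
import hashlib
from typing import Dict, Set, Tuple

# Constructed sample "files" (not real binaries; "MZ\x90\x00" only mimics a PE header).
GOOD_LAUNCHER = b"MZ\x90\x00hypothetical-game-launcher 1.0: show menu, load profile, start engine"
GOOD_LAUNCHER_UPDATE = b"MZ\x90\x00hypothetical-game-launcher 1.1: show menu, load profile, start engine"
KNOWN_BAD = (b"MZ\x90\x00constructed-bad-sample: stage1 unpack, stage2 decode, "
             b"stage3 fetch update, stage4 register startup, stage5 report")
# A "re-pack" of the bad sample: one byte changed inside the signature region, so the exact
# signature no longer matches although almost all of the file is unchanged.
REPACKED_BAD = KNOWN_BAD.replace(b"fetch update", b"fetch_update")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stage 1: whitelist keyed by full-file hash (only launcher 1.0 has been vetted).
WHITELIST: Set[str] = {sha256(GOOD_LAUNCHER)}
# Stage 2: blacklist of exact byte signatures (constructed).
SIGNATURES: Dict[str, bytes] = {"Constructed.Bad.A": b"stage3 fetch update"}

def shingles(data: bytes, n: int = 4) -> Set[bytes]:
    """All overlapping n-byte windows of the file."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

# Stage 3: per-family shingle sets; Jaccard overlap is the assumed "degree of matching".
FAMILIES: Dict[str, Set[bytes]] = {"Constructed.Bad.A": shingles(KNOWN_BAD)}

def similarity(data: bytes) -> Tuple[str, float]:
    """Closest known family and its Jaccard score in [0, 1]."""
    s = shingles(data)
    best_name, best_score = "", 0.0
    for name, fam in FAMILIES.items():
        score = len(s & fam) / len(s | fam) if (s or fam) else 0.0
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score

def risk_tier(score: float) -> str:
    """Assumed thresholds modelled on the post: >=0.9 block, >=0.7 high, >=0.4 medium, else low."""
    if score >= 0.9:
        return "block"
    if score >= 0.7:
        return "prompt:recommend-block"
    if score >= 0.4:
        return "prompt:submit-sample"
    return "prompt:low-risk"

def classify(data: bytes, stats: Dict[str, int]) -> Dict[str, object]:
    """Whitelist first (no scan spent), then signatures, then heuristic; stats counts scans."""
    if sha256(data) in WHITELIST:
        return {"stage": "whitelist", "verdict": "allow"}
    stats["scanned"] = stats.get("scanned", 0) + 1
    for name, sig in SIGNATURES.items():
        if sig in data:
            return {"stage": "blacklist", "verdict": "block", "family": name}
    family, score = similarity(data)
    return {"stage": "heuristic", "verdict": risk_tier(score), "family": family, "score": score}

if __name__ == "__main__":
    counters: Dict[str, int] = {}
    for label, blob in [("launcher 1.0", GOOD_LAUNCHER), ("known bad", KNOWN_BAD),
                        ("re-packed bad", REPACKED_BAD), ("launcher 1.1", GOOD_LAUNCHER_UPDATE)]:
        print(label, classify(blob, counters))
    print("files actually scanned:", counters["scanned"])
```

The whitelisted launcher never reaches the scanner, the re-pack slips past the exact signature but lands in the auto-block tier, and the unvetted launcher update ends up as a low-risk prompt, which is exactly the case Elvis_Maximus worries about.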
Melih
« Reply #43 on: May 25, 2008, 08:17:36 PM »


Quote from: Elvis_Maximus on May 25, 2008, 01:36:15 PM
You raise a good point, however I disagree that whitelisting is the "only way" of the future. Think about the end user. Not the end user that posts on this forum, mind you, the end user that has CAVS 3 installed on their system.

Please read one of my blogs to see whether I say just whitelisting is enough or we need a layered approach.

thanks

Melih

Star Shadow
« Reply #44 on: May 26, 2008, 03:48:52 AM »

I was wondering if the whitelist is made up of all the software that people send to Comodo from CFP's My Pending Files thing. Is that how more D+ whitelist apps are added to each new version of CFP as well?

Cheers.