Detection vs Prevention: Your first line of Defense

To Prevent or Not to Prevent! That is the question!

Yeah, is it?

Yep! It is.

What are you preventing?
Global Warming?

No Silly… the Alien invasion! That’s what we are preventing…

Ok, be serious now… come on… tell me what is it you are talking about?

Honestly, we are going to Prevent Alien Invasion! Aliens that will take over your PC!! Stuff called Virus, Spyware, Malware, Rootkits and Trojans!

Thanks but no thanks!

No thanks to what?

I have my AV software so don’t need your stuff thanks but no thanks!

He he, that’s why I titled this article “To Prevent or not to Prevent”

And your point is?

My point is legacy technology AVs (like the ones you have today) do not Prevent!

Why do you say that Melih, the AV I have detected many viruses on my machine!

Exactly the point! It “detected”! There is a BIG difference between

DETECTION vs PREVENTION!

Tell me more…

Ok here is a question: How can you detect there is a cold draft in the room if you don’t know what cold feels like? How can you detect there are bacteria in your blood stream if you don’t know that the thing you detected is a bacterium? Detection requires knowledge of what is to be detected… Let me give you an example… Police force and criminals… Imagine each police force in each country is a different AV company.

Police Force is your Legacy AV. Police forces in different countries are different AV providers. Now let’s play the game of Police vs Criminal (by the way, here is a game you can play: Comodo Game – Agent C – Intrusion Prevention):

Ok

Let’s start the game by first tasking the police force with finding (that would be Detection in Legacy AV terms) a murderer!

Ok that should be easy, get the photo of the murderer, track his/her credit card spending, get his cell number and track his whereabouts, get his car registration number and distribute to the police force, that will get the sucker in no time!!

Yes it will, but isn’t it too bloody late for the victim already? Where was the police force while the victim was being killed?

Hmm… you have a point there

What if you had the luxury of living and interacting with people who you knew 100% had no criminal intent! Imagine an environment created by you, for you, in which you only deal with people that you know and trust! There would be no crime, would there!

No there wouldn’t be, unless they didn’t do what I told them, he he!
But isn’t this unrealistic to expect, Melih? I mean come on…

Yes it is unrealistic to expect of humans! But computers and software are a different ball game altogether!

What do you mean?

Well, we have no way of knowing what people are going to do nor of predicting their future actions; someone who seems nice one minute turns into a serial killer in a few years etc… it’s a wild world out there… But Software doesn’t have the brains to turn against you! Imagine your Word program turning into an axe murderer!

That would be funny to see your Word application with an axe running after you he he, and imagine the liability on M$, that would be a costly exercise cleaning up the mess from this. I guess they could employ the same lawyers that OJ got :)!

Do you see my point though? An application that is good (usually coming from a credible vendor) ain’t going to turn against you!

Yeah I see that, but what was your point?

My point is that an environment where you only interact with good people is possible within the computing world (even though not possible in the physical world with humans). Because once you classify a piece of software as good, then you know it’s good; it ain’t going to change its mind and be a baddie!

Ok get that point… and you are going where with this?

Patience grasshopper, patience…

So you agree that we can classify Software as good.

Yes

Yawning……

Am I boring you?

No sorry, just had a late night last night, that’s all… please carry on… I am learning…. Yawning…

Ok, no problem. Now that you agree that we can classify software as good, why not create a platform whereby we only allow Good applications to run on our PC?

Huh? So are you telling me that at the moment we don’t do that and allow any and every application, good or bad, to run on our PCs?

Goooooddddddd mooorrrrnnniiinnngggggg Vietnam!!! (was a good movie btw)

That is exactly what I am saying! Today we just let everything run! Today we use Legacy AV that only knows “known” Murderers, which means the damage is done already! A new murderer will always make his/her way to their next victim because the Police force can’t stop them! Just like AVs, they can’t stop new malware because they don’t know what that malware looks like. That is called a Signature…

Signature? Is that the thing that gets updated with my legacy AV that I pay them for? I think it’s called Signature Updates, right?

Yep, that’s right. Legacy AV companies get reports of malware and they take a snapshot of it (just like the Police force distributes the MugShot of a criminal) and distribute it to end users as a “Signature Update”. But wait… for it to be reported as malware, it must be doing some Bad stuff to someone, right?

Actually you are right, so for the malware to be malware it must have caused the damage already; how could it be reported as malware otherwise?! It’s not as if the guy who writes this malware will simply email the Legacy AV vendors and say, hey, I just wrote this malware and here it is, protect your users before I unleash it on them! It would be good though if they did that, he he

Yep, now you are getting it!

So where do they get the malware from?

Usually from end users who get the malware and notice that there is something wrong with their machine. Then the Legacy AV companies will create the signature and update their signature database for end users.

So if it’s new malware, then legacy AV doesn’t detect it, right?

Yep, that is right; after all, how can it? There have been some attempts to create heuristics (which are glorified signatures) that don’t really work, but all in all if the malware is new, then it usually gets through. The guys who write this malware usually test their creations against the Legacy AVs to make sure none of them catch it before they unleash it. That’s how they cause the damage!

So now you know the limitation of “Detection” based technology!

Do i?

I bloody hope so, I have been explaining it for the last hour!!
Let me recap it: The problem with detection is that it really can’t stop new malware because it doesn’t know that it’s malware!

Ah yes of course I now know that! What do you think I am, Melih? That was bloody obvious even before you started explaining all this! He he…

Yeah right…
Anyway… that’s why there are still millions of people suffering from malware, because new malware is being created all the time! And by the time new malware is found by the Legacy AV providers, the damage is done!

So how do you protect? Just unplug the PC from the Internet?

Yes, that’s one solution! However there is a better alternative. As I said above, why not only let the Good applications run on your machine and deny any CPU time to everything else?

Stop getting techie on me Melih, I will smack you if you get techie on me again, he he!!

Alright alright… let me explain,

How can malware cause damage, do you know?

Urgh, No! how?

Well, it needs to be run (executed). That happens by running something on the CPU, i.e. it’s getting CPU time; this is like food to malware, without it it can’t survive.

Survival Guide comparison would be:

Humans = Food & Drink & Air (etc)
Malware = CPU Time

I see, so unless malware is executed (run) then it can’t cause damage, get it!

So why not create a new Platform where only the good applications will get CPU time?

You mean like CFP v3, he he!

Yes, how do you know that?

Just read it in one of the posts you put out

So anyway, yes, create a platform where you only let “Known Good” applications run. This way we only let the good apps run and deny everything else, and that gives you protection precisely because it denies everything else! Yes, deny any known or, more importantly, any unknown new malware!

Nice…

You see that’s Prevention!! Do you see the difference between Detection vs Prevention now?

Detection = works only if it knows the malware, and by the time it gets to know the malware it’s too late and the damage is already done!

Basically, you don’t wanna know these buggers, do you really! And with millions of them sprouting everywhere, trying to get to know them all is a difficult thing.

That’s a very good point indeed! If you look at how many good applications are out there and compare it with bad ones, you will see that the bad ones are growing very rapidly! And after all, which is easier to find? A good one or a bad one?

Well, a bad one, after it has caused the damage, because it makes the headlines and becomes big news everywhere, he he

You are right, but it’s too late for many of its victims! It’s much easier to find the good applications and create a “Safelist”! Instead of building a list of bad stuff, which you can only get after they have caused the damage, why not build a list of good applications. Then set your computer so that it will only allow good applications and deny everything else.

Ok, you convinced me. That makes sense.

This is called a

Default Deny system - Prevention: where you deny everything but the known good applications

Default Allow system - Detection: where you allow everything then try to figure out if any of those was a baddie or not (yes, a bit late when you realize this :))

This is the power of Prevention over Detection! It protects you from ANY malware!

Cool, now I understand why I need Prevention as my first line of defense against malware and not Detection!

Indeed, this is a Paradigm Shift in the way we think and protect ourselves!

Our first line of defense against malware is now Prevention and NOT Detection!

Thanks

Melih

that was a long post, but it was a pleasure to read

only one problem on the prevention method. for anyone who doesn’t download or install any new software that’s fine, but as soon as we download new software or an update we need to click it to execute it and if it contains an unknown malware then we are buggered lol.

also recently movie files like divx are now getting infected with malware/trojans that are unknown, the only way we find out the file is infected is when we click on it to watch it no?

prevention or detection then is not going to help us till after we execute the file and even then if it’s an unknown malware that none of our software including firewall CFP knows about then we are going to get infected.

But anyway I am anxious to try CFP 3. can’t wait for a stable version to be released that will work without probs and issues on my computer. because one more layer of protection that won’t impact on my computer’s performance and cause probs is just a good thing ;D

anyway nice article Melih

Very good points Ron_75, let me address them

Point 1) You willingly allowing new software that turns out to be malware: This is why we have created the world’s largest safelist! We are trying to improve our response times, but you can always submit any files you are not sure of for us to analyse and either add to our Safelist or blacklist!

Point 2) something being hidden in something else: Well actually v3 will catch that! When you execute it you will see that other things are attempting to execute, and then you will know that you didn’t ask for this “extra” software. You just wanted to watch a movie :slight_smile:

But a very important thing that we shouldn’t miss is the effect of Prevention being the first line of defense! Imagine how many more machines will be malware free because they won’t be hit by drive-by downloads etc.

thanks for reading it though :slight_smile:

Melih
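The two policies Melih contrasts in the article (a signature blacklist under Default Allow versus a safelist under Default Deny), together with Ron_75's objection about freshly downloaded software and Melih's safelist-submission answer, as an added illustration in Python. This is example code written for this page, not Comodo's code and not anything posted in the thread; the four "files" are constructed byte strings with made-up names, and a SHA-256 of the contents stands in for an AV signature or a safelist entry.

```python
import hashlib

# Constructed stand-ins for executables: the bytes are made up, not real programs.
SAMPLES = {
    "wordproc.exe":      b"GOOD: word processor from a known vendor",
    "old_worm.exe":      b"BAD: worm that has already been reported to AV vendors",
    "new_trojan.exe":    b"BAD: brand-new trojan nobody has reported yet",
    "vendor_update.exe": b"GOOD: legitimate update that is not on any list yet",
}


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file contents, used here as the file's identity
    (the role an AV signature or a safelist entry plays in the article)."""
    return hashlib.sha256(data).hexdigest()


# Detection side: a signature can only exist for malware someone has already reported.
BLACKLIST = {fingerprint(SAMPLES["old_worm.exe"])}
# Prevention side: the safelist of applications already classified as good.
SAFELIST = {fingerprint(SAMPLES["wordproc.exe"])}


def default_allow(data: bytes, blacklist: set[str]) -> str:
    """Legacy AV policy: everything runs unless it matches a known-bad signature."""
    return "BLOCK" if fingerprint(data) in blacklist else "RUN"


def default_deny(data: bytes, safelist: set[str]) -> str:
    """Safelist policy: only known-good code gets CPU time; anything else,
    known bad or never seen before, is denied."""
    return "RUN" if fingerprint(data) in safelist else "BLOCK"


def compare(samples=SAMPLES, blacklist=BLACKLIST, safelist=SAFELIST) -> dict[str, dict[str, str]]:
    """Verdict of both policies for every sample, keyed by file name."""
    return {
        name: {
            "default_allow": default_allow(data, blacklist),
            "default_deny": default_deny(data, safelist),
        }
        for name, data in samples.items()
    }


def approve_after_review(data: bytes, safelist: set[str], reviewed_as_good: bool) -> set[str]:
    """The safelist-submission step from the replies: an unknown file stays blocked
    until someone classifies it, and only a file reviewed as good is added.
    Returns a new safelist; the original is left untouched."""
    updated = set(safelist)
    if reviewed_as_good:
        updated.add(fingerprint(data))
    return updated


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:18} detection={verdicts['default_allow']:5} prevention={verdicts['default_deny']}")
    # Ron_75's case: the unknown-but-legitimate update is blocked until it is reviewed and safelisted.
    reviewed = approve_after_review(SAMPLES["vendor_update.exe"], SAFELIST, reviewed_as_good=True)
    print("vendor_update.exe after review:", default_deny(SAMPLES["vendor_update.exe"], reviewed))
```

Running it shows the asymmetry the article is about: the blacklist catches only `old_worm.exe` and lets the never-reported `new_trojan.exe` run, while the safelist blocks both. The price is visible in the fourth row: `vendor_update.exe` is also blocked until it has been reviewed, which is exactly the usability cost Ron_75 raised and the reason a default-deny product needs a fast classification path.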

Melih,

As always, any method ultimately relies on the user - might be best to ‘unplug’ the user!

Some files can be good but used in a bad way; example:

I use SuperKeys; it drops text into a document in response to a trigger key and keyphrase, e.g. /at will give my address and phone no.
Now, obviously it has a keyboard hook for its .dll. This, quite rightly, is detected by antimalware programs and firewalls as ‘bad’.
After some research and e-mails to the author, it appears that the .dll is also misused in malware (as are many other things).
If I approve the .dll when SuperKeys starts, then there’s another app that I’m trying - seems to be OK - that also uses the .dll (as part of its function) but for nefarious purposes as well, what happens? The .dll and its actions have been OK’d, but now…!

These types of attacks rely on either DLL injection or hooking, and both are caught and prevented by CFP v3.

thanks
Melih

I agree 100%. I also like your business model, only fly in the ointment - you need a working product. I have sampled several versions of your software on recommendation and reputable reviews but haven’t found one that actually works. None of them accept even the most well known applications nor do they recognise other applications produced by yourselves and even when disabled my internet connection remains hors de combat. I have to uninstall and manually clean the registry. I am in a quandary as the reason I have been trying your products is that a number of your competitors have become completely unusable as well. Yes I could spend hours trawling forums, reading manuals and tweaking settings but I actually want to use my PC for work. It is a tool. I expect software to work out of the box with minimum configuration and maximum transparency of use. Detection after the fact may be second best in theory but I know of a good selection of products that actually work and the option of dual booting Linux. You are looking to create a virtuous circle, but if your software is non functional how trustworthy are your certificates? I wish you luck but you have shot yourselves in the foot and I will be making my experiences known in other fora. Steven C Watson

Steven

Detection is over 20 years old technology; our prevention is only a few days old!
If you are referring to v3 and some of the bugs in it, we are doing an update this week with fixes. Our V2 is a rock solid product loved and used by millions and I have no doubt V3 will exceed that.

I also find it interesting for you to bring our certificate business into the equation because a newly launched product of ours has bugs. I don’t get your logic at all, can you please explain? I would love to hear your logic about the relationship between v3 of our firewall having some bugs for some people and this meaning untrusted certificates?

Melih

i like the game

Many thanks for the explanation about what your program is setting out to achieve. New ideas and concepts always scare people at first but they soon take it as the norm. I think some people may have problems (me included) in trusting something we know very little about, but the fact comodo has a proven track record in delivering only the best will, I hope, make people stick with this product. As for the certification process, methinks if any company certified a product that turned out to be duff that company would be “dead man walking”. I think this is just a red herring as the two things have little or no connection.

V3 working fine on my computer (i think? lol) so many thanks to Melih and all.

regards Matty

Thank you Matty :slight_smile:

Melih

Melih, I’m using CPF v3 and i love it a lot (i loved v2.4 a lot too ;)) and my question is:
Will CAV be efficient with RAM and CPU usage like CPF v3?? :smiley: :smiley: :smiley:
CPF v3 is incredible, only a few Kb

I really hope so!! (hey CAV team… read this!!!) :slight_smile:

Melih

Hi Boss,
I read the news release about CPF3 and I get the impression that it is a total security solution, and I would not be needing CAVS or BOCLEAN as well.
Is that right or am I barking up the wrong tree?
Cheers

It is right! It is a total security solution.
However we also say, Layered Defense is the way forward.

But A-VSMART technology in the V3 is about making sure you don’t get malware into your machine in the first place!

Melih

Hey Melih

Looks like some others are finally waking up to the “Detection doesn’t work” reality… http://www.darkreading.com/document.asp?doc_id=143424&f_src=drweekly
… and it only took them what? 1 or 2 additional years?

Thanks for the heads up!

If it looks like a duck, walks like a duck and quacks like a duck…

There is a billions-of-dollars industry here and it will take them time to admit publicly that what they make $billions from doesn’t cut it in the current market.

But one can only bury their hands in the sand for a time, otherwise they will suffocate…

Melih

First Hello :slight_smile:
it’s nice to see more commercial companies coming up with ideas on how to cross-finance entirely free consumer software projects and still not hurt their business with it; i think Comodo has a head start here against many established Windows Security ISVs indeed.
The State of the Art Prevention instead of Detection approach shows that and is really needed, but not only on the software level; also on the OS level itself prevention in the future is vital against all the newly coming malware threats, especially type 2 and 3 malware.
In the future those will play a big role, but then also Comodo’s approaches here will show their first weaknesses against these completely new threats, as Joanna Rutkowska and others are trying to prevent in their research, and who knows, maybe even Comodo will be a known name in this research field in the future :wink:
Though for the time being Comodo’s Firewall even without its SPI functionality seems to be a perfect gift for the average consumer to protect their old OSes better from today’s threats, so the new generation of those prevention systems can be developed at the same time.
And all this for free; i really have to take my hat off in front of you Melih and the entire Comodo staff, even if i think a closed source approach isn’t really the right way to go here for fast and the most efficient prevention results, but who knows, maybe we gonna see a CFP OSS (a real community approach) version soon. Think about it Melih, think about the name Comodo from one day to the other the biggest everywhere and even in OSS Security; this would be a big WIN/WIN/WIN for you guys im sure. i see you already looking out for good staff in that direction (acquiring nsclean (boclean)); my advice, bring those guys to you, that’s much easier than always looking out for who you could buy next, and yeah OSS is best suited for that.

PS: Where is the labs.comodo.com

Thanks for the post Kolosos :slight_smile:

Actually as it happens only last week we were talking about exposing all the R&D we do as people don’t realise just how much R&D Comodo does and it would be simply mind blowing to expose it all. :slight_smile:

thanks
Melih

Hi Melih.
I see comodo firewall is a good piece of software. Besides that I use comodo memory firewall and no other security product. I would like to know if it is safe to use Internet Explorer 7 on vista home premium, or is it better to stick with Firefox anyway. I do not know if comodo firewall will protect me when/if I visit a malicious website from that malware that silently installs without my consent.
Can you enlighten me about this please.
thanks
Tomy

With CPF v3 and Comodo Memory Firewall it will be very (VERY) hard for anyone to silently install anything without you knowing about it! :slight_smile: Enjoy your surfing!

Melih