2 Scientific reasons why people get Malware infections

Relying on “Software” to detect something - Halting Problem is an undecidable problem

Explanation: An Antivirus software (no matter what type, from AI to heuristic, from behavior to static analysis…doesn’t matter…) can NEVER detect 100%!

Knowing this…your security posture is “Default Allow”…meaning:

Although you can never detect 100% of the malware (scientifically proven), you are still allowing “unknown files” to run because you didn’t detect them to be “bad”…

To further simplify this scientific explanation…Imagine a kid with a chocolate cake in a room…you tell him not to eat it…he doesn’t…until you leave the room! :slight_smile:

A piece of software can never tell if another piece of software has “halted” or “finished” execution, hence it can never find bad stuff 100% of the time…

Summary of the problem:

1) Using a Software to detect bad stuff
2) Using a “Default Allow” posture

The combination of the two is Infection!

Layman’s explanation https://www.quora.com/How-can-the-Halting-Problem-be-explained-to-a-layman

Quite informative! Thanks, Melih.

In other words:

  1. It is impossible for computers to do everything.
  2. We are dealing with infinity.
  3. Instead, we are able to perform approximations. Absolute detection is not possible.

PS:

“approximations” indeed! Knowing that all we have is “approximation”, running a “Default Allow” posture will result in certain infection.

Although this knowledge is 80+ years old, the Antivirus industry has obviously not read it! It’s like an Antivirus Industry vs Science kind of death match :slight_smile:

To put it simply, “Any Software (antivirus product) that detects another Software (malware, virus etc.)” is nothing but “approximation”.

AV’s can only detect what they have been “trained” to find, which doesn’t include all 0-Day (or even 0-minute) malware.

Exactly. On top of that they might not even find what they are “trained” to find, because they don’t know when the other software (malware) has “halted”. Unless they wait forever…in which case you still won’t have a detection. So what I am trying to say is, the code they recognize might come “after” the AV has made its decision thinking that the software (malware) has halted…

I think the problem is they read it but chose to ignore it. I prefer not to underestimate them. Why do it when they claim industry-leading research? No need. Using a “default allow” design is like saying “we know but do not care”. Even I can tell. :wink:

There is no doubt that ‘default deny’ is the best approach, the reason it’s not universally embraced is twofold I suspect…

  1. The existing anti-virus companies have built their businesses on detection and if you make that redundant (as you do with containment technology) their business model goes up in smoke. Since they can’t compete with ‘default deny’ their only response is to spread FUD (Fear Uncertainty and Doubt) about ‘default deny’.

  2. Users have come to expect detection as the best defence. This is mostly because it’s an active system; you’re actually looking for malware and users can readily understand how this helps them. Thus ‘default allow’ with detection is something most users can understand and even if you could convince them that detection can never be 100% effective they’d still feel as though they are doing something positive to stop malware. ‘Default deny’ and containment is largely a passive system; it doesn’t kill malware it just contains it. People like to feel that ‘they are doing something positive’ and detection gives them that good feeling. Relying on containment requires trust and people are generally not good with that…

So what you are saying is like in the 1960s people thought smoking was not harmful…even beneficial…:slight_smile:

Default allow, as insecure (compared to default deny) as it is, is much easier to use for most users and creates fewer complications; that’s why many users choose default allow instead of default deny.

Default allow means run everything unless it is in the “bad” list. Meaning someone (the AV companies) should maintain said “bad” list, and of course no AV company is capable of updating it fast enough, resulting in zero-day / zero-minute malware.

Default deny means the opposite: block (or ask about) everything unless it is in the “good” list (I know CIS uses a sandbox instead of blocking, but that creates other complications). And who is supposed to maintain that “good” list? The user? If he knew which programs are good, he wouldn’t need this whole default deny system. The company (Comodo)? If AV companies can’t possibly keep up with the malware files created every second…what makes you think any company is capable of keeping up with the far more numerous safe files created every second?

Yes, I know CIS sandboxes files until they’re found safe, but currently that can take years, not to mention you can currently only upload very small (by today’s standards) files. And I can add all the usability problems from the other thread (I assume Melih knows the one I’m talking about).

So, until you guys add Valkyrie to CIS, which is supposed to greatly speed up this whole unknown-file analysis (if I’m not mistaken), I’ll stay on Comodo Firewall + a regular AV…and the manual sandbox. It may not be as secure as default deny, but at least I won’t have to go through the CIS settings every time Steam updates one of the games, or an unsigned program updates, to make them work properly.
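The thread makes two separate technical claims: that a scanner which has to give up waiting for a program to halt is only an approximation (the Halting Problem argument at the top, and Melih’s point that the recognisable code may arrive after the AV has already decided), and that “default allow” runs whatever the scanner did not flag while “default deny” runs only what is on the good list (the definitions in the post above). The following toy model, added here as an illustration and not code from Comodo, CIS or anyone in the thread, puts both claims side by side. The “programs” are constructed tuples of toy instructions, the scanner is a bounded emulator with a step budget, the allow-list is keyed on a SHA-256 of the program bytes, and the sample names are made up.

```python
"""Toy model: a bounded scanner (an approximation) under default allow vs default deny."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    program: tuple  # constructed toy "code": a tuple of "delay" / "bad" / "halt"


def sample_hash(sample: Sample) -> str:
    """Hash of the program bytes; stands in for the file hash an allow-list keys on."""
    return hashlib.sha256(repr(sample.program).encode()).hexdigest()


def scan(sample: Sample, step_budget: int) -> str:
    """Bounded emulation: walk at most step_budget instructions.

    Returns "bad" if the bad action was observed within the budget, else "clean".
    The finite budget is what makes the verdict an approximation: a scanner cannot
    know whether the program has halted or is merely still running, so behaviour
    that shows up after it stops waiting is never seen.
    """
    for step, instr in enumerate(sample.program):
        if step >= step_budget:
            return "clean"  # gave up waiting; treated as if it had halted harmlessly
        if instr == "bad":
            return "bad"
        if instr == "halt":
            return "clean"  # really halted without doing anything bad
    return "clean"


def decide(sample: Sample, policy: str, allow_hashes: set, step_budget: int) -> str:
    """Default allow: run everything the scanner did not flag.
    Default deny: run only allow-listed files; everything else is contained."""
    if policy == "default_allow":
        return "block" if scan(sample, step_budget) == "bad" else "run"
    if policy == "default_deny":
        return "run" if sample_hash(sample) in allow_hashes else "contain"
    raise ValueError(f"unknown policy {policy!r}")


def host_infected(sample: Sample, decision: str) -> bool:
    """True if the bad action executed on the host rather than in containment."""
    return decision == "run" and "bad" in sample.program


STEP_BUDGET = 3  # how long the toy scanner is willing to wait for a halt

# Constructed corpus (hypothetical names): one known-good file, one malware sample
# that misbehaves immediately, one that waits longer than the scanner does, and
# one good but not yet allow-listed file.
CORPUS = [
    Sample("editor.exe", ("delay", "halt")),
    Sample("loud_malware.exe", ("bad", "halt")),
    Sample("patient_malware.exe", ("delay",) * (STEP_BUDGET + 1) + ("bad", "halt")),
    Sample("new_tool.exe", ("delay", "delay", "halt")),
]

# The "good" list only knows the editor; nobody has vetted new_tool.exe yet.
ALLOW_LIST = {sample_hash(CORPUS[0])}


def run_corpus(policy: str, step_budget: int = STEP_BUDGET, allow_hashes: set = ALLOW_LIST) -> dict:
    """Return {name: (decision, host_infected)} for every sample under the policy."""
    results = {}
    for sample in CORPUS:
        decision = decide(sample, policy, allow_hashes, step_budget)
        results[sample.name] = (decision, host_infected(sample, decision))
    return results


if __name__ == "__main__":
    for policy in ("default_allow", "default_deny"):
        print(policy)
        for name, (decision, infected) in run_corpus(policy).items():
            print(f"  {name:22} {decision:8} infected={infected}")
```

Under default allow the scanner catches loud_malware.exe but reports patient_malware.exe clean, because it stopped emulating before the bad instruction arrived, and the host runs it. Under default deny the same file is contained without the scanner ever being right about it, at the usability cost the later posts describe: new_tool.exe is contained too, even though it is harmless, until someone adds its hash to the good list. Raising the step budget (for instance to 10) lets the scanner see the delayed bad action, but any finite budget can be outwaited, which is the whole point of the Halting Problem argument.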

Who is to blame? Users like you and me? I don’t think so. If we acknowledge that “default allow” is not good, then what stops the industry from improving “default deny”?
My question remains: Does the AV industry care? Probably not. :-La

1 Reason why all people infected!

  • They click on everything foolishly :-La

Your mouse clicks matter. If you know how to click or use your PC, you won’t be infected no matter what you are using.
Use your brain, experience, etc.

Yes in a way, or the struggle to get seatbelts accepted in cars. I think that to get users to move away from ‘default allow and detection’ is also going to be a struggle. As I said, people generally want to feel that they are doing something positive, and detection feels like a positive action.

Perhaps you need to sell containment and default deny as a similarly positive action somehow? Perhaps you could tell people that you are detecting safe processes (which you do in a way with the whitelists and trusted installers) and thus forcing everything else into containment? I don’t think that highlighting the weakness of detection without replacing it with some other apparently proactive solution is going to persuade the average user to move away from pure detection.

I believe the main reason that “Default Deny” is not widely accepted is usability. The major problem with automatic containment of unknown files is that it is a type of false positive for all the “good” ones because most programs aren’t useful when run in containment because their results aren’t saved. This problem is made worse because getting unknown files added to a whitelist (so they become “good”) is NOT a quick process.

See https://forums.comodo.com/news-announcements-feedback-cis/there-is-no-algorithm-that-can-perfectly-detect-all-possible-viruses-t116845.0.html;msg843900#msg843900 for more information on automatically updating the whitelist.

To be exact, they’re saved in the sandbox. One of the problems is that when the file is found good, its “result(s)” will remain in the sandbox, so the “now good” file won’t be able to see / use them.