A user friendly approach to the sandbox

"Now, with Avast 6.0 (which is coming sooner than you may think), it’s a different story. Avast 6.0 will feature the in-the-cloud heuristics based on the age/prevalence data (as suggested above by sded) as well as new stuff related to the use of our sandbox. But, instead of using the “default deny” paradigm that Comodo is trying to advertise so much, avast will work differently. It will rely on its heuristics engine to make decisions whether an executable file should run sandboxed or not. Let me explain this in a bit more detail. Currently, the outcome of the scan is pretty much binary - either the file is called “clean” (and is allowed to run), or it is flagged as “infected” (and appropriate actions are applied - and the file isn’t allowed to run). This also applies to heuristics detections. Now in avast 6.0, the outcome could also be “potentially infected, use extreme caution” and this case, when talking about an on-exec scan, will (by default) be handled by sending the file into the sandbox. If the program is legitimate, it has a good chance of running OK inside the sandbox (and of course you, as a user, can always override the decision and run it normally). And if it’s really malware, avast has just saved your ■■■■.

There are many other minor things that make up these changes (such as further emphasis on the Behavior Shield when making these heuristics decisions, i.e. taking into account full context info) but this is, at a glance, how it’s going to work. What may be of special interest, also, is that this is how it’s going to work even in the free version (which means that the core functionality of the sandbox will likely be moved to the free AV)."


Should Comodo do the same, at least as an option in the configuration, improving the heuristics and using them in “high”?

Using heuristics to determine what will run in the sandbox or not will help them, but as we all know, heuristics can be fooled just as behavior blockers can be. If they make it too sensitive, everything will be placed in the sandbox; if they don’t make it sensitive enough, lots of malware will not be sandboxed.

I think sooner or later more and more vendors will start copying Comodo; they are starting to realize that detection (signatures, behavior blocker, heuristics, etc.) will never be enough. I can tell you that soon most security suites will turn into whitelisting applications.

I’m sure that can be done much better than you think. Of course malware can bypass the heuristics, but a normal user will not get one or two popups every single time he executes a not very common piece of software for the first time.

Also, Comodo is bypassed almost every week that I know of, due to the problems of whitelisting certificates.

The cloud heuristics are based on the age/prevalence data; they are not simple like the local heuristics that Comodo has.

The only real problem with the age/prevalence model is that new versions of legitimate apps would fall under the “new” banner and possibly be classed as suspicious, whereas a rapidly spreading form of malware would quickly gain a higher prevalence indicator and possibly be flagged as OK.

Fingers crossed Avast! gets the mix right on their heuristics. They’re heading in the right direction, just travelling a slightly different path to Comodo. Doesn’t mean it’s wrong, just that it’s different.

Just my $0.02

Ewen :slight_smile:

Careful with those Comodo-colored glasses. ;D

Comodo’s detections, heuristic or otherwise, when used to determine what is or isn’t sandboxed, may not have helped Comodo. In relation to Avast? Of little relevance. These Avast guys aren’t exactly rushing into this in order to fix a fundamental flaw. As you told me recently, “Avast first released its protect in 1988”. Neither are their CEO and CTO renowned for gushing with unbridled promises or press statements.

Please enlighten us as to which is/are implementing default sandboxing of everything not white-listed?

Lol, other vendors were aware of the fact that static signatures alone are not enough when they first implemented heuristics. Not sure which company did this first, but they did, and pretty much all of them use some form of it these days. Comodo is also proof that even though their concept should be 100% in theory, it’s not. First because of stolen valid certificates, and second because enforcements aren’t 100% either. Plus the sandbox can cause some headaches for legit programs…

Sometimes malware uses stolen valid certificates and can bypass CIS without any trouble. Also, a lot of safe vendors aren’t (yet) included in the Trusted Vendors list, which can be annoying if CIS sandboxes them all.