We volunteered for CAVS to be tested by http://www.av-comparatives.org/ to see its 2nd line of defense (Detection). CAVS 2 came out around 42%, v1 was 27%.
Why did we volunteer:
1) We've got nothing to hide from our users, good or bad!
2) We care more about prevention than detection! After all, CAVS 2 stops more malware than all the other AVs can detect, so we are happy that we are protecting our users and not charging them for a product that we know will definitely fail when the next new malware hits the streets.
3)Even though detection is 2nd line of defense in our architecture, we still want everyone to see how we will improve slowly but surely in that area and will become one of the best.
The HIPS is supposed to ask you before you run a program, right, excluding programs in the safelist? That doesn’t really add any “prevention” because if it’s not in the definitions or caught by the heuristics, then the user won’t know it’s malware. And, if all it does is catch executions, it doesn’t really help because the user wouldn’t have downloaded it in the first place if they knew the file was malware. It’s more of an annoyance layer than a prevention layer.
Valid point: however, that depends on how big your safelist is…
If you have a large enough safelist… then most likely, the only time you should see the warning from HIPS is when something is wrong…
Just ask yourself: how many times a day does an average user execute new applications on their machine? Not many! And if we have a big safelist…
But if all the safelist does is exclude items, then that still doesn’t serve any purpose. It would only serve to take up more space. You’re not supposed to run any program not on the safelist? What about some inconspicuous SourceForge program that’s buried on page 283 but still serves a great purpose? A normal user won’t know to submit it, they’ll just randomly scream “OMG MALWARE”. Also, I don’t see any instruction in CAVS that that’s what you’re supposed to do, if it is. And if you’re not, then, again, what is the point of HIPS?
The last sentence is a great concept but it uses a flawed means of getting there. Instead of adding what is essentially a panic layer, annoyance layer, and bloat layer why not use your awesome technology to make the best heuristics in the world? HIPS seems old-fashioned and ineffective compared to a technology that could analyze behaviour.
Before I explain why I think that (yes, I do have one), may I ask you a question?
The whole idea of the HIPS is essentially don’t run any program not on the safelist? Is that what it essentially boils down to?
It's about controlling resources that could cause damage.
e.g. if Uranium is a resource that could be used against us, then it should be well controlled and we shouldn’t allow access to anyone unless authorised.
The only way malware could do damage is if it gets CPU time and executes some code.
So, by only allowing safe ones execution privilege you mitigate the risk of malware causing damage.
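To make the two architectures argued over in this thread concrete, here is an added example that is not Comodo's code and not from the original posts. It models a detection-only product (default-allow: block only what the signature database recognises) beside a safelist-driven HIPS (default-deny: known-bad is blocked, known-good runs silently, anything else prompts the user), using SHA-256 hashes of constructed sample "files" rather than real binaries. The file names, hash sets and the `prompt_rate` helper are assumptions made for illustration.

```python
import hashlib

# Constructed sample "executables": name -> contents (not real binaries).
SAMPLE_FILES = {
    "notepad.exe": b"trusted editor build 1.0",                # known good
    "oldworm.exe": b"known malware sample A",                  # has a signature
    "newworm.exe": b"brand new malware, no signature yet",     # zero-day
    "sfproj.exe":  b"obscure but legitimate sourceforge tool", # unknown, benign
}


def sha256(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


# Constructed safelist (known-good hashes) and signature DB (known-bad hashes).
SAFELIST = {sha256(SAMPLE_FILES["notepad.exe"])}
SIGNATURES = {sha256(SAMPLE_FILES["oldworm.exe"])}

ALLOW, BLOCK, PROMPT = "allow", "block", "prompt"


def detection_only(data: bytes) -> str:
    """Default-allow: only executables with a signature are stopped."""
    return BLOCK if sha256(data) in SIGNATURES else ALLOW


def safelist_hips(data: bytes, safelist=SAFELIST) -> str:
    """Default-deny: signatures first, then the safelist, then ask the user."""
    h = sha256(data)
    if h in SIGNATURES:
        return BLOCK
    if h in safelist:
        return ALLOW
    return PROMPT  # unknown code gets no CPU time until the user decides


def compare(files=SAMPLE_FILES) -> dict:
    """Decision of each architecture for every sample file."""
    return {name: (detection_only(d), safelist_hips(d)) for name, d in files.items()}


def prompt_rate(files, safelist) -> float:
    """Fraction of executions that raise a HIPS prompt; shrinks as the safelist grows."""
    prompts = sum(1 for d in files.values() if safelist_hips(d, safelist) == PROMPT)
    return prompts / len(files)


if __name__ == "__main__":
    for name, (det, hips) in compare().items():
        print(f"{name:12s} detection-only={det:6s} safelist-HIPS={hips}")
    bigger = SAFELIST | {sha256(SAMPLE_FILES["sfproj.exe"])}
    print("prompt rate, small safelist:", prompt_rate(SAMPLE_FILES, SAFELIST))
    print("prompt rate, larger safelist:", prompt_rate(SAMPLE_FILES, bigger))
```

The zero-day sample shows the point of the prevention layer: detection-only lets `newworm.exe` run because nothing recognises it, while the safelist model withholds execution and prompts. The obscure SourceForge tool shows the cost the reply raises: it also prompts, and the prompt disappears only once the safelist is extended to cover it.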