To Prevent or Not to Prevent! That is the question!
Yeah, is it?
Yep! It is.
What are you preventing?
No Silly… the Alien invasion! That’s what we are preventing…
Ok, be serious now… come on… tell me what is it you are talking about?
Honestly, we are going to Prevent Alien Invasion! Aliens that will take over your PC!! Stuff called Virus, Spyware, Malware, Rootkits and Trojans!
Thanks but no thanks!
No thanks to what?
I have my AV software so don’t need your stuff thanks but no thanks!
He he, That’s why I titled this article “To Prevent or not to Prevent”
And your point is?
My point is legacy technology AVs (like the ones you have today) do not Prevent!
Why do you say that Melih, the AV I have detected many viruses on my machine!
Exactly the point! It “detected”! There is a BIG difference between
DETECTION vs PREVENTION!
Tell me more…
Ok here is a question: How can you detect there is a cold draft in the room if you don’t know what cold feels like? How can you detect there is a bacteria in your blood stream if you don’t know that thing you detected is a bacteria? Detection requires the knowledge of what they will detect… Let me give you an example… Police force and criminals… Imagine each police force in each country is a different AV company.
Police Force is your Legacy AV
Police force in different countries is different AV providers, now let's play the game (by the way, here is a game you can play: Comodo Game – Agent C – Intrusion Prevention)
Of Police vs Criminal…:
Let's start the game by first tasking the police force with finding (that would be Detection in Legacy AV terms) a murderer!
Ok that should be easy, get the photo of the murderer, track his/her credit card spending, get his cell number and track his whereabouts, get his car registration number and distribute to the police force, that will get the sucker in no time!!
Yes it will be but isn’t it too bloody late for the victim already? Where was the police force while the victim was being killed?
Hmm… you have a point there
What if you had the luxury of living and interacting with people who you knew for 100% had no criminal intent! Imagine an environment created by you, for you, in which you only deal with people that you know and trust! There would be no crime, would there!
No there wouldn’t be, unless they didn’t do what I told them, he he!
But isn’t this unrealistic to expect Melih? I mean come on…
Yes it is unrealistic to expect of humans! But computers and software are a different ball game altogether!
What do u mean?
Well, we have no way of knowing what people are going to do nor predict their future actions, someone who seems nice one minute turns a serial killer in few years etc… it’s a wild world out there… But Software doesn’t have the brains to turn against you! Imagine your word program turning into an axe murderer!
That would be funny to see your Word application with an axe running after you he he, and imagine the liability on M$, that would be a costly exercise cleaning up the mess from this. I guess they could employ the same lawyers that OJ got :)!
Do you see my point though? An application that is good (usually coming from a credible vendor) ain’t going to turn against you!
Yeah I see that, but what was your point?
My point is that Environment where you only interact with good people is possible within the computing world (even though not possible in the physical world with humans). Because once you classify a software as good, then you know its good, it ain’t going to change its mind and be a baddie!
Ok get that point… and you are going where with this?
Patience grasshopper, patience…
So you agree that we can classify Software as good.
Am I boring you?
No sorry, just had a late night last night, that’s all… pls carry on… I am learning…. Yawning…
Ok np. Now that you agree that we can classify the software as good, why not create a platform whereby we only allow Good applications to run in our PC?
Huh? So are you telling me that at the moment we don’t do that and allow any and every application good or bad to run in our PCs?
Goooooddddddd mooorrrrnnniiinnngggggg Vietnam!!! (was a good movie btw)
That is exactly what I am saying! Today we just let everything run! Today we use Legacy AV that only knows “known” Murderers, which means the damage is done already! A new murderer will always make his/her way into their next victim cos Police force can’t stop them! Just like AVs they can’t stop new malware, cos they don’t know what that malware looks like. That is called a Signature…
Signature? Is that the thing that gets updated with my legacy AV that I pay them for? I think its called Signature Updates right?
Yeap, that’s right. Legacy AV companies get reports of malware and they take a snapshot of it (just like Police force distributes the MugShot of a criminal) and distribute it to end users as a “Signature Update”. But wait… for it to be reported as a malware, it must be doing some Bad stuff to someone right?
Actually you are right. So for the malware to be a malware it must have caused the damage already, how could it be reported as malware otherwise?! It's not as if the guy who writes this malware will simply email the Legacy AV vendors and say, hey, I just wrote this malware and here it is, protect your users before I unleash it on them! Would be good though if they did that, he he
Yep, now you are getting it!
So where do they get the malware from?
Usually from end users who get the malware and notice that there is something wrong with their machine. Then the Legacy AV companies will create the signature and update their signature database for end users.
So if it’s a new malware, then legacy AV doesn’t detect it right?
Yep, that is right, after all how can it? There have been some attempts to create heuristics (which are glorified signatures) that don't really work, but all in all if the malware is new, then it usually gets thru. The guys who write these malware usually test their creations against the Legacy AVs to make sure none of them catch them before they unleash it. That's how they cause the damage!
So now you know the limitation of “Detection” based technology!
I bloody hope so, I have been explaining it for last hour!!
Let me recap it: The problem with detection is that it really can’t stop a new malware cos it doesn’t know that it’s a malware!
Ah yes of course I now know that! What do you think I am Melih? That was bloody obvious before you even started explaining all this! He he…
Anyway… that's why there are still millions of people suffering from malware, cos there is new malware being created all the time! And by the time a new malware is found by the Legacy AV providers, the damage is done!
So how do u protect? Just unplug the PC from the Internet?
Yes, that’s one solution! However there is a better alternative. As I said above, why not only let the Good applications run on your machine and deny any CPU time to everything else?
Stop getting techie on me Melih, I will smack you if you get techie on me again, he he!!
Alright alright… let me explain,
How can a malware cause a damage do you know?
Urgh, No! how?
Well it needs to be run (executed). That happens by running something in the CPU, i.e. it's getting CPU time. This is like food to malware, without it it can't survive.
Survival Guide comparison would be:
Humans = Food & Drink & Air (etc)
Malware = CPU Time
I see, so unless a malware is executed (run) then it can’t cause a damage, get it!
So why not create a new Platform where only the good applications will get CPU time?
You mean like CFP v3, he he!
Yes, how do u know that?
Just read it in one of the posts you put out
So anyway, yes create a platform where you only get “Known Good” applications run. This way we can only let the good apps run and deny everything else, that will get you a protection in a way that it will deny everything else! Yes deny any known or, more importantly, any unknown new malware!
You see that’s Prevention!! Do you see the difference between Detection vs Prevention now?
Detection= works only if it knows the malware and by getting to know the malware means its too late and damage is already done!
Basically, you don't wanna know these buggers, do you really! And with millions of them sprouting everywhere, trying to get to know them all is a difficult thing.
That's a very good point indeed! If you look at how many good applications are out there and compare it with bad ones, you will see that the bad ones are growing very rapidly! And after all, which is easier to find? A good one or a bad one?
Well bad one, after it has caused the damage, cos it makes the headlines and becomes a big news everywhere, he he
You are right, but it's too late for that for many of its victims! It's much easier to find the good applications and create a “Safelist”! Instead of building a list of bad stuff, which you can only get after they caused the damage, why not build a list of good applications. Then set your computer so that it will only allow good applications and deny everything else.
Ok you convinced me. That makes sense
This is called a
Default Deny system (Prevention): where you deny everything but the known good applications
Default Allow system (Detection): where you allow everything, then try to figure out if any of those was a baddie or not (yes, a bit late when you realize this :))
This is the power of Prevention over Detection! It protects you from ANY malware!
Cool, now I understand why I need Prevention as my first line of defense against malware and not Detection!
Indeed, this is a Paradigm Shift in the way we think and protect ourselves!
Our first line of defense against malware is now Prevention and NOT Detection!
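The Default Deny vs Default Allow idea above, as an added example that is not from the original post or from any Comodo product: a safelist (hashes of known-good programs) and a signature database (hashes of already-reported malware) are run against three constructed sample "executables", including a brand-new one that no signature knows about. The file contents and both lists are made up for illustration.

```python
import hashlib

# Constructed sample "executables" (just bytes, not real programs).
PROGRAMS = {
    "word.exe": b"constructed: known good word processor",
    "oldworm.exe": b"constructed: malware reported last month",
    "newworm.exe": b"constructed: brand new malware nobody has reported yet",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Safelist: the "Known Good" applications a Default Deny platform lets run.
SAFELIST = {sha256(PROGRAMS["word.exe"])}

# Signature database: only malware that has already hurt someone and been reported.
SIGNATURES = {sha256(PROGRAMS["oldworm.exe"])}


def default_allow(data: bytes) -> str:
    """Detection: everything runs unless its signature is already known."""
    return "deny" if sha256(data) in SIGNATURES else "allow"


def default_deny(data: bytes) -> str:
    """Prevention: nothing gets CPU time unless it is on the safelist."""
    return "allow" if sha256(data) in SAFELIST else "deny"


def compare_policies(programs: dict) -> dict:
    """Return {name: (default_allow verdict, default_deny verdict)} for each program."""
    return {name: (default_allow(data), default_deny(data)) for name, data in programs.items()}


if __name__ == "__main__":
    for name, (allow_verdict, deny_verdict) in compare_policies(PROGRAMS).items():
        print(f"{name:12s} Default Allow: {allow_verdict:5s}  Default Deny: {deny_verdict}")
```

The new, unreported sample is the one the two policies disagree on: the signature-based policy lets it run, the safelist denies it, and a safelisted program whose bytes are modified after vetting no longer matches its hash, so it is denied too.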