I wouldn’t exactly call it innovation. It’s new to Comodo but others have been doing it for years: ThreatFire (formerly Cyberhawk), Kaspersky, BitDefender, avast!, AVG etc. They just use different means; avast! and BitDefender were doing it in a virtualized environment, others do it directly on the host system.
Have to agree here.
Good point guys. For Comodo this is a big deal though. For a long time users have wanted a real behavior blocker. Now Comodo is building one.
avast!'s DeepScreen and BitDefender’s B-HAVE don’t have to because they run the apps within a virtualized environment for testing.
Last time I tried Bitdefender they did not have a real behavior blocker. Have they actually added one now? Hopefully they did.
That’s really like BBing as FV. Not the same thing.
Kaspersky does have a feature like VC. I don’t know how well it works but they claim to have one. If anyone is curious just download a KIS trial. Honestly I would rather stick with CIS though.
Isn’t Active Virus Control in BD a BB? It blocks malicious processes. I find it one of the best & smartest BBs. Currently I am testing BD Free & AVC detects well. No FPs on my production system yet.
It has it and it’s called Active Virus Control.
What makes you think that? It’s exactly the same thing as running it on the host system, except they simply do the same virtualized, i.e. separated from the real system, observed for malicious behavior and then a decision is made. Either a positive detection or an allowed execution.
I have tested Kaspersky defaults before. And during the test I got alerts, something like “malicious program xxx reversed” or similar, but I never cared to check what Kaspersky actually did.
Thanks for the info. I never actually tested Kaspersky against much malware. Glad to know that their technology actually works.
You seem to be referring to blocking, not reversal, or have I misunderstood.
So this is dynamic heuristics and blocking, but not reversal?
Why would you need reversing when the whole behavior analysis is done in a virtualized environment? You just toss it all away. That’s how avast!'s DeepScreen works. And how BitDefender’s B-HAVE (Behavioral Heuristic Analyzer in Virtual Environment) works.
If you do it on a host with interception of system calls you need to somehow roll back the changes, otherwise you’d have loads of ■■■■ depositing layer after layer on your system even after the AV had identified the source file as malware. If you do it like avast! and BitDefender do it, you just scrap the data in the sandbox after analysis. It’s like doing research in a lab and then cleaning that lab after you’re done. Nothing is left in it, no need to sort things around to make room for new experiments.
avast!'s and BitDefender’s way:
- Execute EXE in sandbox
- Analyze behavior within sandbox
- Define if behavior is good or bad
- Clear the sandbox
- If source file was found malicious within sandbox, quarantine it
- If source file was found clean, allow it to run on the host
Comodo’s way (and partially/also Kaspersky’s and BitDefender’s):
- Execute EXE
- Analyze behavior on the host system
- Define if behavior is good or bad
- If source file was found malicious, roll back the changes it has done to the host and quarantine it
- If source file was found clean, allow uninterrupted execution
Now, I won’t say avast!'s way is better and Comodo’s way is worse. They both have pros and cons. The biggest pro for avast! is that it does it in a virtualized environment. It doesn’t matter what it does; the number of changes and their significance is irrelevant. It analyzes it and once found malicious, it’s all over. No bothering with rollback, the reversibility of the changes. The biggest con with this method is that it’s an interruption step process. When a file is executed, it is analyzed by DeepScreen. And after it’s analyzed, the app is restarted on the host. The process is not yet seamless and that’s probably the biggest issue where people simply fail to understand why avast! has to start the app inside the sandbox and then re-start it in order to use it on the host as any other clean app (if found clean of course).
Comodo on the other hand has a perfectly seamless process where the user doesn’t get interrupted by any analysis process, but you are then bound to the rollback capability to sort out the mess malware might have done prior to positive detection. And if you can’t do that entirely, you pretty much have a broken system with irreversible changes done to it.
Behavioral analysis and blocking on a host has been done for many years and it’s not really anything new. But virtualization is sort of a new technology with the emergence of CPUs capable of virtualizing stuff at the host level but in its own secured memory space. Things that weren’t possible 6 or let’s say 10 years ago. Not with the speed and security it can be done with today. That’s why I think avast!'s and BitDefender’s approach is a tad bit more innovative than Comodo’s way. At least how VC was presented in its current form and how I managed to understand it. But other than that, my guess is as good as anyone else’s since very little is known on how VC interacts with Auto-Sandbox and the limitations it enforces on the sandboxed files.
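The two workflows listed above, modelled in a small Python simulation. This is an added example, not Comodo, avast! or BitDefender code: the in-memory “disk”, file paths and the unknown process’s actions are all constructed. It shows why the host-side design needs a change journal unwound newest-first, what happens to a deleted file when its contents were not cached (the caveat raised later in the thread), and why the sandbox design can just discard its copy.

```python
import copy

ORIGINAL = {"C:/Users/me/Documents/report.txt": "quarterly numbers"}  # constructed host "disk"

class ChangeJournal:
    """Logs the inverse of each file change a monitored process makes to the host."""

    def __init__(self, files, cache_deleted_content=True):
        self.files = files                      # path -> content
        self.cache_deleted_content = cache_deleted_content
        self.undo = []                          # stack of (path, previous content)

    def write(self, path, content):
        self.undo.append((path, self.files.get(path)))   # None: file did not exist
        self.files[path] = content

    def delete(self, path):
        previous = self.files.pop(path)
        # Without a cached copy a delete cannot be undone (the caveat raised in the thread).
        self.undo.append((path, previous if self.cache_deleted_content else None))

    def rollback(self):
        """Undo newest-first so layered writes to the same path unwind correctly."""
        while self.undo:
            path, previous = self.undo.pop()
            if previous is None:
                self.files.pop(path, None)
            else:
                self.files[path] = previous

def unknown_process(fs):
    """Constructed action sequence of an 'unknown' executable under analysis."""
    fs.write("C:/Users/me/Documents/notes.txt", "first write")
    fs.write("C:/Users/me/Documents/notes.txt", "second write, layered on top")
    fs.delete("C:/Users/me/Documents/report.txt")

def analyze_on_host(cache_deleted_content=True):
    """Host-side design: run for real, journal every change, roll back after a
    'malicious' verdict. Returns the paths still differing from the original state."""
    host = copy.deepcopy(ORIGINAL)
    journal = ChangeJournal(host, cache_deleted_content)
    unknown_process(journal)
    journal.rollback()                          # verdict: malicious
    return {p for p in set(ORIGINAL) | set(host) if ORIGINAL.get(p) != host.get(p)}

def analyze_in_sandbox():
    """Sandbox design: run on a throw-away copy and discard it; host is untouched."""
    host = copy.deepcopy(ORIGINAL)
    unknown_process(ChangeJournal(copy.deepcopy(host)))  # copy is simply dropped
    return host == ORIGINAL
```

With `cache_deleted_content=False` the rollback leaves `report.txt` missing, which is the incomplete-reversal case discussed below; the sandbox run never changes the host at all.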
What if BB doesn’t recognize the behavior but you do and want to reverse? No BB is 100% and giving the option to reverse as a last resort is yet another layer in protection.
To my knowledge Viruscope only gives option to reverse once the application’s behavior has been identified as malicious, or am I wrong here? Besides reversing doesn’t seem to affect files deleted by the malware so it’s not a complete reverse of all the actions of the malware, unless I’m wrong here too.
Is Viruscope active in the FV sandbox? If not, will it be?
Off topic:
If the answer to the above question is yes then it means Viruscope is able to monitor the programs in the FV sandbox, would it also allow us to see what these programs are doing, like a real-time updating log? I’m guessing no but might as well ask… I really want something to see what programs inside the FV sandbox are doing, like accessing keyboard, modifying x files etc…
VC also doesn’t have that capability since it only pops up when it identifies something. If you want on-demand restoring (when the user feels like it), you need state imaging systems, sort of like System Restore. VC doesn’t have that, nor is it particularly useful if the user doesn’t know when the actual modification happened for real…
I think you may be the recipient of a Melih hint
Worth remembering that Comodo has both virtualisation of unknown files (sandbox as FV) and process monitoring and reversal (VC). My guess is that both will be used for unknown and possibly also selected trusted files (eg non-system files, to catch trusted malware) in future. And that they will work together (dynamic as well as static detection of virtualised processes) in which case a roll-back choice may be given - sandbox reset or process reversal.
[Edit]The value of a process log for manual examination of processes you want to know whether to trust or not, and the future potential to offer manual decisions to reverse such processes, I think tends to be underestimated.[/Edit]
So Comodo can choose the best technology for any given purpose?
I think the caching problem you refer to, which is valid, will probably be managed by placing a limit to the disk space allocated for the purpose. Currently the cache is limited to one process run session, and by cached action scope (no file deletes). The extent to which this applies to virtualisation as well needs debating.
Please explain the ‘layering’ problem.
It’s reasonable to talk of potential in this way I think because Comodo has done its usual of implementing the technology at a very fundamental level. The core concepts seem deep and sound and therefore flexible. However, what is delivered ‘on the surface’ to the user does not really live up to the potential at present. Comodo have promised progressive improvements - in my view some of them need to be delivered in the first public launch. (It’s not just the recognisers that need improvement.)
Please refer to my notes on Viruscope, newly posted this week in the second post of the viruscope ‘How it works’ topic for more detail.
Hope this helps understanding
Best wishes
Mike
You can reverse the activity of any process on demand without VC detecting it. It’s not just for the average Joe, hence you don’t see it at first look. Try Killswitch’s “Terminate and Reverse” option.
Also, whenever CIS shows you a popup (e.g. HIPS etc.), if you choose an option that involves process termination, CIS will present you an option to reverse the activity. This is also based on the VC subsystem.
VC technology is used for 2 different purposes guys:
1 - Behavior analysis on host, transparently without any limitations: You are not seeing much detection yet because we haven’t pushed any major behavior modules. We will be doing this gradually in 2014.
2 - Reversing the activity of any application: As I explained above, even without VC detecting anything, it allows us to reverse the activity. There are many cases this is used for, e.g. the cloud scanner reported that an unknown running file is malware. While autosandbox does block critical actions, there are some actions, not harmless ones, that need to be reversed.
Thanks for the info egemen, I never noticed the Terminate and Reverse option in Killswitch before; this is a very nice feature for advanced users.