If detection is meant to make prevention (D+) less chatty, then shouldn’t detection be applied before prevention and therefore actually be the first line of defense? I think this is how it’s working anyway. The detection (CAV) finds known malware before it gets a chance to try to execute. If it gets past detection, then prevention (D+) kicks in when it tries to perform a potentially malicious action.
Also, I could not agree with this more–"Comodo needs to be made into a program that almost takes everything out of the hands of the user.
Okay, but the way it works makes it seem like the detection aspect is being applied first since that is the first alert that will come up for known malware.
I understand the angle you are coming from, but it all stems from our ability to prevent anything from executing, sending this for a check and showing the user an alert depending on the check we perform. But as I said, I do understand your point…
I think what Melih’s saying is, you should mentally order them like:
Prevention (First line of defense)
Detection
Cure
Meaning, when you’re planning your PC Security, whatever Products you choose, value Prevention more than you value Detection. But use all Three of course…
Analogy:
Instead of buying a Burglar Alarm (Detection) for your Home, buy Steel Doors, and also, Steel Bars (Prevention) for your Windows. You can concentrate on the Burglar Alarm later.
It’s easy to see why Prevention is better than Detection when imagined this way…
Hey Melih, here is a statement from Symantec about how their new behaviour system works:
With the breadth of security engines and technologies we have, SONAR 2 leverages all possible sources of information to make a very quick judgment call about the risk a file poses to a PC and its owner. As an example, the source URL, site reputation and transport method are a few of the pieces of information, among many others, used by the pre-classification system to quickly make a call about an unknown file. Thus the pre-classification system allows us to narrow our focus more specifically on suspicious files and components. Following pre-classification, SONAR 2 then analyzes and uses evidence about the file itself and its relation to the system. Relation analysis involves understanding and gathering information about the file from a system use perspective. However, ‘gathering information’ is not a reactive but a real time activity being performed as the file enters the system. Again, this allows us to even challenge the existence of the file as it becomes part of the system, by registering itself to the OS and its various applications. Hence a file can be classified as malicious and convicted well before it ever runs on the system.
Now when the file executes, SONAR 2 observes key behaviors in real time, synchronously. These behaviors are carefully chosen to have the least performance impact but the most amount of insight into the potential “maliciousness” of the running process. As the process exhibits these key behaviors, the knowledge of what it is doing is added to the evidence gathered during pre-classification and relation analysis and all of this is fed into a real time classification engine that helps determine the maliciousness of the process and the file. The classification engine is not just using the knowledge of good and bad behaviors, like 1st generation behavioral engines typically did. The classification engine in SONAR 2 also uses the strength of the Norton Community and Quorum technology to build a classifier that is truly representative of prevalence of these behaviors in applications across the Norton user community. Thus a malicious behavior observed extensively in large class of malware may be the only evidence required to convict a new piece of suspicious software. …
The SONAR 2 system uses more than ~400 data points in the classification system. These data points are extensively researched and measured constantly for the value they provide in the classification system and are constantly added to or dropped to keep up with the constantly changing landscape. The data points comprise existential evidence of the file, its relation to the system, its runtime behaviors, etc.
The runtime behaviors are not limited to merely how the process interacts with the OS or what the process does on the system. SONAR 2 has the unique advantage of even observing behaviors that are exhibited by the software over the network. Since most malware are motivated to communicate externally over the network, the unique visibility we have into the process behaviors allows us to use this additional data point in the classification system resulting in very high success rates in the final classification of a process.
On paper it looks rock-solid. I tested it against 20 malware samples, and it caught 18. With SONAR 2 the user gets great protection, and it all goes automatic. Of course CIS with its HIPS would have caught all 20 samples, but not all users have the knowledge to understand what D+ is really telling them. Like Dch48 said, CIS 4 should make more choices for the user; that way average users could use it to its fullest potential too. ThreatCast is a great start, I think, by the way.
Please tell me what you think about this Melih ;D
BTW overall test results depends on the sorting/selection of samples (it couldn’t have been possibly done in a way to prevent over-representation of specific attack types like it could be possible to do for PoCs) eg: other Sonar2 tests provided with a 20% miss (80% catch).
Behaviour blockers are the latest flavour in default allow systems. As you have found out, it can’t catch everything :(. And as you will also appreciate, a malware author will analyse how to bypass these and they will release malware that will cause damage by bypassing these. It’s good to see that there are always new ways to fight malware, but it’s a battle that we can’t win if we are always reactive. Time to be proactive and time to Default Deny!
There are a couple of reasons why the 80% detection rate of the new BETA Sonar2 system of Symantec was rated excellent by the tester. First, it was at or near the top of all the systems tested. Secondly, it did it with NO false positives. I think that’s pretty impressive for a beta product.
To get back to the title of this thread, there no longer is a reason to pay to get top notch protection, and this is a problem for companies like Symantec whose whole structure is based on paid products. For many years, Norton was the vendor of choice and best in the field, but now they face stiff competition and they have a challenge ahead of them. I personally hope they survive because I have fond memories of how well I was protected by their products in the past.
Oracle:“You’re going to have to make a choice. In one hand, you’ll have Default Allow… And in the other hand, you’ll have Default Deny. One of them is going to die… Which one… Will be up to you…”
Thanks for the reaction Melih. Well, you’re right, it didn’t catch everything. CIS would have caught everything of course, but I hope that in CIS 4 things will get a little bit easier for the user. That way my mom can use it too ;D
Yes Endymion, I know about the colour difference, I forgot to mention that :-[
Symantec, the system hoggers, should know better. They can say what they want there, I stay with Comodo. Symantec was pre-installed on my PC, guess what was uninstalled first???
Melih - you are doing a fantastic job. You are making software security standards today.
Comodo is an awesome company, I think that many software security companies must first look at Comodo, then LEARN how to make world class software for 0$. Sounds funny, but that is one of the rules of how to make miracles and how to make new standards and new revolutions.
But . . .
Symantec WAS a fantastic company, 10 years ago in the times when Win9x OSes were simply the standard, as today Vista/Win7/XP are. BUT, today’s security products from Symantec are a complete shame of software security. I simply don’t know what happened to Symantec, but they were awesome 10 years ago. But TODAY, today they are making software like food. This goes in the following way: “Let’s make, in the easiest way, software that we will charge for”, and after that end-users are having pretty big problems because of these thoughts and poor manufacturing plans.
But Symantec isn’t the only company that degraded too much, I can count on my fingers other world-known companies that are doing similar bad things as Symantec.
Thirdly, you know, I always thought that software for home users cannot be charged for, because when you see the history of the first software, then you can see that the first software on PCs was open-source or freeware. Freeware is a power of making software standards. But I think that software should be charged for for commercial users and for big companies, but for home users software should be free, because millions of people don’t have a job (including me) and they cannot earn money in easy ways (including me too).
I have been living on PCs since the age of 9, I am now 23 years old. I gave almost my whole childhood to PCs and to IT technologies. I am a hardcore geek and I chose Comodo, because I won’t find better products for that “price”, and that’s because the Comodo firewall is one of the best software firewalls ever constructed.
I know this from my point of view.
So Melih, proceed with doing that - you have an awesome company, awesome software standards. You know, 5 years ago I believed that in the future there wouldn’t be a security company that would build awesome security software for 0$. Because of that, I saw that 90% of software on NT/Win9x OSes was simply over-commercialized, but I have big respect for all open-source projects and for all freeware projects. Those were my thoughts 5 years ago; now I see that it is a fantastic way to really make miracles.
Big respect to Comodo from me. :-TU :-TU
One comment on Symantec: right now I am testing Norton Internet Security 2010 BETA and it rules, the SONAR behavior analyzer has so far caught everything I have thrown at it that is zero day. Also it has a light memory footprint (about 18MB) and I have not noticed any slowdowns on my computer. I think that the 2010 suite will bring them back.
Hey languy, how come the SONAR behavior works so well for you? You use all kinds of malware, right? When does SONAR detect a threat? When running the exe, or when it is completely installed, like with rogue AVs?
I’m asking this because I tested it too and, uhm, I barely saw SONAR popping up. For instance, I download a fake AV, signatures don’t catch the exe, I try to run the exe, Norton pops up with the info about the exe, like how many times it was downloaded, then I install it. But in the whole process SONAR never pops up. Also, when installed, I let the rogue run, rebooted, but nothing… Could you please explain, thnx
I also tested the 2010 version and absolutely saw no difference from the 2009 version (well, in the big lines; there are some differences, but all minor). This SONAR, is it enabled by default? If so, I don’t think it’s very effective as it never popped up in my tests…
Stock install. I would download malware and run them sandboxed. SONAR would pop up saying it had detected malicious activities. It would kill the processes and the original installer. I didn’t do anything special to it, I have no idea why it did not work for you guys.