why the wait for cavs 3 makes sense

Exactly my point when I said

Quote from: Luketan on Today at 10:50:01 You are kidding right? You can generate a goodie with exactly the same method!

But who does that with legitimate software?

Ewen

snap…

you are right Ewen… sorry missed your post.

Melih

You raise a good point; however, I disagree that whitelisting is the “only way” of the future. Think about the end user. Not the end user that posts on this forum, mind you, the end user that has CAVS 3 installed on their system.

You may have a large whitelist compendium, yes, but you won’t have everything. Say binary xyz.exe pops up, the end user doesn’t know what it does and blocks it. Whoops, xyz.exe was the process for their new fancy game launcher (or some such thing). Well ■■■■, now they have to dig through the program to try and whitelist that.

Many programs, when updated, actually do repackage their executable. Not everybody uses a perfectly modular format (sadly). If the end user updates their program and doesn’t recognize the updated process name (let’s face it, some of the process names really don’t indicate what they actually are), under whitelisting they’re supposed to block it. But once again, when they figure out it doesn’t work, they’ll have to go in and manually add it to the whitelist.

Now, let’s take it a step further: the end user isn’t going to know how/isn’t going to want to do this themselves. What they will most likely do is make a quick stop here and post either ranting or asking for help on something that will seem very obvious. Or, they’ll simply deinstall CAVS 3 and install another product.

The real method of AVs in the future isn’t simply whitelisting. Whitelisting is a great approach, but by itself is only semi-effective. The future is in fact a combination of whitelisting and heuristics combined with blacklisting.

The heuristic should be used to analyze a file that the whitelist or blacklist doesn’t know of; it should be a “fuzzy logic” (yay 90’s buzz words!) heuristic. That is, it should give a result with a degree of certainty. For something that comes back somewhere around 90% or above, it should be automatically blocked (as it’s PROBABLY just a repackage of another virus); for something that comes back below that, it should have a recommendation that you should block the program from executing (i.e. high risk). For something around 50% it should give no recommendation about blocking or not, but it should warn the end user that the file is of medium risk and recommend submitting it for further inspection from Comodo (where you could then forward it to a lab if you’re using some sort of licensing on that end). Below that, it should indicate that it is low risk and can most likely be allowed to execute (but still pop up the dialog, just in case).

There are a few ways this could be done. If you’re simply looking for repackages with your heuristic (which is honestly what you’ll most likely find the most of), you can most likely use a relatively simple document searching AI (possibly using the semi-standard lexicon approach; I’m not an expert on the development of AIs, however, I’ve just taken some classes in them), as these inherently provide “degrees” of matching. This can be used as your guidelines for allowing something to run, etc.

If you really, really, REALLY wanted to be evolutionary (pun intended), one approach that could potentially be used (although it might be fairly expensive in terms of both money and time) is evolving a genetic algorithm to detect viruses. While I’m not all that up on my genetic algorithms, I know that they have a very high success rate in terms of tasks that have definable and trainable sets of data (such as designing airplanes, which Boeing uses one for; also one notable example has been used to design signal amps with great success). One professor who I know has been contracted to do work of this sort (genetic AIs to do specific tasks) is Professor L. Darrell Whitley (whitley (at) c s. col ostate . e du TAKE THAT BOTS). But this of course is for far in the future, as it’d take a lot more research than is really feasible at this point. If this was a line of interest you’d be pursuing, most likely many other companies would be interested in the final product. In any case, this is all speculation!

Anyway, sorry for the wall of text, and also if you’re already using a semi-heuristic approach; I just don’t have a lot to do before I start my job (woohoo, graduation last Saturday hehe).
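To make the “degree of certainty” tiers in the post above concrete, here is a small added example (mine, not Comodo’s code and not anything the poster wrote). It stands in a byte n-gram Jaccard similarity against a constructed corpus of known-bad samples for a real fuzzy-matching engine, and maps the resulting percentage onto the post’s block / recommend-block / medium-risk / low-risk tiers; the 90% and 50% boundaries come from the post, the 70% cut-off between “high” and “medium” is my assumption.

```python
"""Toy 'degree of certainty' heuristic with the post's four risk tiers.
Added example, not Comodo's code. A real engine would use a fuzzy hash or
import-table features; byte n-gram Jaccard similarity stands in for that."""

N = 4  # n-gram length (assumption)


def ngrams(data: bytes, n: int = N) -> set:
    """Set of overlapping byte n-grams. Because it is a set, a prepended
    stub or a rewritten section only dents the score instead of zeroing it."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two n-gram sets, in [0.0, 1.0]."""
    ga, gb = ngrams(a), ngrams(b)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def risk_score(sample: bytes, known_bad: list) -> int:
    """Percent certainty that sample repackages some known-bad file;
    the best match decides, and an empty corpus scores 0."""
    if not known_bad:
        return 0
    return round(100 * max(similarity(sample, bad) for bad in known_bad))


def recommend(score: int) -> str:
    """The post's tiers: 90 and 50 are from the post, 70 is an assumption."""
    if score >= 90:
        return "block"                # probably a repackaged known virus
    if score >= 70:
        return "recommend-block"      # high risk, user advised to block
    if score >= 50:
        return "medium-risk-submit"   # no verdict; recommend submitting sample
    return "low-risk-prompt"          # likely fine, but still show the dialog


# Constructed samples: one 'known bad' file and three candidates derived from it.
KNOWN_BAD = [bytes(range(256))]
REPACKED = b"STUB" + bytes(range(256))                    # loader stub prepended
PARTIAL = bytes(range(192)) + bytes(reversed(range(64)))  # last quarter rewritten
UNRELATED = b"\xaa\x55" * 128                             # shares no n-grams

if __name__ == "__main__":
    for name, blob in (("repacked", REPACKED), ("partial", PARTIAL), ("unrelated", UNRELATED)):
        s = risk_score(blob, KNOWN_BAD)
        print(f"{name:10s} score={s:3d} -> {recommend(s)}")
```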

Please read one of my blogs to see whether I say just whitelisting is enough or we need a layered approach.

thanks

Melih

I was wondering if the whitelist is made up of all the software that people send to Comodo from CFP’s My Pending Files thing. Is that how more D+ whitelist apps are added to each new version of CFP as well?

Cheers.

Our users send us tens of thousands of files a day; we then go through and identify which ones are good or not…
The ones we find to be good make it to the whitelist.
thanks
Melih

You are confused.

If a user encounters more goodies than baddies (which is something you agreed to), whitelisting is a BAD idea.

The economics of whitelisting and blacklisting is such that advocates of whitelisting claim that there are more BADDIES than goodies, hence it is easier to keep a list of goodies than baddies.

Huge is relative obviously.

Even if the number of malware is increasing (and do note that the AV companies do have incentives that cause them to inflate their numbers), that doesn’t say anything about whether it makes more sense to whitelist rather than blacklist…

E.g. the number of malware might be increasing, but the number of goodies might be increasing even faster!

All this talk about Cavs3 and Comodo CIS right now is confusing me because I can’t seem to get my arms around exactly how they will work.

But to use a crude analogy, if I believed the Matousec ratings of firewalls were totally accurate and I wanted the highest rated firewall of the moment, I would be switching firewalls at near the speed of light, adding injury to insult, because a switch would happen before I could even get the one I had properly configured. And since paid firewalls are normally one year subscriptions, I would have barely installed Online Armor before my investment was wasted there, and I had to buy into Outpost after my at least brief freeware flirtation with CPF3. Maybe in a better world, I could run any number of firewalls at the same time, but the fact is and remains, when it comes to computer firewalls, the limit is one and only one running at a given time.

But call me behind the times or stupid if you will, I have somehow resisted switching and stuck with CPF3. But because CPF3 has blurred the line between only a computer firewall and somewhat gone to the traditional roles formerly done by Process Control, HIPS programs, and other security programs I used to have in what I felt was a good multilayer computer security defense. And maybe even before CPF3 advocated prevention, I was already a huge believer in prevention. But when I went with CPF3, I had to rethink my entire multilayered computer security defense because I had to maintain the most important thing in computers, namely compatibility of all programs running on a given computer. As soon as your computer starts fighting itself, big problems follow.

And exactly like a firewall, one is limited to one and only one active anti-virus at a time, with an active anti-virus, by definition, being a prevention program. Two points are important IMHO. (1) Traditional active AVs rely on a combination of signatures and some heuristics. Now CAVS3 seems to imply some different approach. Question number one in my mind: can I still use the same AV I now have along with CAVS, or will they be incompatible? (2) We must also ask, which is presently better if I must delete the active AV I now have? In my case it will not be a Comodo blind faith thing; I will rely on unbiased testing organizations better than Matousec.

CAVS 3 will use signatures & HIPS. Yes, using another AV will of course be incompatible.

Regarding CIS, yeah, the HIPS obviously won’t be in there since CFP 3 takes care of that.

We just gotta wait and see… A lot of stuff is happening!!

Josh

Seems like now is the time to put on those patience patches before those other applications scare us into downloading another product we’re not satisfied with. I came to Comodo because I like the product. Oh! I sold used cars a while ago, and you’re right, wait for the finished product, otherwise that towing package you ordered won’t tow a wheelbarrow.

I’m interested to know… Will CAVS3 be mainly signatures? Behavioral signatures, Heuristics… Or what?

HIPS & Signatures.

Josh

I’m not sure if this has already been mentioned or asked about (don’t recall all said behind), but is CAV 3 going to be light on resources? I hope so. I am sick and tired of those antiviruses consuming too many resources. Some even do a better job than many viruses.

Depends what you determine to be “light” but it will probably be lighter than version 2. I know at one point it was said they were going to make sure of that. No, I don’t think anyone knows specific numbers yet.

Dave

Yep. It will be A LOT lighter than v2.

Josh