claudiubotez

reply to Triple Helix

Re: How an antivirus performs repair---> need expert opinion

said by Triple Helix:

Hi Magnus, when WSA comes into contact with an unknown file it starts journaling and the file is auto-sandboxed; when the file is found to be bad it will revert back to the state before the infection, and if it is found good it stops journaling and the file is allowed to go about its business.

TH

In the Malware Removal Test from AV-Comparatives, WSA scored only 78%. So, if the system is so great, what was "lost in translation"?

KitFox


said by claudiubotez:

In the Malware Removal Test from AV-Comparatives, WSA scored only 78%. So, if the system is so great, what was "lost in translation"?

Read up on AV-C's testing process for this test and you'll find the answer quickly.


Smokey Bear
veritas odium parit

I just don't understand the why of joining a test when at the same time you can't agree with the testing process.


KitFox


Not at all related to agreement or disagreement with the testing process. (Though for the record, I do disagree with the testing process, as it's faulty for every AV out there unfortunately and effectively represents user error, but that's unrelated to this in this case.)

The OP asked why AV-C test results are so low if journalling can roll back everything. I advised him to read the test process to find his answer. Upon doing so, he'd discover that the process is "Infect machine. Install AV. Try to disinfect machine." Then it's trivially easy to see that if journalling by the AV is the process by which it normally rolls back infections, obviously if the AV is not there when the machine is infected, it can't journal. Which means that journalling is not able to be used in the test at all.



EGeezer
zichrona livracha
reply to claudiubotez

said by claudiubotez:

Is it possible for an AV / Security Suite to repair an extensively damaged system due to a malware infection, using journaling?

If yes, why is not used by all AV vendors and the repair score in AV comparatives is so low?



1) Yes. However, as KitFox explained, journaling must be started BEFORE the infection. It is impossible to roll back changes if change records (journal entries) did not exist prior to the changes.

2) Because using file and object journaling to record and back out alterations, creations and deletions of system objects, records, files and programs is a cumbersome complex solution, fraught with failure possibilities like file and program corruption.

For performance and reliability, journaling is better suited to data record level recovery than system recovery.

If you feel that the response from the Webroot developer is not valid or is slanted, please explain what in his post you find to be incorrect.
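The point made by KitFox and EGeezer above (a change journal can only undo what it was running to record) can be shown with a small simulation. The code below is an added example written for this thread; it is not Webroot's implementation and makes no claim about how WSA stores its journal. The file names, the "infection" steps (overwrite a DLL, drop an executable, delete a config file) and the `Journal` class are all constructed for illustration. `simulate(True)` models a product that was installed before the infection; `simulate(False)` models the AV-Comparatives removal-test order, where the product is installed afterwards.

```python
"""Toy file-change journal: only changes recorded while the journal is active can be undone."""
import os
import tempfile


class Journal:
    """Records a file's prior content (or its absence) just before the file is changed.

    Only writes made while `active` is True are recorded. That mirrors what a
    host-based product can observe: anything done before it was installed leaves
    no journal entry and therefore cannot be rolled back.
    """

    def __init__(self):
        self.entries = []    # (path, prior_bytes_or_None), in change order
        self.active = False

    def observe(self, path):
        """Write hook: called before a file is created, overwritten or deleted."""
        if not self.active:
            return
        prior = None
        if os.path.exists(path):
            with open(path, "rb") as f:
                prior = f.read()
        self.entries.append((path, prior))

    def rollback(self):
        """Undo recorded changes newest-first; return the number of entries undone."""
        undone = 0
        for path, prior in reversed(self.entries):
            if prior is None:            # file did not exist before: remove it
                if os.path.exists(path):
                    os.remove(path)
            else:                        # file existed: restore its old bytes
                with open(path, "wb") as f:
                    f.write(prior)
            undone += 1
        self.entries.clear()
        return undone


def write_file(journal, path, data):
    """A filesystem write as seen through the journal hook."""
    journal.observe(path)
    with open(path, "wb") as f:
        f.write(data)


def delete_file(journal, path):
    journal.observe(path)
    os.remove(path)


def infect(journal, root):
    """Constructed stand-in for an infection: overwrite, drop, delete (hypothetical names)."""
    write_file(journal, os.path.join(root, "legit.dll"), b"patched by malware")
    write_file(journal, os.path.join(root, "dropper.exe"), b"payload")
    delete_file(journal, os.path.join(root, "config.ini"))


def snapshot(root):
    """Current content of the three files of interest (None if absent)."""
    state = {}
    for name in ("legit.dll", "config.ini", "dropper.exe"):
        p = os.path.join(root, name)
        if os.path.exists(p):
            with open(p, "rb") as f:
                state[name] = f.read()
        else:
            state[name] = None
    return state


def simulate(av_installed_before_infection):
    """Return (clean_state, state_after_rollback, entries_undone)."""
    journal = Journal()
    with tempfile.TemporaryDirectory() as root:
        # Clean baseline, written before any monitoring exists.
        write_file(journal, os.path.join(root, "legit.dll"), b"original code")
        write_file(journal, os.path.join(root, "config.ini"), b"setting=1")
        clean = snapshot(root)

        if av_installed_before_infection:
            journal.active = True   # product already present: hooks are live
        infect(journal, root)
        journal.active = True       # test order: product installed after infection
        undone = journal.rollback()
        return clean, snapshot(root), undone


if __name__ == "__main__":
    for before in (True, False):
        clean, after, n = simulate(before)
        print(f"AV before infection={before}: undone={n}, restored={after == clean}")
```

With the product present first, all three changes are journaled and `rollback()` restores the baseline exactly. In the test order the journal is empty at rollback time, so the dropped executable stays, the overwritten DLL stays patched and the deleted config file is gone; whatever the product then achieves has to come from ordinary signature- or heuristic-driven cleanup, not from the journal.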

claudiubotez


"2) Because using file and object journaling to record and back out alterations, creations and deletions of system objects, records, files and programs is a cumbersome complex solution, fraught with failure possibilities like file and program corruption"

The whole WSA program is around 650 KB. If the process is such "a cumbersome complex solution", do you really believe that in 650 KB you can fit an AV, web shield, firewall, sandbox, behavior blocker, heuristic module and a cumbersome complex solution such as journaling?

Mamutu from Emsisoftware, which is ONLY a behavior-based malware blocker, has a 4.18 MB installer alone.

I may not be an expert in PC security but I am not stupid either.

Thanks,
Claudiu



Triple Helix
reply to MagnusM

That's a great question and I don't have the answer, but I know you have an account on Wilders and you could ask Joe (PrevxHelp) himself for the best answer.

TH


KitFox

reply to claudiubotez

Absolutely.

Most code these days is bloated. Windows PEs alone are required to have a substantial amount of padding that provides no use.

Take, for example, the code needed to perform an SHA-1 hash on a file. I've seen a 200+ KB exe. The GNU binary ported to Windows is about 30 KB. There is a 14 KB exe for it floating around, but it doesn't handle files over 2 GB. By comparison, I have a PE that does it in 3.6 KB, and UPX compresses it down to 2.4 KB. Plus it makes heavy use of the CPU cache and the stack for security, which also means it chokes primarily on disk operations as the bottleneck. If something that somebody else thinks is small at 14 KB can be squished down to 2.4 KB, then yes, a lot can be put into 700 KB.

For a severe "WT...!?" moment, look up the demo "The Product" by farbrausch. I think www.theproduct.de. Because of the packing technology, a good number of AV programs will flag on it, but if it's the legitimate program, it's safe. Run it, don't hit Esc when they tell you that you may, and you will see a 20+ minute, 3D-rendered audio-visual demo with scenes (not abstract) packed into under 64 KB.


Mele20
reply to Triple Helix

said by Triple Helix:

That's a great question and I don't have the answer, but I know you have an account on Wilders and you could ask Joe (PrevxHelp) himself for the best answer.

TH

Yep. That's the best statement in this thread. I hope Magnus reports the answer in this thread if he does go to Wilders to ask Joe.


EGeezer
reply to claudiubotez

said by claudiubotez:

I may not be an expert in PC security but I am not stupid either.

Thanks,
Claudiu

If you already have your opinion set, no further time needs to be wasted on you and your requests.

My abject apologies for insulting your obviously superior knowledge of journaling and file recovery. I will not deign to insult you with unwanted information again.


Triple Helix
reply to Mele20

What's your point Mele?

TH