ssj100 Security Forums

Review

Post by Ruhe 29/1/2011, 22:38

Found this review by a Wilders user: Review
Ruhe
Valued Member
Posts : 261
Join date : 2010-04-16
Location : Germany

Re: Review

Post by p2u 30/1/2011, 00:56

Ruhe wrote: Found this review by a Wilders user: Review
Just a few loose thoughts on this review.
* As a rule, the better the security policies, the less you have to depend on products to protect you.
* If "in-the-cloud" and "reputation" services depend (partly) on user input, then they *can* be abused (not only good people use those services). This does not apply only to BPS; I've seen this happen with Symantec's services as well, where the TDL4 rootkit was completely "trusted" (100%) by I-don't-know-how-many users. For me this was such a shock that I decided once and for all: I'm not gonna be anybody's zombie. I totally reject in-the-cloud security. So sorry for all the people who use it and believe in it.
* If the admin forces the user into a limited account, sets BPS to "deny all unknown" and protects that setting with the admin password (I hope there is such a possibility in BPS), then the point the reviewer makes is rebutted; the user won't be able to install that "Flash player update" to watch the enticing video.

Paul

p2u
Valued Member
Posts : 211
Join date : 2010-12-14

Re: Review

Post by ssj100 30/1/2011, 01:12

p2u wrote: * If "in-the-cloud" and "reputation" services depend (partly) on user input, then they *can* be abused (not only good people use those services).
As far as I understand it, the user still has complete control over whether to allow or deny a program. The "reputation" service appears to give the user an idea of what others have done (which I would personally generally ignore). The "reputation" service in BPS has nothing to do with the actual signature detection - correct me if I'm wrong, Zero_One. So for example, a TDL4 rootkit could be 100% "trusted" based on "reputation", but BPS could still label it as a virus with its signature detection. And even if BPS didn't label it as a virus (and it's not in the white-list), the user can still click "Deny" and get the opinions of e.g. VirusTotal, malware analysts etc. before opening/running the file.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Re: Review

Post by rocky 30/1/2011, 01:25

p2u, I think you understand the program better than some people who have actually tested it. All I can offer to this is how I use it; right or wrong, it seems to work for me. I allow notification on install because I run a few programs it doesn't recognize. But that is getting a lot better all the time. After opening and allowing those programs I shut notifications off; I only use it as a tool to get my programs functional. Then I password protect it and forget it's on the computer. It's been fool-proof for me. I have tried opening a few questionable files, downloaded for no other good reason, and tried opening them; bang, they're gone. It's a lot smarter than I am, that's why I need it!
rocky

rocky
Member
Posts : 11
Join date : 2010-07-23

Re: Review

Post by rocky 30/1/2011, 01:29

ssj100, I think you are exactly right and this is what is confusing some people. rocky

rocky
Member
Posts : 11
Join date : 2010-07-23

Re: Review

Post by p2u 30/1/2011, 01:40

ssj100 wrote: The "reputation" service in BPS has nothing to do with the actual signature detection - correct me if I'm wrong, Zero_One
rocky wrote: p2u, I think you understand the program better than some people who have actually tested it.
I hope you guys didn't interpret my remarks as an attack on Blue Point Security. I can assure you; it was not intended that way. From what I've seen, the product is good; let there be no misunderstandings about it.

I was just reacting to one point the reviewer made about BPS sometimes not knowing whether the file was good or bad. The inexperienced user will then most likely take a decision based on the reputation of the file. But there is this risk anyway: users from the Underground may also "try" (or even buy) the product and influence the reputation if their freshly created rootkit is new, unknown, can't be easily detected with heuristics and has no export tables (Rustock C, for example). I know that for Symantec's in-the-cloud service all it takes is 10 users with different IPs to change the reputation of a bad file into "Good". Now that can't be too hard to do, right?

Paul

p2u
Valued Member
Posts : 211
Join date : 2010-12-14

Re: Review

Post by ssj100 30/1/2011, 02:54

p2u wrote: I hope you guys didn't interpret my remarks as an attack on Blue Point Security. I can assure you; it was not intended that way.
No misinterpretation at all. And besides, I like to "criticise" (often negatively) products myself haha.

p2u wrote: I was just reacting to one point the reviewer made about BPS not knowing sometimes whether the file was good or bad. The inexperienced user will then most likely take a decision based on the reputation of the file. But there is this risk anyway
There is this risk for any (home) security setup where the user has control. I'm willing to bet that the majority of guests and users on this forum "know the Administrator password" on their systems. Therefore, they can pretty much do whatever they want. For me personally, this is where the "security approach" is of most importance. For example, if your "security setup" involves BPS, the following scenario could follow:

1. User downloads file
2. User tries to execute file
3. BPS states that the file is "Unknown", and the "reputation" of the file is "Good".

Does the user then completely trust this file? If the user has a good "security approach", he/she wouldn't just trust what others have been doing. He/she would e.g. check the file's MD5 checksum, check if the file is digitally signed, submit it to VirusTotal etc. Or in my case, I would often just open/run it sandboxed and then discard it (probably at least 75% of everything I download).

I think this is something the reviewer (in the original post) fails to recognise. Again, the stuff between our ears is needed to stay safe. One needs to combine a good "security approach" with one's setup - one cannot simply rely on "automatic" software.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Re: Review

Post by Zero_One 25/2/2011, 09:57

ssj100 is correct on all descriptions. All files are blocked/prevented before execution occurs (before you even see the allow/deny popup, actually). Reputation has no impact on a file being "auto allowed"; the only way files are allowed to execute is if we have added them as known safe, i.e. they are from a trusted vendor.

There's no way we'll ever know about every single safe file out there, so the user needs a way to easily override. Hopefully the popup provides them with some useful information to make the decision. General rule of thumb: if you don't know what it is, just click deny. You can easily reverse the rule under history -> ruleset, no harm done. The difference is that products relying upon blacklisting/heuristics will never prevent every bad file out there. Personally I'd rather hit deny on a few safe files than end up silently infected by a few unknown bad ones. Have no idea why AV vendors haven't significantly changed the way they do things in 15 years when it's painfully clear it isn't working.

Zero_One
Security Professional
Posts : 32
Join date : 2010-07-22
http://www.bluepointsecurity.com
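The default-deny behaviour Zero_One describes above (and the "Unknown file, Good reputation" step in ssj100's scenario), modelled as an added Python example. This is not Blue Point Security's code; the class, the sample byte strings standing in for files and the reputation strings are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" (plain byte strings), not real software.
VENDOR_TOOL = b"constructed: build shipped by a trusted vendor"
FLASH_UPDATE = b"constructed: 'flash player update' offered by a video page"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class DefaultDenyPolicy:
    # Hashes the vendor has vetted ("known safe"): the only source of automatic allows.
    known_safe: set[str]
    # Crowd reputation by hash: shown in the popup, never consulted for an auto-allow.
    reputation: dict[str, str]
    # User overrides (history -> ruleset); every entry can be reversed later.
    ruleset: dict[str, str] = field(default_factory=dict)

    def decide(self, data: bytes) -> tuple[str, str]:
        """Return (action, reason); action is 'allow', 'deny' or 'prompt'."""
        h = sha256(data)
        if h in self.known_safe:
            return "allow", "known safe (trusted vendor)"
        if h in self.ruleset:
            return self.ruleset[h], "user rule from ruleset"
        # Unknown file: execution is blocked and the user is asked. Reputation
        # is only advisory text here, so a "Good" score changes nothing.
        rep = self.reputation.get(h, "unknown")
        return "prompt", f"unknown file, reputation={rep}; default is deny"

    def user_rule(self, data: bytes, action: str) -> None:
        """Persist the user's popup answer as a rule for this hash."""
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.ruleset[sha256(data)] = action

    def reverse_rule(self, data: bytes) -> None:
        """Undo a rule, e.g. after denying a file that turned out to be safe."""
        self.ruleset.pop(sha256(data), None)


if __name__ == "__main__":
    policy = DefaultDenyPolicy(
        known_safe={sha256(VENDOR_TOOL)},
        reputation={sha256(FLASH_UPDATE): "Good (100% of users trusted it)"},
    )
    print(policy.decide(VENDOR_TOOL))   # allow: vetted by the vendor
    print(policy.decide(FLASH_UPDATE))  # prompt: unknown despite "Good" reputation
```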

Re: Review

Post by p2u 25/2/2011, 20:40

Zero_One wrote: Personally I'd rather hit deny on a few safe files than end up silently infected by a few unknown bad ones.
Couldn't agree with you more.

Zero_One wrote: Have no idea why AV vendors haven't significantly changed the way they do things in 15 years when it's painfully clear it isn't working.
More than likely business considerations. Some marketing people regard "too many" alerts as a bad thing and are afraid they'll lose clients because of them. And let's not forget certain AV tests where "false positives" are punished. Not getting first prize there seems to be worse than actually protecting the client.

Paul

p2u
Valued Member
Posts : 211
Join date : 2010-12-14
