04.10.2012, 07:10
You just have to understand the philosophy behind how WSA works and not go solely by the results of on-demand tests.
That philosophy is described very well by a few quotes from the Webroot blog:
Quote: Currently most “Real World” tests rely on automation and AV scanners are only given a single chance at detection before the test system is reverted for the next round of testing. Unfortunately this testing model doesn’t give WSA a chance to leverage our unique cloud approach as it has a very static view of the files being tested. If another scan had taken place a short amount of time later, nearly all samples would have been detected from background rules running in our cloud and all system changes would have been reversed automatically.
Quote: So this begs the question, how did WSA protect these infected endpoints while the infections were still unknown to the cloud user base? There are two pieces to this puzzle. The first piece focuses on ensuring WSA is able to reverse all system changes made by a new unknown file and to prevent any irreversible changes from taking place. For example, if a newly discovered program makes file system, disk, registry, or memory changes, these are recorded and analyzed in real time. WSA then checks frequently with the cloud while the program runs to see if an updated classification is available for the unknown files on a system. During this period, the program is able to change the system, but it is under a transparent sandbox where all of the changes taking place are not only being analyzed for behavior correlation, but are also being recorded to see the before-and-after view of every modification to the system. If at any point the cloud comes back and indicates a file is malicious, WSA will automatically remove the infection and restore the system perfectly to a pre-infection state. WSA effectively creates its own system imaging feature that works on a per-application basis, allowing it to generically and completely revert out any threat without needing humans to write signatures. Pretty neat, eh?
Quote: The other piece to protecting an infected system is to prevent sensitive data leakage. Most often, malware is after credentials to various websites, whether that is personal email, banking sites or social networking sites. To prevent this from happening, WSA has an innovative combination of security components that are used to create a safe browsing environment which works without any requirement of user interaction. This is done by blocking the various methods used to lift keystrokes from secured browser sessions as well as the numerous new methods that threats are using today: information stealing attacks running in the browser, screen-grabber threats, man-in-the-middle attacks, and various other forms of covert information gathering.
With this layer of protection, WSA will block threats even if it doesn’t know that a file is malicious. While it is definitely best to remove any threats from your system for performance reasons, with WSA enabled, you could install an undetected, zero-day Zeus infection and continue safely banking online even with it active on your system. This layered defense allows WSA to close the gap from what it finds with pure signatures to what it is able to actually protect the user against. While detection is certainly very important, actually blocking the vectors of attack used by malware is what the goal of security software should really be.
I wasn't convinced myself until I read a bit about how WSA really works.
Let's also wait for the tests that rafikrafiki plans to run.
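The per-application journaling and rollback the quoted blog describes, shown as an added Python example (this is not Webroot's code and not from the original post): an unknown program's file changes are recorded with their pre-images, a cloud stand-in is re-polled after every step, and a late "malicious" verdict reverts everything to the pre-infection state. CloudVerdicts, ChangeJournal, run_unknown_program and the file names are constructed assumptions for the demonstration.

```python
import os

class CloudVerdicts:
    """Constructed cloud stand-in: each poll returns the next verdict (unknown first, malicious later)."""
    def __init__(self, verdicts):
        self.verdicts, self.calls = list(verdicts), 0

    def poll(self):
        self.calls += 1
        return self.verdicts[min(self.calls - 1, len(self.verdicts) - 1)]

class ChangeJournal:
    """Per-program journal of pre-images, so every change can be reverted as one unit."""
    def __init__(self):
        self.entries = []  # (path, bytes before first touch, or None if the file was absent)

    def _snapshot(self, path):
        if any(p == path for p, _ in self.entries):
            return  # the first touch is the pre-infection state; later touches are ignored
        before = open(path, "rb").read() if os.path.exists(path) else None
        self.entries.append((path, before))

    def write(self, path, data):
        self._snapshot(path)
        with open(path, "wb") as f:
            f.write(data)

    def delete(self, path):
        self._snapshot(path)
        if os.path.exists(path):
            os.remove(path)

    def rollback(self):
        for path, before in reversed(self.entries):  # undo newest first
            if before is None:
                if os.path.exists(path):
                    os.remove(path)
            else:
                with open(path, "wb") as f:
                    f.write(before)
        self.entries.clear()

def run_unknown_program(root, cloud):
    """Constructed unknown program edits files under root; the cloud is re-polled after every step."""
    journal = ChangeJournal()
    steps = [("write", os.path.join(root, "hosts"), b"127.0.0.1 bank.example\n"),
             ("write", os.path.join(root, "dropped.bin"), b"MZ-placeholder"),
             ("delete", os.path.join(root, "notes.txt"), None)]
    for op, path, data in steps:
        journal.write(path, data) if op == "write" else journal.delete(path)
        if cloud.poll() == "malicious":
            journal.rollback()  # verdict arrived late, but every recorded change is undone
            return "reverted"
    return "allowed"
```

Registry or memory changes would need their own pre-image recorders, but the journal-then-revert structure is the same.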