The End of Signature-Based Antivirus Software?
nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list.
What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update."
From the referred posting: You can find the information on how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at http://www.av-test.org/.
At first glance this looks like a clever variation on "important document attached" e-mails we all get every day...
This week on /., "The Death of [fill in the blank]!" It's just one test, slow down and breathe.
We better find a way to secure our computers without Bill's help. Otherwise he has a major reason for why we "need" the NGSCB....even though it would most likely be used to accomplish other things.
The anti-virus companies have finally learned that the type of viruses they're creating are too difficult to fight against. So they've decided to start writing slightly new viruses that can be more easily killed through their new type of program, which will cost the unsuspecting Windows user, oh, only a few dozen more dollars a month.
I love the world of GNU/Linux.
The product scores (only the trolls need more karma). Or you can try page 4.
BitDefender 6/6
Fortinet 6/6
Nod32 5/6
eSafe 3/6
F-Prot 3/6
Panda 3/6
QuickHeal 3/6
McAfee 2/6
Norman 2/6
AntiVir 1/6
ClamAV 1/6
Proventia-VPS 3/6
Panda TruPrevent 6/6
A thought, and perhaps a better mind can say why this would or would not work.
Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then pass the IO requests directly to the system.
So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.
Experience taught me that no av solution is good enough if it's just some string scanner. The best solutions I've come across are those which offer string search + resident protection + web shield + resident p2p/torrent and im scan + file hashing with file altering monitoring, and the whole combined with a good firewall. With time I have found the one for the first and one for the second task which I'm satisfied to the point that I quite rarely evaluate newly popped up solutions and install these every time. I won't name them 'cause I'm no free advertiser for nobody. I'm sure the thousands of security experts the /. crowd has :P will provide you with a gazillion of options to choose from :]
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
...It's the users. Until the general population of computer users become smart enough to know not to open strange attachments or install malware from unscrupulous websites, hax0rs will always find a way around virus protection schemes.
People here always clamor about how poorly Windows is designed and how it leaves people so open to attack. The truth is, even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities stemming from the ignorant masses.
That's a bit extreme. If anything the signature based AV software isn't going anywhere right now. It seems like behavior analysis, which is what I thought of when I read the headline, would be a nice extra preventative measure to integrate into existing resident scanners. It doesn't seem like that type of technique would be very reliable if used by itself. Maybe the headline should have been: "A program that watches other programs spots a potential problem in advance!"
I think, based on my personal experience, that Hotmail is already moving away from virus definitions to a more general measure of "traits." In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "." (dot) in it.
I base this on the fact that, after exporting a document from StarOffice 7 directly to a .pdf file, and using a filename with two "dots," I sent this document to a Hotmail user, who wrote me back that Hotmail had declared the file to contain an incurable virus. Reasonably sure that my Xandros linux box had no virii on it, I renamed the file something more Microsoft friendly. The file was received with no problems.
So there you have it, any file with a suspicious name must contain a virus. Easy, reliable detection.
Trying to use sarcasm in text-based forums does not work.
It just means that they already had the signature.
No, it means that the AV program was using "proactive virus protection."
That simply means that the AV program monitors the behavior of programs and makes sure they don't violate security policy. If they do, the AV software assumes it is a virus.
This kind of thing can only work if it's on the machines that will be running the viruses. If you want to scan everything coming in, or at your mail gateway, signature is still the way to go. There's a place for both methods, as has been the case for a long time.
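The sandbox idea floated above and the "monitors the behavior of programs and makes sure they don't violate security policy" description are the same mechanism: score what a running program does against a policy instead of what its bytes look like. The following is an added toy illustration of that scoring logic, not code from AV-TEST, Panda or any product named in this thread; the event names, weights, threshold and the three traces are all made up for the example. It deliberately includes a legitimate installer that trips the policy, since that is the false-positive cost of behaviour blocking.

```python
"""Toy behaviour-policy monitor (added example; not from any AV product)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Each action a running program is observed to take is weighted by how
# suspicious it is on its own.  A process is flagged once the sum of its
# distinct suspicious actions reaches THRESHOLD.  No single action is
# conclusive: opening a listening port is also what a web server does.
# Event names and weights are assumptions for this example.
POLICY = {
    "add_autorun_key": 4,          # persistence across reboot
    "write_hosts_file": 4,         # redirecting update / AV servers
    "write_other_executable": 4,   # modifying another program's binary
    "disable_security_service": 5,
    "open_listen_port": 3,         # backdoor ... or a legitimate server
    "outbound_irc": 3,             # classic bot command channel
}
THRESHOLD = 8


@dataclass
class Verdict:
    pid: int
    score: int = 0
    hits: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= THRESHOLD


def evaluate(pid: int, events: Iterable[Tuple[str, str]]) -> Verdict:
    """Score one process from its trace of (action, detail) events.

    Each policy action counts once per process, so repeating a cheap
    action cannot push a program over the threshold by itself.
    """
    verdict = Verdict(pid=pid)
    seen = set()
    for action, detail in events:
        weight = POLICY.get(action, 0)
        if weight and action not in seen:
            seen.add(action)
            verdict.score += weight
            verdict.hits.append(f"{action}: {detail}")
    return verdict


# Constructed traces; made up for the example, not real captures.
WORM_TRACE = [
    ("create_file", r"C:\WINDOWS\system32\example.exe"),
    ("add_autorun_key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\example"),
    ("open_listen_port", "tcp/8000"),
    ("outbound_irc", "irc.example.invalid:6667"),
    ("write_hosts_file", "127.0.0.1 update.example.invalid"),
]
DEV_SERVER_TRACE = [
    ("create_file", "index.html"),
    ("open_listen_port", "tcp/8080"),
    ("open_listen_port", "tcp/8080"),   # repeated action counts once
]
INSTALLER_TRACE = [                     # legitimate installer: a false positive
    ("add_autorun_key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("write_other_executable", r"C:\Program Files\App\app.exe"),
]

if __name__ == "__main__":
    for label, trace in [("worm", WORM_TRACE), ("dev server", DEV_SERVER_TRACE),
                         ("installer", INSTALLER_TRACE)]:
        v = evaluate(1, trace)
        print(f"{label:10s} score={v.score:2d} flagged={v.flagged} hits={v.hits}")
```

The worm trace scores 14 and is flagged without any signature; the development web server scores 3 and passes; the installer scores exactly 8 and is flagged, which is the kind of false positive the thread complains about later. Tuning the weights trades one error for the other, which is why these products are pitched as a layer on top of signatures rather than a replacement.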
I am trolling
Sheesh...This should be obvious to anyone that MS05-039 totally outclasses MS05-038 in proactive detection test response time. NTIKWTFIATA
...using heuristic detection rules that generate a high number of false positives as well, if scanned files are simply runtime-compressed.
Thanks, but I prefer not to throw the baby out with the bathwater.
Oh no... it's the future.
I was surprised that this article was not in the writeup since it seems at least tangential to the subject: this product claims to actually slow the propagation of worms that have no known signature...which strikes me as being one louder than detecting a virus without a signature. I realize I'm conflating worms with viruses here, but nevertheless...
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
You did it wrong. The formula is this:
All Your [fill in the blank with a SINGULAR noun] Are Belong To Us
Nice to see them called "Windows Worms" instead of computer viruses as usual. These are all Windows problems.
Disclaimer: I worked for a household-name antivirus sw firm in the past and now work for one that filters network-based viruses as a network service.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.
Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.
The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.
Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")
While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?
In my personal opinion, the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this description (example: Grisoft AVG Free Edition) is already available.
What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?
How about a proper security & permissions architecture and non-exploitable system & application sw? Wouldn't that be better than having to burn CPU cycles looking for this crap?
This sort of technology isn't new. Intrusion Detection systems have used it for 5 years or so, though their targets are better tailored to the setup. Anyways, most of those systems needed to be modified to include signatures.
Why? Because the systems couldn't be guaranteed to win 'bake off' tests versus their signature based competitors. Competitors that often only had signatures for the often ancient and arcane vulnerabilities used in the tests.
Such shiny statistics are like catnip for executives it seems.
Anyways, this sort of setup is wonderful in that not only does it detect new attacks, it's also usually an order of magnitude faster than the signature scanners.
Just follow the simple rules:
1) Never install stuff from the browser (like ActiveX etc.)
2) Never open email attachments that are executable (most mailers warn about it)
3) Never download software from third-party sites, only from the vendor's site
4) Scan all suspicious files with an online scanner (or send them through a virus-protected mailbox)
5) Configure your firewall properly (close all ports you don't need)
If you follow these rules you aren't likely to get any infection at all. I didn't have ANY anti-virus software when I had Windows and didn't get ANY infection in about ten years.
Antivirus software on the other hand requires constant updates, slows down PCs (I can determine if an antivirus is running without pressing Ctrl-Alt-Del or looking at the taskbar) and eats your money. What's more, if a virus is new and the user doesn't have the latest updates, he can be easily infected. The only users of antivirus software should be Windows users with relatively no computer experience. This way, the antivirus will probably protect evil from happening when a user doesn't understand what's happening to his PC.
Oh, and some (but not all) antivirus programs are simply a waste of time and money. This applies to most mobile device software. I remember a Norton Antivirus For PalmOS which had an impressive database of FOUR variations of ONE virus. That's all. And yet it cost something like $30 and required yearly subscription in order to receive updates.
>What's really impressive, besides the huge difference between response times among antivirus
>companies, is that two products succeeded to proactively detect all 6 attacks without any
>signature update. "
This would have been more impressive if they had signatures that said "all your base belong to me!" or "in soviet russia, grits pour down portman!" or "/* place sig here */" or the like.
bad_outlook
--
Is this vague enough for you?
How can they already have the signature for a virus before the virus actually exists? They obviously managed to detect the virus by some general heuristics for spotting suspicious behaviour. ... unless you are suggesting the AV companies were the virus authors? :-)
Homme petit d'homme petit, s'attend, n'avale
On the Macintosh, there was an application called "Gatekeeper" (not positive on the name) that was around at least 10 years ago. It basically looked at actions that a virus might take and alerted a user. You had to allow for actions like writing to another application or such.
I have been waiting for this to catch on. I've also been waiting for virus makers to become more sophisticated, but I'm amazed none have learned to use compression and randomize their own signature. My point is, that the clock has been ticking on virus patterns being useful for detecting viruses for years. It's pretty equivalent to blocking email with certain words because that was the title given to a previous email with a trojan horse in it.
Just like this selected quote from one of the links says:
>>"ad space available -- low rates!!!"
:-)
Of course, we know that the problem related to MS05-039 is not primarily an AV problem, but something for (Personal) Firewalls, IDS/IPS systems and better patch management.
I'm using Mailscanner on my mail server, it passes mail through ClamAV (which scored 1/6 on this test) and then BitDefender - the command line version for FreeBSD (which scored 6/6). Perhaps I don't need both...
bad_outlook
--
Is this vague enough for you?
Why is every third post on technology sites the end of the old way and the ushering in of something untested? I understand the need to write eye-grabbing headlines, but wouldn't saying something threatens the old way be more accurate?
fine. quarantine for X minutes and observe behavior... then hax0r writes malware that hibernates for X+1 minutes...
The real story here is that new malware are not normally caught by antivirus programs until they are discovered and updated in the patch file. What percentage of malware have never been discovered before? How many of those are on your computer right now?
Nobody knows.
The only trustworthy solution to malware is a read-only system: the system and application partitions must not be modifiable without rigorous user-initiated discipline including disconnecting from the network and rebooting to a known-clean state.
This sounds crazy, but it is practicable. It requires some technology and some resetting of expectations. One way to think of it is how game systems like the PS/2 operate: you boot the system and save the data to removable media. There are no PS/2 viruses.
What I do today is re-dump my system partition image every couple of days. The image is highly compressed and the dump is actually faster than a virus scan. Now my system partition is perfectly organized. Whenever I want to install some new software, I disconnect from the internet, re-dump, install the new software, and then re-image. Keeps the harddrive nice and organized. I put data files on removable media. It's remarkable how well this system works; and it's great to have peace of mind that my system is not growing crufty over time.
Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.
It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?
Users don't add new apps to their computers that often, and corporations would welcome the chance to ensure only approved and paid-for programs can run on their systems.
When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.
If you use whitelists, the only time code needs to be checked is when new executable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.
Is this feasible? Where's the downside?
Aren't they writing polymorphous viruses these days? They were pretty common back in the DOS era... pretty hard for AV to catch coz there is *no* signature.
Simply put, it is relatively trivial for a virus writer to have the virus determine whether it is running inside a virtual environment/sandbox. This is a known problem in the AV world - shortly after the first attempts to create this sort of sandbox the virus writers demonstrated this capability in the wild.
A good discussion of this is the somewhat famous Halting Problem:
http://en.wikipedia.org/wiki/Halting_problem
My favourite use of this was a book by Greg Bear (Legacy/Eon, I believe) where the protagonists capture an alien, and then clone its mind in a computer simulated world in order to question it. However, the alien knows how to determine that it is in a virtual environment, and the virtual alien commits mental suicide (somehow). Great book, mind blowing hard sci fi.
Regardless - sandbox technology only catches the really dumb viruses, which are pretty easy to catch anyways. You can pretty much count on any viruses taking advantage of new advances in other viruses pretty quickly - whether it be host file rewrites, building botnets, disabling AV functionality, keylogging, auto-upgrades, encrypted command and control channels, etc.
And yes, I do work for an AV company.
CLASSIC!
Did you just defend Windows' security? You may be barking up the wrong tree... ;)
I think you have to assume the user is ignorant. An OS designed to be used by such users should not be able to be taken down by a single double-click. Whether or not Windows should be designed with these kinds of users in mind is a different issue altogether.
Testing virus definitions is somewhat straightforward. Aside from variations (which can still be detected in many cases), you're just looking for a pattern that you already have.
In true /. tradition, let me give a shoddy example. Consider the crime of murder. There are many ways to kill someone. If we want to detect this crime, we need to analyze one of two perspectives: the ability of a human to survive or the functions required for life (alternatively the presence of death). Looking for death and looking for a life-taking action are not too difficult (with exceptions). But the in-between, fuzzy areas where the subject might be dead but could be alive are very difficult.
A policy approach is practically an AI problem. We can describe it in terms of patterns, but it should be very easy to find a loophole in the logic (or too many false positives). Most importantly, the problem frequently begs for intrinsic knowledge of a system - but the whole goal is to find a general solution to specific problems (hence "policy").
We also have to identify the cause of the crime. Not to mention since this action is automated, we need a way to double check our data and ensure it hasn't been tampered with.
Frankly, signature matching is what I pay for in an AV client. The vast bulk of threats are known and preventable. Until I know more about the policy logic of a client, I cannot afford to bank on it.
I might suggest that, but I don't want a sudden string of viruses to attack my computer...
Shoot Pixels, Not People!
Now, I don't know about any of you, but I myself have never found it necessary to give my signature out to McAffee or Norton to get their products to work. Maybe I had a cracked version, I don't know, but I've always been able to install and operate without signing a damn thing....okay, okay, I'm kidding! Sorry to all you who were about to just rip into my stupidity. I've taken away your fun! I'm just foolin'!
lol what?
Honestly...
I haven't needed signature-based AV for over a year, and I've never gotten a virus. What's my AV? POSIX. Look at the safety record of POSIX OSs. Only about 40 known viruses for Linux (yes, technically, it's not officially tested, but it does comply with the Single Unix Specification) or MacOS X (I know, it does not quite comply, and has also not been approved either), about 6 for commercial UNIXs. Almost all of these viruses were proof-of-concepts, and none have been seen in the wild (largely because the concept they proved was promptly secured).
"Fight for lost causes. You may discover they weren't."
3) Never download software from third-party sites, only from the vendor's site
Sorry to rain on your parade there champ, but that won't keep you safe. There have been instances of software vendors unknowingly distributing infected executables on both physical media and via the web. It doesn't happen often but it does happen.
Your method of passive scanning should be extended to all downloads to be safe. If you aren't willing to do that then you should be running an active antivirus scanner.
Mod parent down. The properly shoddy example would have had something to do with cars.
Slashdot: News for Nerds, Stuff that Matters, Bad Car Analogies.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
more profit than loss. why else?
"Keeping it updated" doesn't help for the flash-flood viruses though. If you get infected before your AV company comes out with a tool to scan/remove the infection then it really doesn't matter when you last updated.
You can open an attachment from anyone, known or unknown. Just don't open it by (duh) double clicking it!
So you want to see that naked tennis player? Save the damned thing to your desktop, and open [name of photo editing software]. There's a menu item called "file" and another called "open". Click them. Choose your picture of the naked tennis player.
If a picture of a naked tennis player appears, you got your picture, which isn't a virus.
If you get "Unknown file format" you have been served a virus - which you haven't executed and can safely delete.
Strange spreadsheet? Don't open it. Screen saver? Ditto. Word document? Are you nuts? DON'T OPEN IT!
WMA file? DON'T OPEN IT. It has DRM, meaning a microsoftian mix of code and data. DON'T OPEN IT. It can contain a virus that will be run by ANY media player.
MP3? Fine, just don't use WiMP (Windows Media Player) to open it, as it may actually be a WMA file renamed to MP3, and can contain a virus that WiMP will execute.
Use just about any other media player (eg Winamp) and if it's a WMA file it won't play. IT'S LIKELY A VIRUS.
Text file? Use a text editor.
"But" you say, "what about buffer overflows?" True, you can have a real JPG carefully crafted to overflow a buffer in a poorly written app, but if your OS and apps are patched you're in very little danger.
Programs are dangerous, whether or not they have data embedded. Pure data is not, provided you can assure yourself it's simply data.
Microsoft could just about end viruses by stopping the active-everything nonsense and keep code as code and data as data, and to SHOW EXTENSIONS! It's just stupid that you can rename "virus.exe" to "Naked Tennis Player.jpg.exe" and Windows will display it as "Naked Tennis Player.jpg."
And for God's sake get a firewall and don't use IE!!!!
And please stop blaming users for Microsoft's shortcomings. Users can be educated, Microsoft apparently cannot.
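The rule the post above keeps shouting, "keep code as code and data as data", can be checked mechanically: decide how to treat a received file from the bytes it starts with and from its real final extension, not from the name the sender chose. This is an added example, not code from the post or from any mail or AV product; the magic-byte table, the extension sets and the sample files are the example's own (the ASF GUID used for .wma and the other leading bytes are the published format markers, but the table is only a small subset). It also covers the Hotmail "long name with two dots" complaint earlier in the thread: the double extension is only a problem when the last one is executable.

```python
"""Added example: classify a received file by content, not by its name."""
import os
from typing import Dict, List, Optional

# Leading bytes each format really starts with (small subset, for the example).
# A format with no entry (plain text) cannot be verified this way.
MAGIC: Dict[str, List[bytes]] = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".pdf":  [b"%PDF-"],
    ".mp3":  [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".wma":  [b"\x30\x26\xb2\x75\x8e\x66\xcf\x11"],   # ASF header object GUID
    ".exe":  [b"MZ"],
}
# Extensions Windows treats as code when the file is double-clicked.
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Formats that are supposed to be passive data.
DATA = (set(MAGIC) | {".txt"}) - EXECUTABLE


def extensions(name: str) -> List[str]:
    """All suffixes in order: 'photo.jpg.exe' -> ['.jpg', '.exe'].
    Only the last one decides what the OS does with the file."""
    parts = os.path.basename(name).split(".")[1:]
    return ["." + p.lower() for p in parts if p]


def inspect(name: str, data: bytes) -> dict:
    """Return the extension chain, whether a data extension hides an
    executable one, whether the content matches the final extension, and
    a verdict on how the file should be handled."""
    exts = extensions(name)
    final = exts[-1] if exts else ""
    hidden_executable = final in EXECUTABLE and any(e in DATA for e in exts[:-1])
    expected = MAGIC.get(final)
    magic_ok: Optional[bool] = (None if expected is None
                                else any(data.startswith(m) for m in expected))
    if final in EXECUTABLE:
        verdict = ("do not run (executable hidden behind a data extension)"
                   if hidden_executable else "do not run (executable)")
    elif magic_ok is False:
        # e.g. a .wma renamed to .mp3: the container is not what the name claims
        verdict = f"reject: content is not {final}"
    else:
        verdict = f"open as data with a {final or 'text'} viewer"
    return {"final_ext": final, "extensions": exts,
            "hidden_executable": hidden_executable,
            "magic_ok": magic_ok, "verdict": verdict}


# Constructed sample inputs (a few header bytes each, no real files).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "Naked Tennis Player.jpg.exe": b"MZ\x90\x00" + bytes(60),
    "song.mp3 (really ASF)": b"\x30\x26\xb2\x75\x8e\x66\xcf\x11\xa6\xd9\x00\xaa\x00\x62\xce\x6c",
    "notes.txt": b"just text\n",
}

if __name__ == "__main__":
    for label, content in SAMPLES.items():
        print(f"{label:30s} -> {inspect(label.split(' (')[0], content)['verdict']}")
```

The point of the `magic_ok` check is the WMA-renamed-to-MP3 case from the post: a player that trusts the name will hand the bytes to the ASF code path, a check that trusts the bytes refuses before any player is involved.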
the time invested in writing most of today's "viruses" amounts to little more than 20 lines of VB script.
I understand the Halting Problem fairly well. I also went and read the wikipedia entry you reference (which is quite well written, as usual). But I simply do not understand how this enables a virus to determine whether it is running inside a virtual environment/sandbox.
Is it possible that you are confused? The Halting Problem DOES guarantee that no virtual sandbox can be created which will review any program and verify that it never engages in virus-like behavior. But I fail to see how it proves anything about the virus's ability to determine whether it is in a virtual environment or not. And it seems obvious to me (although I'm certainly not claiming to possess a proof) that the opposite is true: for a good-enough sandbox a program can NEVER determine whether it is running in a sandbox or in the "real world".
[Insert clever Matrix quip here, but I'm too bored to come up with one.]
You posted AC, but if the previous poster (or anyone else) knows the answer, please let me know (email jekk@mcherm.com) or post it here.
-- Michael Chermside
I heard about this ages ago. I think it was called something like "mac"... ;)
Just follow these simple rules:
There is no step two!
Join Tor today!
On the other hand, you really wouldn't know if you had an "infection", would you?
Just another "Cubible(sic) Joe" 2 17 3061
You can do a network scan of your harddisk from a friend who DOES have an antivirus and then press Reset to make sure any viruses resident in the memory but not on the harddrive are killed.
Dammit, I knew I should never have trusted those cheap Taiwanese AV knock-offs!!!
Sure, users can cause problems on every platform.
However, what this article is about is worms. Specifically, "flash" worms that spread faster than AV vendors can respond with signature updates. Worms don't spread through user interaction, they spread through vulnerabilities in the OS/application suite, and they spread FAST. Most places were hit with Zotob hours before users had much if anything to do with it, and in some cases days before virus signatures were out.
even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities
Nice try, but no Linux distribution that I'm aware of has its hardware discovery service bound to the network interface, by default. And very few Linux distros (if any these days) are shipped with *any* listening services by default. A worm like this, or Code Red, or Nimda, or Slammer, or Blaster, or Sasser simply isn't possible. If it was, believe me, you'd have seen it - there's a whole buttload of Linux servers out there in the wild, and believe me, worm authors would love that prize.
But sure, keep spreading the "nothing is 100% secure, therefore everything is equally insecure" myth. I need a chuckle from time to time.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
you can scan your windows systems with the following 2 online windows scanners from time to time:
http://www3.ca.com/virusinfo/virusscan.aspx
http://housecall.trendmicro.com/
That simply means that the AV program monitors the behavior of programs and makes sure they don't violate security policy. If they do, the AV software assumes it is a virus
Unfortunately, according to TFA, the programs that did the best "proactive" virus detection also tend to catch a lot of false positives.
Kinda like shooting squirrels with cruise missiles. Effective....yes. But was it worth taking out the tree/yard/half a house the squirrel was next to?
Don't take life so seriously. No one makes it out alive.
The only downside is if a third party controls the whitelist.
I think the solution is good if the "gatekeeper" can be setup to a similar way that ZoneAlarm Firewall works today. The whitelist should be managed by the user. You download a program and run its executable. Up pops a window:
"Hello, Program ABC is about to be executed. Are you certain that you want to allow this program to run?
[Yes, and add ABC to whitelist] [Yes, allow ABC to run once] [No, do not allow ABC to run]
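The whitelist proposal earlier in the thread and the three-button prompt just above are the same design: run only executables whose hash is already on the list, and ask the user about everything else. The following is an added example of that decision logic, not code from ZoneAlarm or any other product; the binaries are a few constructed bytes, and the prompt is replaced by an `ask` callback (returning "always", "once" or "no", one per button) so the logic runs without a GUI. Real enforcement would need an OS hook that calls `check` before anything executes; only the decision part is shown.

```python
"""Added example: a hash-based executable allowlist with a user prompt."""
import hashlib
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def digest(data: bytes) -> str:
    """SHA-256 of the file contents; the name is irrelevant to the list."""
    return hashlib.sha256(data).hexdigest()


class Gatekeeper:
    """Decides whether an executable may run.

    Known hashes run silently.  Unknown hashes are referred to `ask`,
    which answers "always" (add to the list), "once" (run this time only)
    or "no".  With no prompt available the default is to deny.
    """

    def __init__(self, allowed: Iterable[str] = (),
                 ask: Optional[Callable[[str, str], str]] = None):
        self.allowed: Dict[str, str] = {h: "preloaded" for h in allowed}
        self.ask = ask or (lambda name, h: "no")
        self.log: List[Tuple[str, str, str]] = []   # (decision, name, reason)

    def check(self, name: str, data: bytes) -> Tuple[bool, str]:
        h = digest(data)
        if h in self.allowed:
            self.log.append(("allow", name, "listed"))
            return True, h
        answer = self.ask(name, h)
        if answer == "always":
            self.allowed[h] = name            # future runs need no prompt
        ok = answer in ("always", "once")
        self.log.append(("allow" if ok else "deny", name, answer))
        return ok, h


# Constructed stand-ins for binaries (just bytes, not real programs).
VENDOR_APP = b"MZ" + b"vendor build 1.0 " * 8
TAMPERED_APP = VENDOR_APP[:-1] + b"!"       # one byte changed, e.g. an infected copy
NEW_APP = b"MZ" + b"shiny new app " * 8


def demo() -> dict:
    """Walk through the cases from the thread and return each decision."""
    gk = Gatekeeper(allowed=[digest(VENDOR_APP)], ask=lambda name, h: "no")
    results = {
        "vendor": gk.check("app.exe", VENDOR_APP)[0],        # listed: runs
        "tampered": gk.check("app.exe", TAMPERED_APP)[0],    # same name, new hash: denied
        "new_denied": gk.check("shiny.exe", NEW_APP)[0],     # unknown, user says no
    }
    gk.ask = lambda name, h: "always"       # user clicks "Yes, and add to whitelist"
    results["new_after_approval"] = gk.check("shiny.exe", NEW_APP)[0]
    gk.ask = lambda name, h: "no"           # no further prompt should be needed
    results["new_now_listed"] = gk.check("shiny.exe", NEW_APP)[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} {'run' if allowed else 'blocked'}")
```

Hashing the contents rather than trusting the filename is what makes the tampered vendor build a separate entry: the earlier reply noting that vendors have shipped infected executables is exactly the case where a name-based list fails and a hash-based one holds, provided the user says "no" at the prompt.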
Because AV companies employ people in labs to write computer viruses. Not to release them in the wild, just so they can be proactive.
It is interesting to look at how the AV companies(large ones) stocks are performing the previous 6 months before a sudden and major virus release.
But that is coincidental.
The Dunning-Kruger effect explains most posts on
I don't recognize about half of those anti-virus products, but I do not see my personal favorite - AVG from Grisoft. It is free for personal use and you get access to the same timely updates as the paying corporate customers. So you don't have to worry about your virus definition subscription expiring or not working because your laptop is no longer on the campus network so can't get the site-license for the updates.
Maybe Windowsupdate will provide an option to "Update and install automatically" like A/V does with signatures. Most end users ignore the globe in the taskbar anyway so no matter the visual indicator they won't install the updates. It's pathetic that A/V is tasked with saving us because we are too lazy to patch....
Or you could do it the easy way
1) Install Linux
clerical error in parent
This report is pure crap. Most of those companies have multiple products/versions. Shouldn't an analysis of this type detail what product they tested? Further, shouldn't they document which options they enabled? There is no merit to this at all without some basic information to make comparisons from. How is an administrator/user supposed to use this information?
yeah so when the latest version of photoshop (or whatever else) decides to do a direct read to the FS it will just terminate the app without saving that last ten hours of work you just did to try out the latest app you just paid several hundred $$$ for. Since we all know how Adobe and certain other coMpanie$ like to throw in some non-standard code (like there is a standard) where you least expect it.
FragHARD or don't frag at all
that Fortinet did well in this test. Fortinet as a company seems to have developed an excellent AV Engine. I am a huge fan of their Fortigate firewalls as well as their FortiClient host software. My company transitioned from the Symantec product, and we haven't looked back.
Signature based malware detection is hardly becoming obsolete. In fact, quite the opposite. The majority of threats are poorly written, and have very little in the way of dynamic code. I would go so far as to say that checksumming is becoming increasingly popular. Not however in the way you might think! By using intelligent code, and hardware optimized scanning we are able to perform "fuzzy checksums" of certain "interesting" code. This is the way by which two of the three companies earning perfect detection succeeded in this test. Point being; don't think for a second this stuff is getting much harder. The difficulty is in creating engines that are fast, and very efficient with memory and CPU resources. Fortinet is going down the right path with their antivirus firewalls for sure.
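The post does not say how its "fuzzy checksums" are computed, so the following is an added illustration of the underlying idea rather than that engine: an exact checksum of a code section changes completely when one byte changes, while a similarity measure over overlapping byte windows barely moves for a lightly modified variant and is near zero for unrelated data. The samples are constructed (assembly-looking text standing in for a code section); the window size and the byte-window Jaccard comparison are the example's own choices, a simplified stand-in for the piecewise or rolling hashes real fuzzy-hash schemes use.

```python
"""Added example: exact checksum vs. byte n-gram similarity for variants."""
import hashlib
from typing import Set

N = 4   # window size in bytes; an assumption for the example


def exact_checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = N) -> Set[bytes]:
    """Set of every overlapping n-byte window in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two window sets: 1.0 identical, 0.0 disjoint."""
    sa, sb = shingles(a), shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


# Constructed samples: a "known" code section, a variant with two small
# edits (a stack size and the trailing instruction), and unrelated bytes.
KNOWN = (b"push ebp; mov ebp,esp; sub esp,0x40; lea eax,[ebp-0x40]; push eax; "
         b"call get_config; test eax,eax; jz done; mov ecx,[eax+8]; "
         b"push ecx; call write_log; add esp,4; done: xor eax,eax; leave; ret; "
         b"nop; nop; nop; nop; int3")
VARIANT = KNOWN.replace(b"0x40", b"0x48").replace(b"int3", b"ret ")
UNRELATED = bytes((i * 131 + 7) % 251 for i in range(len(KNOWN)))


def compare(sample: bytes) -> dict:
    """How a sample relates to KNOWN under each method."""
    return {"exact_match": exact_checksum(sample) == exact_checksum(KNOWN),
            "similarity": round(similarity(sample, KNOWN), 3)}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN), ("variant", VARIANT), ("unrelated", UNRELATED)]:
        print(f"{label:10s} {compare(sample)}")
```

The exact checksum matches only the untouched sample, so a two-byte tweak by a virus author defeats it; the window similarity stays well above 0.75 for the variant and at 0 for the unrelated bytes, so a threshold on it catches the family. Production engines keep a fixed-size digest instead of the full window set, but the comparison they make is of this kind.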
TruPrevent is not a scanner, but a behavioral analyzer. The malware must be executed and then TruPrevent detects and announces that there is a problem on the PC.
That's great, a program that tells me I got infected. OK, maybe that's useful to some people, but should a "reactive" program really be named "Prevent" ?
time after time I have to clean all the spyware/adware/viruses off my friends' computers, because they do things like install random activex controls.
the easy thing is cleaning the computer, it usually takes me 10 mins.
the hard thing is convincing these people to change their computer use habits and getting them to remember not to do things such as click random popups on the web.
Invariably I get called back to clean the computer again because they did not take my advice.
You're right that the virus cannot determine whether it's in a sandbox. That was the subject of a huge flame war in comp.theory a while back. However, it is also true that the sandbox cannot determine whether it contains a virus, for Halting Problem reasons; proving a more rigorously defined version of that is a commonly-assigned homework problem in theory of computation classes.
The grandparent AC (which wasn't me) was probably thinking of the book Permutation City by Greg Egan, although the mind in the box in that book wasn't actually an alien. It was a downloaded human mind, and there was no spooky detection of virtualization involved - the human on the outside intended to be copied and knew what to expect before getting scanned for the copy in the first place, so he had no doubt that he was a downloaded copy when he woke up in the simulation.
Posted and mailed - I'm only posting AC because I stubbornly refuse to get a Slashdot account.
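The undecidability result the two replies above are circling (Michael's question and the answer that "the sandbox cannot determine whether it contains a virus, for Halting Problem reasons"), worked through as an added note that is not part of either post; the symbols are chosen here. Fix one forbidden action, call it $\mathsf{infect}$, and suppose a decider $V$ existed with

$$V(P) = 1 \iff \text{program } P,\ \text{run from a fixed start state, ever performs } \mathsf{infect}.$$

For any machine $M$ and input $w$ construct the program

$$P_{M,w} := \text{"simulate } M \text{ on } w;\ \text{if the simulation halts, perform } \mathsf{infect}\text{"}.$$

By construction $P_{M,w}$ performs $\mathsf{infect}$ exactly when $M$ halts on $w$, so

$$V(P_{M,w}) = 1 \iff M \text{ halts on } w,$$

and $V$ would decide the halting problem, which is impossible. Hence no $V$ exists: no sandbox can decide in advance, for every program, whether it will ever misbehave. Two things the argument does not say. First, nothing in it involves $P$ detecting the sandbox; whether a program can tell it is being simulated is a question about the fidelity of the simulation, not about computability, which is the distinction the question above draws. Second, the result is about deciding ahead of time for all programs; a monitor that watches the real run and stops the program at the moment it attempts $\mathsf{infect}$ is not ruled out, and that is what the behaviour blockers discussed in this thread actually do.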
I am amused. How do you plot a unique graph on a single data point? You could have an infinite number of curves going through it.
Drawing conclusion on one single fact borders on the insane.
Quite. At a client site last year, an obscure DLL buried in a 3rd party software package set off what turned out to be a false positive. It generated a flood (well, hundreds) of helpdesk calls on the day it "hit", which, as it turned out, was the first day of an automated weekly scan following the definition update. False positives can be dreadfully expensive on a large network.
If you mod me down, I shall become more powerful than you could possibly imagine.
...so you whacked on Norton Internet, Car and Household Security 2006 and suddenly your rig turned into a complete hoe.
:-)
Has anybody mentioned AVG? I use this at home and on all my (non-business) clients' computers and it seems to be quick to update, has heuristic analysis (which is what we are talking about), and has your resident+email scanner and auto update.
For P2P I just keep my IP blocker up-to-date. I find my computer runs as normal most of the time, as opposed to those business clients running Norton's.
Norton *is* the virus goddammit. If everybody uninstalls Norton's there will be no more viruses!
Aaron.
It's OK Bender, there's no such thing as 2.
I note that the ITSEC government security evaluation rules specifically cover the speed of updating of an AV product. The standard is termed F-AVIR, and this comment refers:
http://vx.netlux.org/lib/asg09.html
If you have trouble finding it - I enclose a short extract:
"By attempting to measure a product's performance against the threat by scanning a comprehensive large collection of all viruses, testing extensively against those viruses which are known to be "In the Wild" according to designated reporting authorities, and measuring product abilities against a range of different attack strategies, the ITSEC scheme is focusing on the current and future "In the Wild" threat. By evaluating the product's ability to defend against the different techniques used by viruses, they hope to provide a measure of a developer's ability to track a rapidly changing threat. The CLEF would maintain close contact with the developer of the product currently under evaluation, with developers being required to demonstrate that not only are they up to date with the current threat, but that they have in place sufficient procedures to monitor the threat as a function of time and update the software to meet this threat. This would be documented through the use of the Certificate Maintenance Scheme, which includes extensive paperwork on the part of the developer to document their resources and plans in various areas including intelligence activities related to monitoring the threat, threat analysis and countermeasures. This "vendor evaluation" is something that almost no other evaluations of anti-virus software includes, and is one of the biggest benefits of the proposed ITSEC approach. It is also one of the areas which appears to meet with the most resistance within the USA."
If this does not get modded 'insightful' I don't know what will!!
First off: relatively trivial actually means 95% of VXers fail to make the cut. That's good security.
Second: The first attempts were easily thwarted because they attempted to emulate the hardware, rather than the operating system environment itself.
However, they resulted in the creation of , and spearheaded further development.
Third: The halting problem does not apply.
Fourth: Don't diss it just because you don't use it.
And yes, so do I.
No, it doesn't. Antiviruses are not single-machine intrusion detection systems.
Something bad is coming when people are suddenly anxious to tell the truth.
(I assume that a signature for an encoded payload could be used but that hopefully anyone who encoded their payload in their executable would also take the time to include a table to xor against unique for each exploit in which the payload was used so that the same payload could be used undetected with different exploits.)
I do security
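The parenthetical above describes a per-exploit XOR table: the same payload, masked with a different key each time, so a signature written against the encoded bytes of one sample misses the next. The following is an added example (not code from the commenter or from any AV vendor) that walks through that effect. The payload, the signature and the keys are all constructed stand-ins; the "emulator" is just the inverse XOR, standing in for the decode step a heuristic engine would have to perform before a content signature can fire again.

```python
"""Constructed demo: why a per-sample XOR mask defeats a signature on the
encoded payload, and why scanning the *decoded* bytes restores the match.

Everything here is a stand-in: PAYLOAD is an arbitrary marker string, not
real shellcode, and SIGNATURE is simply a substring of it.
"""
import os

# Constructed payload and a constructed "AV signature" taken from it.
PAYLOAD = b"\x90\x90PAYLOAD-MARKER:exec(cmd.exe)\xcc"
SIGNATURE = b"PAYLOAD-MARKER"


def xor_encode(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key. XOR is its own inverse, so the
    same call decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(payload: bytes, key: bytes) -> bytes:
    """Lay out a sample the way a self-decoding stub would carry it:
    the key first, then the masked body. A different key yields a
    byte-for-byte different sample with identical behaviour after decode."""
    return key + xor_encode(payload, key)


def random_sample(payload: bytes, key_len: int = 4) -> bytes:
    """Fresh key per sample, as the comment suggests per exploit."""
    return build_sample(payload, os.urandom(key_len))


def signature_scan(data: bytes, sig: bytes) -> bool:
    """The naive static check: does the byte pattern appear anywhere?"""
    return sig in data


def emulate_decode(sample: bytes, key_len: int) -> bytes:
    """What a heuristic/emulating engine effectively does: run (or model)
    the stub far enough to recover the plaintext body, then scan that."""
    key, body = sample[:key_len], sample[key_len:]
    return xor_encode(body, key)


def scan_with_emulation(sample: bytes, key_len: int, sig: bytes) -> bool:
    """Static scan first; if it misses, scan the decoded body."""
    if signature_scan(sample, sig):
        return True
    return signature_scan(emulate_decode(sample, key_len), sig)


def demo() -> dict:
    """Two samples of the same payload under two fixed keys."""
    k1, k2 = b"\x5a", b"\x5a\xa7\x13\xc4"
    s1, s2 = build_sample(PAYLOAD, k1), build_sample(PAYLOAD, k2)
    return {
        "plain_hit": signature_scan(PAYLOAD, SIGNATURE),
        "static_hit_s1": signature_scan(s1, SIGNATURE),
        "static_hit_s2": signature_scan(s2, SIGNATURE),
        "samples_differ": s1 != s2,
        "emulated_hit_s1": scan_with_emulation(s1, len(k1), SIGNATURE),
        "emulated_hit_s2": scan_with_emulation(s2, len(k2), SIGNATURE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The static scanner matches the plain payload and misses both encoded samples, which also differ from each other, so a signature lifted from one encoded sample would not carry over to the next. Once the body is decoded (by running the stub in an emulator, or by modelling the XOR loop) the same signature matches again, which is the gap between signature response times and the proactive detection the test in the story is measuring. The per-key scan works here only because the demo knows the key length; a real engine has to recover that from the stub it is emulating.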
I'm using E-Mail Security With Procmail for just that: proactive detection (plus sanitation). It works quite well, especially considering its price and no need for frequent automatic updates (though they are available, sort of).
hany
> well I don't think it has any chance of getting modded insightful for various reasons, the first of which is you didn't bash m$ at all... I mean what's up with that? this is slashdot after all. Then all you really did was quote a link to some government report (borrrrring) with a bunch of double-talk where they make up all kinds of acronyms and 'cliche sorts'... but then that's what they do best ;) maybe the mods thought that last statement was your sig???
FragHARD or don't frag at all