Slashdot Mirror


The End of Signature-Based Antivirus Software?

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update."

20 of 290 comments

  1. Excel sheet Zip file???? by gtrubetskoy · · Score: 5, Funny

    From the referred posting: You can find the information how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at http://www.av-test.org./

    At first glance this looks like a clever variation on "important document attached" e-mails we all get every day...

    1. Re:Excel sheet Zip file???? by milimetric · · Score: 5, Funny

      what I find interesting here is that whereas in the detection time sorted column Symantec performed at an average level, in the alphabetically sorted column they performed very badly, being one of the last ones in the list. Judging by a quick glance at this, I will switch my antivirus software to AntiVir which was at the TOP of the list.

  2. The death of X by twigles · · Score: 4, Funny

    This week on /., "The Death of [fill in the blank]!" It's just one test, slow down and breathe.

  3. Data from the article by Anonymous Coward · · Score: 5, Informative

    The product scores (only the trolls need more karma). Or you can try page 4.

    BitDefender 6/6
    Fortinet 6/6
    Nod32 5/6
    eSafe 3/6
    F-Prot 3/6
    Panda 3/6
    QuickHeal 3/6
    McAfee 2/6
    Norman 2/6
    AntiVir 1/6
    ClamAV 1/6
    Proventia-VPS 3/6
    Panda TruPrevent 6/6

    1. Re:Data from the article by Baron+von+Leezard · · Score: 5, Insightful

      This is a meaningless test. I can write an AV program that will get 6/6 no matter what you feed it: it always returns positive. Is that actually helpful? Obviously not. The article mentions that the products that scored 6/6 have a higher false positive rate. Sounds harmless, but even the tiniest false positive rate renders a product completely unusable when the volume of scanned items is high. So what does this test actually reveal? Absolutely nothing. [BvL]

  4. Sandbox by hrieke · · Score: 4, Interesting

    A thought, and perhaps a better mind can say why this would or would not work.
    Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then pass the IO requests directly to the system.
    So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  5. The problem isn't the software... by QuantumPion · · Score: 4, Insightful

    ...It's the users. Until the general population of computer users become smart enough to know not to open strange attachments or install malware from unscrupulous websites, hax0rs will always find a way around virus protection schemes.

    People here always clamor about how poorly Windows is designed and how it leaves people so open to attack. The truth is, even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities stemming from the ignorant masses.

    1. Re:The problem isn't the software... by why-is-it · · Score: 4, Informative
      You truly don't know anything about "Unix", do you?

      He might. I am wondering just how much you know about it though...

      From what I have read, many (but not all) trojans, viruses and spyware can operate just fine in user space, without needing to be root. It all depends on what the vx'er wanted to achieve. Sure, if they want to 0wn j00, they want root access. But you would not need root access to:

      • install a TCP-based application in $HOME/bin and phone home
      • participate in a DDOS attack against a specific host
      • send spam via sendmail (user-mode)

      There are lots of malevolent things that could be done without being root. Fortunately, the vx'ers want the most bang for the buck and target windows users.

      The pp's point was entirely valid. It has just as much to do with user education as it does with securing your boxen.

      --
      *** Where are we going? And what's with this handbasket?
    2. Re:The problem isn't the software... by Delphiki · · Score: 5, Insightful
      The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.

      Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?

      Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer? There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?

      Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.

      --

      Feel free to mod me "-1 - Angry Jerk".

    3. Re:The problem isn't the software... by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      The problem is the culture that Windows has engendered, which says "everything should be automagic -- don't think! -- just click and the world will be yours!"

      I call this the "OK/Cancel" problem. Users get into the mindset that if they just click OK all the time things will work. You have to click OK a dozen times a day to keep your computer working, just like adding gas to a car. After a little while they don't even pay attention to what is being asked.

      Part of the solution is simply to use better dialogue windows and part of it is to give the user better choices. I remember in Word (back in the day) I would get a dialogue box that said, "Warning, this word file contains macros that may be viruses, open it anyway? OK/Cancel" Talk about useless. What it needed was a button that said, "open the file, but don't run any macros." I know people who would have paid $500 bucks for that option. Aside from all the viruses that autorun (which are pretty much MS's fault), e-mail should never run executables when clicked without attaching a warning that says, "This is a program, not a file. It may be a virus. (Don't run)/(Run but don't allow access to my files or the internet)/(Run and let it access my files and the internet)." That would stop most viruses right there. If Linux was the market leader it would have some of the same problems, but I bet someone would include that dialogue box and make all our lives easier. This is partially a problem with users, but mostly it is a problem with functionality. Users need fine grained control, good default settings, and a good user interface that lets them know what it is they are doing. I haven't seen all three of those yet, anywhere, but it is very possible. The only reason it does not exist is because MS doesn't care because it has a monopoly and Apple/Linux developers don't have a problem yet and are thus not motivated to solve it.

    4. Re:The problem isn't the software... by Drooling+Iguana · · Score: 4, Insightful
      The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.
      Those updates are for potential exploits in programs that the user may have installed (but, in the case of a typical desktop user, probably won't.) This hardly compares to the endless march of exploits that can attack the default configurations for Windows.
      Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?
      And how, pray tell, would such a malicious program get onto a Linux machine in the first place, since Linux programs are typically installed from a central repository using a tool such as apt-get or Portage, rather than from executables downloaded from random web sites, as Windows programs are?
      Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer?
      And how many regular users will have MySQL installed on their systems, particularly in a configuration that allows it to be accessed remotely?
      There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?
      Those programs are not remotely accessible in their default configurations.
      Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.
      Except that nearly every Linux distribution strongly encourages or even outright forces the creation of a regular user account during installation, and many programs will pop up warnings when run as root.
      --
      ... I'm addicted to placebos
  6. Death of? by springbox · · Score: 4, Insightful

    That's a bit extreme. If anything the signature based AV software isn't going anywhere right now. It seems like behavior analysis, which is what I thought of when I read the headline, would be a nice extra preventative measure to integrate into existing resident scanners. It doesn't seem like that type of technique would be very reliable if used by itself. Maybe the headline should have been: "A program that watches other programs spots a potential problem in advance!"

  7. Hotmail is doing this already? by Thunderstruck · · Score: 5, Informative

    I think, based on my personal experience, that Hotmail is already moving away from virus definitions to a more general measure of "traits." In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "." (dot) in it.

    I base this on the fact that, after exporting a document from StarOffice 7 directly to a .pdf file, and using a filename with two "dots", I sent this document to a Hotmail user, who wrote me back that Hotmail had declared the file to contain an incurable virus. Reasonably sure that my Xandros linux box had no virii on it, I renamed the file something more Microsoft friendly. The file was received with no problems.

    So there you have it, any file with a suspicious name must contain a virus. Easy, reliable detection.

    --
    Trying to use sarcasm in text-based forums does not work.
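    The filename "trait" rule the post above infers, side by side with the refinement a mail filter would normally use instead. This is an added example, not Hotmail's actual logic (the post only infers it from one bounce); the sample attachment names and the extension lists are constructed for illustration.

```python
"""Filename heuristics of the kind comment 7 describes.

naive_rule() reproduces the behaviour the poster observed: any long name
with more than one dot is treated as infected.  classify() is the usual
refinement: judge the *final* extension and look for a document-looking
extension hidden in front of it ("invoice.pdf.exe").  Added example; the
names below are constructed and Hotmail's real logic is not known here.
"""
import os

# Assumed extension sets; real filters carry much longer lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".zip"}


def naive_rule(filename, max_len=20):
    """The rule the post infers: long name + more than one dot => 'virus'."""
    return len(filename) > max_len and filename.count(".") > 1


def classify(filename):
    """Return why the attachment is blocked, or None if it passes."""
    name = filename.lower()
    root, ext = os.path.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return None                     # a PDF with dots in its name is just a PDF
    # rstrip() defeats "photo.jpg<lots of spaces>.scr" padding that pushes
    # the real extension out of the visible column in a mail client.
    _, inner = os.path.splitext(root.rstrip())
    if inner in DOCUMENT_EXTS:
        return f"executable disguised as {inner} document"
    return "executable attachment"


# Constructed sample names; the first is the poster's two-dot PDF export.
SAMPLES = [
    "Quarterly.Sales.Report.2005.pdf",
    "setup.exe",
    "Invoice_2005-08.pdf.exe",
    "photo.jpg                                   .scr",
    "notes.txt",
]


def compare(names=SAMPLES):
    """Map each name to (naive verdict, refined reason) for a side-by-side view."""
    return {n: (naive_rule(n), classify(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, refined) in compare().items():
        print(f"{name!r:55} naive={naive!s:5} refined={refined}")
```

    Run as written it shows the two failure modes of the naive rule at once: the legitimate multi-dot PDF is flagged, while a plain `setup.exe` (short, one dot) sails through. The refined rule keys on what the operating system will actually do with the file when double-clicked, which is the property that matters.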
  8. Re:well by the_mighty_$ · · Score: 4, Informative

    It just means that they already had the signature.

    No, it means that the AV program was using "proactive virus protection."

    That simply means that the AV program monitors the behavior of programs and makes sure they don't violate security policy. If they do, the AV software assumes it is a virus.

    --
    VI VI VI - the editor of the beast!
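    What the sandbox in comment 4 and the "proactive virus protection" in comment 8 amount to in practice is a policy over observed behaviour rather than over file contents. The following is an added example, not any product's engine: a toy monitor that scores a program's run-time actions against a few weighted rules. The rules, weights, thresholds and all three event traces are assumptions constructed for illustration.

```python
"""Toy behaviour-based ("proactive") detector.

Rather than matching a file against signatures, it watches what a program
does while running and scores those actions against a policy, which is
what the sandbox in comment 4 and the proactive protection in comment 8
describe.  Added example, not any product's engine; rules, weights and
traces are assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    op: str       # "listen", "connect", "write" or "exec"
    target: str   # port, host or path the operation touched


# Locations where a write usually means self-installation or persistence.
PERSISTENCE_PREFIXES = (
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "C:\\Windows\\System32\\",
)
SCRATCH_PREFIXES = ("c:\\temp", "c:\\windows\\temp", "/tmp")


# Each rule inspects the whole trace and returns (weight, reason) when it fires.
def rule_listen(events):
    ports = sorted({e.target for e in events if e.op == "listen"})
    if ports:
        return 3, f"opened listening port(s) {ports}"


def rule_persistence(events):
    for e in events:
        if e.op == "write" and e.target.startswith(PERSISTENCE_PREFIXES):
            return 4, f"wrote to autorun/system location {e.target}"


def rule_fanout(events, limit=20):
    hosts = {e.target for e in events if e.op == "connect"}
    if len(hosts) >= limit:
        return 4, f"connected to {len(hosts)} distinct hosts (scanning/propagation)"


def rule_exec_from_scratch(events):
    for e in events:
        if e.op == "exec" and e.target.lower().startswith(SCRATCH_PREFIXES):
            return 2, f"executed a payload from a scratch directory: {e.target}"


RULES = (rule_listen, rule_persistence, rule_fanout, rule_exec_from_scratch)
THRESHOLD = 6   # policy knob: lower catches more, and false-positives more


def score(events):
    """Sum the weights of every rule the trace violates; return (score, reasons)."""
    total, reasons = 0, []
    for rule in RULES:
        hit = rule(events)
        if hit:
            weight, why = hit
            total += weight
            reasons.append(why)
    return total, reasons


def verdict(events):
    total, reasons = score(events)
    return ("malicious" if total >= THRESHOLD else "benign"), total, reasons


# Constructed traces, not captures of real samples.
WORM_TRACE = [
    Event("write", "C:\\Windows\\System32\\wormsvc.exe"),
    Event("write", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WormSvc"),
    Event("listen", "8888"),
] + [Event("connect", f"10.0.0.{i}") for i in range(40)]

EDITOR_TRACE = [
    Event("write", "C:\\Users\\joe\\Documents\\notes.txt"),
    Event("connect", "updates.example.net"),
]

# A legitimate service installer does two of the same things a worm does.
# This is the false-positive cost that comments 3 and 11 raise.
SERVER_INSTALL_TRACE = [
    Event("write", "C:\\Windows\\System32\\drivers\\sshd.sys"),
    Event("listen", "22"),
]

if __name__ == "__main__":
    for name, trace in (("worm", WORM_TRACE), ("editor", EDITOR_TRACE),
                        ("service installer", SERVER_INSTALL_TRACE)):
        label, total, reasons = verdict(trace)
        print(f"{name}: {label} (score {total})")
        for r in reasons:
            print("   -", r)
```

    The worm-like trace is caught with no signature at all, which is the result the AV-TEST proactive test rewards. The third trace shows why such engines ship with heuristics off by default: a service installer that drops a driver and opens a port is indistinguishable from the worm under this policy, and the only ways out are a whitelist of known installers or a human clicking through a prompt.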
  9. Signature is the only way to scan on entry by m50d · · Score: 4, Insightful

    This kind of thing can only work if it's on the machines that will be running the viruses. If you want to scan everything coming in, or at your mail gateway, signature is still the way to go. There's a place for both methods, as has been the case for a long time.

    --
    I am trolling
  10. I don't know about you, but I saw this coming. by Bnderan · · Score: 4, Funny

    Sheesh...This should be obvious to anyone that MS05-039 totally outclasses MS05-038 in proactive detection test response time. NTIKWTFIATA

  11. Heuristics by Cally · · Score: 4, Interesting
    Most of the major AV programs have incorporated some sort of heuristics capability for years now. The problem with these (and the reason they're not usually turned on by default) is that they tend to false positive all over the place. So the corollary to these test results is: how many false positives did these products generate using the same config?

    Disclaimer: I worked for a household-name antivirus sw firm in the past and now work for one that filters network-based viruses as a network service.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
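    The objection raised in comment 3 (a tiny false positive rate becomes unusable at volume) and the question in comment 11 (what was the false positive rate under the same config?) are the same base-rate calculation. Here it is worked through for two hypothetical products at an assumed mail gateway. This is an added example; the detection rates, false positive rates, volume and prevalence are assumptions chosen for illustration and are not AV-TEST figures.

```python
"""Base-rate arithmetic behind the false-positive objection in comments 3
and 11.  The two products, the gateway volume and the prevalence are
assumed figures chosen for illustration; they are not AV-TEST numbers.
Added example, not from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    name: str
    detection_rate: float       # share of malicious samples caught (6/6 -> 1.0)
    false_positive_rate: float  # share of clean samples wrongly flagged


def daily_alerts(p, volume, prevalence):
    """Expected (true, false) alerts per day at a scanning point."""
    malicious = volume * prevalence
    clean = volume - malicious
    return p.detection_rate * malicious, p.false_positive_rate * clean


def precision(p, prevalence):
    """P(really malicious | flagged): what the person clearing the queue sees."""
    tp = p.detection_rate * prevalence
    fp = p.false_positive_rate * (1 - prevalence)
    return tp / (tp + fp) if tp + fp else 0.0


def missed_per_day(p, volume, prevalence):
    """Malicious samples that get through: the cost of the other design."""
    return (1 - p.detection_rate) * volume * prevalence


# Assumed products: one leans on heuristics (and scored 6/6), one on signatures.
HEURISTIC = Product("heuristic-heavy, 6/6 proactive", 1.0, 1e-3)
SIGNATURE = Product("signature-only, 3/6 proactive", 0.5, 1e-6)

# Assumed mail gateway: a million attachments a day, one in ten thousand malicious.
VOLUME, PREVALENCE = 1_000_000, 1e-4

if __name__ == "__main__":
    for p in (HEURISTIC, SIGNATURE):
        tp, fp = daily_alerts(p, VOLUME, PREVALENCE)
        print(f"{p.name}: {tp:.0f} true / {fp:.0f} false alerts per day, "
              f"precision {precision(p, PREVALENCE):.1%}, "
              f"{missed_per_day(p, VOLUME, PREVALENCE):.0f} missed per day")
```

    With these inputs the 6/6 product raises about a thousand false alerts a day against a hundred real ones, so fewer than one flagged item in ten is actually malicious; the signature product misses fifty infections a day but roughly 98 of every 100 alerts are genuine. Neither column of the AV-TEST sheet tells you which trade-off you are buying, which is exactly why the false positive count under the same configuration has to be asked for.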
  12. Virus proliferation by QangMartoq · · Score: 5, Insightful
    It is almost amazing to me that most viruses (and other various forms of malware) continue to flourish in a computer culture where using a virus scanner is so common nowadays.

    Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.

    Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.

    The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.

    Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

    While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?

    In my personal opinion, the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this description (for example, Grisoft AVG Free Edition) is already available.

    What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

    1. Re:Virus proliferation by sootman · · Score: 4, Funny

      Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

      Understandable. $30 was a lot of money in ancient Roman times.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  13. Switch A/V S/W from a blacklists to whitelists? by Anonymous Coward · · Score: 5, Interesting

    Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.

    Users don't add new apps to their computers that often, and corporations would welcome the chance to ensure only approved and paid-for programs can run on their systems.

    When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.

    It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?

    If you use whitelists, the only time code needs to be checked is when new executable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.

    Is this feasible? Where's the downside?
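    The gatekeeper the post above sketches, in miniature: a default-deny allow list keyed on SHA-256, with a cache so that only new or changed executables are ever hashed. This is an added example and not any product's implementation; the allow list, the scratch directory, the "binaries" and the tampering step are all constructed for illustration.

```python
"""Hash-based execution whitelist of the kind comment 13 proposes.

Default-deny: a binary may run only if its SHA-256 is on the allow list.
A (size, mtime) cache means a file that has already been checked is not
re-hashed, so only new or changed executables cost anything, which is
the speed-up the poster expects.  Added example; the allow list, paths
and "binaries" are constructed here and are not from any real product.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Gatekeeper:
    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)
        self._cache = {}          # path -> (size, mtime_ns, digest)
        self.hashes_computed = 0  # how much work the cache saved

    def digest(self, path):
        st = os.stat(path)
        key = (st.st_size, st.st_mtime_ns)
        cached = self._cache.get(path)
        if cached is not None and cached[:2] == key:
            return cached[2]
        d = sha256_file(path)
        self.hashes_computed += 1
        self._cache[path] = key + (d,)
        return d

    def may_run(self, path):
        """Unknown code is blocked until someone approves its hash."""
        return self.digest(path) in self.allowed

    def approve(self, path):
        self.allowed.add(self.digest(path))


def demo():
    """Exercise the gatekeeper on a scratch directory; return the decisions."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "editor.exe")
        newapp = os.path.join(root, "shiny-new-app.exe")
        with open(trusted, "wb") as f:
            f.write(b"MZ trusted editor build 1.0")
        with open(newapp, "wb") as f:
            f.write(b"MZ something downloaded today")

        # Published allow list knows only the editor (constructed).
        gk = Gatekeeper([sha256_file(trusted)])
        results["trusted_first_run"] = gk.may_run(trusted)
        results["trusted_second_run"] = gk.may_run(trusted)
        results["hashes_after_two_runs"] = gk.hashes_computed   # cache hit: still 1

        results["unknown_blocked"] = gk.may_run(newapp)          # the "48 hours" inconvenience
        gk.approve(newapp)                                       # list catches up later
        results["unknown_after_approval"] = gk.may_run(newapp)

        # A file infector rewrites the approved editor in place: size changes,
        # cache misses, the new hash is not on the list, so it no longer runs.
        with open(trusted, "wb") as f:
            f.write(b"MZ trusted editor build 1.0 + appended payload")
        results["tampered_blocked"] = not gk.may_run(trusted)
        results["total_hashes"] = gk.hashes_computed
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    Two caveats answer the "where's the downside" question. First, the cache trusts size and mtime, both of which an attacker with write access can preserve, so a real gatekeeper has to sit in the execution path (kernel or loader level) and hash what is actually about to run rather than consult a user-space cache. Second, a whitelist governs what the loader starts; scripts, macros and anything an already-approved interpreter will execute are untouched unless the interpreters themselves are constrained, which is the gap the Word-macro discussion earlier in the thread is really about.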