Slashdot Mirror

← Back to Stories (view on slashdot.org)

The End of Signature-Based Antivirus Software?

Posted by CmdrTaco on from the one-can-only-hope dept.

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impresive, besides the huge difference between response times among antivirus companies, is that two products succeeded to proactively detect all 6 attacks without any signature update. "

8 of 290 comments (clear)

  1. Excel sheet Zip file???? by gtrubetskoy · · Score: 5, Funny

    From the referred posting: You can find the information how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at http://www.av-test.org./

    At first glance this looks like a clever variation on "important document attached" e-mails we all get every day...

    1. Re:Excel sheet Zip file???? by milimetric · · Score: 5, Funny

      what I find interesting here is that whereas in the detection time sorted column Symantec performed at an average level, in the alphabetically sorted column they performed very badly, being one of the last ones in the list. Judging by a quick glance at this, I will switch my antivirus software to AntiVir which was at the TOP of the list.

  2. Data from the article by Anonymous Coward · · Score: 5, Informative

    The product scores (only the trolls need more karma). Or you can try page 4.

    BitDefender 6/6
    Fortinet 6/6
    Nod32 5/6
    eSafe 3/6
    F-Prot 3/6
    Panda 3/6
    QuickHeal 3/6
    McAfee 2/6
    Norman 2/6
    AntiVir 1/6
    ClamAV 1/6
    Proventia-VPS 3/6
    Panda TruPrevent 6/6

    1. Re:Data from the article by Baron+von+Leezard · · Score: 5, Insightful

      This is a meaningless test. I can write an AV program that will get 6/6 no matter what you feed it: it always returns positive. Is that actually helpful? Obviously not. The article mentions that the products that scored 6/6 have a higher false positive rate. Sounds harmless, but even the tiniest false positive rate renders a product completely unusable when the volume of scanned items is high. So what does this test actually reveal? Absolutely nothing. [BvL]

  3. Hotmail is doing this already? by Thunderstruck · · Score: 5, Informative

    I think, based on my personal experience, that Hotmail is already moving away from virus definitions to a more general measure of "traits." In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "." (dot) in it.

    I base this on the fact that, after exporting a document from StarOffice 7 directly to a .pdf file, and using a filename with two "dots." I send this document to a Hotmail user, who wrote me back that Hotmail had declared the file to contain an incurable virus. Reasonably sure that my Xandros linux box had no virii on it, I renamed the file something more Microsoft friendly. The file was received with no problems.

    So there you have it, any file with a suspicious name must contain a virus. Easy, reliable detection.

    --
    Trying to use sarcasm in text-based forums does not work.
  4. Virus proliferation by QangMartoq · · Score: 5, Insightful
    It is almost amazing to me that most viruses (and other various forms of malware) continue to flourish in a computer culture where using a virus scanner is so common nowadays.

    Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.

    Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.

    The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.

    Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

    While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?

    In my personal opinion , the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this desription Example: Grisoft AVG Free Edition is already available.

    What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

  5. Switch A/V S/W from a blacklists to whitelists? by Anonymous Coward · · Score: 5, Interesting

    Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.

    Users don't add new apps to their computers that often, and corporations wouild welcome the chance to ensure only approved and paid-for programs can run on their systems.

    When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.

    It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?

    If you use whitelists, the only time code needs to be checked is when new exectuable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.

    Is this feasible? Where's the downside?

  6. Re:The problem isn't the software... by Delphiki · · Score: 5, Insightful
    The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.

    Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?

    Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer? There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?

    Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.

    --

    Feel free to mod me "-1 - Angry Jerk".